42Crunch for Mid-market companies
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk score A–F with prioritized findings
- 12 OWASP API Top 10 (2023) aligned detections
- Authenticated scanning with header allowlist
- OpenAPI 3.0/3.1 and Swagger 2.0 support
- Pro continuous monitoring and CI/CD integration
Overview for Mid-market API Security
For mid-market teams, balancing security velocity with limited staffing is a constant constraint. middleBrick is a self-service API security scanner designed for this context. You submit a URL and receive a risk score from A to F along with prioritized findings. The approach is black-box, requiring no agents, no code access, and no SDK integration. It supports any language, framework, or cloud, and standard scans complete in under a minute using read-only methods.
Detection Coverage and Compliance Mapping
The scanner checks 12 categories aligned to the OWASP API Top 10 (2023), including authentication bypasses, JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation attempts, and data exposure patterns like PII and API key leakage. It also detects input validation issues, rate-limiting weaknesses, encryption misconfigurations, SSRF indicators, and unsafe consumption surfaces.
Findings map directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, the scanner helps you prepare and supports audit evidence by aligning with the security controls described in the relevant frameworks, without asserting certification or compliance guarantees.
Authenticated Scanning and Safety Controls
Authenticated scanning is available from the Starter tier onward, supporting Bearer tokens, API keys, Basic auth, and cookies. A domain verification gate ensures only the domain owner can scan with credentials, using DNS TXT records or an HTTP well-known file. The scanner only forwards a limited header allowlist, including Authorization, X-API-Key, Cookie, and X-Custom-* headers.
The scanner follows a strict safety posture. It uses read-only HTTP methods exclusively and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and is purged within 30 days of cancellation, and it is never sold or used for model training.
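The two controls described above, a forwarded-header allowlist and a target filter that refuses private, loopback, link-local and cloud-metadata addresses, are easy to get subtly wrong, so here is a worked example of both. This is an added illustration, not middleBrick's own code: the header names come from the page, while the blocked hostnames, the address ranges and the rejection of bare-integer hosts are assumptions about how such a filter is typically built.

```python
import ipaddress
from urllib.parse import urlsplit

# Header allowlist as described on the page: three exact names plus the
# X-Custom-* prefix. HTTP header names are case-insensitive, so compare lowercased.
HEADER_ALLOWLIST = frozenset({"authorization", "x-api-key", "cookie"})
HEADER_PREFIX_ALLOWLIST = ("x-custom-",)

def filter_headers(headers: dict) -> dict:
    """Return only the headers a scanner should forward to the target.

    Anything else (Host, X-Forwarded-For, hop-by-hop headers, ...) is dropped so a
    user cannot make the scanner spoof or smuggle headers on their behalf.
    """
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in HEADER_ALLOWLIST or lname.startswith(HEADER_PREFIX_ALLOWLIST):
            kept[name] = value
    return kept

# Assumed block lists (not taken from the page): hostnames that resolve to
# internal services plus the RFC 1918 / loopback / link-local / ULA ranges.
# 169.254.0.0/16 covers the 169.254.169.254 cloud metadata endpoint.
BLOCKED_HOSTNAMES = frozenset({"localhost", "metadata.google.internal"})
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def target_allowed(url: str) -> bool:
    """First-layer check on the submitted URL before any request is made.

    Returns False for non-HTTP schemes, known internal hostnames, and literal
    IP addresses inside a blocked range. A DNS name passes this layer; the
    resolver layer must re-check every address it resolves to (and pin it for
    the connection) so that DNS rebinding cannot bypass this filter.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False
    # Bare-integer hosts such as 2130706433 (== 127.0.0.1) are accepted by some
    # HTTP stacks; reject them outright rather than trying to normalise them.
    if host.isdigit():
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name: defer to the resolver-layer check
    if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return False
    return not any(addr in net for net in BLOCKED_NETWORKS)

if __name__ == "__main__":
    # Constructed sample input, not a real scan request.
    print(filter_headers({"Authorization": "Bearer t", "X-Custom-Trace": "1", "Host": "internal"}))
    for u in ("https://api.example.com/v1", "http://169.254.169.254/latest/meta-data/"):
        print(u, target_allowed(u))
```

The header filter is allow-by-default for nothing: a header reaches the target only if it is named in the allowlist or carries the permitted prefix, which is the safer direction for a tool that forwards user-supplied credentials.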
Product Integrations and Continuous Monitoring
Integration options reduce friction across workflows. The Web Dashboard centralizes scans, reports, and score trends with downloadable compliance PDFs. The CLI, distributed as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a defined threshold. An MCP Server allows scans from AI coding assistants, and a programmatic API supports custom integrations.
Pro tier adds continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. It provides diff detection across scans, highlighting new findings, resolved items, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256-signed webhooks auto-disable after five consecutive failures.
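To make the webhook and alerting behaviour concrete, here is an added example (illustrative code, not middleBrick's implementation) of an HMAC-SHA256 webhook sender with a receiver-side verifier, a consecutive-failure counter that disables the endpoint after five failures as the page describes, and a per-API one-alert-per-hour limiter. The signature header name, the `sha256=` prefix and the canonical JSON encoding are assumptions; the page only states that webhooks are HMAC-SHA256 signed.

```python
import hashlib
import hmac
import json

MAX_CONSECUTIVE_FAILURES = 5       # page: auto-disable after five consecutive failures
ALERT_WINDOW_SECONDS = 3600        # page: one email alert per hour per API
SIGNATURE_HEADER = "X-Signature-256"   # assumed header name

def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact raw bytes that are sent."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver side: recompute over the raw body and compare in constant time.

    Verify the bytes as received, before JSON parsing, so re-serialisation
    differences cannot break or bypass the check.
    """
    if not header_value.startswith("sha256="):
        return False
    presented = header_value[len("sha256="):]
    return hmac.compare_digest(sign_payload(secret, body), presented)

class WebhookEndpoint:
    """One customer webhook with the auto-disable policy from the page."""

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, event: dict, transport) -> bool:
        """Send one event; transport(url, body, headers) returns an HTTP status.

        Returns True on a 2xx response. Any non-2xx or transport error counts as
        a failure; a success resets the counter, five in a row disable the hook.
        """
        if not self.enabled:
            return False
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
        headers = {
            "Content-Type": "application/json",
            SIGNATURE_HEADER: "sha256=" + sign_payload(self.secret, body),
        }
        try:
            ok = 200 <= transport(self.url, body, headers) < 300
        except OSError:
            ok = False
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return ok

class AlertLimiter:
    """Allow at most one alert per API id per window (default one hour)."""

    def __init__(self, window_seconds: int = ALERT_WINDOW_SECONDS):
        self.window = window_seconds
        self.last_sent = {}

    def allow(self, api_id: str, now: float) -> bool:
        last = self.last_sent.get(api_id)
        if last is not None and now - last < self.window:
            return False
        self.last_sent[api_id] = now
        return True

if __name__ == "__main__":
    # Constructed secret and event; the fake transport always fails with 500.
    ep = WebhookEndpoint("https://hooks.example.com/scan", b"constructed-shared-secret")
    for _ in range(MAX_CONSECUTIVE_FAILURES):
        ep.deliver({"event": "scan.completed", "score": "B"}, lambda u, b, h: 500)
    print("enabled after five failures:", ep.enabled)
```

The receiver should treat a missing or malformed signature header exactly like a bad signature, and the sender should sign the bytes it actually transmits rather than the object it serialised them from.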
LLM Security and OpenAPI Analysis
The scanner includes specific protections and testing for LLM/AI security, conducting 18 adversarial probes across Quick, Standard, and Deep tiers. These include system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration probes, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction.
OpenAPI analysis is supported for versions 3.0, 3.1, and Swagger 2.0, with recursive $ref resolution. The scanner cross-references spec definitions against runtime findings to surface issues such as undefined security schemes, sensitive field exposure, deprecated operations, and missing pagination.
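As an added example of the spec-side analysis described above (illustrative code, not middleBrick's analyser), the block below resolves local `$ref` pointers recursively while guarding against cyclic schemas, then audits the resolved document for security requirements that name no defined scheme, deprecated operations, and property names that commonly carry sensitive data. The sample specification and the sensitive-name list are constructed for the example; `securitySchemes` (OpenAPI 3.x) and `securityDefinitions` (Swagger 2.0) are the real spec locations.

```python
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
# Assumed list of property names worth flagging in response schemas.
SENSITIVE_FIELD_NAMES = frozenset({"password", "ssn", "secret", "api_key", "token"})

def resolve_refs(doc: dict) -> dict:
    """Return a copy of doc with every local '#/...' $ref inlined.

    A reference already being expanded on the current path is left in place and
    tagged x-circular, so recursive schemas (User.manager -> User) terminate.
    """
    def lookup(pointer: str):
        node = doc
        for part in pointer[2:].split("/"):
            part = part.replace("~1", "/").replace("~0", "~")   # RFC 6901 escapes
            node = node[part]
        return node

    def walk(node, active: frozenset):
        if isinstance(node, dict):
            ref = node.get("$ref")
            if isinstance(ref, str) and ref.startswith("#/"):
                if ref in active:
                    return {"$ref": ref, "x-circular": True}
                return walk(lookup(ref), active | {ref})
            return {k: walk(v, active) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, active) for v in node]
        return node

    return walk(doc, frozenset())

def audit_security(doc: dict) -> list:
    """Findings as (kind, location, detail) tuples over the raw document."""
    components = doc.get("components") or {}
    defined = set(components.get("securitySchemes") or {}) | set(doc.get("securityDefinitions") or {})
    findings = []

    def check(requirements, where):
        for requirement in requirements or []:
            for scheme in requirement:
                if scheme not in defined:
                    findings.append(("undefined_security_scheme", where, scheme))

    check(doc.get("security"), "global")
    for path, item in (doc.get("paths") or {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if not op:
                continue
            where = f"{method.upper()} {path}"
            check(op.get("security"), where)
            if op.get("deprecated"):
                findings.append(("deprecated_operation", where, None))
    return findings

def find_sensitive_fields(doc: dict) -> list:
    """Sorted property names anywhere in the document that match the assumed list."""
    found = set()
    def walk(node):
        if isinstance(node, dict):
            for name in node.get("properties") or {}:
                if name.lower() in SENSITIVE_FIELD_NAMES:
                    found.add(name)
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
    walk(doc)
    return sorted(found)

# Constructed sample spec: a recursive User schema, one operation that names an
# undefined scheme, and a deprecated operation.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Constructed sample", "version": "1.0"},
    "security": [{"bearerAuth": []}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "password": {"type": "string"},
                "manager": {"$ref": "#/components/schemas/User"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {"responses": {"200": {"content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/admin/export": {"get": {"deprecated": True, "security": [{"apiKeyAuth": []}],
                                  "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    for finding in audit_security(SAMPLE_SPEC):
        print(finding)
    print(find_sensitive_fields(SAMPLE_SPEC))
```

Resolving references first matters for the field check: a sensitive property hidden two `$ref` hops away from a response is still exposed by that response, and the circular guard keeps the resolver from looping on self-referencing schemas.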