42Crunch for NIS2 directive readiness

The NIS2 directive emphasizes significant management attention on operational resilience and security of essential services. For APIs, this translates to requirements around access control, incident detection, and evidence of ongoing risk assessment. middleBrick maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), and it helps you prepare for audit evidence relevant to NIS2 by highlighting misconfigurations and data exposures that affect availability and integrity.

Because middleBrick is a black-box scanner, it imposes minimal integration friction and delivers results in under a minute. This supports timely reassessment after infrastructure changes, a practical need under NIS2 incident monitoring expectations. The tool surfaces findings such as weak authentication, over-exposed data, and unsafe consumption surfaces, enabling teams to prioritize remediation based on observable risk rather than theoretical review.

Authentication weaknesses are a common root cause of API incidents. middleBrick detects multi-method bypasses, JWT misconfigurations including alg=none and HS256 usage, expired tokens, missing claims, and sensitive data present in token payloads. It also checks security headers and WWW-Authenticate compliance, which are relevant to access control robustness under audit considerations.

For authenticated scanning at the Starter tier and above, Bearer tokens, API keys, Basic auth, and Cookies are supported. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only the domain owner can submit credentials. The scanner forwards a restricted allowlist of headers, limiting exposure while validating how authorization is enforced in practice.

BOLA and IDOR issues are identified through sequential ID enumeration and active adjacent-ID probing, revealing insecure direct object references that can lead to unauthorized data access. BFLA and privilege escalation are detected by probing admin endpoints and analyzing role or permission field leakage, which can indicate insufficient authorization checks.

Property authorization risks, such as over-exposure of internal fields and mass-assignment surfaces, are surfaced alongside runtime spec cross-references. By comparing the OpenAPI specification against live behavior, middleBrick highlights undefined security schemes and deprecated operations, supporting evidence collection for access control reviews aligned with security controls described in SOC 2 and OWASP API Top 10.

Input validation findings include dangerous HTTP methods, CORS wildcard usage with and without credentials, and debug endpoints that can aid reconnaissance. Rate-limiting misconfigurations and oversized responses are flagged, along with unpaginated arrays that can contribute to resource exhaustion.

Data exposure checks identify PII patterns such as email addresses, Luhn-validated card numbers, context-aware SSN formats, and API key values for AWS, Stripe, GitHub, and Slack. Encryption checks cover HTTPS redirects, HSTS presence, and cookie flags. Middlebox also probes for SSRF indicators, including URL-accepting parameters and internal IP detection, while blocking known private and cloud metadata endpoints at multiple layers to preserve scan safety.

For AI-driven APIs, middleBrick runs 18 adversarial probes across three scan tiers labeled Quick, Standard, and Deep. These probes assess system prompt extraction, instruction override attempts, DAN and roleplay jailbreaks, data exfiltration patterns, cost exploitation, encoding bypasses, prompt injection variants, token smuggling, tool abuse, nested instruction injection, and PII extraction, providing visibility into model and endpoint behavior.

OpenAPI analysis supports versions 3.0, 3.1, and Swagger 2.0, with recursive $ref resolution and cross-referencing of definitions against runtime findings. Continuous monitoring in the Pro tier offers scheduled rescans, diff detection for new or resolved findings, email alerts rate-limited to one per hour, and HMAC-SHA256 signed webhooks that auto-disable after repeated failures. This helps teams maintain security posture between major releases and supports audit evidence for ongoing control reviews.