42Crunch for Security architects

What middleBrick covers

  • Black-box scanning with a risk score in under a minute
  • Detection aligned to OWASP API Top 10, PCI-DSS, and SOC 2
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated scans with strict header allowlists
  • Continuous monitoring with diff detection and webhook alerts
  • CI/CD integration via GitHub Action and MCP server support

Black-box scanning for security architects

The scanner operates as a self-service black-box tool. You submit an API endpoint and, in under a minute, receive a risk score from A to F with prioritized findings. Probes use read-only methods such as GET and HEAD; the only POST requests are the text-only bodies sent by the LLM probes. No agents, SDKs, or code access are required, so it works against any language, framework, or cloud environment.

Coverage aligned to major frameworks

Findings are mapped to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Security Top 10 (2023). Checks cover authentication bypass, JWT misconfigurations such as acceptance of alg=none or expired tokens, BOLA/IDOR via sequential ID probing, BFLA and privilege escalation attempts, and sensitive data exposure including PII and API key formats. Depending on scan tier, it also checks unsafe consumption surfaces and SSRF indicators and runs LLM-specific adversarial probes.
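To make the two JWT checks named above concrete, here is an added example (not middleBrick's code) of what an alg=none probe and an expired-token probe look like when run against a weak verifier and a hardened one. The HS256 verifiers, the secret, and the claims are toy constructions for illustration; a real scan sends the forged token to the target and observes whether it is accepted.

```python
"""Added example: alg=none and expired-token JWT probes against a naive
verifier and a hardened verifier. Not middleBrick's code; the secret,
claims and verifier logic are assumptions constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"server-side-secret"  # constructed for the example


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a legitimately signed HS256 token (what the target hands out)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_alg_none(token: str) -> str:
    """Probe: keep the payload, rewrite the header to alg=none, drop the signature."""
    _, payload, _ = token.split(".")
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{payload}."


def verify_naive(token: str, secret: bytes = SECRET, now=None):
    """Weak verifier: trusts the alg named in the header and ignores exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":              # the alg=none bug
        return json.loads(b64url_decode(payload_b64))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if b64url_decode(sig_b64) == expected:       # also not constant-time
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_strict(token: str, secret: bytes = SECRET, now=None):
    """Hardened verifier: algorithm pinned server-side, constant-time
    signature comparison, exp required and enforced."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":             # rejects none and algorithm confusion
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" not in claims or claims["exp"] <= now:
        return None
    return claims


def run_probes(now: float) -> dict:
    """Return, per verifier, which probe tokens were accepted (True = finding)."""
    valid = sign_hs256({"sub": "user-1", "role": "user", "exp": now + 300})
    expired = sign_hs256({"sub": "user-1", "role": "user", "exp": now - 300})
    # The probe escalates the role, then strips the signature via alg=none.
    none_token = forge_alg_none(sign_hs256({"sub": "user-1", "role": "admin", "exp": now + 300}))
    results = {}
    for name, verify in (("naive", verify_naive), ("strict", verify_strict)):
        results[name] = {
            "valid": verify(valid, now=now) is not None,
            "alg_none": verify(none_token, now=now) is not None,
            "expired": verify(expired, now=now) is not None,
        }
    return results


if __name__ == "__main__":
    print(json.dumps(run_probes(time.time()), indent=2))
```

The naive verifier accepts all three tokens, which is exactly the pair of findings the scanner reports; the strict verifier accepts only the valid one. The fix is the same in any JWT library: pin the allowed algorithms on the server side and never derive them from the token header.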

OpenAPI and authenticated scan workflows

It parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references the spec's definitions against observed runtime behavior. Authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies, and is gated by domain verification through a DNS TXT record or an HTTP well-known file. Only an allowlisted set of headers is forwarded to the target, so credentials travel only in the headers you explicitly permit.

Continuous monitoring and integration options

The Pro tier provides scheduled rescans every six hours, daily, weekly, or monthly, with diff detection that highlights new findings, resolved items, and score drift. Email alerts are rate-limited to one per hour per API; webhook deliveries are signed with HMAC-SHA256, and a webhook is automatically disabled after five consecutive delivery failures. Integration options include a web dashboard, a CLI distributed as an npm package, a GitHub Action for CI/CD gating, an MCP server for AI coding assistants, and a programmatic API for custom workflows.
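A signed webhook is only worth something if the receiver actually verifies it. The following added example (not middleBrick's code) shows a receiver for HMAC-SHA256 signed deliveries like the ones described above. The header name X-Signature-256, the "sha256=" prefix, the shared secret, and the payload fields are assumptions made for this illustration; check the product's webhook documentation for the real names.

```python
"""Added example: verifying an HMAC-SHA256 signed webhook delivery.
Not middleBrick's code; the header name, signature format, secret and
sample payload are assumptions constructed for illustration."""
import hashlib
import hmac
import json

WEBHOOK_SECRET = b"whsec_example_shared_secret"  # constructed for the example
SIGNATURE_HEADER = "X-Signature-256"             # assumed header name


def sign_payload(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """What the sender computes over the exact bytes it transmits."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(headers: dict, raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Verify over the raw request bytes (never over a re-serialized parse)
    and compare in constant time so the check does not leak via timing."""
    provided = headers.get(SIGNATURE_HEADER, "")
    if not provided.startswith("sha256="):
        return False
    expected = sign_payload(raw_body, secret)
    return hmac.compare_digest(provided.encode(), expected.encode())


def handle_webhook(headers: dict, raw_body: bytes) -> dict:
    """Parse the event only after the signature has been verified."""
    if not verify_webhook(headers, raw_body):
        return {"accepted": False, "reason": "bad signature"}
    return {"accepted": True, "event": json.loads(raw_body)}


# Constructed sample delivery: a rescan diff reporting one new finding.
SAMPLE_BODY = json.dumps({
    "api": "https://api.example.com",
    "score": {"previous": "B", "current": "C"},
    "new_findings": ["JWT accepted with alg=none"],
    "resolved": [],
}, separators=(",", ":")).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_payload(SAMPLE_BODY)}


def demo() -> dict:
    """Exercise the genuine delivery, a tampered copy, and a re-serialized copy."""
    genuine = handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY)
    # An attacker who can reach the receiver flips the score back to "A"
    # but cannot recompute the MAC without the shared secret.
    tampered = SAMPLE_BODY.replace(b'"current":"C"', b'"current":"A"')
    forged = handle_webhook(SAMPLE_HEADERS, tampered)
    # Pretty-printing the same JSON changes the bytes: a receiver that
    # verifies json.dumps(json.loads(body)) rejects every genuine delivery.
    reserialized = json.dumps(json.loads(SAMPLE_BODY), indent=2).encode()
    reserialized_ok = verify_webhook(SAMPLE_HEADERS, reserialized)
    return {
        "genuine": genuine["accepted"],
        "tampered": forged["accepted"],
        "reserialized": reserialized_ok,
    }


if __name__ == "__main__":
    print(demo())
```

Two points matter in practice: read the request body as bytes before any framework middleware parses it, and use hmac.compare_digest rather than == so a forged signature cannot be refined byte by byte from response timing. The auto-disable behaviour described above is the sender's side of the contract; if your endpoint returns errors five times in a row, expect deliveries to stop until you re-enable the webhook.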

Limitations and safety posture

The tool does not fix, patch, or remediate findings; it reports them with remediation guidance. It does not run active SQL or command injection tests, detect business logic vulnerabilities, or perform blind SSRF checks. Destructive payloads are never sent, private IP ranges and cloud metadata endpoints are blocked at multiple layers, and customer data can be deleted on demand and is never used for model training.

Frequently Asked Questions

How does authenticated scanning work?
Authenticated scanning supports Bearer, API key, Basic auth, and cookies. Domain verification via DNS TXT record or HTTP well-known file ensures only the domain owner can scan with credentials, and a strict header allowlist controls what is forwarded.
What frameworks does it map findings to?
It maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it supports audit evidence collection and alignment with described security controls.
Can it replace a human pentester for high-stakes audits?
No. The tool does not detect business logic vulnerabilities or blind SSRF, and it is not a substitute for a human pentester when audit scope and risk are high.
What happens to scan data after cancellation?
Customer scan data is deletable on demand and is purged within 30 days of cancellation. It is never sold and is not used for model training.