42Crunch for Customer SOC 2 questionnaire prep

What middleBrick covers

  • Black-box API scanning with risk score and prioritized findings
  • Detection mapped to the OWASP API Top 10, SOC 2, and PCI-DSS
  • Authenticated scans with domain verification guard
  • Read-only methods with strict header allowlisting
  • CI/CD integration via GitHub Action and MCP server
  • Continuous monitoring with diff detection and alerting

Overview and scope for SOC 2 preparation

This scanner is a black-box API security assessment service that returns a risk score and prioritized findings. It supports SOC 2 Type II evidence gathering by surfacing concrete API risks and related control observations. Its role is limited to detection and reporting: it does not remediate, patch, or certify compliance.

Detection coverage aligned to SOC 2 and OWASP

The scanner checks 12 security categories mapped to the OWASP API Top 10 (2023) and marks each finding with its SOC 2 control relevance. Detected categories include authentication bypass, broken object level authorization (BOLA), broken function level authorization (BFLA), sensitive data exposure, input validation issues, missing rate limiting, encryption misconfigurations, SSRF indicators, inventory and versioning gaps, unsafe consumption of APIs, and LLM/AI security probes. Where applicable, findings also carry PCI-DSS 4.0 and SOC 2 control references to help you assemble audit evidence; a mapped finding is a pointer to the relevant control, not a statement that the control is met.

Authenticated scanning and domain verification

Authenticated scans are available in paid tiers and support Bearer tokens, API keys, Basic auth, and cookies. Before any credential is accepted, a domain verification gate confirms that you control the target, via a DNS TXT record or an HTTP well-known file, so credentials cannot be replayed against an API you do not own. Only an allowlisted set of headers is forwarded to the target: Authorization, X-API-Key, Cookie, and X-Custom-* headers; anything else supplied is dropped. The allowlist bounds what the scanner will carry into the target on your behalf while still allowing deeper assessment of protected endpoints.
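The two controls described above, the ownership gate and the header allowlist, as an added example written for this page rather than code from the scanner itself. The DNS TXT record format (apiscan-verify=<token>), the function names, and the rule that a verified domain also covers its subdomains are assumptions; the allowlisted header names are the ones the page lists.

```python
import hmac
import secrets
from typing import Dict, Iterable, Set

# Allowlist as described on the page: three exact header names plus the
# X-Custom-* prefix. HTTP header names are case-insensitive, so compare lowercased.
EXACT_ALLOWED = {"authorization", "x-api-key", "cookie"}
PREFIX_ALLOWED = ("x-custom-",)

# Hypothetical record format for the DNS TXT proof; the page does not specify one.
TXT_RECORD_PREFIX = "apiscan-verify="


def filter_forwarded_headers(supplied: Dict[str, str]) -> Dict[str, str]:
    """Keep only headers the scanner may replay against the target.

    Everything else (Host, X-Forwarded-For, Content-Length, Transfer-Encoding, ...)
    is dropped, so the credential channel cannot be used to reshape the request.
    Values containing CR or LF are dropped too, which blocks header injection
    into the replayed request.
    """
    kept: Dict[str, str] = {}
    for name, value in supplied.items():
        clean_name = name.strip()
        lower = clean_name.lower()
        if "\r" in value or "\n" in value:
            continue
        if lower in EXACT_ALLOWED or lower.startswith(PREFIX_ALLOWED):
            kept[clean_name] = value
    return kept


def issue_verification_token() -> str:
    """Per-domain random token the owner must publish before credentials are accepted."""
    return secrets.token_urlsafe(32)


def txt_records_satisfy(records: Iterable[str], expected_token: str) -> bool:
    """True if any TXT string at the verification name carries the expected token.

    Every candidate is compared in constant time and the loop never exits early,
    so timing does not reveal which record (if any) was close.
    """
    found = False
    for record in records:
        text = record.strip().strip('"')
        if text.startswith(TXT_RECORD_PREFIX):
            candidate = text[len(TXT_RECORD_PREFIX):]
            if hmac.compare_digest(candidate.encode(), expected_token.encode()):
                found = True
    return found


def well_known_body_satisfies(body: str, expected_token: str) -> bool:
    """The HTTP alternative: the body of the well-known file must equal the token."""
    return hmac.compare_digest(body.strip().encode(), expected_token.encode())


def credentials_allowed(target_host: str, verified_domains: Set[str]) -> bool:
    """The gate itself: credentials go only to a verified domain or one of its subdomains.

    The suffix check includes the leading dot so that "example.com.evil.net"
    does not pass for a verified "example.com".
    """
    host = target_host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in verified_domains)


def prepare_authenticated_scan(target_host: str, supplied_headers: Dict[str, str],
                               verified_domains: Set[str]) -> Dict[str, str]:
    """Combine gate and allowlist: returns the headers that will actually be sent."""
    if not credentials_allowed(target_host, verified_domains):
        return {}  # unverified target: scan unauthenticated, forward nothing
    return filter_forwarded_headers(supplied_headers)


if __name__ == "__main__":
    # Constructed sample: one legitimate header, one request-shaping header, one injection attempt.
    token = issue_verification_token()
    print("publish:", TXT_RECORD_PREFIX + token)
    print(txt_records_satisfy(['"v=spf1 -all"', '"%s%s"' % (TXT_RECORD_PREFIX, token)], token))
    print(prepare_authenticated_scan("api.example.com",
                                     {"Authorization": "Bearer t", "Host": "evil.net",
                                      "Cookie": "s=1\r\nX-Injected: y"},
                                     {"example.com"}))
```

The ownership check is what makes header forwarding safe to offer at all: without it, any account could hand the scanner a stolen token and a victim's hostname.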

Operational characteristics and limitations

Scans complete in under a minute. Requests use read-only methods plus non-destructive, text-only POST probes; destructive payloads are never sent. Targets that point at private IP ranges, localhost, or cloud metadata endpoints are blocked at multiple layers, so the service cannot be turned into a proxy into someone's internal network. The tool does not perform intrusive injection tests, business logic validation, or blind SSRF checks, and it does not replace a human pentester for high-stakes audits. Findings include descriptive evidence and remediation guidance rather than automated fixes.
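What "blocked at multiple layers" looks like in practice, as an added example written for this page and not the scanner's own implementation: a URL-level check, then a check on every address the resolver returned, with the third layer (pinning the vetted address and re-checking on redirects) described in the comments because it needs a live HTTP client. The blocked hostname list, the extra networks, and the function names are assumptions; the page only says that private IPs, localhost, and cloud metadata endpoints are blocked.

```python
import ipaddress
from typing import Iterable, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Names that point at loopback or cloud metadata services whatever they resolve to.
# Constructed list for this example; extend it for your environment.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata", "instance-data"}

# Ranges not already covered by the ipaddress properties used below.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32",  # IMDS on AWS, Azure, GCP, OpenStack (also link-local)
    "fd00:ec2::254/128",   # AWS IMDS over IPv6
    "100.100.100.200/32",  # Alibaba Cloud metadata
    "100.64.0.0/10",       # CGNAT / shared address space, which is_private does not flag
)]


def ip_is_blocked(ip: IPAddress) -> bool:
    """Check applied to a concrete address, whether literal or resolved."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
        or ip.is_reserved or ip.is_unspecified
        or any(ip in net for net in BLOCKED_NETWORKS)
    )


def address_is_blocked(text: str) -> bool:
    """Convenience wrapper for a textual address."""
    return ip_is_blocked(ipaddress.ip_address(text))


def url_is_allowed(url: str, resolved_ips: Iterable[str]) -> bool:
    """Layer 1 (URL) and layer 2 (post-resolution) checks.

    resolved_ips is what the resolver returned for the host; it is passed in so the
    function stays pure and testable offline. In production, resolve once, run this
    check, then connect to the vetted address rather than the name, and re-run the
    check on every redirect; otherwise DNS rebinding or a 302 to
    http://169.254.169.254/ walks straight past layer 1.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lowercased, brackets removed from IPv6 literals
    if not host or parts.username is not None or parts.password is not None:
        return False  # no userinfo tricks such as http://good.example@127.0.0.1/
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return False
    # Dotted/colon literals are judged directly. Decimal or octal forms such as
    # http://2130706433/ are not parsed by ipaddress, so they fall through to the
    # resolver, whose answer (127.0.0.1) is caught by the post-resolution check.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None and ip_is_blocked(literal):
        return False
    resolved = [ipaddress.ip_address(a) for a in resolved_ips]
    if not resolved:
        return False  # nothing to connect to; refuse rather than guess
    # Any blocked answer disqualifies the host: a mixed set of one public and one
    # private record is exactly what a rebinding or split-horizon attack looks like.
    return not any(ip_is_blocked(a) for a in resolved)


if __name__ == "__main__":
    # Constructed resolver answers; no network access is performed.
    for url, answers in [
        ("https://api.example.com/v1/users", ["93.184.216.34"]),
        ("http://169.254.169.254/latest/meta-data/", ["169.254.169.254"]),
        ("http://2130706433/", ["127.0.0.1"]),
        ("http://[::ffff:127.0.0.1]/", []),
    ]:
        print(url, "->", "allowed" if url_is_allowed(url, answers) else "blocked")
```

The post-resolution layer is the one that matters most: the URL layer stops the obvious cases, but only a check on the address you are actually about to connect to catches a public name that quietly resolves to 10.0.0.5.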

Integration into customer workflows

The scanner provides multiple integration options for SOC 2 workflows. The web dashboard centralizes scans, score trends, and downloadable compliance PDFs. The CLI supports on-demand scans with structured output, and the GitHub Action can gate CI/CD when scores fall below a defined threshold. The MCP server enables API scanning from AI-assisted development environments, and the API client supports custom automation. Continuous monitoring tiers add scheduled rescans, diff detection, email alerts, signed webhooks, and Slack or Teams notifications.
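Two things a team wiring this into its own workflow will want to get right: verifying the signed webhooks before acting on them, and reproducing the diff detection that the continuous monitoring tiers (and the FAQ below) describe. The following is an added example written for this page; it is not the scanner's SDK. The header names, the sha256=<hex> signature format, the "<timestamp>.<body>" signed string, the 300-second replay window, and the finding fields used as a fingerprint are all assumptions, because the page does not document the wire format.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed wire format (the page says only that webhooks are signed):
#   X-Webhook-Timestamp: <unix seconds>
#   X-Webhook-Signature: sha256=<hex HMAC-SHA256 over "<timestamp>.<raw body>">
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
TOLERANCE_SECONDS = 300


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side, included only so the receiver can be exercised offline."""
    mac = hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason).

    Verify over the raw bytes exactly as received; re-serialising the JSON first
    changes whitespace and key order and the MAC no longer matches. The timestamp
    is bound into the MAC and checked against a window, so a captured delivery
    cannot be replayed later to fake a "resolved" or "passed" event.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    provided = lower.get(SIG_HEADER.lower())
    ts_text = lower.get(TS_HEADER.lower())
    if provided is None or ts_text is None:
        return False, "missing signature or timestamp header"
    try:
        timestamp = int(ts_text)
    except ValueError:
        return False, "timestamp is not an integer"
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, timestamp, body)
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        return False, "signature mismatch"
    return True, "ok"


def diff_findings(previous: Iterable[dict], current: Iterable[dict]) -> Dict[str, List[str]]:
    """Diff detection over two scans' findings keyed by a stable fingerprint.

    The fingerprint is (category, method, path) rather than the finding's free
    text, so a reworded description does not show up as a new finding.
    """
    def key(f: dict) -> str:
        return "%s|%s|%s" % (f["category"], f["method"], f["path"])
    before = {key(f) for f in previous}
    after = {key(f) for f in current}
    return {"new": sorted(after - before), "resolved": sorted(before - after)}


def handle_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   previous_findings: List[dict], now: Optional[int] = None) -> dict:
    """Reject unless the signature checks out, then diff the delivered findings."""
    accepted, reason = verify(secret, headers, body, now)
    if not accepted:
        return {"accepted": False, "reason": reason}
    event = json.loads(body.decode("utf-8"))  # parse only after verification
    return {"accepted": True, "score": event.get("score"),
            "diff": diff_findings(previous_findings, event.get("findings", []))}


if __name__ == "__main__":
    # Constructed delivery: the payload shape is illustrative, not the scanner's schema.
    secret = b"constructed-shared-secret"
    ts = int(time.time())
    body = json.dumps({"event": "scan.completed", "score": 72, "findings": [
        {"category": "bola", "method": "GET", "path": "/users/{id}"},
        {"category": "ssrf", "method": "POST", "path": "/fetch"},
    ]}).encode()
    headers = {TS_HEADER: str(ts), SIG_HEADER: sign(secret, ts, body)}
    previous = [{"category": "bola", "method": "GET", "path": "/users/{id}"},
                {"category": "rate_limiting", "method": "POST", "path": "/login"}]
    print(handle_webhook(secret, headers, body, previous))
    print(handle_webhook(secret, headers, body + b" ", previous))  # tampered body
```

The resulting "new" and "resolved" lists are the timeline evidence an auditor asks for: when a finding appeared, when it disappeared, and that the events were authentic.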

Pricing, data handling, and fit for SOC 2 questionnaires

Free tier allows 3 scans per month with CLI access, while Starter adds 15 APIs, dashboard access, email alerts, and MCP Server. Pro includes continuous monitoring, GitHub Action gates, compliance reports, and signed webhooks. Enterprise offers unlimited APIs, custom rules, SSO, audit logs, SLAs, and dedicated support. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold or used for model training. Because the tool surfaces technical findings and control-related evidence, it helps you prepare sections of SOC 2 questionnaires that involve API security, but it does not audit or certify organizational controls.

Frequently Asked Questions

Can this scanner replace a human auditor for SOC 2?
No. The tool detects and reports API risks to support audit evidence, but it does not assess process maturity or replace a human auditor.
Does authenticated scanning store my credentials?
Credentials are used only during the scan to access protected endpoints and are not retained beyond the scan session.
How does continuous monitoring help with SOC 2 evidence?
Scheduled rescans and diff detection highlight new findings and resolved items over time, providing a timeline of security posture changes relevant to control monitoring.
Can the scanner validate business logic vulnerabilities?
No. Business logic validation requires domain context and human expertise; this tool focuses on technical misconfigurations and observable behavior.