42Crunch for VP of Engineering
What middleBrick covers
- Black-box API scanning with under-one-minute turnaround
- 12 OWASP API categories including authentication and LLM security
- OpenAPI 3.x and Swagger 2.0 parsing with recursive reference resolution
- Authenticated scanning with strict header allowlist and domain verification
- CI/CD integration via GitHub Action and programmatic API access
- Continuous monitoring with diff detection and HMAC-SHA256 webhooks
Overview and workflow for engineering leadership
As a VP of engineering, you need a security signal that fits into existing toolchains without forcing developers to change languages, frameworks, or deployment environments. middleBrick is a self-service API security scanner that you can introduce as a lightweight gate. Provide a URL and receive a letter grade from A to F along with a prioritized list of findings. The scan completes in under a minute, uses only read-only methods such as GET and HEAD, and requires no agents, SDKs, or code instrumentation.
The workflow is straightforward. Submit the public or authenticated surface, review the dashboard or export the results, and track score trends over time. For teams that automate checks, the CLI and CI/CD integrations allow scans to run on demand or on schedule. Because the scanner operates without persistent access to your code, it avoids long-term operational overhead while still surfacing misconfigurations that commonly lead to insecure exposure.
Detection coverage aligned to industry standards
middleBrick maps findings directly to three frameworks relevant to executive reporting: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection focuses on the API layer, where many organizations lack visibility.
- Authentication issues such as JWT misconfigurations, alg=none, missing claims, and security header problems.
- BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing.
- BFLA and privilege escalation through admin endpoint probing and role leakage.
- Property authorization problems including over-exposure and mass-assignment surface.
- Input validation gaps like CORS wildcards, dangerous HTTP methods, and debug endpoints.
- Rate limiting and resource consumption signals such as missing rate-limit headers and oversized responses.
- Data exposure including PII patterns, API key leakage, and error/stack-trace disclosure.
- Encryption misconfigurations such as missing HSTS or mixed content.
- SSRF indicators involving URL-accepting parameters and internal IP probing.
- Inventory management issues like missing versioning and server fingerprinting.
- Unsafe consumption surface from excessive third-party URLs and webhook endpoints.
- LLM and AI security probes spanning multiple tiers, including prompt injection, data exfiltration attempts, and token smuggling.
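To make the first category concrete, here is an added example (not middleBrick's own code) of the kind of passive check a scanner can run on a JWT it observes in a response: decode the header and claims without verifying the signature, and flag `alg=none`, an empty signature segment, missing standard claims, and expiry problems. The required-claim set, the finding codes, the 24-hour "long-lived" threshold and the sample tokens are all assumptions constructed for this example.

```python
import base64
import json
import time
from typing import List, Optional

# Claims a well-formed access token is expected to carry (assumption for this example).
REQUIRED_CLAIMS = ("iss", "sub", "exp")
# Tokens valid for longer than this are reported as long-lived (assumption: 24 hours).
MAX_LIFETIME_SECONDS = 86400


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment (used only to build samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_jwt(token: str, now: Optional[float] = None) -> List[str]:
    """Return finding codes for a JWT based on its header and claims alone.

    No signature verification is attempted; this is a passive misconfiguration
    check of the kind a black-box scanner performs on tokens it sees.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["MALFORMED_TOKEN"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["MALFORMED_TOKEN"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["MALFORMED_TOKEN"]

    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        findings.append("ALG_NONE")          # token carries no integrity protection
    elif parts[2] == "":
        findings.append("EMPTY_SIGNATURE")   # claims an algorithm but has no signature
    for claim in REQUIRED_CLAIMS:
        if claim not in claims:
            findings.append(f"MISSING_CLAIM:{claim}")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)):
        if exp < now:
            findings.append("EXPIRED")
        elif exp - now > MAX_LIFETIME_SECONDS:
            findings.append("LONG_LIVED")
    return findings


# Constructed sample tokens. The signature segment of the signed samples is a
# placeholder string, not a real HMAC; inspect_jwt never checks it.
NOW = 1_700_000_000
SAMPLE_TOKENS = {
    "unsigned": _b64url_encode({"alg": "none", "typ": "JWT"})
                + "." + _b64url_encode({"sub": "user-1"}) + ".",
    "sound": _b64url_encode({"alg": "HS256", "typ": "JWT"})
             + "." + _b64url_encode({"iss": "https://auth.example", "sub": "user-1", "exp": NOW + 3000})
             + ".placeholder-signature",
    "long_lived": _b64url_encode({"alg": "RS256", "typ": "JWT"})
                  + "." + _b64url_encode({"iss": "https://auth.example", "sub": "user-1", "exp": NOW + 30 * 86400})
                  + ".placeholder-signature",
}

if __name__ == "__main__":
    for name, token in SAMPLE_TOKENS.items():
        print(f"{name}: {inspect_jwt(token, now=NOW)}")
```

Run against the constructed samples, the unsigned token reports `ALG_NONE` plus the missing `iss` and `exp` claims, the sound token reports nothing, and the 30-day token reports `LONG_LIVED`.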
Authenticated scanning and access controls
For environments that require authenticated checks, middleBrick supports Bearer tokens, API keys, Basic auth, and cookies. Access is gated by domain verification, ensuring that only the domain owner can run scans with credentials. The scanner forwards a strict allowlist of headers, including Authorization, X-API-Key, Cookie, and X-Custom-* headers, which limits the blast radius of credential use.
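The strict header allowlist described above is an allowlist, not a denylist: anything not explicitly named (or matching the `X-Custom-*` prefix) is dropped before the request leaves the scanner. The following is an added illustration of that pattern (not middleBrick's implementation); the allowlist entries are the four named on the page, while the case-insensitive matching, the CR/LF guard against header injection, and the sample header set are assumptions constructed for this example.

```python
from typing import Dict, List, Tuple

# Header names forwarded verbatim, compared case-insensitively (names from the page).
EXACT_ALLOWED = frozenset({"authorization", "x-api-key", "cookie"})
# Prefix patterns forwarded: "X-Custom-*" on the page; a bare "X-Custom-" does not qualify.
PREFIX_ALLOWED = ("x-custom-",)


def is_forwardable(name: str) -> bool:
    """Allowlist decision on the header name alone."""
    key = name.strip().lower()
    if key in EXACT_ALLOWED:
        return True
    return any(key.startswith(p) and len(key) > len(p) for p in PREFIX_ALLOWED)


def filter_forwarded_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split user-supplied headers into (forwarded, dropped).

    A header is dropped when its name is not on the allowlist or when its value
    contains CR/LF, which could otherwise smuggle extra header lines into the
    outbound request (assumption: the scanner rejects rather than sanitizes).
    """
    forwarded: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        if is_forwardable(name) and "\r" not in value and "\n" not in value:
            forwarded[name] = value  # original casing preserved
        else:
            dropped.append(name)
    return forwarded, sorted(dropped)


# Constructed example of what a user might submit alongside a scan target.
SUBMITTED_HEADERS = {
    "Authorization": "Bearer <redacted-token>",
    "X-API-Key": "placeholder-key",
    "X-Custom-Tenant": "acme",
    "X-Custom-": "prefix only, should not match",
    "Cookie": "session=placeholder",
    "Host": "internal.example",          # not forwardable: would enable host-header tampering
    "X-Forwarded-For": "10.0.0.1",       # not forwardable: spoofs client origin
    "X-Custom-Trace": "ok\r\nInjected: 1",  # forwardable name, rejected for CR/LF in value
}

if __name__ == "__main__":
    fwd, drop = filter_forwarded_headers(SUBMITTED_HEADERS)
    print("forwarded:", sorted(fwd))
    print("dropped:", drop)
```

With the constructed input, only `Authorization`, `X-API-Key`, `X-Custom-Tenant` and `Cookie` are forwarded; `Host`, `X-Forwarded-For`, the bare `X-Custom-` and the CR/LF-bearing `X-Custom-Trace` are dropped.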
OpenAPI specifications are parsed in full, including recursive $ref resolution for OpenAPI 3.0, 3.1, and Swagger 2.0. The scanner cross-references the spec against runtime behavior, highlighting undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This combination helps you validate controls without requiring intrusive testing that could disrupt production services.
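Two of the spec-side checks named above can be shown with a small amount of code: resolving local `$ref` pointers recursively (with a guard so self-referencing schemas terminate) and flagging operations whose `security` requirements name a scheme that is never defined. This is an added example, not middleBrick's parser; it handles only document-local `#/...` references, reads Swagger 2.0's `securityDefinitions` as well as OpenAPI's `components.securitySchemes`, and the sample spec is constructed.

```python
from typing import Any, FrozenSet, List

HTTP_METHODS = ("get", "post", "put", "patch", "delete", "head", "options")


def lookup_pointer(doc: Any, pointer: str) -> Any:
    """Follow a JSON Pointer such as '#/components/schemas/User' inside doc."""
    if not pointer.startswith("#/"):
        raise ValueError(f"only local references are supported: {pointer}")
    node = doc
    for token in pointer[2:].split("/"):
        token = token.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescaping
        node = node[token]
    return node


def resolve_refs(doc: Any, node: Any = None, seen: FrozenSet[str] = frozenset()) -> Any:
    """Return a copy of node with every local $ref inlined.

    `seen` holds the references on the current resolution path; meeting one of
    them again means the schema is recursive, so a marker is left in place
    instead of expanding forever.
    """
    if node is None:
        node = doc
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$ref": ref, "x-circular": True}
            return resolve_refs(doc, lookup_pointer(doc, ref), seen | {ref})
        return {k: resolve_refs(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, seen) for v in node]
    return node


def undefined_security_schemes(doc: dict) -> List[str]:
    """Report operations that are public or reference a security scheme that is not defined."""
    defined = set(doc.get("components", {}).get("securitySchemes", {}))
    defined |= set(doc.get("securityDefinitions", {}))  # Swagger 2.0 location
    problems = []
    for path, ops in doc.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() not in HTTP_METHODS:
                continue
            # An operation-level `security` (even an empty list) overrides the global one.
            requirements = op.get("security", doc.get("security", []))
            if not requirements:
                problems.append(f"{method.upper()} {path}: no security requirement")
            for requirement in requirements:
                for scheme in requirement:
                    if scheme not in defined:
                        problems.append(f"{method.upper()} {path}: undefined scheme '{scheme}'")
    return problems


# Constructed sample: a self-referencing User schema and one operation that
# names an 'adminKey' scheme nobody defined.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "manager": {"$ref": "#/components/schemas/User"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/admin/export": {"get": {"security": [{"adminKey": []}],
                                  "responses": {"200": {"description": "ok"}}}},
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    resolved = resolve_refs(SAMPLE_SPEC)
    print(resolved["paths"]["/users"]["get"]["responses"]["200"]["content"]["application/json"]["schema"])
    for problem in undefined_security_schemes(SAMPLE_SPEC):
        print(problem)
```

On the constructed spec the `/users` response schema resolves to an array of `User` objects whose `manager` property is marked `x-circular` instead of recursing, and the security check reports the undefined `adminKey` scheme on `/admin/export` and the public `/health` endpoint.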
Operational tooling and integration options
The platform offers multiple interfaces to fit team preferences. The Web Dashboard centralizes scans, report viewing, score history, and the ability to download branded compliance PDFs. The CLI, distributed as an npm package, supports a simple command such as middlebrick scan <url> with JSON or text output for scripting. A GitHub Action allows scans to run in CI/CD pipelines and can fail the build when the score drops below a defined threshold.
For AI-assisted development, an MCP Server enables scanning from coding assistants such as Claude or Cursor. An API client is available for custom integrations, giving you programmatic access to results so you can embed security checks into existing workflows and dashboards.
Continuous monitoring and data governance
Pro tier deployments enable scheduled rescans at intervals of six hours, daily, weekly, or monthly. Each new scan is compared against prior results to surface new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and webhooks are HMAC-SHA256 signed, with automatic disabling after five consecutive failures to reduce noise.
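On the receiving side of the monitoring webhooks, the two things worth getting right are verifying the HMAC-SHA256 signature before trusting the body and computing the same kind of diff (new findings, resolved findings, score drift) for your own dashboards. The code below is an added example, not middleBrick's client library: the signature header name, the exact bytes that are signed, the payload layout and the stable finding identifiers are all assumptions, and the secret, scan payloads and signature are constructed here. Check middleBrick's webhook documentation for the real header and signed-content definition before deploying a verifier.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Assumption: the signature is hex-encoded HMAC-SHA256 over the raw request body,
# optionally prefixed with "sha256=". The real header name is not on the page;
# treat X-Signature-Placeholder as a stand-in.
SIGNATURE_HEADER = "X-Signature-Placeholder"


def verify_webhook(secret: bytes, body: bytes, signature: str) -> bool:
    """Constant-time check of the body's HMAC-SHA256 against the presented signature."""
    presented = signature.strip().lower()
    if presented.startswith("sha256="):
        presented = presented[len("sha256="):]
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)


def diff_scans(previous: dict, current: dict) -> dict:
    """Compare two scan results keyed by a stable finding id (assumed layout)."""
    prev_ids = {f["id"] for f in previous["findings"]}
    curr_ids = {f["id"] for f in current["findings"]}
    return {
        "new": sorted(curr_ids - prev_ids),
        "resolved": sorted(prev_ids - curr_ids),
        "score_drift": current["score"] - previous["score"],
    }


def handle_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   previous: dict) -> Optional[dict]:
    """Verify first, parse second: an unauthenticated body is never parsed."""
    signature = headers.get(SIGNATURE_HEADER, "")
    if not verify_webhook(secret, body, signature):
        return None
    return diff_scans(previous, json.loads(body))


# Constructed fixtures: a previous scan, a new scan, and a correctly signed delivery.
SECRET = b"constructed-webhook-secret"
PREVIOUS_SCAN = {"score": 82, "grade": "B", "findings": [
    {"id": "API2:/users/{id}:sequential-id"},
    {"id": "API8:hsts-missing"},
]}
CURRENT_SCAN = {"score": 74, "grade": "C", "findings": [
    {"id": "API2:/users/{id}:sequential-id"},
    {"id": "API7:/import:url-parameter"},
]}
BODY = json.dumps(CURRENT_SCAN, separators=(",", ":"), sort_keys=True).encode()
GOOD_HEADERS = {SIGNATURE_HEADER: "sha256=" + hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()}

if __name__ == "__main__":
    print(handle_webhook(SECRET, GOOD_HEADERS, BODY, PREVIOUS_SCAN))
    # A single changed byte in the body invalidates the signature.
    print(handle_webhook(SECRET, GOOD_HEADERS, BODY.replace(b"74", b"94"), PREVIOUS_SCAN))
```

With the constructed fixtures the handler reports one new finding, one resolved finding and a score drift of -8; a tampered body or a wrong signature yields `None` and the payload is never parsed. Using `hmac.compare_digest` rather than `==` keeps the comparison time independent of how many leading bytes match.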
Customer data is handled with strict governance. Scan data is deletable on demand and purged within 30 days of cancellation. The platform does not sell data, nor does it use customer scan data for model training. These controls help you maintain accountability while using automated scanning as part of a broader security program.