42Crunch review
What middleBrick covers
- Black-box API scanning with no agents or SDKs required
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- Authenticated scanning and header allowlist controls
- CI/CD integration via GitHub Action and MCP Server
Overview and positioning
42Crunch is presented as a self-service API security scanner that accepts a URL and returns a risk grade from A to F along with prioritized findings. It operates as a black-box scanner, requiring no agents, SDKs, or code access, and works against any language, framework, or cloud. A scan completes in under one minute and uses read-only methods such as GET and HEAD, with limited text-only POST requests for the LLM probes. The tool focuses on detection rather than remediation, mapping findings to established security frameworks.
Detection coverage and OpenAPI analysis
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), covering authentication bypass, JWT misconfigurations, BOLA and IDOR, BFLA and privilege escalation, property authorization, input validation, rate limiting, data exposure, encryption issues, SSRF, inventory management, and unsafe consumption. It also includes 18 LLM/AI security probe tiers targeting jailbreaks, prompt injection, and data exfiltration. OpenAPI 3.0, 3.1, and Swagger 2.0 specs are parsed with recursive $ref resolution, enabling cross-referencing of defined security schemes against runtime behavior to identify undefined configurations and deprecated operations.
Authenticated scanning and deployment integrations
Authenticated scanning is available from the Starter tier onward and supports Bearer tokens, API keys, Basic authentication, and cookies. Domain verification via a DNS TXT record or an HTTP well-known file ensures that only domain owners can scan with credentials, and a strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*. Integrations include a web dashboard for reporting and trend tracking, a CLI distributed as an npm package, a GitHub Action for CI/CD gating, an MCP Server for AI coding assistants, and a programmable API for custom workflows. The Pro tier adds scheduled rescans, diff detection, email alerts, HMAC-SHA256 signed webhooks, and compliance report downloads.
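As an added illustration of the header allowlist described above (example code, not middleBrick's own implementation), the Python below forwards only the four listed header names and drops everything else with a reason; the function names and the sample configuration are constructed for this example.

```python
from typing import Dict, List, Tuple

# Allowlist as the review states it: three exact names and one prefix.
EXACT_ALLOW = {"authorization", "x-api-key", "cookie"}
PREFIX_ALLOW = "x-custom-"


def is_allowed_header(name: str) -> bool:
    """Header names are case-insensitive in HTTP, so compare in lowercase.
    X-Custom-* requires a non-empty suffix; a bare 'X-Custom-' is rejected."""
    lowered = name.strip().lower()
    if lowered in EXACT_ALLOW:
        return True
    return lowered.startswith(PREFIX_ALLOW) and len(lowered) > len(PREFIX_ALLOW)


def filter_forwarded_headers(configured: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split user-configured headers into those forwarded to the target and
    those dropped, with a reason per drop. Beyond the name check, a value
    containing CR or LF is dropped so that one configured header cannot be
    turned into several on the wire."""
    forwarded: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in configured.items():
        if not is_allowed_header(name):
            dropped.append(f"{name}: not on allowlist")
        elif "\r" in value or "\n" in value:
            dropped.append(f"{name}: value contains CR/LF")
        else:
            forwarded[name] = value
    return forwarded, dropped


# Constructed sample configuration (placeholders, not real credentials).
SAMPLE_CONFIG = {
    "Authorization": "Bearer <token-placeholder>",
    "x-api-key": "<api-key-placeholder>",
    "X-Custom-Tenant": "acme",
    "Host": "internal.example",            # not on allowlist
    "X-Forwarded-For": "127.0.0.1",        # not on allowlist
    "Cookie": "session=abc\r\nX-Injected: 1",  # multi-line value
}

if __name__ == "__main__":
    kept, rejected = filter_forwarded_headers(SAMPLE_CONFIG)
    print("forwarded:", sorted(kept))
    for reason in rejected:
        print("dropped:", reason)
```

Running the block forwards Authorization, x-api-key and X-Custom-Tenant and reports three drops, two for names outside the allowlist and one for the multi-line Cookie value.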
Safety posture and scope limitations
The scanner adopts a read-only posture, avoiding destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data can be deleted on demand and is purged within 30 days of cancellation, with no sale or use for model training. The tool does not fix, patch, or block issues, nor does it perform active SQL injection or command injection testing. Business logic vulnerabilities, blind SSRF, and certain infrastructure-based attacks are out of scope, and it does not replace a human pentester for high-stakes audits.
Compliance mapping and pricing
middleBrick maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), which helps with audit preparation and shows how findings align with controls described in other frameworks. Pricing includes a free tier with three scans per month and CLI access, Starter at 99 dollars per month for 15 APIs with dashboard and alerts, Pro at 499 dollars per month for 100 APIs with monitoring and CI/CD integration, and Enterprise at 2000 dollars per month for unlimited APIs, custom rules, and dedicated support.