Akto for DevSecOps engineers

What middleBrick covers

  • Black-box scanning without agents or code access
  • Risk scoring from A to F with prioritized findings
  • 12 security categories aligned to the OWASP API Top 10 (2023)
  • Authenticated scans with strict header allowlists
  • CI/CD integration via GitHub Action and MCP Server
  • Continuous monitoring with signed webhooks and alerts

Black-box security scanning for API-first workflows

middleBrick is a self-service API security scanner designed for environments where APIs are the primary product. Submit a target URL, receive a risk score from A to F, and review prioritized findings. The scanner operates as a black-box solution with no agents, no SDKs, and no access to source code. It supports any language, framework, or cloud stack and completes most scans in under one minute.

Detection aligned to industry standards and common frameworks

The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023), covering authentication bypass, authorization flaws, input validation, data exposure, SSRF, and LLM-specific risks. Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 controls, helping you prepare for audits and validate implemented controls.

Authenticated scanning and strict header controls

With Starter tier and above, you can configure authenticated scans using Bearer tokens, API keys, Basic auth, or cookies. Before credentials are accepted, you must prove ownership of the target domain with a DNS TXT record or an HTTP well-known file, so only domain owners can run authenticated scans. The scanner forwards only headers on a strict allowlist (Authorization, X-API-Key, Cookie, and X-Custom-*); any other header you supply is dropped, reducing unintended data exposure.
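The allowlist behaviour described above, as an added example that is not middleBrick's own code: the three exact names and the X-Custom-* wildcard follow the page, while the case-insensitive matching, the rejection of CR/LF in values (a header-injection guard), the duplicate check and the sample header set are assumptions made for illustration.

```python
# Added example (not middleBrick's own code): an outbound header allowlist of
# the kind the page describes. Allowlist entries follow the page; the CRLF
# and duplicate checks are added defensive measures.
from typing import Dict, List, Tuple

EXACT_ALLOW = {"authorization", "x-api-key", "cookie"}
PREFIX_ALLOW = ("x-custom-",)


def is_allowed_header(name: str) -> bool:
    """HTTP header names are case-insensitive, so compare in lowercase."""
    n = name.strip().lower()
    if n in EXACT_ALLOW:
        return True
    # A wildcard match needs a non-empty suffix: a bare "X-Custom-" is rejected.
    return any(n.startswith(p) and len(n) > len(p) for p in PREFIX_ALLOW)


def filter_headers(user_headers: Dict[str, str]) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return (headers to forward, [(dropped name, reason), ...])."""
    forwarded: Dict[str, str] = {}
    dropped: List[Tuple[str, str]] = []
    seen = set()
    for name, value in user_headers.items():
        key = name.strip().lower()
        if not is_allowed_header(name):
            dropped.append((name, "not on allowlist"))
        elif "\r" in value or "\n" in value:
            # A CR/LF inside a value would let a caller smuggle extra headers.
            dropped.append((name, "control characters in value"))
        elif key in seen:
            dropped.append((name, "duplicate header"))
        else:
            seen.add(key)
            forwarded[name] = value
    return forwarded, dropped


# Constructed sample input; token values are placeholders, not real credentials.
SAMPLE_HEADERS = {
    "Authorization": "Bearer placeholder-token",
    "AUTHORIZATION": "Bearer second-copy",          # duplicate by case-insensitive name
    "x-api-key": "placeholder-key",
    "X-Custom-Tenant": "acme",
    "X-Forwarded-For": "10.0.0.5",                  # not on the allowlist
    "X-Custom-": "empty-suffix",                    # wildcard needs a non-empty suffix
    "Cookie": "session=abc\r\nX-Injected: 1",       # header-injection attempt
}

if __name__ == "__main__":
    fwd, drop = filter_headers(SAMPLE_HEADERS)
    print("forwarded:", sorted(fwd))
    print("dropped:", drop)
```

Only the first three headers survive; the rest are reported with a reason so a CI log shows why a credential or custom header never reached the target.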

Developer-friendly integrations and continuous monitoring

The platform integrates into existing workflows through a Web Dashboard for reporting and score trends, a CLI with JSON and text output, a GitHub Action for CI/CD gates, and an MCP Server for AI coding assistants. Pro tier adds scheduled rescans, diff detection between scans, rate-limited email alerts, HMAC-SHA256 signed webhooks, and compliance report downloads.

Limitations and safety posture

middleBrick is a scanner and does not fix, patch, or remediate issues. It does not perform active SQL injection or command injection tests, does not detect business logic vulnerabilities, and does not replace a human pentester for high-stakes audits. Read-only methods are used during scans, destructive payloads are never sent, and private IPs, localhost, and cloud metadata endpoints are blocked. Customer scan data is deletable on demand and is never sold or used for model training.
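The target gate described above (private IPs, localhost and cloud metadata endpoints refused before any request is sent), as an added example that is not middleBrick's own code. The resolver is injected so the check runs offline against a constructed DNS table; the metadata hostnames, the DNS table and the example addresses are assumptions. A real deployment would pass a socket.getaddrinfo-backed resolver.

```python
# Added example (not middleBrick's own code): a pre-scan target gate that
# refuses loopback, link-local (including 169.254.169.254), private and other
# non-routable addresses, checking every resolved answer, not just the first.
import ipaddress
from typing import Callable, Dict, List, Tuple, Union
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Illustrative list of metadata/loopback hostnames (assumption, not exhaustive).
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}


def ip_reason(ip: Address) -> str:
    """Return why an address is blocked, or '' if it is routable and public."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (covers 169.254.169.254 metadata)"
    if ip.is_private:
        return "private range"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified or not ip.is_global:
        return "non-routable"
    return ""


def check_target(url: str, resolve: Resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Blocks before any connection is attempted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # userinfo and brackets already stripped
    if not host:
        return False, "no host"
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"blocked hostname {host}"
    try:
        addrs: List[Address] = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        if not addrs:
            return False, f"{host} did not resolve"
    # Every answer must pass; a public/private mixed answer set is a classic SSRF trick.
    for ip in addrs:
        reason = ip_reason(ip)
        if reason:
            return False, f"{host} -> {ip}: {reason}"
    return True, "ok"


# Constructed DNS table for offline use; these records are made up.
FAKE_DNS: Dict[str, List[str]] = {
    "api.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.20.30.40"],
    "split.example.com": ["93.184.216.34", "127.0.0.1"],
    "v6.example.com": ["::ffff:127.0.0.1"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower().rstrip("."), [])


if __name__ == "__main__":
    for url in (
        "https://api.example.com/v1/users",
        "http://intranet.example.com/",
        "http://169.254.169.254/latest/meta-data/",
        "http://metadata.google.internal/computeMetadata/v1/",
        "http://api.example.com@127.0.0.1/",
        "http://split.example.com/",
        "http://[::1]/",
        "file:///etc/passwd",
    ):
        print(url, "->", check_target(url, fake_resolve))
```

One caveat this gate does not cover: it validates the address at check time, so a DNS record that changes between the check and the connection (rebinding) still needs to be caught by pinning the resolved address when the HTTP client connects.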

Frequently Asked Questions

Which authentication methods are supported for authenticated scans?
Bearer tokens, API keys, Basic auth, and cookies. Domain ownership must be verified before credentials are accepted.
What standards do the findings map to?
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks there is no direct control mapping; findings carry alignment language so they can still be cited as audit evidence.
Does the scanner perform intrusive testing like SQL injection?
No. The scanner uses read-only methods and does not send destructive payloads. SQL injection and command injection testing are outside scope.
How are continuous monitoring alerts delivered?
Pro tier supports scheduled rescans, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.
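The signed-webhook delivery described in the integrations section and in this FAQ answer, as an added example that is not middleBrick's own code. HMAC-SHA256 signing and the five-consecutive-failure cutoff follow the page; the header names, the timestamp folded into the signed string, the five-minute replay window and the constructed receivers are assumptions.

```python
# Added example (not middleBrick's own code): HMAC-SHA256 webhook signing and
# verification, plus auto-disable after five consecutive delivery failures.
# Header names, the timestamp scheme and the replay window are assumptions.
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict

SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
MAX_CONSECUTIVE_FAILURES = 5
REPLAY_WINDOW_SECONDS = 300


def sign(secret: bytes, timestamp: int, body: bytes) -> Dict[str, str]:
    """Sign "<timestamp>.<body>" so the timestamp cannot be altered undetected."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return {TS_HEADER: str(timestamp), SIG_HEADER: "sha256=" + mac}


def verify(secret: bytes, headers: Dict[str, str], body: bytes, now: int) -> bool:
    """Receiver side: reject stale timestamps, then compare in constant time."""
    try:
        ts = int(headers[TS_HEADER])
        provided = headers[SIG_HEADER]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False
    expected = sign(secret, ts, body)[SIG_HEADER]
    return hmac.compare_digest(expected, provided)


@dataclass
class Endpoint:
    url: str
    secret: bytes
    consecutive_failures: int = 0
    disabled: bool = False


# A transport takes (url, headers, body) and returns an HTTP status code.
Transport = Callable[[str, Dict[str, str], bytes], int]


def deliver(ep: Endpoint, event: dict, now: int, transport: Transport) -> str:
    """Send one event; returns 'skipped', 'ok' or 'failed'."""
    if ep.disabled:
        return "skipped"
    # Canonical JSON so the bytes signed are exactly the bytes sent.
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    status = transport(ep.url, sign(ep.secret, now, body), body)
    if 200 <= status < 300:
        ep.consecutive_failures = 0  # any success resets the streak
        return "ok"
    ep.consecutive_failures += 1
    if ep.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
        ep.disabled = True
    return "failed"


# Constructed receivers standing in for the customer's endpoint.
def make_receiver(secret: bytes, now: int) -> Transport:
    def receive(url: str, headers: Dict[str, str], body: bytes) -> int:
        return 200 if verify(secret, headers, body, now) else 401
    return receive


def always_down(url: str, headers: Dict[str, str], body: bytes) -> int:
    return 503


if __name__ == "__main__":
    now = 1_700_000_000
    secret = b"shared-webhook-secret"  # placeholder
    ep = Endpoint("https://hooks.example.invalid/middlebrick", secret)
    print(deliver(ep, {"target": "api.example.com", "score": "B"}, now, make_receiver(secret, now)))
    for _ in range(6):
        print(deliver(ep, {"score": "B"}, now, always_down), ep.consecutive_failures, ep.disabled)
```

The receiver must verify with compare_digest rather than ==, and should check the timestamp before the MAC so that replayed deliveries are rejected even when the signature itself is valid.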