Akto for Security architects
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Risk scoring from A to F with prioritized findings
- Detection of 12 API security categories
- OpenAPI 3.x and Swagger 2.0 schema analysis
- Authenticated scanning with strict header allowlist
- Continuous monitoring with diff-based alerting
Black-box scanning for any API stack
middleBrick is a self-service API security scanner that operates without agents, SDKs, or access to source code. You submit a target URL and receive a risk score from A to F with prioritized findings. The scanner uses read-only methods (GET and HEAD) plus text-only POST requests for its LLM probes, and completes a scan in under a minute. Because it is black-box, it works with any language, framework, or cloud provider.
Detection aligned to OWASP API Top 10 and compliance mapping
The scanner covers 12 categories aligned to the OWASP API Top 10 (2023), including authentication bypass, JWT misconfigurations such as alg=none and HS256 handling, BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation attempts, and sensitive data exposure including PII patterns and API key formats. It maps findings to the OWASP API Top 10, supports audit evidence for SOC 2 Type II, and maps findings to PCI-DSS 4.0 controls. It also validates controls from other relevant standards where applicable.
Authenticated scanning and scope controls
Authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is required via DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. The scanner forwards a strict header allowlist limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers to minimize exposure.
OpenAPI analysis and continuous monitoring
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. With the Pro tier, continuous monitoring performs scheduled rescans every 6 hours, daily, weekly, or monthly. It detects diffs between scans, provides email alerts rate-limited to one per hour per API, and supports HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures.
Product integrations and pricing
Integration options include a Web Dashboard for scanning and tracking score trends with branded compliance PDFs, a CLI via the middlebrick npm package for JSON or text output, a GitHub Action that fails CI/CD builds when the score drops below a threshold, and an MCP Server for use with AI coding assistants. The API client enables custom integrations. Pricing tiers:
- Free: zero cost, 3 scans per month and CLI access
- Starter: 99 dollars per month for 15 APIs
- Pro: 499 dollars per month for 100 APIs, with continuous monitoring and CI/CD gates
- Enterprise: 2000 dollars per month for unlimited APIs and SSO
Limitations and safety posture
middleBrick is a scanner that detects and reports with remediation guidance; it does not fix, patch, block, or remediate. It does not perform active SQL injection or command injection, does not detect business logic vulnerabilities, and does not replace a human pentester for high-stakes audits. Safety measures include read-only methods only, blocking private IPs, localhost, and cloud metadata endpoints at multiple layers, and on-demand deletion of customer data within 30 days of cancellation. Scan data is never sold and is not used for model training.