Akto review

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Risk score A–F with prioritized findings
  • 12 detection categories aligned to the OWASP API Top 10 (2023), plus 18 AI adversarial probes
  • OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning with header allowlist and domain gate
  • Web dashboard, CLI, GitHub Action, and MCP Server integrations

Overview and positioning

middleBrick is a self-service API security scanner designed for teams that want to assess public endpoints without exposing internal tooling. You submit a URL and receive a risk score from A to F along with prioritized findings. The scanner operates in black-box mode, requiring no agents, SDKs, or code access, and supports any language, framework, or cloud target. Scan execution completes in under a minute, using read-only methods such as GET and HEAD, with text-only POST allowed for LLM probe checks. This approach suits environments where intrusive testing is restricted or where quick feedback is preferred over deep exploit validation.

Detection coverage and methodology

The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), covering both traditional security issues and AI-specific probe surfaces. Detection capabilities include authentication bypass attempts, JWT misconfigurations such as alg=none or expired tokens, security header misconfigurations, BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation indicators, over-exposed properties and mass-assignment risks, input validation checks like CORS wildcard usage and dangerous HTTP methods, rate-limiting header visibility, and data exposure patterns including email, Luhn-validated card numbers, SSN-like context, and API key formats for AWS, Stripe, GitHub, and Slack. Error and stack-trace leakage, HTTPS redirect issues, HSTS presence, cookie flags, mixed content, SSRF indicators involving internal IP probing, and inventory management concerns such as missing versioning are also evaluated.

For AI workloads, the tool runs 18 adversarial probes across Quick, Standard, and Deep scan tiers, testing system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool-abuse patterns, nested instruction injection, and PII extraction.

OpenAPI analysis and authenticated scanning

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents, resolving recursive $ref structures and cross-referencing spec definitions against runtime observations. This comparison highlights undefined security schemes, unexpected sensitive fields, deprecated operations, and missing pagination controls. Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic auth, and cookies. Before credentials are accepted, a domain verification gate using DNS TXT records or an HTTP well-known file ensures that only the domain owner can run authenticated scans. The scanner forwards a restricted set of headers, specifically Authorization, X-API-Key, Cookie, and X-Custom-* headers, limiting exposure of sensitive tokens during testing.
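The two guardrails described above, the header allowlist and the domain gate, as an added illustration that is not middleBrick's own code. Exact-host matching and the shape of the verified-domain set are assumptions; the page does not say whether verifying a domain also covers its subdomains.

```python
"""Header allowlist and domain gate for authenticated scans (added example)."""
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlparse

# Forwarding rule from the page: Authorization, X-API-Key, Cookie and X-Custom-*
EXACT_ALLOW = {"authorization", "x-api-key", "cookie"}
PREFIX_ALLOW = ("x-custom-",)


def filter_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split user-supplied headers into (forwarded, dropped).

    Header names are case-insensitive, so matching uses the lower-cased
    name while the caller's original spelling is preserved.
    """
    forwarded: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        lname = name.strip().lower()
        if lname in EXACT_ALLOW or lname.startswith(PREFIX_ALLOW):
            forwarded[name] = value
        else:
            dropped.append(name)
    return forwarded, dropped


def credentials_allowed(target_url: str, verified_domains: Iterable[str]) -> bool:
    """Domain gate (assumed exact-host rule): credentials go only to a verified host.

    A lookalike such as api.example.com.evil.test must not pass, so the
    parsed hostname is compared exactly rather than by prefix or suffix.
    """
    host = urlparse(target_url).hostname
    if not host:
        return False
    return host.lower() in {d.lower() for d in verified_domains}


# Constructed sample input: a header set a user might supply for an authenticated scan
SAMPLE_HEADERS = {
    "Authorization": "Bearer constructed-token",
    "X-Custom-Tenant": "acme",
    "X-Forwarded-For": "203.0.113.7",   # not in the allowlist, so dropped
    "cookie": "session=constructed",
}
```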

Product usability, integrations, and monitoring

Results are accessed through a web dashboard that displays scans, report views, and score trend lines, and allows branded compliance PDF downloads. The CLI, distributed as an npm package named middlebrick, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available for CI/CD gating, failing builds when the score drops below a defined threshold. An MCP Server enables scanning from AI coding assistants including Claude and Cursor. Programmatic access is provided via an API client for custom integrations. Continuous monitoring in the Pro tier includes scheduled rescans every six hours, daily, weekly, or monthly, diff detection across scans to highlight new or resolved findings, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.
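Signed-webhook handling as described above, written as an added example rather than middleBrick's own code: the receiver verifies the HMAC-SHA256 signature and the sender disables an endpoint after five consecutive delivery failures. The header names X-Signature and X-Timestamp, the signed-string layout "<timestamp>.<raw body>" and the 300 s replay window are assumptions, since the page does not specify the wire format.

```python
"""HMAC-SHA256 webhook verification and failure-based auto-disable (added example)."""
import hashlib
import hmac


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" (assumed layout)."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now: int,
           tolerance: int = 300) -> bool:
    """Receiver check: signature over the raw body must match and be fresh."""
    ts, sig = headers.get("X-Timestamp"), headers.get("X-Signature")
    if ts is None or sig is None or not ts.isdigit():
        return False
    if abs(now - int(ts)) > tolerance:      # stale or replayed delivery
        return False
    # compare_digest is constant-time, so a wrong signature leaks no timing signal
    return hmac.compare_digest(sign(secret, int(ts), body), sig)


class WebhookEndpoint:
    """Sender-side state: disable after MAX_FAILURES consecutive failures."""
    MAX_FAILURES = 5

    def __init__(self, url: str):
        self.url, self.failures, self.enabled = url, 0, True

    def record_delivery(self, ok: bool) -> bool:
        """Update the failure streak (a success resets it); return enabled state."""
        if not self.enabled:
            return False
        self.failures = 0 if ok else self.failures + 1
        if self.failures >= self.MAX_FAILURES:
            self.enabled = False
        return self.enabled


# Constructed sample delivery: a shared secret and a scan-alert body
SECRET = b"constructed-shared-secret"
BODY = b'{"api":"https://api.example.com","score":"B","new_findings":2}'
```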

Compliance mapping and limitations

middleBrick maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), using language that indicates alignment or support for audit evidence rather than certification. For frameworks outside this set, the tool helps you prepare for and aligns with security controls described in relevant standards, while avoiding claims of certification or guaranteed compliance with HIPAA, GDPR, ISO 27001, NIST, CIS, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, FERPA, or similar regulations. As a scanner, middleBrick does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not execute active SQL injection or command injection tests, which require intrusive payloads outside its scope, and it does not identify business logic vulnerabilities that demand domain-specific human analysis. Blind SSRF detection is also out of scope due to the absence of out-of-band infrastructure probes.

Pricing tiers and data safety

The Free tier provides three scans per month with CLI access. The Starter tier at 99 dollars per month supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. The Pro tier at 499 dollars per month covers 100 APIs, with additional APIs billed at 7 dollars each, and adds continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. Enterprise plans start at 2000 dollars per month for unlimited APIs, custom rules, SSO, audit logs, SLAs, and dedicated support. Safety measures include read-only testing methods, blocking of destructive payloads, filtering of private IPs, localhost, and cloud metadata endpoints at multiple layers, and a clear data policy where customer scan data is deletable on demand, purged within 30 days of cancellation, never sold, and never used for model training.

Frequently Asked Questions

What standards does middleBrick map findings to?
The scanner maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it helps you prepare for and aligns with security controls described in those standards.

Can I run authenticated scans with middleBrick?
Yes, authenticated scanning is available from the Starter tier and above, supporting Bearer, API key, Basic auth, and cookies, with domain verification to ensure only the domain owner can scan with credentials.

Does middleBrick perform active exploitation such as SQL injection?
No. The scanner uses read-only methods and does not perform active SQL injection, command injection, or other intrusive exploit testing.

What happens to my scan data after I cancel?
Customer scan data is deletable on demand and is purged within 30 days of cancellation. The data is never sold and is not used for model training.

How are continuous monitoring and alerts configured?
Pro tier enables scheduled rescans, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.