Alternatives to 42Crunch for DORA ICT risk evidence
What middleBrick covers
- Black-box API scanning with scan time under one minute
- Risk score A–F with prioritized findings
- 12 categories aligned to OWASP API Top 10 (2023)
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with header allowlist and domain verification
- Continuous monitoring with diff detection and webhook alerts
Purpose and scope for DORA ICT risk evidence
middleBrick is a self-service API security scanner designed to surface findings that support DORA ICT risk evidence. Submit a URL, receive a letter-grade risk score and prioritized findings. The scanner is black-box: no agents, no code access, and no SDK integration are required. It operates via read-only methods (GET and HEAD) and text-only POST for LLM probes, completing a scan in under a minute.
Detection aligned to major frameworks
middleBrick maps findings directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). These mappings let you use findings as audit evidence for common compliance expectations. It can also help you prepare for other security frameworks by aligning findings with the security controls those frameworks describe; it does not certify or guarantee any compliance outcome.
Detection covers 12 categories:
- Authentication bypasses
- JWT misconfigurations such as alg=none and expired tokens
- BOLA and IDOR via sequential ID enumeration
- BFLA and privilege escalation through admin endpoint probing
- Sensitive data exposure, including PII patterns and API key formats
- Input validation issues such as CORS wildcard usage
- Rate-limiting and oversized response detection
- Encryption checks, including HTTPS redirect and HSTS
- SSRF probes against URL-accepting parameters
- Inventory issues such as missing versioning
- Unsafe consumption surfaces
- LLM / AI security adversarial probes across Quick, Standard, and Deep scan tiers
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For deeper validation, authenticated scanning is available at Starter tier and above, supporting Bearer, API key, Basic auth, and Cookie credentials.
Authenticated scans require a domain verification gate, such as a DNS TXT record or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a restricted header allowlist limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers.
Continuous monitoring and integrations
Pro tier enables scheduled rescans at intervals of 6 hours, daily, weekly, or monthly, with diff detection across scans to surface new findings, resolved findings, and score drift. Alerts are delivered via email at a rate-limited frequency of 1 per hour per API, and HMAC-SHA256 signed webhooks auto-disable after 5 consecutive failures.
The scanner integrates with common workflows through a Web Dashboard for scanning and report management, a CLI via the middlebrick npm package using middlebrick scan <url> with JSON or text output, a GitHub Action that fails the build when the score drops below a threshold, an MCP Server for use with AI coding assistants such as Claude and Cursor, and a programmatic API client for custom integrations.
Limitations and safety posture
middleBrick is a scanning tool and does not fix, patch, block, or remediate. It does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, and does not detect blind SSRF due to the absence of out-of-band infrastructure. It is not a replacement for a human pentester in high-stakes audits.
The scanner follows a strict safety posture by using read-only methods only and blocking private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold and never used for model training.