Alternatives to 42Crunch for LLM agent tool exposure audit

LLM agent workflows that call external tools expand the attack surface beyond traditional API endpoints. Tool exposure audits must validate that agents cannot be coerced into invoking internal services, bypassing authorization, or exfiltrating data through indirect channels. These audits focus on prompt paths, tool definitions, and runtime behavior rather than source code, making them suitable for black-box assessment.

An effective audit maps which endpoints, file systems, or network services are reachable via agent tooling, and whether safeguards prevent unintended operations. Because agents can encode payloads, the scanner must probe encoding variants such as base64 and ROT13, as well as multi-turn strategies that chain tool usage across conversational turns.

middleBrick scans API surfaces used by LLM agents to discover and grade exposure of tools, callbacks, and execution pathways. The engine runs 18 adversarial probes across three scan tiers: Quick, Standard, and Deep. These probes test for system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, and indirect prompt injection, including token smuggling and nested instruction injection.

The scanner also exercises unsafe consumption patterns such as excessive third-party URLs and webhook/callback surfaces, and it checks inventory management issues like missing versioning and legacy path patterns. All findings are mapped to OWASP API Top 10 (2023) to provide a familiar risk framework.

middlebrick scan https://api.example.com --tier deep --output json

middleBrick operates as a black-box scanner with no agents, SDKs, or code access, making it applicable to any language, framework, or cloud environment. It uses read-only methods (GET and HEAD) and text-only POST for LLM probes, ensuring no destructive payloads are sent.

Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers, and customer data is deletable on demand and never retained for model training. This approach supports compliance evidence collection for frameworks such as SOC 2 Type II without claiming certification.

OpenAPI 3.0, 3.1, and Swagger 2.0 specifications are parsed with recursive $ref resolution, allowing cross-reference between defined security schemes and runtime behavior. The scanner highlights undefined security schemes, sensitive field exposure, deprecated operations, and missing pagination.

For endpoints that require authentication, middleBrick supports Bearer tokens, API keys, Basic auth, and cookies at the Starter tier and above. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can submit credentials for scanning.

When credentials are provided, only a strict header allowlist is forwarded: Authorization, X-API-Key, Cookie, and X-Custom-* headers. This restriction minimizes risk while still enabling realistic authenticated probe scenarios, including role and privilege escalation checks.

The Web Dashboard provides scan results, score trends, and branded compliance PDFs aligned with PCI-DSS 4.0 and SOC 2 Type II. The CLI allows on-demand scans with JSON or text output, and the GitHub Action can gate CI/CD pipelines when scores drop below a configured threshold.

For ongoing monitoring, Pro tier subscriptions offer scheduled rescans, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks with auto-disable after five consecutive failures. The MCP Server enables scanning from AI coding assistants such as Claude and Cursor, while the API client supports custom integrations.

Remediation guidance is supplied with each finding, but the tool does not fix, patch, block, or remediate issues. Business logic vulnerabilities require human review aligned with the specific domain context.