Alternatives to 42Crunch for NIS2 directive readiness
What middleBrick covers
- Black-box API scanning with risk grades A to F
- 12 categories aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
- Authenticated scanning with strict header allowlist
- LLM adversarial probe testing across multiple tiers
- CI/CD integration via GitHub Action and MCP server
Scope aligned to NIS2 API risk reduction
NIS2 emphasizes risk management and measurable control effectiveness for digital services. This tool supports that posture by detecting issues commonly introduced in public and partner APIs. It focuses on authentication weaknesses, authorization flaws, data exposure, injection surfaces, and security misconfigurations that can degrade availability or confidentiality.
Detection coverage mapped to frameworks
Findings map directly to OWASP API Top 10 (2023) and align with security controls described in PCI-DSS 4.0 and SOC 2 Type II. Detection coverage includes authentication bypass, broken object level authorization, excessive data exposure, insecure direct object references, CORS misconfiguration, unsafe methods, rate limit weaknesses, sensitive data leakage, missing encryption, SSRF indicators, inventory issues, and unsafe consumption patterns. LLM-specific probes cover prompt injection, jailbreak techniques, and data exfiltration scenarios across multiple scan tiers.
Scan methodology and constraints
The scanner performs black-box testing using read-only methods (GET and HEAD) plus text-only POST for LLM probes. It does not modify state or send destructive payloads. Analysis is performed against OpenAPI 3.0, 3.1, and Swagger 2.0 specs with recursive $ref resolution, cross-referenced against runtime behavior. Limitations include no active SQL injection or command injection testing, no business logic validation, and no blind SSRF detection. Results include a risk grade from A to F with prioritized remediation guidance.
Authenticated scanning and safe operations
Authenticated scanning supports Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced via DNS TXT record or HTTP well-known file to ensure only domain owners can scan with credentials. A strict header allowlist is applied, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Scan data is deletable on demand and retained for no longer than necessary.
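The header allowlist and the private-IP, localhost and cloud-metadata blocking described above, as an added Python example that is not middleBrick's own code; the injectable resolver and the sample hosts are assumptions so it runs offline:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Credential headers forwarded to the target: exact names plus any header
# whose name starts with "X-Custom-". Names are compared case-insensitively.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIX = "x-custom-"

# Cloud metadata endpoints that a scan must never reach (constructed list).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}


def filter_headers(headers: dict) -> dict:
    """Return only the allowlisted headers; everything else is dropped."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ALLOWED_HEADERS or lname.startswith(ALLOWED_PREFIX):
            kept[name] = value
    return kept


def is_blocked_address(ip: str) -> bool:
    """True for private, loopback, link-local, reserved and metadata addresses."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_unspecified or ip in METADATA_HOSTS)


def target_allowed(url: str, resolve=socket.gethostbyname) -> bool:
    """Check a scan target before any request is sent.

    Layer 1: reject non-http(s) schemes and blocked hostnames by name.
    Layer 2: resolve the host (resolver is injectable for offline tests) and
    reject it if the resolved address is in a blocked range, which also
    catches DNS names that point at 127.0.0.1 or a private network.
    """
    parts = urlsplit(url)
    host = parts.hostname  # IPv6 literals come back without brackets
    if parts.scheme not in ("http", "https") or not host:
        return False
    if host.lower() in METADATA_HOSTS or host.lower() == "localhost":
        return False
    try:
        ipaddress.ip_address(host)  # URL already carries an IP literal
        resolved = host
    except ValueError:
        try:
            resolved = resolve(host)
        except OSError:  # unresolvable names are rejected, not retried
            return False
    return not is_blocked_address(resolved)
```

A production scanner would re-check the address on every redirect hop, since a public host can redirect to a private one.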
Deployment options and continuous monitoring
The scanner is available as a web dashboard for managing scans and reviewing reports, a CLI for local runs, a GitHub Action for CI/CD gating, and an MCP server for integration with AI coding assistants. The Pro tier adds scheduled rescans, diff-based detection of new or resolved findings, email alerts, HMAC-SHA256 signed webhooks, and compliance report downloads. These features help you produce audit evidence and align with the security controls expected under the relevant regulatory frameworks.