Alternatives to Apigee at Mid-market companies
What middleBrick covers
- Black-box scanning without agents or SDK integration
- Risk scoring from A to F with prioritized findings
- 12 OWASP-aligned detection categories
- OpenAPI 3.x and Swagger 2.0 parsing with spec/runtime cross-check
- Authenticated scanning with strict header allowlist
- Continuous monitoring and diff detection across scans
Purpose and scope of API security scanning
This tool is a self-service API security scanner designed to surface risks quickly. Submit a URL and receive a risk score from A to F with prioritized findings. It performs black-box scanning only, using read-only methods such as GET and HEAD, plus text-only POST for LLM probes. Scan times remain under one minute, and no agents, SDKs, or code access are required. It works with any language, framework, or cloud target.
Detection coverage aligned to recognized standards
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023). Detection coverage by category:
- Authentication bypass and JWT misconfigurations: alg=none, HS256 usage, expired tokens, missing claims, and sensitive data in claims; security headers and WWW-Authenticate compliance are also checked.
- Broken Object Level Authorization (BOLA) and IDOR: sequential ID enumeration and active adjacent-ID probing.
- Broken Function Level Authorization (BFLA) and privilege escalation: admin endpoint probing and role/permission leakage.
- Property authorization: over-exposure and internal field leakage.
- Input validation: CORS wildcard configurations (with and without credentials), dangerous HTTP methods, and debug endpoints.
- Rate limiting and resource consumption: rate-limit header presence, oversized responses, and unpaginated arrays.
- Data exposure: PII patterns such as email addresses, Luhn-validated card numbers, and context-aware SSN formats; common API key formats for AWS, Stripe, GitHub, and Slack; error and stack-trace leakage.
- Encryption: HTTPS redirects, HSTS, cookie flags, and mixed content.
- SSRF: URL-accepting parameters and body fields, internal IP patterns, and probes for IP-bypass attempts.
- Inventory management: missing versioning, legacy path patterns, and server fingerprinting.
- Unsafe consumption: excessive third-party URLs and webhook/callback exposure.
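As an added illustration of what several of these passive checks look like in code (this is example code written for this page, not middleBrick's own implementation), the following Python reviews a single captured response: it inspects a JWT's header and claims (alg=none, HS256, expiry, missing claims, sensitive claim names), applies a Luhn check to card-number-shaped digit runs so they are only reported when the checksum passes, and looks at response headers for HSTS, CORS wildcard with or without credentials, rate-limit headers and a versioned Server banner. The sample headers, body and token are constructed, and the finding labels are this example's own, not the product's.

```python
"""Added example (not middleBrick's code): passive, read-only checks over one
captured API response, of the kind the detection-coverage section lists. The
JWT, headers and body are constructed samples; finding labels are my own."""
import base64
import json
import re
import time
from typing import Dict, List, Optional

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(header: dict, claims: dict) -> str:
    """Build a constructed sample token (alg=none, empty signature segment)."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])

def inspect_jwt(token: str, now: Optional[float] = None) -> List[str]:
    """Review header and claims only; no signature verification is attempted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed-jwt"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:                      # bad base64 or bad JSON
        return ["malformed-jwt"]
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.append("jwt-alg-none")     # unsigned token presented as a JWT
    elif alg == "hs256":
        findings.append("jwt-hs256")        # shared-secret algorithm, flagged by the page
    if "exp" not in claims:
        findings.append("jwt-missing-exp")
    elif claims["exp"] < now:
        findings.append("jwt-expired")
    for claim in ("iss", "aud", "sub"):
        if claim not in claims:
            findings.append(f"jwt-missing-{claim}")
    for key in claims:                      # sensitive data carried in claims
        if key.lower() in {"password", "ssn", "card", "secret"}:
            findings.append(f"jwt-sensitive-claim:{key}")
    return findings

def luhn_valid(digits: str) -> bool:
    """Luhn checksum cuts false positives on card-number-shaped digit runs."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        if i % 2:                           # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> List[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def check_headers(headers: Dict[str, str], https: bool = True) -> List[str]:
    """HSTS presence, CORS wildcard (with/without credentials), rate-limit headers, banner."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if https and "strict-transport-security" not in h:
        findings.append("missing-hsts")
    if h.get("access-control-allow-origin") == "*":
        creds = h.get("access-control-allow-credentials", "").lower() == "true"
        findings.append("cors-wildcard-with-credentials" if creds else "cors-wildcard")
    if not any(k.startswith(("x-ratelimit", "ratelimit")) for k in h):
        findings.append("no-rate-limit-headers")
    server = h.get("server", "")
    if re.search(r"\d", server):            # version number in the Server banner
        findings.append(f"server-fingerprint:{server}")
    return findings

def scan_response(headers, body, token=None, now=None) -> dict:
    """Combine the checks into one report for a single captured response."""
    return {"headers": check_headers(headers),
            "cards": find_card_numbers(body),
            "jwt": inspect_jwt(token, now) if token else []}

# Constructed sample response that exhibits several of the findings above.
SAMPLE_HEADERS = {"Content-Type": "application/json", "Server": "nginx/1.18.0",
                  "Access-Control-Allow-Origin": "*",
                  "Access-Control-Allow-Credentials": "true"}
SAMPLE_BODY = '{"user": "a@example.com", "card": "4111 1111 1111 1111", "ref": "4111111111111112"}'
SAMPLE_TOKEN = make_unsigned_jwt({"alg": "none", "typ": "JWT"},
                                 {"sub": "42", "iss": "api.example", "exp": 1700000000})
```

Running `scan_response(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_TOKEN, now=1800000000)` reports the missing HSTS header, the wildcard CORS origin combined with credentials, the absent rate-limit headers and the versioned Server banner; only the Luhn-valid card number is listed, and the token is flagged for alg=none, expiry and a missing aud claim. Everything here is derived from one response the service already returned, which is what keeps such checks read-only.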
LLM and AI security testing includes 18 adversarial probes across Quick, Standard, and Deep tiers, addressing system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. Findings from these checks can help you prepare for controls defined in PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023). They also align with security controls described in other frameworks, supporting audit evidence for your internal reviews.
OpenAPI analysis and authenticated scanning
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents, resolving recursive $ref references. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning, available from Starter tier and above, supports Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. A strict header allowlist is applied, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers.
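The following Python is an added example, not middleBrick's code, showing the shape of the spec-side analysis described above: it resolves local `$ref` pointers recursively with a cycle guard (a schema that refers to itself terminates instead of recursing forever), then flags operations whose security requirement names a scheme that is not defined under `components.securitySchemes`, operations with no security requirement, deprecated operations, and GET endpoints that return an array without any pagination parameter. It also includes the credential header allowlist the passage describes. The sample spec is constructed; the pagination parameter names and the array-response rule are this example's own assumptions, and the spec/runtime cross-check itself is out of scope here.

```python
"""Added example (not middleBrick's code): static review of an OpenAPI 3.x
document, of the kind the spec-analysis section describes, plus the credential
header allowlist applied to authenticated scans. The spec is a constructed
sample; the pagination parameter names and array-response rule are my own."""
from typing import Any, Dict, List

PAGINATION_PARAMS = {"page", "limit", "offset", "cursor", "page_size", "per_page"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

def resolve_refs(node: Any, root: dict, seen: tuple = ()) -> Any:
    """Inline local '#/...' $refs recursively; a cycle is left as a marked $ref."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in seen:
                return {"$ref": ref, "x-cycle": True}   # recursive schema, stop here
            target = root
            for part in ref[2:].split("/"):           # RFC 6901 pointer walk
                target = target[part.replace("~1", "/").replace("~0", "~")]
            return resolve_refs(target, root, seen + (ref,))
        return {k: resolve_refs(v, root, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, seen) for v in node]
    return node

def _returns_array(op: dict) -> bool:
    for resp in op.get("responses", {}).values():
        for media in resp.get("content", {}).values():
            if media.get("schema", {}).get("type") == "array":
                return True
    return False

def review_spec(spec: dict) -> List[str]:
    """Flag undefined security schemes, unauthenticated ops, deprecated ops and
    unpaginated list endpoints, purely from the document."""
    resolved = resolve_refs(spec, spec)
    defined = set(resolved.get("components", {}).get("securitySchemes", {}))
    global_sec = resolved.get("security", [])
    findings = []
    for path, item in resolved.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            sec = op.get("security", global_sec)     # [] on an op means "no auth"
            if not sec:
                findings.append(f"{where}: no security requirement")
            for name in {n for req in sec for n in req} - defined:
                findings.append(f"{where}: undefined security scheme '{name}'")
            if op.get("deprecated"):
                findings.append(f"{where}: deprecated operation")
            params = {p.get("name") for p in op.get("parameters", [])}
            if method.lower() == "get" and _returns_array(op) and not params & PAGINATION_PARAMS:
                findings.append(f"{where}: array response without pagination parameters")
    return findings

def allowlist_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Forward only the credential headers the page lists; drop everything else."""
    allowed = {"authorization", "x-api-key", "cookie"}
    return {k: v for k, v in headers.items()
            if k.lower() in allowed or k.lower().startswith("x-custom-")}

# Constructed sample spec: one recursive schema, one undefined scheme, one
# deprecated operation, one unauthenticated operation, one unpaginated list.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "manager": {"$ref": "#/components/schemas/User"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/users/{id}": {"get": {"parameters": [{"name": "id", "in": "path"}],
                                "responses": {"200": {"content": {"application/json": {
                                    "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/admin/export": {"get": {"security": [{"legacyKey": []}], "deprecated": True,
                                  "responses": {"200": {"description": "ok"}}}},
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    for line in review_spec(SAMPLE_SPEC):
        print(line)
```

On the sample, `review_spec` reports the unpaginated `GET /users` list, the undefined `legacyKey` scheme and deprecated flag on `GET /admin/export`, and the unauthenticated `GET /health`; `GET /users/{id}` is clean. The cycle guard matters in practice because self-referential schemas (a user with a manager who is a user) are common, and a naive resolver loops on them.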
Product features, integrations, and continuous monitoring
The Web Dashboard centralizes scan management, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI, distributed as an npm package named middlebrick, enables command-line scans with JSON or text output using a command such as middlebrick scan <url>. A GitHub Action is available to act as a CI/CD gate, failing the build when the score drops below a chosen threshold. An MCP Server allows scanning from AI coding assistants including Claude and Cursor, and a dedicated API client supports custom integrations. For ongoing risk management, the Pro tier provides scheduled rescans at intervals of six hours, daily, weekly, or monthly. It detects diffs between scans, reporting new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks are supported with auto-disable after five consecutive failures.
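The receiving side of the signed webhooks mentioned above, as an added example (written for this page, not middleBrick's code): the consumer recomputes an HMAC-SHA256 over the timestamp and the raw body, compares it in constant time, rejects deliveries outside a replay window, and only then parses the scan-diff event. A small sender-side class shows the "disable after five consecutive failures" rule. The header names `X-Webhook-Timestamp` and `X-Webhook-Signature`, the `<timestamp>.<body>` signing layout and the event payload are assumptions constructed for this example; check the product's documentation for the actual names and layout.

```python
"""Added example (not middleBrick's code): verifying an HMAC-SHA256 signed
webhook on the receiving side, and the sender-side "disable after five
consecutive failures" rule. The header names, the "<timestamp>.<body>" signing
layout and the event payload are assumptions constructed for this example."""
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

MAX_SKEW_SECONDS = 300       # deliveries older/newer than this are treated as replays

def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC over timestamp and raw body, so neither can be swapped independently."""
    msg = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(secret: bytes, headers: dict, body: bytes,
           now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason); the signature comparison is constant-time."""
    now = time.time() if now is None else now
    ts_raw = headers.get("X-Webhook-Timestamp")        # assumed header name
    sig = headers.get("X-Webhook-Signature", "")       # assumed header name
    if ts_raw is None or not sig.startswith("sha256="):
        return False, "missing-signature-headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "bad-timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale-timestamp"
    if not hmac.compare_digest(sign(secret, ts, body), sig):
        return False, "bad-signature"
    return True, "ok"

def handle_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[float] = None) -> dict:
    """Accept only verified deliveries, then summarise the scan-diff event."""
    ok, reason = verify(secret, headers, body, now)
    if not ok:
        return {"accepted": False, "reason": reason}
    event = json.loads(body)                            # parse only after verification
    score = event.get("score", {})
    return {"accepted": True, "reason": reason,
            "new_findings": len(event.get("new_findings", [])),
            "resolved_findings": len(event.get("resolved_findings", [])),
            "score_drift": f"{score.get('previous')}->{score.get('current')}"}

class WebhookEndpoint:
    """Sender-side delivery state: auto-disable after N consecutive failures
    (the page states five); one success resets the counter."""

    def __init__(self, url: str, secret: bytes, max_failures: int = 5):
        self.url, self.secret, self.max_failures = url, secret, max_failures
        self.consecutive_failures = 0
        self.enabled = True

    def record_delivery(self, success: bool) -> bool:
        """Record one delivery attempt; return whether the endpoint is still enabled."""
        if not self.enabled:
            return False
        if success:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.max_failures:
                self.enabled = False
        return self.enabled

# Constructed sample: a signed scan-diff delivery for one monitored API.
SECRET = b"constructed-shared-secret"
SAMPLE_EVENT = json.dumps({
    "api": "https://api.example.test",
    "new_findings": [{"id": "cors-wildcard-with-credentials", "severity": "high"}],
    "resolved_findings": [{"id": "missing-hsts"}],
    "score": {"previous": "B", "current": "C"},
}).encode()
SAMPLE_TS = 1700000000
SAMPLE_HEADERS = {"X-Webhook-Timestamp": str(SAMPLE_TS),
                  "X-Webhook-Signature": sign(SECRET, SAMPLE_TS, SAMPLE_EVENT)}

if __name__ == "__main__":
    print(handle_webhook(SECRET, SAMPLE_HEADERS, SAMPLE_EVENT, now=SAMPLE_TS + 5))
```

Two details carry most of the value: the HMAC is computed over the raw request bytes exactly as received (re-serialising the JSON first would change whitespace and break the signature), and `hmac.compare_digest` is used instead of `==` so the comparison time does not depend on how many leading bytes match.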
Safety, privacy, and explicit limitations
The scanner uses read-only methods and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training. Because this is a scanning tool, it does not fix, patch, block, or remediate findings. It does not perform active SQL injection or command injection testing, which would require intrusive payloads outside its scope. It does not detect business logic vulnerabilities, blind SSRF relying on out-of-band infrastructure, or all subtle authorization issues, as these require domain context best handled by human experts. It does not replace a human pentester for high-stakes audits.