Alternatives to Apigee at Pre-seed startups
What middleBrick covers
- Black-box scanning with read-only methods under one minute
- 12 categories aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with header allowlist and domain verification
- CI/CD integration via GitHub Action and MCP Server support
- Continuous monitoring with diff detection and HMAC-SHA256 webhooks
What this scanner is and how it works
This is a self-service API security scanner. You submit a URL and receive a risk score from A to F with prioritized findings. The scan is black-box, requiring no agents, no code access, and no SDK integration. It supports any language, framework, or cloud, and completes in under a minute. The scanner uses read-only methods (GET and HEAD) plus text-only POST for LLM probes.
Detection scope aligned to standards
The scanner covers 12 categories aligned to the OWASP API Top 10 (2023):
- Authentication bypass and JWT misconfigurations such as alg=none, HS256, expired tokens, missing claims, and sensitive data in claims.
- BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing.
- BFLA and privilege escalation through admin endpoint probing and role/permission field leakage.
- Property authorization over-exposure.
- Input validation issues such as CORS wildcard usage and dangerous HTTP methods.
- Rate limiting and resource consumption signals.
- Data exposure patterns including PII, Luhn-validated card numbers, context-aware SSNs, API key formats, and error/stack-trace leakage.
- Encryption posture via HTTPS redirect, HSTS, and cookie flags.
- SSRF indicators in URL-accepting parameters.
- Inventory management gaps such as missing versioning and server fingerprinting.
- Unsafe consumption surfaces.
- LLM/AI security probes mapped across three scan tiers.
OpenAPI analysis and authenticated scanning
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scanning, support includes Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced through DNS TXT records or an HTTP well-known file so only the domain owner can scan with credentials. A strict header allowlist permits only Authorization, X-API-Key, Cookie, and X-Custom-* headers to be forwarded.
Product features and integrations
The Web Dashboard centralizes scans, reports, and score trend tracking, with the option to download branded compliance PDFs. The CLI via the middlebrick npm package supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action enables CI/CD gating, failing the build when the score drops below a chosen threshold. The MCP Server allows scans from AI coding assistants like Claude and Cursor. An API client provides programmatic access for custom integrations. Continuous monitoring on the Pro tier includes scheduled rescans every 6 hours, daily, weekly, or monthly; diff detection for new findings, resolved findings, and score drift; email alerts rate-limited to 1 per hour per API; and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures.
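As an added example (not middleBrick's own code), this is the receiver-side check a customer would put in front of the HMAC-SHA256 signed webhooks described above; the header name, hex encoding and event fields are assumptions, since the page does not document the webhook format.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumed header name; the page does not document middleBrick's actual envelope.
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: hex-encoded HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Receiver side: recompute the MAC over the *raw* bytes (never over
    re-serialized JSON) and compare in constant time to avoid timing leaks."""
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented:
        return False
    return hmac.compare_digest(sign_payload(secret, body), presented)


def handle_delivery(secret: bytes, body: bytes, headers: dict) -> Optional[dict]:
    """Parse the diff event only after the signature checks out; None on rejection."""
    if not verify_webhook(secret, body, headers):
        return None
    return json.loads(body)


# Constructed sample delivery mirroring the diff fields the text describes.
SECRET = b"constructed-shared-secret"
EVENT = {
    "api": "https://api.example.test",
    "score": {"previous": "B", "current": "C"},
    "new_findings": ["cors-wildcard"],
    "resolved_findings": [],
}
RAW_BODY = json.dumps(EVENT, separators=(",", ":")).encode()
HEADERS = {SIGNATURE_HEADER: sign_payload(SECRET, RAW_BODY)}

if __name__ == "__main__":
    print("valid delivery accepted:", handle_delivery(SECRET, RAW_BODY, HEADERS) is not None)
    tampered = RAW_BODY.replace(b'"C"', b'"A"')  # attacker edits the score in transit
    print("tampered delivery accepted:", handle_delivery(SECRET, tampered, HEADERS) is not None)
```

Read the body as bytes from the request before any framework JSON parsing, otherwise the recomputed MAC will not match what the sender signed.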
Limitations and safety posture
The scanner does not fix, patch, block, or remediate; it detects and reports, with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require domain context best handled by humans. Blind SSRF is out of scope because the scanner has no out-of-band infrastructure. The tool does not replace a human pentester for high-stakes audits. Safety measures include using read-only methods only and blocking private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation; it is never sold and never used for model training.