Alternatives to Apigee at Series B/C companies
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring A–F with prioritized findings
- 12 OWASP-aligned detection categories
- OpenAPI 3.x/2.0 spec parsing and cross-validation
- Authenticated scans with strict header allowlist
- CI/CD integration via GitHub Action and MCP Server
Purpose and scope of API security scanning
This tool is a self-service API security scanner for teams that need continuous visibility into their public-facing APIs. Submit a URL and receive a risk score from A to F along with prioritized findings. The scanner is black-box: it requires no agents, code access, or SDK integration and works with any language, framework, or cloud. Scans complete in under a minute and send only non-mutating GET and HEAD requests, plus text-only POST bodies for the LLM probes.
Detection coverage aligned to industry standards
The scanner evaluates 12 categories aligned to the OWASP API Security Top 10 (2023) and maps each finding to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10, so that scan reports can be used to prepare for SOC 2 and similar audits. The categories are:
- Authentication bypass and JWT misconfigurations
- Broken object-level authorization (BOLA) and IDOR
- Business logic flaws and privilege escalation
- Over-exposed data and mass assignment
- Input validation issues such as unsafe CORS and dangerous HTTP methods
- Rate limiting and resource consumption
- Data exposure, including PII and API key leakage
- Encryption and transport security
- SSRF probes
- Inventory and versioning issues
- Unsafe consumption surfaces
- LLM/AI security via adversarial probes, run at Quick, Standard, or Deep depth
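To make the "unsafe CORS", "dangerous methods", transport and rate-limiting categories concrete, here is the kind of header-level check a black-box scanner can make from a single response. This is an added example, not middleBrick's detection code: the check names, severities, the A to F weighting and the two sample header sets are this example's own assumptions, chosen to show a misconfigured response beside its hardened form.

```python
"""Header-level misconfiguration checks of the kind a black-box scanner can
make from a single GET/HEAD/OPTIONS response. Added illustration, not
middleBrick's detection code: check names, severities, grade weighting and
the sample headers are assumptions of this example."""
from dataclasses import dataclass

# OWASP API Security Top 10 (2023) categories referenced by the checks below.
API8 = "API8:2023 Security Misconfiguration"
API4 = "API4:2023 Unrestricted Resource Consumption"


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str      # "high" | "medium" | "low"
    category: str
    detail: str


def check_response(url: str, headers: dict, probe_origin: str = "https://attacker.example") -> list:
    """Evaluate one response. `probe_origin` is the Origin header the scanner
    sent with the request, so a reflected origin can be recognised."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    out = []
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    # Browsers refuse '*' together with credentials, but an arbitrary origin
    # reflected back with credentials lets any site read authenticated responses.
    if acao == probe_origin and creds:
        out.append(Finding("cors-reflected-origin-credentials", "high", API8,
                           f"Origin {acao} reflected with Allow-Credentials: true"))
    elif acao == "*":
        out.append(Finding("cors-wildcard-origin", "low", API8,
                           "Access-Control-Allow-Origin: * on an API response"))
    # Verbs advertised in Allow that an API should not expose at all.
    allow = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    for verb in sorted(allow & {"TRACE", "TRACK", "CONNECT"}):
        out.append(Finding("dangerous-method", "medium", API8, f"{verb} listed in Allow"))
    if url.lower().startswith("https://") and "strict-transport-security" not in h:
        out.append(Finding("missing-hsts", "low", API8, "no Strict-Transport-Security header"))
    if not {"ratelimit-limit", "x-ratelimit-limit", "retry-after"} & set(h):
        out.append(Finding("no-rate-limit-signal", "low", API4,
                           "no rate-limit headers observed on the response"))
    return out


def grade(findings) -> str:
    """Letter grade from a simple severity weighting (an assumed scheme, not middleBrick's)."""
    weights = {"high": 30, "medium": 15, "low": 5}
    score = 100 - sum(weights[f.severity] for f in findings)
    for cutoff, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= cutoff:
            return letter
    return "F"


# Constructed response headers, as a misconfigured API might return them to an
# OPTIONS request that carried Origin: https://attacker.example.
WEAK_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://attacker.example",
    "Access-Control-Allow-Credentials": "true",
    "Allow": "GET, HEAD, OPTIONS, TRACE",
}
# The same endpoint with the misconfigurations removed (also constructed).
HARDENED_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://app.example.test",
    "Allow": "GET, HEAD, OPTIONS",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "RateLimit-Limit": "100",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = check_response("https://api.example.test/v1/users", hdrs)
        print(label, grade(found), [f.check for f in found])
```

The reflected-origin case is the one worth understanding: a wildcard origin with credentials is rejected by browsers, but an API that echoes whatever Origin it receives while also sending Allow-Credentials: true has effectively disabled the same-origin policy for any authenticated user who visits a hostile page.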
OpenAPI analysis and authenticated scanning
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans at the Starter tier and above, support includes Bearer, API key, Basic auth, and Cookie, with domain verification via DNS TXT or HTTP well-known file to ensure only domain owners can scan with credentials. A strict header allowlist is enforced, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers.
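The spec-side checks named above (recursive $ref resolution, undefined security schemes, sensitive fields, deprecated operations, missing pagination) can be shown with a short static analyzer. This is an added example and not middleBrick's parser: the rule names, the sensitive-field pattern, the pagination parameter names and the embedded OpenAPI 3.0 document are all assumptions of this example, and JSON input is used so that no YAML library is required.

```python
"""Static checks over an OpenAPI 3.x document: local $ref resolution, then
spec-level findings. Added example, not middleBrick's parser; rule names,
patterns and the embedded spec are this example's assumptions."""
import json
import re

SENSITIVE = re.compile(r"password|passwd|secret|token|ssn|credit_?card|cvv", re.I)
PAGINATION = {"page", "limit", "offset", "cursor", "page_size", "per_page"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def resolve(node, doc, seen=()):
    """Recursively inline local '#/...' references. `seen` holds the refs on the
    current path so a self-referential schema terminates instead of recursing forever."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in seen:
                return {"x-cycle": ref}
            target = doc
            for part in ref[2:].split("/"):             # JSON Pointer (RFC 6901) unescaping
                target = target[part.replace("~1", "/").replace("~0", "~")]
            return resolve(target, doc, seen + (ref,))
        return {k: resolve(v, doc, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, doc, seen) for v in node]
    return node


def property_paths(schema, prefix=""):
    """Yield dotted paths of every property in a resolved schema, descending
    into nested objects and array items."""
    for name, sub in (schema.get("properties") or {}).items():
        here = f"{prefix}.{name}" if prefix else name
        yield here
        yield from property_paths(sub, here)
    items = schema.get("items")
    if isinstance(items, dict):
        yield from property_paths(items, prefix + "[]")


def analyze(spec):
    """Return (rule, 'METHOD /path', detail) tuples for the whole document."""
    doc = resolve(spec, spec)
    declared = set((doc.get("components") or {}).get("securitySchemes") or {})
    findings = []
    for path, item in (doc.get("paths") or {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            security = op.get("security", doc.get("security") or [])   # per-op overrides root
            if not security:
                findings.append(("no-security", where, "no security requirement"))
            for requirement in security:
                for scheme in requirement:
                    if scheme not in declared:
                        findings.append(("undefined-scheme", where, scheme))
            if op.get("deprecated"):
                findings.append(("deprecated", where, "operation marked deprecated"))
            returns_list = False
            for code, resp in (op.get("responses") or {}).items():
                for media in (resp.get("content") or {}).values():
                    schema = media.get("schema") or {}
                    if str(code).startswith("2") and schema.get("type") == "array":
                        returns_list = True
                    for prop in property_paths(schema):
                        if SENSITIVE.search(prop.rsplit(".", 1)[-1]):
                            findings.append(("sensitive-field", where, f"{code} response exposes {prop}"))
            if method == "get" and returns_list:
                params = {p.get("name") for p in (op.get("parameters") or []) + (item.get("parameters") or [])}
                if not params & PAGINATION:
                    findings.append(("missing-pagination", where, "array response with no page/limit/cursor parameter"))
    return findings


# Constructed spec: a User schema that references Profile, which references
# User again (a cycle), a list endpoint without pagination, and a deprecated
# operation that names a security scheme the document never declares.
SAMPLE_SPEC = json.loads("""
{"openapi": "3.0.3", "info": {"title": "constructed sample", "version": "1"},
 "components": {
   "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
   "schemas": {
     "User": {"type": "object", "properties": {"id": {"type": "integer"},
              "password_hash": {"type": "string"}, "profile": {"$ref": "#/components/schemas/Profile"}}},
     "Profile": {"type": "object", "properties": {"ssn": {"type": "string"},
              "manager": {"$ref": "#/components/schemas/User"}}}}},
 "paths": {
   "/users": {"get": {"security": [{"bearer": []}],
     "responses": {"200": {"description": "ok", "content": {"application/json":
       {"schema": {"type": "array", "items": {"$ref": "#/components/schemas/User"}}}}}}}},
   "/legacy/export": {"get": {"deprecated": true, "security": [{"apiKeyAuth": []}],
     "responses": {"200": {"description": "ok"}}}}}}
""")

if __name__ == "__main__":
    for rule, where, detail in analyze(SAMPLE_SPEC):
        print(f"{rule:20} {where:22} {detail}")
```

The cycle guard matters in practice: real specs routinely contain self-referential schemas (a tree node with children of the same type), and a resolver without one will recurse until it crashes, which is exactly the kind of input a hostile spec author would supply.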
Product features, monitoring, and pricing
The Web Dashboard centralizes scans, reports, score trends, and downloadable compliance PDFs. The CLI, published as an npm package, exposes commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when a score drops below a defined threshold, and the MCP Server lets AI coding assistants trigger scans. Continuous monitoring on the Pro tier provides scheduled rescans (every 6 hours, daily, weekly, or monthly), diff detection between scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are automatically disabled after 5 consecutive delivery failures.
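The two webhook properties above, an HMAC-SHA256 signature and auto-disable after 5 consecutive failures, are worth seeing end to end from both the sender's and the receiver's side. This is an added example, not middleBrick's webhook implementation: the header names, the timestamp-binding scheme, the 300-second freshness window and the delivery callback are assumptions of this example.

```python
"""Signed webhook delivery with a consecutive-failure circuit breaker.
Added example, not middleBrick's code: header names, the timestamp scheme,
the skew window and the delivery callback are assumptions."""
import hashlib
import hmac
import json
import time

SIG_HEADER = "X-Webhook-Signature"      # assumed header names
TS_HEADER = "X-Webhook-Timestamp"
MAX_FAILURES = 5                        # consecutive failures before auto-disable
MAX_SKEW = 300                          # seconds; bounds replay of a captured delivery


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """MAC over timestamp||'.'||body so neither can be altered independently."""
    msg = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """Receiver side: reject stale timestamps, then compare in constant time.
    Verify over the raw request bytes, never over a re-serialised JSON object."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get(TS_HEADER, ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW:
        return False
    return hmac.compare_digest(sign(secret, ts, body), headers.get(SIG_HEADER, ""))


class WebhookEndpoint:
    """Sender side. `deliver(url, headers, body) -> int` performs the HTTP POST
    and returns the status code; it is injected so the example runs offline."""

    def __init__(self, url: str, secret: bytes, deliver):
        self.url, self.secret, self.deliver = url, secret, deliver
        self.failures = 0
        self.enabled = True

    def send(self, event: dict, now=None) -> bool:
        if not self.enabled:
            return False                      # disabled endpoints are skipped, not retried
        now = int(time.time()) if now is None else now
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
        headers = {"Content-Type": "application/json",
                   TS_HEADER: str(now), SIG_HEADER: sign(self.secret, now, body)}
        try:
            ok = 200 <= self.deliver(self.url, headers, body) < 300
        except Exception:                     # network error counts as a failed delivery
            ok = False
        if ok:
            self.failures = 0                 # any success resets the streak
        else:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.enabled = False
        return ok


if __name__ == "__main__":
    secret = b"constructed-shared-secret"

    def receiver(url, headers, body):          # constructed receiver that validates the MAC
        return 200 if verify(secret, headers, body) else 401

    ep = WebhookEndpoint("https://hooks.example.test/scan", secret, receiver)
    print("delivered:", ep.send({"api": "https://api.example.test", "score": "B"}))
    down = WebhookEndpoint("https://hooks.example.test/down", secret, lambda *a: 503)
    for _ in range(MAX_FAILURES):
        down.send({"api": "https://api.example.test", "score": "C"})
    print("still enabled after 5 failures:", down.enabled)
```

Two design points carry the security weight here. Binding the timestamp into the signed message (rather than signing the body alone) lets the receiver reject replays without keeping a log of every signature it has seen, and comparing with hmac.compare_digest removes the timing side channel that a plain string comparison leaks.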
Pricing tiers include a Free plan with 3 scans per month and CLI access, Starter at $99 per month for 15 APIs with monthly scans and dashboard features, Pro at $499 per month for 100 APIs with continuous monitoring and CI/CD integrations, and Enterprise at $2,000 per month for unlimited APIs, custom rules, SSO, and dedicated support.
Limitations and safety posture
The scanner does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection testing, since those require intrusive payloads that are outside its scope. Business logic vulnerabilities and blind SSRF are also out of scope, and the tool does not replace a human pentester for high-stakes audits. Safety measures include using only read-only request methods, blocking private IP ranges, localhost, and cloud metadata endpoints at multiple layers, and deleting customer data on demand, with a full purge within 30 days of cancellation. Customer data is never sold or used for model training.
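A scanner that fetches arbitrary URLs is itself an SSRF surface, so the two outbound controls this page mentions, the strict header allowlist from the authenticated-scanning section and the private-IP/localhost/metadata blocking above, are shown together here as one request policy. This is an added example, not middleBrick's code: the blocked ranges, the blocked hostnames, the layering and the injected resolver are this example's assumptions, and the fake DNS table is constructed so the code runs offline.

```python
"""Outbound request policy for a URL scanner: validate the target before any
connection and forward only allowlisted credential headers. Added example, not
middleBrick's code; ranges, hostnames and the resolver are assumptions."""
import ipaddress
from urllib.parse import urlsplit

# Never reach these: RFC 1918, loopback, link-local (which contains the cloud
# metadata address 169.254.169.254), CGNAT, multicast, plus IPv6 equivalents.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}   # assumed name-based layer
FORWARD_EXACT = {"authorization", "x-api-key", "cookie"}     # allowlist from the page
FORWARD_PREFIX = "x-custom-"


def is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.1 is IPv4-mapped; judge the embedded IPv4 address, not the v6 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not any(ip in net for net in BLOCKED)


def check_target(url: str, resolve) -> tuple:
    """Layer 1, pre-flight: scheme, hostname and every resolved address must pass.
    `resolve(host) -> list[str]` is injected. A second layer should re-check the
    address actually connected to, since a DNS answer can change between lookups."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host.lower() in BLOCKED_HOSTS or host.lower().endswith(".localhost"):
        return False, f"blocked hostname {host}"
    try:
        addrs = [str(ipaddress.ip_address(host))]       # literal IP: no lookup needed
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"{host} did not resolve"
    for a in addrs:                                     # all answers must be public
        if not is_public(a):
            return False, f"{host} resolves to non-public {a}"
    return True, "ok"


def filter_headers(headers: dict) -> dict:
    """Forward only the credential headers a user intends to send. Everything
    else (Host, X-Forwarded-*, Proxy-Authorization, ...) is dropped so a scan
    cannot be used to smuggle headers to the target."""
    return {name: value for name, value in headers.items()
            if name.lower() in FORWARD_EXACT or name.lower().startswith(FORWARD_PREFIX)}


# Constructed resolver standing in for DNS.
FAKE_DNS = {
    "api.example.test": ["203.0.113.10"],
    "rebind.example.test": ["203.0.113.10", "10.0.0.5"],    # mixed public/private answer
    "meta.example.test": ["::ffff:169.254.169.254"],        # metadata IP hidden in v6
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://api.example.test/v1", "https://rebind.example.test/",
              "http://169.254.169.254/latest/meta-data/", "http://meta.example.test/",
              "http://[::1]:8080/", "file:///etc/passwd"):
        print(u, check_target(u, fake_resolve))
    print(filter_headers({"Authorization": "Bearer t", "X-Custom-Tenant": "acme",
                          "X-Forwarded-For": "127.0.0.1", "Host": "internal"}))
```

Two caveats a practitioner should keep in mind. First, the ipaddress module rejects shorthand literals such as 127.1 or a decimal address, so those fall through to the resolver; the operating system's resolver may happily turn them into 127.0.0.1, which is why the check must be repeated at connect time on the socket's actual peer address. Second, a mixed DNS answer (one public, one private address) is rejected outright rather than filtered, because the client library, not this code, decides which answer it connects to.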
Getting started and integration options
Teams can begin with the free tier to validate API exposure and then scale with Pro continuous monitoring for production-critical services. The CLI provides scriptable scans for local use, the GitHub Action integrates security into development pipelines, and the MCP Server supports AI-assisted workflows. Organizations that need deeper coverage can combine this tool with manual testing and formal assessments, using the scanner for ongoing monitoring and evidence collection rather than one-off audits.