Alternatives to Burp Suite at Pre-seed startups
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk grading from A to F with prioritized findings
- Detection aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
- Authenticated scans with header allowlists
- Continuous monitoring and diff tracking over time
Detection coverage across common API risks
The scanner covers 12 categories aligned to OWASP API Top 10. It checks authentication bypasses and JWT misconfigurations such as alg=none, weak algorithms, expired tokens, and sensitive data in claims. It probes for BOLA and IDOR via sequential ID enumeration and adjacent-ID testing, and identifies BFLA and privilege escalation through admin endpoint probing and role leakage.
- Object property-level authorization over-exposure and internal field leakage
- Input validation issues including CORS wildcard usage and dangerous HTTP methods
- Rate-limiting checks via response headers and oversized-response analysis
- Exposure of PII patterns such as email addresses and context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack
- Encryption checks including HTTPS redirects, HSTS, and cookie flags
- SSRF indicators like URL-accepting parameters and internal IP probing
- Inventory issues such as missing versioning and legacy paths
- Unsafe consumption surfaces and webhook exposure
- LLM-specific adversarial probes across Quick, Standard, and Deep tiers, including system prompt extraction, jailbreak patterns, data exfiltration attempts, and token smuggling
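The JWT misconfiguration checks listed above, as an added illustration that is not middleBrick's own code: this Python linter decodes a token without verifying it and reports alg=none, an algorithm outside an allowlist, a missing or expired exp claim, and sensitive data or PII in claims. The allowlist, the sensitive-claim names and the sample tokens are the editor's assumptions.

```python
import base64
import json
import re
import time

# Assumption (editor's choice, not from the page): only asymmetric algorithms are
# allowlisted; anything else is reported for review rather than silently accepted.
ALLOWED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                "PS256", "PS384", "PS512", "EdDSA"}
SENSITIVE_CLAIMS = {"password", "secret", "ssn", "credit_card"}  # assumed names
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def lint_jwt(token: str, now=None) -> list:
    """Decode a JWT (no verification) and report alg/exp/claim misconfigurations."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["MALFORMED"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    findings = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        findings.append("ALG_NONE")           # token carries no signature at all
    elif alg not in ALLOWED_ALGS:
        findings.append(f"ALG_NOT_ALLOWLISTED:{alg}")
    if parts[2] == "" and alg.lower() != "none":
        findings.append("MISSING_SIGNATURE")  # alg claims signing, signature absent
    now = time.time() if now is None else now
    if "exp" not in claims:
        findings.append("NO_EXP")
    elif claims["exp"] < now:
        findings.append("EXPIRED")
    for name, value in claims.items():
        if name.lower() in SENSITIVE_CLAIMS:
            findings.append(f"SENSITIVE_CLAIM:{name}")
        elif isinstance(value, str) and EMAIL_RE.fullmatch(value):
            findings.append(f"PII_IN_CLAIM:{name}")
    return findings

def build_sample_jwt(header: dict, claims: dict, signature: str = "") -> str:
    """Constructed test input only: header and claims with a placeholder signature."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), signature])
```

Each finding code maps to one item in the scanner's JWT category, so the output can be fed straight into a report or a CI gate.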
OpenAPI contract analysis and runtime correlation
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents and resolves recursive $ref references. It cross-references the spec definitions against runtime behavior to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This helps identify mismatches between documented and actual behavior without requiring access to source code.
Authenticated scanning and domain ownership verification
Authenticated scans are available starting at the Starter tier and accept one of the following credential types: Bearer tokens, API keys, Basic auth, or cookies. Before credentials are accepted, the tool performs a domain verification gate using a DNS TXT record or an HTTP well-known file to confirm that you control the domain. Only the allowlisted headers (Authorization, X-API-Key, Cookie, and X-Custom-*) are forwarded during scans; any other header supplied with the credentials is dropped.
Deployment options and integration into development workflows
You can run scans from the web dashboard to view reports and track score trends, or install the CLI via the middlebrick npm package with a command such as middlebrick scan <url>. The GitHub Action can gate CI/CD, failing the build when the score drops below a set threshold. An MCP server enables scanning from AI coding assistants, and an API client supports custom integrations.
Data handling, retention, and privacy considerations
Scan data is read-only and retained only as long as needed. Customer data can be deleted on demand and is purged within 30 days of cancellation. The tool does not sell data and does not use scan data for model training. Sensitive findings are reported in-product so that you can manage remediation with your team.