Apigee for CTOs

This scanner is a self-service API security tool that accepts a URL and returns a risk grade from A to F with prioritized findings. It operates as a black-box scanner, requiring no agents, code access, or SDK integration, and supports any language, framework, or cloud. Read-only methods are used, with text-only POST permitted for LLM probes, and scans typically complete in under one minute.

The tool maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It covers authentication bypass and JWT misconfigurations such as alg=none, HS256, expired tokens, missing claims, and sensitive data in claims. It detects BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and identifies BFLA and privilege escalation through admin endpoint probing and role/permission leakage. Property authorization over-exposure, input validation issues like CORS wildcards and dangerous HTTP methods, and rate limiting and resource consumption anomalies are also covered. Data exposure checks for PII patterns, API key formats, and error leakage. Encryption checks include HTTPS redirects, HSTS, and cookie flags. SSRF probes target URL-accepting parameters, and inventory management looks for missing versioning and legacy paths. LLM/AI security includes 18 adversarial probes across Quick, Standard, and Deep tiers. Unsafe consumption surface and server fingerprinting are also assessed.

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans at the Starter tier and above, support includes Bearer, API key, Basic auth, and Cookie. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can scan with credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.

The Web Dashboard centralizes scans, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI, distributed as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action provides CI/CD gating, failing the build when the score drops below a set threshold. An MCP Server allows scans from AI coding assistants such as Claude and Cursor. An API client supports custom integrations, and continuous monitoring on the Pro tier includes scheduled rescans, diff detection, email alerts, HMAC-SHA256 signed webhooks, and Slack or Teams notifications.

The tool does not fix, patch, block, or remediate; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, which requires intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require domain-specific human analysis. Blind SSRF is out of scope due to the absence of out-of-band infrastructure. The scanner does not replace a human pentester for high-stakes audits. Safety measures include read-only methods only, blocking of private IPs, localhost, and cloud metadata endpoints across multiple layers, and strict data handling: customer data is deletable on demand, purged within 30 days of cancellation, never sold, and never used for model training.