Apigee for IoT / OT

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Read-only methods to protect operational stability
  • Detection of authentication and authorization flaws
  • Mapping findings to OWASP API Top 10, PCI-DSS, SOC 2
  • LLM adversarial probe testing for AI surface risks
  • Programmatic access for custom integrations

API Security Posture for IoT and OT Environments

IoT and OT environments expose APIs that were often designed for local, physical access and not for internet-facing threats. These APIs frequently lack strong authentication, expose sensitive operational data, and inherit legacy protocol behaviors that increase risk. The scanner evaluates the public-facing surface of these APIs using read-only methods to avoid any impact on device availability or control systems.

Coverage of Standards and Frameworks

Findings from the scan map directly to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II controls. This alignment helps you prepare for audit evidence related to access control, encryption, and monitoring requirements. For other frameworks, the tool surfaces findings relevant to security controls described in HIPAA, GDPR, ISO 27001, NIST, and CCPA, using alignment language rather than compliance guarantees.

Black-Box Scanning Approach for Operational Safety

The scanner operates as a black-box solution with no agents, SDKs, or code access required. It works with any language, framework, or cloud deployment by probing only read-only methods such as GET and HEAD, plus text-only POST for LLM probes. No active exploitation or mutation testing is performed, ensuring that device operations remain undisturbed while still identifying authentication misconfigurations, data exposure, and input validation issues.

Authenticated Scanning and Safe Credential Handling

When enabled, authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies. Access requires domain verification through a DNS TXT record or an HTTP well-known file, so only the domain owner can scan with credentials. The scanner forwards only headers on a fixed allowlist (Authorization, X-API-Key, Cookie, and X-Custom-*), which prevents credentials from leaking to unintended endpoints.
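The two safeguards in this section (domain-ownership verification and a strict header allowlist) are easy to get subtly wrong, so here is an added, stand-alone illustration of how a scanner can enforce them. This is example code written for this page, not middleBrick's implementation; the allowlist names come from the text above, while the verification-token format (a bare token in a TXT record or one token per line in the well-known file), the exact-host matching rule, and all sample values are assumptions.

```python
from urllib.parse import urlsplit

# Allowlist as stated on the page: three exact header names plus the
# X-Custom-* prefix. HTTP header names are case-insensitive, so compare lowercased.
ALLOWED_EXACT = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIX = "x-custom-"


def header_allowed(name: str) -> bool:
    n = name.strip().lower()
    return n in ALLOWED_EXACT or n.startswith(ALLOWED_PREFIX)


def filter_headers(configured: dict) -> dict:
    """Keep only allowlisted headers; anything else the user supplied is dropped,
    so a stray Proxy-Authorization or X-Forwarded-For never leaves the scanner."""
    return {k: v for k, v in configured.items() if header_allowed(k)}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def headers_for_probe(url: str, verified_domain: str, configured: dict) -> dict:
    """Headers to attach to a read-only probe of `url`.

    Credentials are attached only when the target host is exactly the verified
    domain (assumption: no subdomain or redirect target inherits them). Any other
    host, for example a redirect to a CDN, gets no credential headers at all."""
    if host_of(url) != verified_domain.lower().rstrip("."):
        return {}
    return filter_headers(configured)


def domain_verified(expected_token: str, dns_txt_records=(), wellknown_body=None) -> bool:
    """Ownership proof via either channel the page names.
    Record layout is an assumption: a bare token as a TXT value, or one token
    per line in the well-known file body."""
    if any(r.strip() == expected_token for r in dns_txt_records):
        return True
    if wellknown_body is not None:
        return any(line.strip() == expected_token for line in wellknown_body.splitlines())
    return False


# Constructed sample configuration (not real credentials or hosts).
VERIFIED_DOMAIN = "api.plant.example"
VERIFICATION_TOKEN = "middlebrick-verify-CONSTRUCTED-TOKEN"
CONFIGURED_HEADERS = {
    "Authorization": "Bearer CONSTRUCTED",
    "X-Custom-Site": "plant-07",
    "X-Forwarded-For": "10.0.0.1",        # not on the allowlist: dropped
    "Proxy-Authorization": "Basic CONSTRUCTED",  # not on the allowlist: dropped
}


if __name__ == "__main__":
    ok = domain_verified(VERIFICATION_TOKEN, ["v=spf1 -all", VERIFICATION_TOKEN])
    print("domain verified:", ok)
    print("to verified host:", headers_for_probe(
        "https://api.plant.example/status", VERIFIED_DOMAIN, CONFIGURED_HEADERS))
    print("to redirect target:", headers_for_probe(
        "https://cdn.other.example/status", VERIFIED_DOMAIN, CONFIGURED_HEADERS))
```

The design point is that the allowlist and the host check are applied per request, not once at configuration time: a redirect or a mixed-host API surface is exactly where an unconditional forwarding rule would leak the token.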

Detection Scope and Limitations

The scanner detects issues such as JWT misconfigurations, IDOR patterns, privilege escalation indicators, CORS misconfigurations, sensitive data exposure such as PII and API keys, SSRF indicators, and LLM-specific adversarial probes. It does not perform active SQL injection or command injection testing, does not fix or remediate findings, and does not detect business logic vulnerabilities that require domain context. It also does not replace a human pentester for high-stakes audits.
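To make the detection scope concrete, here is an added example, not code from the page or from middleBrick, of the kind of read-only analysis that can flag three of the listed issue classes from a single response: a JWT whose header declares alg none or whose payload has no expiry, a CORS policy that reflects a foreign Origin while allowing credentials, and PII or secret-looking values in the body. The finding identifiers, the OWASP API Top 10 (2023) mapping, the regexes, and every sample value are assumptions constructed for this illustration.

```python
import base64
import json
import re

# Mapping of example finding ids to OWASP API Security Top 10 (2023) categories.
OWASP_MAP = {
    "JWT_ALG_NONE": "API2:2023 Broken Authentication",
    "JWT_NO_EXPIRY": "API2:2023 Broken Authentication",
    "CORS_REFLECTED_ORIGIN_WITH_CREDENTIALS": "API8:2023 Security Misconfiguration",
    "CORS_WILDCARD_ORIGIN": "API8:2023 Security Misconfiguration",
    "PII_EMAIL_IN_RESPONSE": "API3:2023 Broken Object Property Level Authorization",
    "SECRET_IN_RESPONSE": "API3:2023 Broken Object Property Level Authorization",
}


def _b64url_json(segment: str):
    segment += "=" * (-len(segment) % 4)          # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))


def jwt_findings(token: str) -> list:
    """Inspect header and payload only; the signature is never verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        return []
    try:
        header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:                            # bad base64, bad UTF-8 or bad JSON
        return []
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return []
    out = []
    if str(header.get("alg", "")).lower() == "none":
        out.append("JWT_ALG_NONE")
    if "exp" not in payload:
        out.append("JWT_NO_EXPIRY")
    return out


def cors_findings(sent_origin: str, resp_headers: dict) -> list:
    """`sent_origin` is the foreign Origin the probe sent with a plain GET;
    reflecting it together with Allow-Credentials: true is the dangerous combination."""
    h = {k.lower(): v for k, v in resp_headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    out = []
    if acao == "*":
        out.append("CORS_WILDCARD_ORIGIN")
    elif acao and acao == sent_origin and acac:
        out.append("CORS_REFLECTED_ORIGIN_WITH_CREDENTIALS")
    return out


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SECRET_RE = re.compile(r'(?i)"?(api[_-]?key|secret|token)"?\s*[:=]\s*"?([A-Za-z0-9_\-]{20,})')


def exposure_findings(body: str) -> list:
    out = []
    if EMAIL_RE.search(body):
        out.append("PII_EMAIL_IN_RESPONSE")
    if SECRET_RE.search(body):
        out.append("SECRET_IN_RESPONSE")
    return out


def analyze(sent_origin: str, resp_headers: dict, body: str, token: str = None) -> list:
    """Return (finding_id, owasp_category) pairs for one observed response."""
    ids = cors_findings(sent_origin, resp_headers) + exposure_findings(body)
    if token:
        ids += jwt_findings(token)
    return [(i, OWASP_MAP[i]) for i in ids]


# Constructed sample data: a deliberately weak unsigned token, a response that
# reflects the probe's Origin with credentials, and a body leaking an email and a key.
def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


SAMPLE_ORIGIN = "https://probe.scanner.example"
SAMPLE_TOKEN = _b64url({"alg": "none", "typ": "JWT"}) + "." + _b64url({"sub": "device-07"}) + "."
SAMPLE_HEADERS = {
    "Access-Control-Allow-Origin": "https://probe.scanner.example",
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_BODY = '{"device":"plc-07","contact":"ops@plant.example","api_key":"CONSTRUCTED_KEY_0123456789abcdef"}'


if __name__ == "__main__":
    for finding_id, category in analyze(SAMPLE_ORIGIN, SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_TOKEN):
        print(f"{finding_id:40s} -> {category}")
```

Everything here is derived from one GET response and the token the operator supplied, which is what keeps it inside the read-only model described on the page; the checks the text excludes (active injection, business-logic abuse) are absent by design, not by omission.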

Frequently Asked Questions

Can the scanner test APIs that control physical devices in an OT network?
The scanner evaluates HTTP and text-based API surfaces using read-only methods. It does not send commands to physical devices and is designed to avoid any operational impact.

Does the scanner validate compliance certifications such as HIPAA or GDPR?
The tool uses alignment language to highlight findings relevant to security controls described in various frameworks. It does not certify compliance with HIPAA, GDPR, or any other regulation.

How does the scanner handle proprietary or binary protocols?
It focuses on HTTP and similar text-based protocols. Proprietary binary protocols are outside its detection scope, and findings are limited to what can be observed through standard API interactions.

Can authenticated scans be run continuously in CI/CD pipelines?
Yes, authenticated scanning is supported in Pro and Enterprise tiers, including integration with GitHub Actions and configurable score thresholds for CI/CD gates.