Apigee for Pre-seed startups
What middleBrick covers
- Risk scoring across 12 OWASP API categories with prioritized findings
- Black-box scanning without agents or code access
- Under one minute scan time with read-only methods
- Authenticated scans with domain verification guardrails
- CI/CD integration via GitHub Action and API client
- Continuous monitoring with diff detection and HMAC-SHA256 webhooks
API Security Posture for Early Stage Products
Pre-seed products ship with limited security instrumentation and public-facing APIs that evolve quickly. The scanner provides a consistent risk score from A to F that summarizes API exposure in a single view. Black-box scanning requires no agents, SDKs, or code changes and works across any language or cloud stack. Scans complete in under one minute using read-only methods, with text-only support for LLM probes.
Detection Coverage Linked to Industry Standards
Findings map directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection covers authentication bypass, JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation attempts, and sensitive data exposure including PII patterns, Luhn-validated card numbers, and API key formats for AWS, Stripe, GitHub, and Slack. The scanner also identifies insecure encryption settings, SSRF indicators, inventory issues like missing versioning, and unsafe consumption surfaces.
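The sensitive-data checks named above (Luhn-validated card numbers and provider-specific API key formats) are easy to reproduce for a response body you already have in hand. The following is an added example, not middleBrick's code: it scans a constructed JSON body for card-number candidates, keeps only those that pass the Luhn check, and matches key formats using the publicly documented prefixes for AWS, Stripe, GitHub and Slack tokens (the regexes are my assumptions, not the scanner's). Findings are reported masked so the evidence itself is not re-exposed in the report.

```python
import re

# Key-format patterns based on each provider's public token prefix.
# These are assumptions for the example, not the scanner's own rules.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{16,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so reports do not leak the secret."""
    return "..." + value[-4:]


def scan_body(body: str) -> list[dict]:
    """Scan a response body and return masked findings, keys first, then cards."""
    findings = []
    for name, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(body):
            findings.append({"type": name, "evidence": mask(m.group())})
    for m in CARD_CANDIDATE.finditer(body):
        # Digit runs that fail Luhn (order ids, timestamps) are not reported,
        # which is what keeps the card check from being pure noise.
        if luhn_valid(m.group()):
            findings.append({"type": "card_number", "evidence": mask(m.group())})
    return findings


# Constructed sample response body. The AWS value is Amazon's documented
# example key id, and 4111 1111 1111 1111 is a standard test card number.
SAMPLE_BODY = """{"user": "alice",
 "card": "4111 1111 1111 1111",
 "order_id": "1234567812345678",
 "aws_key": "AKIAIOSFODNN7EXAMPLE",
 "note": "contact support"}"""

if __name__ == "__main__":
    for finding in scan_body(SAMPLE_BODY):
        print(finding)
```

The order id is a 16-digit run that fails Luhn, so it is correctly ignored, while the spaced card number and the AWS key id are both reported.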
Authenticated Scanning and Safe Operation
Authenticated scanning is available from the Starter tier, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification requires DNS TXT record or HTTP well-known file proof to ensure only the domain owner can scan with credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* to minimize exposure. The scanner operates read-only, with destructive payloads never sent and private IPs, localhost, and cloud metadata endpoints blocked at multiple layers.
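Two of the guardrails described above are worth seeing as concrete checks: refusing to scan targets that resolve to private, loopback, link-local or cloud-metadata addresses, and forwarding only an allowlist of headers with user credentials. The following is an added example, not middleBrick's implementation. It validates a target URL by checking the literal IP or every address the hostname resolves to (the resolver is injectable so the example runs offline; a real scanner would also re-check after each redirect, since a redirect to an internal address is the classic bypass), and it filters a header dictionary down to Authorization, X-API-Key, Cookie and X-Custom-*. The blocked hostname list is an assumption for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames refused without resolving them (assumed list for this example).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}

# Header allowlist from the page: exact names plus the X-Custom-* prefix.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_HEADER_PREFIX = "x-custom-"


def _resolve(host: str) -> set[str]:
    """Default resolver: every address the system resolver returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def ip_is_blocked(ip_str: str) -> bool:
    """True for any address a black-box scanner must never contact."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:127.0.0.1 is still loopback; unwrap IPv4-mapped IPv6 first.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_target(url: str, resolve=_resolve) -> tuple[bool, str]:
    """Return (allowed, reason) for a scan target URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    lowered = host.lower()
    if lowered in BLOCKED_HOSTNAMES or lowered.endswith(".internal"):
        return False, f"blocked hostname {host}"
    try:
        ipaddress.ip_address(host)          # literal IP in the URL
        addresses = {host}
    except ValueError:
        addresses = resolve(host)           # otherwise check every A/AAAA answer
    if not addresses:
        return False, "hostname did not resolve"
    for addr in addresses:
        if ip_is_blocked(addr):
            return False, f"resolves to blocked address {addr}"
    return True, "ok"


def filter_forwarded_headers(headers: dict) -> dict:
    """Keep only the headers the scanner is allowed to forward to the target."""
    kept = {}
    for name, value in headers.items():
        lowered = name.lower()
        if lowered in ALLOWED_HEADERS or lowered.startswith(ALLOWED_HEADER_PREFIX):
            kept[name] = value
    return kept


if __name__ == "__main__":
    # Constructed stub resolver so the demo needs no network access.
    public_only = lambda host: {"8.8.8.8"}
    print(check_target("https://api.example.com/v1", resolve=public_only))
    print(check_target("http://169.254.169.254/"))
    print(check_target("http://[::ffff:127.0.0.1]/"))
    print(filter_forwarded_headers({"Authorization": "Bearer t",
                                    "X-Forwarded-For": "203.0.113.9"}))
```

A hostname that resolves to a mix of public and private addresses is rejected outright, which is the conservative choice against DNS rebinding.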
Developer-Friendly Integration Options
Results are accessible through a web dashboard that organizes findings, tracks score trends, and generates branded compliance PDFs. The CLI npm package supports commands such as middlebrick scan <url> with JSON or text output for scripting. A GitHub Action can gate CI/CD, failing builds when scores drop below a defined threshold. An MCP server enables scans from AI coding assistants, and an API client supports custom integrations for existing workflows.
Continuous Monitoring and Data Governance
Pro tier adds scheduled rescans at intervals of six hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift between cycles. Email alerts are rate-limited to one per hour per API, and webhooks use HMAC-SHA256 signing with auto-disable after five consecutive failures. Customer scan data can be deleted on demand and is purged within 30 days of cancellation; data is never sold or used for model training.
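The webhook behaviour described above, HMAC-SHA256 signing on the sender side plus auto-disable after five consecutive failed deliveries, is shown below as an added example that is not middleBrick's code. The signature header name (`X-Signature`), the `sha256=` prefix and the shape of the diff event are assumptions for the example; a receiver verifies the signature over the raw request body with a constant-time comparison, and the sender resets its failure counter on any 2xx response.

```python
import hashlib
import hmac
import json


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes that will be sent."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver side: check a 'sha256=<hex>' header against the raw body."""
    if not header_value.startswith("sha256="):
        return False
    expected = sign(secret, body)
    # compare_digest avoids leaking where the mismatch is via timing.
    return hmac.compare_digest(expected, header_value[len("sha256="):])


class WebhookEndpoint:
    """Delivery state for one subscriber URL."""
    MAX_CONSECUTIVE_FAILURES = 5

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def record_delivery(self, ok: bool) -> None:
        if ok:
            self.consecutive_failures = 0
            return
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.MAX_CONSECUTIVE_FAILURES:
            self.enabled = False


def deliver(endpoint: WebhookEndpoint, event: dict, transport) -> bool:
    """Sign and send one event. transport(url, body, headers) -> HTTP status."""
    if not endpoint.enabled:
        return False
    # Canonical JSON so sender and receiver hash identical bytes.
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        "Content-Type": "application/json",
        "X-Signature": "sha256=" + sign(endpoint.secret, body),  # assumed header name
    }
    try:
        ok = 200 <= transport(endpoint.url, body, headers) < 300
    except OSError:
        ok = False
    endpoint.record_delivery(ok)
    return ok


# Constructed diff event representing one rescan cycle.
SAMPLE_EVENT = {
    "api": "https://api.example.com",
    "score_before": "B",
    "score_after": "D",
    "new_findings": 2,
    "resolved_findings": 0,
}

if __name__ == "__main__":
    endpoint = WebhookEndpoint("https://hooks.example.com/mb", b"constructed-secret")
    # Stub transport standing in for an HTTP client: fails every time.
    for attempt in range(6):
        sent = deliver(endpoint, SAMPLE_EVENT, lambda u, b, h: 503)
        print(attempt + 1, "sent" if sent else "not sent", "enabled" if endpoint.enabled else "disabled")
```

After the fifth consecutive 5xx the endpoint is disabled and the sixth delivery is skipped without a request being made.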