Apigee for Series A startups

What middleBrick covers

  • Black-box scanning with under one minute scan time
  • Risk scoring from A to F with prioritized findings
  • Detection aligned to OWASP API Top 10 (2023)
  • OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
  • Continuous monitoring with diff detection and alerts
  • CI/CD integration via GitHub Action and MCP server

API Security Posture For Growing Startups

As a Series A startup, your API surface expands quickly while engineering bandwidth remains constrained. middleBrick is a self-service API security scanner designed for this phase: submit a URL and receive a risk score with prioritized findings in under a minute. The scanner performs black-box checks using only read-only methods, requiring no agents, code access, or SDK integration, and it works across languages and frameworks.

Detection Coverage And Compliance Mapping

The scanner covers 12 security categories aligned to the OWASP API Top 10 (2023), including authentication bypass, JWT misconfigurations such as alg=none and expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation attempts, and data exposure patterns like emails and context-aware SSNs. It maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), helping you prepare for audits and validate controls without claiming certification.

Additional checks include CORS wildcard misconfigurations, dangerous HTTP methods, debug endpoints, rate-limit header visibility, PII leakage, API key fingerprinting for AWS and Stripe, HTTPS redirect issues, HSTS, mixed content, SSRF indicators involving internal IPs, and inventory issues such as missing versioning. The LLM / AI Security category runs 18 adversarial probes across Quick, Standard, and Deep tiers to surface risks like system prompt extraction, jailbreak techniques, token smuggling, and data exfiltration patterns.

OpenAPI Analysis And Developer Experience

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime behavior. This highlights undefined security schemes, sensitive fields exposed in responses, deprecated operations, and missing pagination that can lead to data overfetching.

For teams using an API-first workflow, the CLI provides a direct way to initiate scans: middlebrick scan https://api.example.com. Output is available in JSON or text, enabling integration into scripts or pipelines. The scanner enforces a domain verification gate so that only the domain owner can scan endpoints that require authentication, and it strictly limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.

Continuous Monitoring And Integration Options

For ongoing risk management, the Pro tier offers scheduled rescans every 6 hours, daily, weekly, or monthly. It tracks score drift and delivers diff detection to highlight new findings, resolved issues, and changes in risk ratings. Alerts are rate-limited to one email per hour per API, and webhooks use HMAC-SHA256 signing with auto-disable after 5 consecutive failures to reduce noise.

Integration options include a web dashboard for tracking score trends and downloading branded compliance PDFs, a GitHub Action that can fail CI/CD builds when scores drop below a threshold, and an MCP server for use with AI coding assistants. An API client enables custom integrations for teams with existing security tooling.

Limitations And Responsible Usage

middleBrick is a scanner, not a remediator; it detects and reports issues with remediation guidance but does not patch, block, or fix them. It does not perform active SQL injection or command injection testing, since that would require intrusive payloads that are out of scope, nor does it detect business logic vulnerabilities, which demand domain understanding. Blind SSRF and advanced persistent attacker simulations are also out of scope.

Customer data is deletable on demand and purged within 30 days of cancellation. The tool does not replace a human pentester for high-stakes audits. Pricing tiers range from Free to Enterprise, with cost scaling by API count and monitoring features; no tier promises compliance outcomes.

Frequently Asked Questions

How quickly can I get a risk score for my API?
Scans complete in under a minute, returning a risk score from A to F with prioritized findings.

Does the scanner require an agent or code changes?
No. It is a black-box scanner that requires no agents, SDKs, or code access.

Can authenticated scans verify domain ownership?
Yes. Authenticated scans include a domain verification gate using DNS TXT records or an HTTP well-known file.

What compliance mappings are provided?
Findings map to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Other frameworks are supported with alignment language only.