Apigee review
What middleBrick covers
- Black-box scanning with under one minute scan time
- Risk score A–F with prioritized findings
- 12 detection categories aligned to the OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with strict header allowlist
- Continuous monitoring and diff detection in Pro tier
Overview and scope
This tool is a self-service API security scanner that accepts a URL and returns a risk score from A to F along with prioritized findings. It performs black-box scanning without agents, code access, or SDK integration, and supports any language, framework, or cloud. Scans complete in under one minute and use only read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes.
Detection coverage and compliance mapping
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023). It maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10, and it helps you prepare for controls described in HIPAA, GDPR, ISO 27001, NIST, and other regulatory frameworks through relevant findings and audit evidence.
The 12 detection areas are:
- authentication bypass and JWT misconfigurations
- broken object level authorization (BOLA) and IDOR
- broken function level authorization (BFLA) and privilege escalation
- property-level authorization and over-exposure
- input validation issues such as CORS wildcard usage and dangerous HTTP methods
- rate limiting and resource consumption
- data exposure, including PII patterns and API key formats
- encryption misconfigurations
- SSRF indicators
- inventory management issues
- unsafe consumption surfaces
- LLM/AI security probes, run at tiered scan depths
OpenAPI analysis supports versions 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier upward and supports Bearer tokens, API keys, Basic auth, and Cookie credentials. Before credentials can be used against a domain, control of it must be verified via a DNS TXT record or an HTTP well-known file, so credentials can only be supplied for domains the account has proven it controls. Only headers on a strict allowlist are forwarded to the target: Authorization, X-API-Key, Cookie, and any header whose name begins with X-Custom-; everything else is dropped.
The safety posture rests on the read-only methods described above (the only request bodies sent are the text-only POSTs used by the LLM probes), and destructive payloads are never sent. Private IP ranges, localhost, and cloud metadata endpoints are blocked at multiple layers, so the scanner cannot be pointed at internal infrastructure. Customer scan data can be deleted on demand, is purged within 30 days of cancellation, and is never sold or used for model training.
Product integrations and monitoring
The Web Dashboard centralizes scans, reports, score trends, and provides downloadable branded compliance PDFs. The CLI, published as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available for CI/CD gating, failing the build when the score drops below a defined threshold. An MCP Server allows scans from AI coding assistants such as Claude and Cursor, and a dedicated API client supports custom integrations.
Pro tier adds continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. It provides diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Enterprise tier offers unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support.
Limitations and responsible use
The tool does not fix, patch, block, or remediate issues; it detects them and reports each with remediation guidance. It does not perform active SQL injection or command injection testing, because those require intrusive payloads outside its read-only scope. Business logic vulnerabilities are not detected, since they require human understanding of the domain, and blind SSRF is out of scope because the scanner has no out-of-band (callback) infrastructure with which to confirm it.
The scanner does not replace a human pentester for high-stakes audits. Findings should be reviewed in context, and remediation should follow secure development practices and internal policies.