APIsec as a Continuous API monitor
What middleBrick covers
- Schedule recurring scans and track score drift over time
- Map findings to OWASP API Top 10, PCI-DSS 4.0, SOC 2 Type II
- Support authenticated scans with Bearer, API key, Basic, and Cookie
- Restrict forwarded headers to Authorization, X-API-Key, Cookie, X-Custom-*
- Provide detection for 12 API security categories
- Integrate via dashboard, CLI, GitHub Action, MCP Server, and API client
Continuous monitoring versus point-in-time scans
A continuous API monitor runs repeated scans on a schedule to track changes in security posture over time rather than providing a single snapshot. It surfaces new findings, resolves fixed findings, and reports score drift between scan cycles. This approach supports ongoing risk management and audit evidence collection by maintaining a historical record of each assessment, including the date, time, and result of every scan.
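The cycle-to-cycle comparison described above, written out as an added illustration (this is not middleBrick's own code or data model): two scan results for the same API are diffed by a stable finding id to produce new findings, resolved findings and score drift, and a threshold gate decides whether a CI build may proceed. The record layout, the severity labels and the sample scan data are constructed assumptions.

```python
"""Diff two scan cycles of a continuous API monitor and gate on a score threshold.

Added illustration, not middleBrick's own code or data model. The record layout
(stable finding ids, category, severity, an integer score) and the sample scan
results below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Finding:
    id: str         # stable key such as "<check>:<endpoint>", so one issue matches across cycles
    category: str   # detection category, e.g. "rate-limiting"
    severity: str   # "high" / "medium" / "low"


@dataclass(frozen=True)
class ScanResult:
    api: str
    scanned_at: str            # ISO 8601 timestamp, kept as audit evidence
    score: int                 # 0-100 posture score
    findings: FrozenSet[Finding]


@dataclass
class ScanDiff:
    new: List[Finding]         # present now, absent in the previous cycle
    resolved: List[Finding]    # present in the previous cycle, absent now
    unchanged: int             # carried over from the previous cycle
    score_drift: int           # current minus previous score (negative = regression)


def diff_scans(previous: ScanResult, current: ScanResult) -> ScanDiff:
    """Key findings by stable id: an issue seen in both cycles is neither new nor resolved."""
    prev = {f.id: f for f in previous.findings}
    cur = {f.id: f for f in current.findings}
    new = sorted((cur[i] for i in cur.keys() - prev.keys()), key=lambda f: f.id)
    resolved = sorted((prev[i] for i in prev.keys() - cur.keys()), key=lambda f: f.id)
    return ScanDiff(
        new=new,
        resolved=resolved,
        unchanged=len(cur.keys() & prev.keys()),
        score_drift=current.score - previous.score,
    )


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Alerting summary: how many findings of each severity are in a list."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def build_passes_gate(current: ScanResult, threshold: int) -> bool:
    """CI/CD gate: True when the score is at or above the chosen threshold."""
    return current.score >= threshold


def sample_scans() -> Tuple[ScanResult, ScanResult]:
    """Two constructed cycles for one API: one finding fixed, two new, one unchanged."""
    previous = ScanResult(
        api="https://api.example.test",
        scanned_at="2024-05-01T06:00:00Z",
        score=82,
        findings=frozenset({
            Finding("auth-bypass:/admin", "authentication", "high"),
            Finding("rate-limit:/login", "rate-limiting", "medium"),
        }),
    )
    current = ScanResult(
        api="https://api.example.test",
        scanned_at="2024-05-01T12:00:00Z",
        score=74,
        findings=frozenset({
            Finding("rate-limit:/login", "rate-limiting", "medium"),
            Finding("bola:/users/{id}", "object-level-authorization", "high"),
            Finding("tls:weak-cipher", "encryption", "low"),
        }),
    )
    return previous, current


if __name__ == "__main__":
    prev, cur = sample_scans()
    d = diff_scans(prev, cur)
    print("new:", [f.id for f in d.new])
    print("resolved:", [f.id for f in d.resolved])
    print("score drift:", d.score_drift, "gate(75):", build_passes_gate(cur, 75))
```

Keying on a stable id rather than on the finding's description is what keeps a rewording of the report text from showing up as a resolved-plus-new pair; the drift figure and the per-severity count of new findings are what an alert or a CI gate would act on.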
Mapping findings to compliance frameworks
Findings map to the OWASP API Top 10 (2023), and detection patterns are aligned with controls in PCI-DSS 4.0 and SOC 2 Type II. To help with audit preparation, the tool also surfaces findings relevant to security controls described in HIPAA, GDPR, ISO 27001, NIST, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, FERPA and other regulations. This mapping is alignment language, not a certification or a guarantee of compliance.
Authenticated scanning and scope controls
Authenticated scanning allows the tool to validate behavior behind authentication mechanisms using Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can scan with credentials. A strict header allowlist forwards only Authorization, X-API-Key, Cookie, and X-Custom-* headers, limiting the request surface during scans.
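The header allowlist above, as an added example (not middleBrick's code): user-configured headers are filtered so that only Authorization, X-API-Key, Cookie and X-Custom-* reach the target, and the dropped names are returned so they can be reported back. The allowlist itself is the one the page names; the matching rules (case-insensitive names, a prefix wildcard that must be followed by at least one character) and the rejection of names or values containing CR/LF are assumptions of this illustration, as is the sample configuration.

```python
"""Apply a strict forwarded-header allowlist to a scan configuration.

Added example, not middleBrick's code. The allowlist is the one the page names;
case-insensitive matching, the "at least one character after the wildcard" rule
and the CR/LF rejection are assumptions of this illustration."""
from typing import Dict, List, Tuple

ALLOWED_HEADERS = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")


def header_allowed(name: str) -> bool:
    """Case-insensitive match against the allowlist; a trailing '*' is a prefix wildcard."""
    lowered = name.lower()
    for pattern in ALLOWED_HEADERS:
        p = pattern.lower()
        if p.endswith("*"):
            prefix = p[:-1]
            # "X-Custom-" on its own is not a header name: require something after the prefix
            if lowered.startswith(prefix) and len(lowered) > len(prefix):
                return True
        elif lowered == p:
            return True
    return False


def well_formed(name: str, value: str) -> bool:
    """Reject entries that would split into extra header lines when serialised."""
    return bool(name) and not any(c in "\r\n" for c in name + value)


def filter_headers(configured: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers to forward, names dropped) so the drop list can be shown to the user."""
    forwarded: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in configured.items():
        if header_allowed(name) and well_formed(name, value):
            forwarded[name] = value
        else:
            dropped.append(name)
    return forwarded, dropped


def sample_config() -> Dict[str, str]:
    """Constructed user-supplied headers mixing allowed, disallowed and malformed entries."""
    return {
        "Authorization": "Bearer example-token",
        "x-api-key": "example-key",                # allowed regardless of case
        "Cookie": "session=example",
        "X-Custom-Tenant": "acme",                  # matches X-Custom-*
        "X-Custom-": "empty-suffix",                # prefix only, not a real custom header
        "X-Forwarded-For": "10.0.0.1",              # not on the allowlist
        "Host": "internal.example.test",            # not on the allowlist
        "X-Custom-Trace": "a\r\nX-Injected: 1",     # allowed name, but CR/LF in the value
    }


if __name__ == "__main__":
    forwarded, dropped = filter_headers(sample_config())
    print("forwarded:", sorted(forwarded))
    print("dropped:", dropped)
```

Returning the dropped names rather than silently discarding them matters operationally: a scan that fails to authenticate because a needed header was filtered is easier to diagnose when the filter says what it removed.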
Detection coverage and limitations
The scanner covers 12 categories aligned to the OWASP API Top 10, including authentication bypass, broken object level authorization, excessive property exposure, input validation, rate limiting, data exposure, encryption, SSRF, inventory management, unsafe consumption, LLM/AI security, and OpenAPI spec validation. It does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, does not test for blind SSRF, and does not replace a human pentester for high-stakes audits. It also does not fix, patch, block, or remediate findings; it provides detection and remediation guidance.
Product integrations and pricing tiers
The platform provides a Web Dashboard for scanning, viewing reports, tracking score trends, and downloading branded compliance PDFs. The CLI enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a chosen threshold. An MCP Server allows scans from AI coding assistants. Continuous monitoring is available in Pro tiers with scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans, email alerts rate-limited to 1 per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Pricing includes a free tier at 3 scans per month, Starter at $99 per month for 15 APIs, Pro at $499 per month for 100 APIs plus per-API add-ons, and Enterprise at $2000 per month for unlimited APIs with custom rules and SSO.