APIsec for IoT / OT

middleBrick is a self-service API security scanner designed for environments where deploying agents is impractical. You submit a URL and receive a risk score from A to F with prioritized findings. The scanner operates in read-only mode using GET and HEAD methods plus text-only POST for LLM probes, completing in under a minute. This approach suits IoT and OT endpoints that cannot accept SDKs or runtime instrumentation.

The scanner detects 12 security categories aligned to OWASP API Top 10 (2023). It maps findings to PCI-DSS 4.0 and SOC 2 Type II through direct coverage of authentication, encryption, and input validation controls. Detection includes authentication bypass, JWT misconfigurations such as alg=none, BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation attempts, data exposure including PII and API key patterns, SSRF probes targeting internal endpoints, and unsafe consumption surfaces. The OpenAPI parser supports versions 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime behavior.

The scanner includes LLM / AI Security testing with 18 adversarial probes across Quick, Standard, and Deep tiers. Probes exercise system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. These tests help you surface risks specific to AI-enabled interfaces without performing intrusive exploit activities.

Authenticated scanning is available from Starter tier onward, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a restricted allowlist of headers and blocks private IPs, localhost, and cloud metadata endpoints at multiple layers. Findings related to compliance requirements can be supported for audit evidence, and scan data is deletable on demand and never used for model training.

The Web Dashboard centralizes scans, report downloads, and score trends with branded compliance PDFs. The CLI via the middlebrick npm package supports JSON and text output, and the GitHub Action can gate CI/CD when scores drop below a threshold. The MCP Server enables scanning from AI coding assistants. Pro tier adds scheduled rescans at six-hour to monthly intervals, diff detection for score drift, email alerts limited to one per hour per API, HMAC-SHA256 signed webhooks, and Slack or Teams notifications. Enterprise tiers provide unlimited APIs, custom rules, SSO, audit logs, SLAs, and dedicated support.