APIsec for LLM chat endpoints

LLM chat endpoints introduce unique risks because prompts travel over HTTP and model behavior is influenced by attacker-controlled content. APIsec scans these endpoints with a catalog of 18 adversarial probes organized in three tiers: Quick, Standard, and Deep. The scanner probes for system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses such as base64 and ROT10, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction.

Because the scan is read-only and does not execute destructive payloads, it evaluates how endpoints reflect on prompt structure, handle malformed or malicious inputs, and expose internal instructions or sensitive data through responses. Coverage is broad but does not reach blind or out-of-band channels, which remain out of scope.

findings from LLM chat endpoint scans map to OWASP API Top 10 (2023), helping you prepare for SOC 2 Type II audit evidence and aligning with security controls described in PCI-DSS 4.0. Each finding includes a risk score from A to F and prioritized remediation guidance relevant to prompt-injection and model-misuse scenarios.

For frameworks outside these specific mappings, middleBrick supports audit evidence for relevant controls and surfaces findings that align with security controls described in regulations such as HIPAA, GDPR, ISO 27001, NIST, CCPA, and others without asserting compliance or certification.

When credentials are provided, the scanner validates domain ownership through a DNS TXT record or an HTTP well-known file before proceeding. Only safe headers are forwarded: Authorization, X-API-Key, Cookie, and X-Custom-*. This approach supports Bearer, API key, Basic auth, and Cookie authentication for endpoints that require it while maintaining a strict read-only posture.

OpenAPI 3.0, 3.1, and Swagger 2.0 specs are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination that may amplify risk around chat interactions.

APIsec detects injection attempts, encoding obfuscation, prompt leakage, and anomalies in response behavior across scan tiers. It identifies risky HTTP methods, CORS misconfigurations, error leakage, and missing rate limiting that can facilitate abuse of LLM interfaces.

The scanner does not perform active SQL injection or command injection, does not fix or patch findings, and does not detect business logic vulnerabilities that require domain context. Blind SSRF and out-of-band exfiltration paths are also out of scope. It is a detection tool, not a remediation or replacement for human review in high-stakes audits.

The platform delivers results through a web dashboard with score trends, branded compliance PDFs, and exportable reports. The CLI supports single scans with JSON or text output, and the GitHub Action can gate CI/CD when scores fall below defined thresholds. The MCP Server enables scanning from AI coding assistants such as Claude and Cursor.

Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans, email alerts at a rate-limited cadence of 1 per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.