APIsec for VPs of Engineering
What middleBrick covers
- Black-box API scanning with a risk grade from A to F.
- 12 OWASP API Top 10 (2023) aligned detection categories.
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution.
- Authenticated scanning with strict header allowlist.
- CI/CD integration via GitHub Action and CLI.
- Pro tier continuous monitoring with HMAC-SHA256 webhooks.
Overview for engineering leadership
This scanner is a self-service API security tool that accepts a URL and returns a risk grade from A to F with prioritized findings. It performs black-box testing using only read-only methods such as GET and HEAD, plus text-only POST for LLM probes, and completes a scan in under one minute. The solution does not require agents, SDKs, or access to source code, so it works across any language, framework, or cloud environment.
Detection scope aligned to recognized standards
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023). It maps findings to PCI-DSS 4.0 and SOC 2 Type II, and supports audit evidence for these frameworks. Detection coverage includes:
- Authentication bypass and JWT misconfigurations such as alg=none, HS256 use, expired tokens, missing claims, and sensitive data in claims.
- BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing.
- BFLA and privilege escalation through admin endpoint probing and role/permission field leakage.
- Property authorization issues including over-exposure, internal field leakage, and mass-assignment surface.
- Input validation checks for CORS wildcard usage (with and without credentials) and dangerous HTTP methods.
- Rate limiting and resource consumption analysis using rate-limit headers and oversized response detection.
- Data exposure patterns for PII, Luhn-validated card numbers, context-aware SSNs, API key formats, and error/stack-trace leakage.
- Encryption hygiene such as HTTPS redirects, HSTS, cookie flags, and mixed content.
- SSRF probes against URL-accepting parameters and body fields, including internal IP detection.
- Inventory issues like missing versioning, legacy path patterns, and server fingerprinting.
- Unsafe consumption surfaces, including excessive third-party URLs and webhook/callback exposure.
- LLM and AI security with 18 adversarial probes across Quick, Standard, and Deep tiers, targeting jailbreaks, data exfiltration, and token smuggling.
OpenAPI analysis is supported for versions 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings.
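The JWT checks in the list above can be reproduced as a static lint over a token. This is an added example, not middleBrick's code; the required-claim set, the sensitive-key patterns and the finding names are assumptions chosen for illustration.

```javascript
// Added example: static lint of a JWT for the misconfigurations listed above.
// It decodes without verifying the signature, so it is an audit aid, not authentication.
const REQUIRED_CLAIMS = ['iss', 'aud', 'exp', 'sub'];              // assumed policy
const SENSITIVE_KEY = /pass(word)?|secret|ssn|card|api[_-]?key/i;  // assumed patterns

function decodePart(part) {
  const value = JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  if (value === null || typeof value !== 'object') throw new Error('not a JSON object');
  return value;
}

function auditJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return ['malformed'];
  let header, claims;
  try {
    header = decodePart(parts[0]);
    claims = decodePart(parts[1]);
  } catch {
    return ['malformed'];
  }
  const findings = [];
  const alg = String(header.alg || '').toLowerCase();
  if (alg === '' || alg === 'none') findings.push('alg-none');
  if (alg === 'hs256') findings.push('hs256');
  // A signed algorithm with an empty signature segment is as bad as alg=none.
  if (alg !== '' && alg !== 'none' && parts[2] === '') findings.push('empty-signature');
  if (typeof claims.exp === 'number' && claims.exp <= nowSeconds) findings.push('expired');
  for (const name of REQUIRED_CLAIMS) {
    if (!(name in claims)) findings.push(`missing-claim:${name}`);
  }
  for (const key of Object.keys(claims)) {
    if (SENSITIVE_KEY.test(key)) findings.push(`sensitive-claim:${key}`);
  }
  return findings;
}

// Constructed sample tokens (no real keys or signatures).
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const unsigned = `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ sub: 'u1', password: 'x' })}.`;
const stale = `${enc({ alg: 'HS256' })}.${enc({ iss: 'a', aud: 'b', sub: 'u1', exp: 1000 })}.c2ln`;
console.log(auditJwt(unsigned), auditJwt(stale, 2000));
```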
Authenticated scanning and safety controls
Authenticated scans are available from the Starter tier onward, supporting Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a strict allowlist of headers, limited to Authorization, X-API-Key, Cookie, and X-Custom-*.
The tool maintains a safety posture by using read-only methods only, blocking destructive payloads, and filtering private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.
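A sketch of the two controls described above, the header allowlist and the target filter, as an added example that is not middleBrick's implementation. The function names are hypothetical, and the target check covers literal addresses only; a hostname that resolves to a private address needs the same check at connection time.

```javascript
// Added example: forward only allowlisted headers and refuse internal scan targets.
const ALLOWED_HEADERS = new Set(['authorization', 'x-api-key', 'cookie']);

function filterHeaders(headers) {
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    const allowed = ALLOWED_HEADERS.has(lower) || lower.startsWith('x-custom-');
    // Drop values carrying CR/LF so an allowed header cannot smuggle another one.
    if (allowed && !/[\r\n]/.test(String(value))) forwarded[lower] = String(value);
  }
  return forwarded;
}

function isPrivateIPv4(host) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||           // link-local, includes cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function isBlockedTarget(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return true; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return true;
  // new URL() canonicalises IPv4 literals, so decimal and hex forms become dotted quads.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host.startsWith('[')) {
    const v6 = host.slice(1, -1);
    // Loopback, unspecified, unique-local fc00::/7, link-local fe80::/10, IPv4-mapped.
    return v6 === '::1' || v6 === '::' || /^f[cd]/.test(v6) ||
      /^fe[89ab]/.test(v6) || v6.startsWith('::ffff:');
  }
  return isPrivateIPv4(host);
}

// Constructed sample request.
const sampleHeaders = {
  Authorization: 'Bearer t', 'X-Custom-Tenant': 'a',
  'X-Forwarded-For': '10.0.0.1', Cookie: 'a=b\r\nX-Injected: y',
};
console.log(filterHeaders(sampleHeaders), isBlockedTarget('http://169.254.169.254/'));
```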
Operational workflow and reporting
Results are delivered through a web dashboard where scans can be managed, trends tracked, and branded compliance PDFs downloaded. The CLI, published as an npm package, enables scripted workflows with the command middlebrick scan <url>, supporting JSON or text output. A GitHub Action is available to gate CI/CD pipelines, failing the build when the score drops below a configured threshold. The MCP Server allows integration with AI coding assistants such as Claude and Cursor.
For ongoing monitoring, the Pro tier offers scheduled rescans at intervals of 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift, with email alerts rate-limited to one per hour per API. HMAC-SHA256 signed webhooks are provided, with auto-disable after five consecutive failures.
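On the receiving side, an HMAC-SHA256 signed webhook is only useful if the signature is checked over the exact bytes received. The following is an added example, not middleBrick's code: it assumes the signature is the hex HMAC of the raw request body, and the way the signature is transported (header name, encoding) is an assumption to confirm against the vendor's documentation.

```javascript
// Added example (receiver side): verify an HMAC-SHA256 signed webhook.
// Assumption: signature = hex(HMAC-SHA256(secret, raw request body)).
const nodeCrypto = require('node:crypto');

function sign(secret, rawBody) {
  return nodeCrypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

function verifyWebhook(secret, rawBody, signatureHex) {
  // Reject anything that is not exactly 32 bytes of hex before comparing.
  if (typeof signatureHex !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return false;
  }
  const expected = Buffer.from(sign(secret, rawBody), 'hex');
  const received = Buffer.from(signatureHex, 'hex');
  // Constant-time comparison; both buffers are 32 bytes at this point.
  return nodeCrypto.timingSafeEqual(expected, received);
}

// Constructed sample delivery: secret, body and finding names are placeholders.
const secret = 'example-shared-secret';
const rawBody = Buffer.from('{ "api": "orders",  "score": "B", "new_findings": 2 }');
const signature = sign(secret, rawBody);

// Verifying a re-serialised copy fails: whitespace differs, so the bytes differ.
const reserialised = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString('utf8'))));

console.log(
  verifyWebhook(secret, rawBody, signature),       // raw bytes as received
  verifyWebhook(secret, reserialised, signature)   // parsed then re-encoded
);
```

Capture the raw body before any JSON middleware parses it, and reject the delivery when verification fails rather than processing it.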
Limitations and pricing tiers
The scanner does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside scope. Business logic vulnerabilities are also out of scope, as they require domain-specific human analysis. Blind SSRF is not detected due to the absence of out-of-band infrastructure in scope, and the tool does not replace a human pentester for high-stakes audits.
Pricing tiers are structured as follows:
- Free at $0 per month, with 3 scans and CLI access.
- Starter at $99 per month for 15 APIs, monthly scans, dashboard, email alerts, and MCP Server.
- Pro at $499 per month for 100 APIs, with additional APIs at $7 each, continuous monitoring, GitHub Action gates, CI/CD integration, Slack/Teams alerts, compliance reports, and signed webhooks.
- Enterprise at $2000 per month for unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support.