Astra for Pre-seed startups
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Risk scoring aligned to OWASP API Top 10 (2023)
- OpenAPI 3.x and Swagger 2.0 spec parsing with $ref resolution
- Support for Bearer, API key, Basic, and Cookie authentication
- Programmatic access via CLI, API, and MCP Server
- Continuous monitoring with diff detection and alerts
Overview
For teams validating an API-first product before launch, scanning early reduces rework. The tool is a self-service API security scanner that accepts a URL and returns a letter-grade risk score with prioritized findings within a minute. It operates as a black-box scanner, requiring no agents, SDKs, or code access, and supports any language, framework, or cloud target. The scan uses read-only methods plus text-only LLM probes, avoiding intrusive payloads.
Detection scope and mapping
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), including Authentication bypass, BOLA and BFLA, Property Authorization, Input Validation, Rate Limiting, Data Exposure, Encryption, SSRF, Inventory Management, Unsafe Consumption, and LLM / AI Security. It maps findings to OWASP API Top 10 and supports audit evidence for SOC 2 Type II and PCI-DSS 4.0 by surfacing relevant control observations.
- Authentication checks multi-method bypass and JWT misconfigurations such as alg=none, HS256, expired tokens, missing claims, and sensitive data in claims.
- BOLA and IDOR checks detect sequential ID patterns and use active adjacent-ID probing.
- BFLA and Privilege Escalation probe admin endpoints and flag role or permission field leakage.
- Data Exposure identifies PII patterns including email, Luhn-validated card numbers, context-aware SSN, and API key formats for AWS, Stripe, GitHub, and Slack.
- LLM / AI Security runs 18 adversarial probes across Quick, Standard, and Deep tiers, targeting system prompt extraction, instruction override, jailbreaks, data exfiltration, and token smuggling.
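The JWT conditions named in the Authentication item can be checked on your own tokens before a scan. The sketch below is an added example, not middleBrick's code: the required-claim list, the sensitive-name patterns and the sample tokens are assumptions constructed for illustration, and no signature verification is performed.

```python
import base64
import json
import re
import time

# Assumed policy for this example; the page does not say which claims are required.
REQUIRED_CLAIMS = ("exp", "iss", "aud", "sub")
# Assumed claim-name patterns that suggest sensitive data in the payload.
SENSITIVE_NAME = re.compile(r"pass(word)?|secret|ssn|card|api[_-]?key", re.I)

def _encode(obj):
    """Build one unpadded base64url segment (used only for the sample tokens)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _decode(segment):
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def audit_jwt(token, now=None):
    """Inspect a compact JWT without verifying it; return a list of findings."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected three dot-separated segments"]
    try:
        header, claims = _decode(parts[0]), _decode(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["malformed: header or payload is not base64url-encoded JSON"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["malformed: header and payload must be JSON objects"]
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.append("alg=none: token carries no signature")
    elif alg == "hs256":
        findings.append("HS256: symmetric signing, flagged for review")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired token")
    findings += [f"missing claim: {c}" for c in REQUIRED_CLAIMS if c not in claims]
    findings += [f"sensitive claim name: {k}" for k in claims if SENSITIVE_NAME.search(k)]
    return findings

# Constructed sample tokens, not real credentials.
UNSIGNED = ".".join([_encode({"alg": "none"}),
                     _encode({"sub": "42", "exp": 1000, "password": "x"}), ""])
CLEAN = ".".join([_encode({"alg": "RS256"}),
                  _encode({"sub": "42", "exp": 4102444800, "iss": "idp", "aud": "api"}), "c2ln"])

if __name__ == "__main__":
    for name, tok in (("UNSIGNED", UNSIGNED), ("CLEAN", CLEAN)):
        print(name, audit_jwt(tok, now=2000))
```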
OpenAPI analysis and authenticated scanning
It parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing the spec against runtime behavior to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, support includes Bearer, API key, Basic auth, and Cookie, gated by a domain verification step that requires DNS TXT or an HTTP well-known file to confirm ownership. Only a curated allowlist of headers is forwarded, including Authorization, X-API-Key, Cookie, and X-Custom-*.
middlebrick scan https://api.example.com --auth-type bearer --token YOUR_TOKEN --output json
Product usage and integration options
The Web Dashboard centralizes scans, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI, published as an npm package, enables scriptable scans with JSON or text output. A GitHub Action can gate CI/CD, failing builds when scores drop below a defined threshold. An MCP Server allows scans from AI coding assistants, and a programmable API supports custom integrations. Continuous monitoring (Pro tier) adds scheduled rescans, diff detection, hourly rate-limited email alerts, HMAC-SHA256 signed webhooks, and Slack or Teams notifications.
Limitations and safety posture
The scanner does not fix, patch, block, or remediate issues; it detects and provides remediation guidance. It does not execute active SQL injection or command injection tests, which fall outside its read-only scope, nor does it detect business logic vulnerabilities that require domain context. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.