Astra for Series B/C companies

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Risk scoring A–F with prioritized findings
  • OpenAPI 3.x/2.0 parsing with spec-to-runtime cross-check
  • OWASP API Top 10 (2023) coverage and alignment
  • Authenticated scans with strict header allowlists
  • CI/CD integration via GitHub Action and CLI

Overview for Series B/C engineering teams

At this growth stage, engineering and security teams need a scanner that balances depth with operational simplicity. middleBrick is a self-service API security scanner that requires no agents, SDKs, or code access: you submit an API endpoint URL and receive a risk score from A to F with prioritized findings in about a minute. Probing is read-only, using GET and HEAD requests, with the single exception of text-only POST bodies for the LLM probes, and it works against any language, framework, or cloud target without runtime instrumentation.

Detection scope aligned to industry standards

The scanner covers 12 security categories mapped directly to the OWASP API Top 10 (2023). Findings are also aligned to PCI-DSS 4.0 and SOC 2 Type II for audit evidence, and to controls described in other frameworks through mapping language. Detection covers:

  • Authentication bypass and JWT weaknesses: acceptance of alg=none, use of HS256 (symmetric signing), expired or missing claims, and sensitive data carried in token claims
  • BOLA/IDOR: sequential ID enumeration and active probing of adjacent IDs
  • BFLA and privilege escalation: probing of admin endpoints and leakage of role or permission fields
  • Object property-level authorization: over-exposure of fields in responses
  • Input handling and configuration: CORS wildcard origins and dangerous HTTP methods
  • Resource consumption: missing rate limiting and oversized responses
  • Data exposure: PII patterns and recognizable API key formats in responses
  • Encryption misconfigurations
  • SSRF indicators (blind SSRF is out of scope)
  • Inventory issues such as missing API versioning
  • Unsafe consumption surfaces
  • LLM/AI security through multi-tier adversarial probes
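To make the JWT and CORS items concrete, here is an added example (not middleBrick's code) of the passive checks a black-box scanner can run over a captured token and a captured response header set. Finding names, the sensitive-claim list and the sample tokens are constructed for illustration; nothing is sent over the network.

```javascript
// Added example, not middleBrick's code: passive checks of the kind the
// detection list above describes, applied to constructed sample data.
// Inputs are a token string and a map of response headers, as a scanner
// would already hold them after a read-only request.

// Claim names treated as sensitive (an assumption; a real scanner would use a
// longer, configurable list).
const SENSITIVE_CLAIMS = new Set(['password', 'secret', 'ssn', 'credit_card', 'api_key']);

function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(str) {
  const s = str.replace(/-/g, '+').replace(/_/g, '/');
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  return Buffer.from(s + pad, 'base64').toString('utf8');
}

// Builds a compact JWS from parts. The signature is NOT computed: this only
// exists to construct sample tokens to feed the analyzer.
function buildSampleJwt(header, payload, signature) {
  return `${b64urlEncode(JSON.stringify(header))}.${b64urlEncode(JSON.stringify(payload))}.${signature}`;
}

// Decodes header and payload without verifying the signature. A black-box
// scanner reads what the token advertises; it is not the token's verifier.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 dot-separated parts)');
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
    signature: parts[2],
  };
}

// Returns an array of finding IDs (names chosen here, not middleBrick's).
function analyzeJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  const findings = [];
  const alg = String(header.alg || '').toLowerCase();
  if (alg === 'none' || signature === '') findings.push('JWT_ALG_NONE');
  // Symmetric signing: secret strength and key-confusion handling become server-side concerns.
  if (alg === 'hs256') findings.push('JWT_HS256_SYMMETRIC');
  if (payload.exp === undefined) findings.push('JWT_MISSING_EXP');
  else if (Number(payload.exp) < nowSec) findings.push('JWT_EXPIRED');
  for (const claim of Object.keys(payload)) {
    if (SENSITIVE_CLAIMS.has(claim.toLowerCase())) findings.push(`JWT_SENSITIVE_CLAIM:${claim}`);
  }
  return findings;
}

// CORS and method checks over response headers (header names are
// case-insensitive). requestOrigin is the Origin the scanner sent, so that
// reflection of an arbitrary origin can be detected.
function analyzeCors(responseHeaders, requestOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === '*') findings.push('CORS_WILDCARD_ORIGIN');
  // Browsers refuse "*" together with credentials, but they DO honour a
  // reflected Origin with credentials, which is the exploitable case.
  if (acao && requestOrigin && acao === requestOrigin && creds) findings.push('CORS_REFLECTED_ORIGIN_WITH_CREDENTIALS');
  const allow = (h['allow'] || '').split(',').map((m) => m.trim().toUpperCase()).filter(Boolean);
  for (const m of allow) {
    if (m === 'TRACE' || m === 'TRACK') findings.push(`DANGEROUS_METHOD:${m}`);
  }
  return findings;
}

// Constructed samples (no real system issued them).
const SAMPLE_UNSIGNED = buildSampleJwt({ alg: 'none' }, { sub: '42', role: 'admin', password: 'hunter2' }, '');
const SAMPLE_EXPIRED = buildSampleJwt({ alg: 'HS256', typ: 'JWT' }, { sub: '42', exp: 1600000000 }, 'c2lnbmF0dXJl');
```

The analyzer deliberately never validates the signature: the point of a passive check is to report what the token and headers reveal about the server's configuration, and the finding is then confirmed in context, as the FAQ below describes for false positives.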

OpenAPI analysis and authenticated scanning

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, then cross-references the spec against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scans, available from the Starter tier upward, accept Bearer tokens, API keys, Basic auth, or cookies. Before credentials are used, domain ownership must be verified through a DNS TXT record or an HTTP well-known file, so only the domain owner can run credentialed scans against it. A strict header allowlist forwards only Authorization, X-API-Key, Cookie, and X-Custom-* headers; anything else is dropped, which limits noise and unintended side effects but also means an authentication scheme that relies on a differently named header cannot be forwarded.
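The two gates in that paragraph, ownership verification and the header allowlist, are shown below as an added example that is not middleBrick's code. The TXT record format, the well-known file contents and the lookup functions are assumptions for illustration (the product's actual formats are not documented on this page), and the lookups are synchronous stubs so the example runs offline.

```javascript
// Added example, not middleBrick's code: gate credentials behind ownership
// verification and forward only allowlisted headers.

const ALLOWED_EXACT = new Set(['authorization', 'x-api-key', 'cookie']);
const ALLOWED_PREFIX = 'x-custom-';

// Keeps only allowlisted header names; everything else (Host, X-Forwarded-For,
// hop-by-hop headers) is dropped and reported, so a user can see why an auth
// scheme that relies on some other header name did not take effect.
function filterForwardHeaders(userHeaders) {
  const forwarded = {};
  const dropped = [];
  for (const [name, value] of Object.entries(userHeaders)) {
    const lower = name.trim().toLowerCase();
    const allowed = ALLOWED_EXACT.has(lower)
      || (lower.startsWith(ALLOWED_PREFIX) && lower.length > ALLOWED_PREFIX.length);
    // A CR/LF inside a "credential" would inject extra headers into the scan request.
    const clean = typeof value === 'string' && !/[\r\n]/.test(value);
    if (allowed && clean) forwarded[lower] = value;
    else dropped.push(name);
  }
  return { forwarded, dropped };
}

// Assumed verification formats (hypothetical): a TXT record
// "middlebrick-verify=<token>" on the hostname, or the bare token as the body
// of a well-known file served over HTTP.
function isDomainVerified(hostname, expectedToken, lookups) {
  const txt = lookups.resolveTxt(hostname) || [];
  if (txt.some((record) => record === `middlebrick-verify=${expectedToken}`)) return true;
  const body = lookups.fetchWellKnown(hostname);
  return typeof body === 'string' && body.trim() === expectedToken;
}

// Credentials are only filtered into the request after the hostname in the
// target URL has been verified; an unverified domain gets no headers at all.
function prepareAuthenticatedScan(targetUrl, userHeaders, expectedToken, lookups) {
  const hostname = new URL(targetUrl).hostname;
  if (!isDomainVerified(hostname, expectedToken, lookups)) {
    return { ok: false, reason: `ownership of ${hostname} not verified`, forwarded: {}, dropped: [] };
  }
  const { forwarded, dropped } = filterForwardHeaders(userHeaders);
  return { ok: true, hostname, forwarded, dropped };
}

// Constructed lookups standing in for DNS and HTTP (synchronous so the demo
// runs offline; real lookups are asynchronous and must tolerate failures).
const DEMO_LOOKUPS = {
  resolveTxt: (host) => (host === 'api.example.com' ? ['v=spf1 -all', 'middlebrick-verify=tok-7f3a'] : []),
  fetchWellKnown: () => null,
};
```

Matching the TXT record against the verification token for the hostname from the target URL, rather than for any domain the user names, is what ties the credential to the thing being scanned.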

Operational characteristics and safety posture

Scans complete in about a minute per API, and the tool never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation; it is never sold or used for model training. The product does not fix, patch, block, or remediate, nor does it perform intrusive tests such as active SQL or command injection. Business logic vulnerabilities and blind SSRF are out of scope, and it does not replace a human pentester for high-stakes audits. Instead, it provides prioritized findings with remediation guidance to direct internal or outsourced efforts.

Products, integrations, and continuous monitoring

The Web Dashboard centralizes scans, reports, score trends, and branded compliance PDF downloads. The CLI via the middlebrick npm package supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below your chosen threshold. The MCP Server enables scanning from AI coding assistants like Claude and Cursor. For ongoing risk management, the Pro tier offers scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Enterprise tiers add unlimited APIs, custom rules, SSO, audit logs, SLAs, and dedicated support.

Frequently Asked Questions

How does the scanner avoid impacting production traffic?
It uses only read-only methods and never sends destructive payloads. Private IPs and cloud metadata endpoints are blocked, and scan intensity is capped to avoid service disruption.
Can I integrate scans into my existing CI/CD pipeline?
Yes, the GitHub Action can fail builds when the score drops below a defined threshold, enabling automated gating without custom scripting.
What is required to perform authenticated scans?
You need a valid credential set (Bearer, API key, Basic auth, or cookie) and verified domain ownership via DNS TXT record or HTTP well-known file.
Does the tool provide evidence for compliance audits?
It aligns findings to PCI-DSS 4.0 and SOC 2 Type II and supports audit evidence for controls described in other frameworks through appropriate mapping.
How are false positives handled?
The scanner reports what it observes; you validate findings in context. Results include detailed evidence to help triage and reduce noise during review.