Best alternative to Salt Security

What middleBrick covers

  • Black-box API scanning with under one minute scan time
  • Risk score A–F with prioritized findings
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • OWASP API Top 10, PCI-DSS 4.0, and SOC 2 Type II mapping
  • Authenticated scans with Bearer, API key, Basic, and Cookie
  • CI/CD integration via GitHub Action and CLI

Overview and positioning

middleBrick serves as a direct alternative to Salt Security for teams that need a fast, black-box API risk scanner without agent-based deployment. Submit a URL and receive a letter-grade risk score with prioritized findings in under a minute. The scanner exercises endpoints using read-only methods such as GET and HEAD, and text-only POST for LLM probes, avoiding destructive payloads. It is designed for security and engineering teams that want lightweight coverage without requiring code access, SDKs, or runtime instrumentation.

Detection scope aligned to industry standards

middleBrick maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II controls, providing audit-relevant evidence rather than claiming compliance. Detection categories include authentication bypass and JWT misconfigurations, broken object level authorization and IDOR, business logic abuse indicators, property over-exposure, input validation issues like CORS wildcard misconfigurations, rate limiting and resource consumption signals, and sensitive data exposure such as PII and API key patterns. The scanner also covers transport security checks, SSRF indicators in URL-accepting parameters, inventory issues like missing versioning, unsafe consumption surfaces, and LLM/AI security probes across multiple tiers.

  • Authentication — multi-method bypass, JWT alg=none, expired tokens, missing claims, sensitive data in payloads, security and WWW-Authenticate header compliance.
  • BOLA / IDOR — sequential ID enumeration and active adjacent-ID probing.
  • BFLA / Privilege Escalation — admin endpoint discovery and role/permission leakage.
  • Property Authorization — over-exposure and internal field leakage, mass-assignment surface.
  • Input Validation — CORS wildcard with and without credentials, dangerous HTTP methods, debug endpoints.
  • Rate Limiting & Resource Consumption — rate-limit header presence, oversized responses, unpaginated arrays.
  • Data Exposure — email, Luhn-validated card numbers, context-aware SSN, API key formats, error and stack trace leakage.
  • Encryption — HTTPS redirect, HSTS, cookie flags, mixed content.
  • SSRF — URL-accepting parameters and body fields, internal IP detection patterns.
  • Inventory Management — missing versioning, legacy path patterns, server fingerprinting.
  • Unsafe Consumption — excessive third-party URLs, webhook and callback surface.
  • LLM / AI Security — 18 adversarial probes across Quick, Standard, and Deep scan tiers, including system prompt extraction, instruction override, jailbreaks, data exfiltration, token smuggling, and multi-turn manipulation.
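Several of the categories above (CORS wildcard with credentials, HSTS and cookie flags, rate-limit headers, unpaginated arrays, server fingerprinting) are passive checks over a single response. The following is an added example of such checks written as a defender's self-assessment helper; it is not middleBrick's code, and the severity labels, the 50-item pagination threshold and the constructed sample response are assumptions.

```python
import json
from dataclasses import dataclass

# Constructed sample of one HTTP response, shaped like what a black-box scan sees.
SAMPLE_RESPONSE = {
    "url": "https://api.example.com/users",
    "headers": {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
        "Set-Cookie": "session=abc123; Path=/",
        "Server": "Express/4.18.2",
    },
    "body": json.dumps([{"id": i} for i in range(1, 101)]),
}

@dataclass
class Finding:
    category: str  # names follow the detection list above
    severity: str
    detail: str

def check_response(resp):
    """Passive checks over one response: headers and body only, no extra requests sent."""
    findings = []
    h = {k.lower(): v for k, v in resp["headers"].items()}
    # Input Validation: wildcard CORS is worse when credentials are also allowed
    if h.get("access-control-allow-origin") == "*":
        with_creds = h.get("access-control-allow-credentials", "").lower() == "true"
        findings.append(Finding("Input Validation", "high" if with_creds else "medium",
                                "CORS wildcard" + (" with credentials" if with_creds else "")))
    # Encryption: HSTS on HTTPS endpoints, Secure and HttpOnly on cookies
    if resp["url"].startswith("https://") and "strict-transport-security" not in h:
        findings.append(Finding("Encryption", "medium", "missing HSTS header"))
    if "set-cookie" in h:
        flags = {p.strip().lower() for p in h["set-cookie"].split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in flags:
                findings.append(Finding("Encryption", "low", f"cookie missing {flag} flag"))
    # Rate Limiting & Resource Consumption: limit headers and unpaginated arrays
    if not any(k.startswith(("x-ratelimit", "ratelimit", "retry-after")) for k in h):
        findings.append(Finding("Rate Limiting", "low", "no rate-limit headers"))
    try:
        body = json.loads(resp["body"])
    except ValueError:
        body = None
    if isinstance(body, list) and len(body) > 50:  # 50 is an assumed page-size threshold
        findings.append(Finding("Rate Limiting", "medium", f"unpaginated array of {len(body)} items"))
    # Inventory Management: server header fingerprinting
    if "server" in h:
        findings.append(Finding("Inventory Management", "info", f"server fingerprint: {h['server']}"))
    return findings
```

Running check_response(SAMPLE_RESPONSE) yields seven findings; a response with HSTS, a specific allowed origin, rate-limit headers and a paginated body yields none.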

OpenAPI analysis and authenticated scanning

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 files with recursive $ref resolution, then cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, which are available from Starter tier onward, the scanner supports Bearer, API key, Basic auth, and Cookie credentials. A domain verification gate ensures that only the domain owner can scan with credentials, and a strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.

middlebrick scan https://api.example.com --auth-type bearer --auth-token <token> --output json

Product options and integrations

The Web Dashboard centralizes scans, score trends, and branded compliance PDF downloads. The CLI, published as the middlebrick npm package, enables scripting and local execution with JSON or text output. A GitHub Action acts as a CI/CD gate, failing builds when the score drops below a configurable threshold. An MCP server allows scanning from AI coding assistants such as Claude and Cursor, and a programmatic API supports custom integrations. Continuous monitoring in Pro tier includes scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans, hourly-rate-limited email alerts, HMAC-SHA256 signed webhooks with auto-disable after 5 consecutive failures, and integrations with Slack and Teams.
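The webhook and CI gate described above both rest on the receiver doing two things: verifying the HMAC-SHA256 signature over the exact bytes delivered before parsing anything, and comparing the letter grade against a threshold. The following is an added example of a receiving endpoint's logic, not middleBrick's own code; the signature header name, hex encoding of the signature, payload shape and the constructed secret are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed secret and constructed payload. The header name, hex encoding of the
# signature, and payload shape are assumptions (hypothetical), not documented here.
WEBHOOK_SECRET = b"constructed-example-secret"
SIGNATURE_HEADER = "x-webhook-signature"  # hypothetical header name
GRADES = "ABCDEF"  # letter grades from best to worst, as used by the risk score

def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body, as the sender is assumed to compute it."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """True only when the signature header matches the HMAC of the exact bytes received.
    compare_digest keeps the comparison constant-time; a missing header fails closed."""
    provided = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(provided, sign_payload(secret, raw_body))

def grade_passes(score: str, min_grade: str) -> bool:
    """A score passes the gate when it is at least as good as min_grade (A is best)."""
    return GRADES.index(score) <= GRADES.index(min_grade)

def handle_scan_webhook(secret: bytes, headers: dict, raw_body: bytes, min_grade: str = "B") -> dict:
    """Verify before parsing: an unsigned or forged delivery never reaches json.loads."""
    if not verify_webhook(secret, headers, raw_body):
        return {"accepted": False, "reason": "bad signature"}
    event = json.loads(raw_body)
    score = event.get("score", "F")  # an absent score is treated as worst case
    return {"accepted": True, "score": score, "passes_gate": grade_passes(score, min_grade)}

if __name__ == "__main__":
    body = json.dumps({"url": "https://api.example.com", "score": "C"}).encode()
    sig = sign_payload(WEBHOOK_SECRET, body)
    print(handle_scan_webhook(WEBHOOK_SECRET, {"X-Webhook-Signature": sig}, body))
```

Verify against the raw request bytes, not a re-serialized JSON object, since any whitespace or key-order change alters the MAC.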

Limitations and safety posture

middleBrick is a scanner that detects and reports; it does not fix, patch, block, or remediate findings. It does not perform active SQL injection or command injection testing, which would require intrusive payloads outside its scope, nor does it detect business logic vulnerabilities that demand domain understanding. Blind SSRF and other out-of-band infrastructure issues are not in scope, and the tool does not replace a human pentester for high-stakes audits. Safety measures include restricting scans to read-only methods, blocking private IPs, localhost, and cloud metadata endpoints at multiple layers, and deleting customer data on demand, with purges within 30 days of cancellation. No scan data is sold or used for model training.

Frequently Asked Questions

How does middleBrick compare to Salt Security?
middleBrick offers a faster, black-box scanner with a letter-grade risk score and prioritized findings, while Salt Security focuses on runtime API security. middleBrick requires no agents or code access, scans in under a minute, and supports OpenAPI analysis and authenticated scans from Starter tier onward.
Which frameworks does middleBrick map findings to?
middleBrick maps findings directly to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II. For other regulations, it supports audit evidence collection and aligns with security controls described in relevant frameworks.
Can I integrate middleBrick into my CI/CD pipeline?
Yes. The GitHub Action fails builds when the score drops below a threshold, and the CLI and API enable custom pipeline integration with JSON output and programmable controls.
What happens to my scan data after cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. Data is never sold and is not used for model training.
Does middleBrick perform active exploitation like SQL injection?
No. middleBrick does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope.