Bright Security for Enterprise organizations
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring with prioritized findings
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing
- Authenticated scans with strict header allowlists
- Continuous monitoring and diff detection
- CI/CD integration with build gating
Risk assessment without infrastructure dependency
This self-service API security scanner takes a URL and returns a letter-grade risk score with prioritized findings. Because it operates as a black-box scanner, it requires no agents, SDKs, or code access; it supports any language, framework, or cloud deployment and completes a scan in under a minute using read-only methods.
Detection coverage aligned to industry standards
The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It detects 12 security categories, including authentication bypass, broken object level authorization, privilege escalation, property over-exposure, input validation issues, rate limiting anomalies, data exposure patterns, encryption misconfigurations, SSRF indicators, inventory management gaps, unsafe consumption surfaces, and LLM/AI security probes across multiple depth tiers.
OpenAPI specifications in versions 3.0, 3.1, and Swagger 2.0 are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to identify undefined security schemes or deprecated operations.
Authenticated scanning and safety controls
Authenticated scans are available from the Starter tier onward, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
The scanner maintains a strict read-only posture. Destructive payloads are never sent, private IPs and localhost are blocked at multiple layers, and customer data is deletable on demand and purged within 30 days of cancellation.
Product formats and continuous monitoring
The Web Dashboard centralizes scan management, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI accepts commands such as middlebrick scan <url> and outputs structured JSON or text. A GitHub Action can gate CI/CD pipelines, failing builds when scores drop below a defined threshold.
The Pro tier enables scheduled rescans at intervals ranging from 6 hours to monthly, with diff detection to surface new or resolved findings. HMAC-SHA256 signed webhooks and rate-limited email alerts provide automated feedback, while the MCP Server allows scans from AI-assisted coding environments.
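As an added example (not middleBrick's own code, and not its documented wire format), a receiver-side check for the HMAC-SHA256 signed webhooks mentioned above, with a replay window so an intercepted delivery cannot be resubmitted later. The header names, the "sha256=" prefix, the timestamp-dot-body signing input and the 5-minute skew limit are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed wire format (not stated on this page): the sender puts a Unix timestamp
# in X-Webhook-Timestamp and "sha256=" + hex(HMAC-SHA256(secret, "<ts>.<body>"))
# in X-Webhook-Signature. Both header names are placeholders.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # reject deliveries older (or newer) than five minutes


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Compute the signature the sender is assumed to attach."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now: Optional[int] = None) -> bool:
    """Return True only if the body is authentic and the delivery is fresh."""
    now = int(time.time()) if now is None else now
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    sig = h.get(SIGNATURE_HEADER.lower())
    ts_raw = h.get(TIMESTAMP_HEADER.lower())
    if not sig or not ts_raw:
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # replayed or badly skewed delivery
    expected = sign(secret, ts, body)
    # Constant-time comparison so the check leaks nothing about the MAC bytes.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed sample delivery, not real scanner output.
    secret = b"constructed-shared-secret"
    body = b'{"scan_id":"example","score":"B","new_findings":2}'
    ts = 1_700_000_000
    headers = {SIGNATURE_HEADER: sign(secret, ts, body), TIMESTAMP_HEADER: str(ts)}
    print(verify(secret, headers, body, now=ts + 10))         # True
    print(verify(secret, headers, body + b" ", now=ts + 10))  # False: body altered
    print(verify(secret, headers, body, now=ts + 3600))       # False: stale
```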
Limitations and compliance framing
The tool does not fix, patch, or remediate issues; it reports findings with remediation guidance. It does not perform intrusive tests such as active SQL or command injection, nor does it detect business logic vulnerabilities that require domain context. It also does not replace a human pentester for high-stakes audits.
For other frameworks, the scanner helps you prepare for audits and supports evidence collection, aligning with the security controls described in the relevant standards. Note that the scanner is a testing tool, not a certified auditor, and cannot guarantee or ensure compliance with any regulatory regime.