Bright Security for Series A startups

As a Series A startup, your API surface expands quickly while engineering resources remain constrained. middleBrick provides a self service scanner that returns a letter grade from A to F and prioritized findings in under a minute. The approach is black box, requiring no agents, SDKs, or access to source code, and it supports any language, framework, or cloud deployment.

The scanner covers 12 categories aligned to OWASP API Top 10 (2023), including Authentication bypass, BOLA and BFLA, Property Authorization, Input Validation, Rate Limiting, Data Exposure, Encryption, SSRF, Inventory Management, Unsafe Consumption, and LLM / AI Security. It maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10, helping you prepare for audits and controls reviews across these frameworks.

OpenAPI 3.0, 3.1, and Swagger 2.0 files are parsed with recursive $ref resolution, and spec definitions are cross referenced against runtime behavior to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. The tool does not perform active SQL injection or command injection testing, as those are outside its design scope.

With Starter tier and above, you can enable authenticated scans using Bearer tokens, API keys, Basic auth, or cookies. Domain verification is enforced through a DNS TXT record or an HTTP well known file, ensuring only the domain owner can submit credentials. Allowed headers are limited to Authorization, X-API-Key, Cookie, and X-Custom-*, and read-only methods are used exclusively.

Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation. The scanner does not fix, patch, block, or remediate issues; it reports findings with remediation guidance and does not replace a human pentester for high-stakes audits.

The Web Dashboard centralizes scans, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI npm package supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below your chosen threshold.

The MCP Server enables scanning from AI coding assistants like Claude and Cursor. For ongoing risk management, Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans, email alerts at a rate limited pace, and HMAC-SHA256 signed webhooks that auto disable after 5 consecutive failures.

The scanner includes specific testing for LLM and AI Security across three tiers: Quick, Standard, and Deep. It runs 18 adversarial probes targeting system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation embedded injection, few shot poisoning, markdown injection, multi turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction.

These probes surface risks relevant to AI integrated products and help you understand how model interfaces may be abused. As with other findings, the tool reports the issue and suggests remediation but does not perform active exploitation or guarantee mitigation.