Cheapest API security scanner

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies
  • Risk scoring from A to F with prioritized findings
  • Detection aligned to OWASP API Top 10, PCI-DSS 4.0, SOC 2
  • OpenAPI 3.x and Swagger 2.0 parsing with ref resolution
  • Authenticated scanning with header allowlist controls
  • Continuous monitoring with diff detection and webhooks

What is the cheapest API security scanner

A self-service API security scanner that accepts a URL and returns a risk score from A to F with prioritized findings. It operates as a black-box scanner without agents, SDKs, or code access, supporting any language, framework, or cloud. Scan times remain under one minute using read-only methods such as GET and HEAD, with text-only POST for LLM probes. This approach provides a low-cost entry point without requiring changes to your runtime or deployment pipeline.

Detection coverage aligned to major standards

The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection categories include authentication bypass, JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation attempts, and object property authorization over-exposure. It also covers input validation issues such as CORS misconfigurations, rate-limiting behavior, data exposure patterns including PII and API key formats, encryption misconfigurations, SSRF indicators, inventory management gaps, unsafe consumption surfaces, and LLM/AI security probes across tiered scan depths.

OpenAPI analysis and authenticated scanning

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings such as undefined security schemes or missing pagination. Authenticated scanning (Starter tier and above) supports Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced through DNS TXT records or HTTP well-known files to ensure only domain owners can scan with credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers.
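The header allowlist described above, as an added example that is not middleBrick's own code: it forwards only the header names the page lists (Authorization, X-API-Key, Cookie, X-Custom-*), compares names case-insensitively, and additionally drops any header whose name or value contains CR or LF. The case-insensitive matching and the CR/LF rejection are assumptions about how such a filter should behave, not details stated on the page.

```python
"""Forward only allowlisted headers to the scan target.

Added example, not middleBrick's code. It assumes the allowlist stated on the
page (Authorization, X-API-Key, Cookie, X-Custom-*), case-insensitive name
matching, and that CR/LF in a name or value disqualifies a header.
"""
from typing import Dict, Tuple

# Exact header names the scanner forwards (compared case-insensitively).
ALLOWED_EXACT = {"authorization", "x-api-key", "cookie"}
# Prefix for the X-Custom-* wildcard entry.
ALLOWED_PREFIX = "x-custom-"


def is_allowed_header(name: str) -> bool:
    """Return True if a header name is on the forwarding allowlist."""
    lowered = name.strip().lower()
    if lowered in ALLOWED_EXACT:
        return True
    # The wildcard needs at least one character after the prefix, so a bare
    # "X-Custom-" header is rejected.
    return lowered.startswith(ALLOWED_PREFIX) and len(lowered) > len(ALLOWED_PREFIX)


def filter_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split user-supplied headers into (forwarded, dropped).

    Names or values containing CR/LF are dropped regardless of the allowlist,
    because they could smuggle extra header lines into the outbound request
    (assumed hardening, not stated on the page).
    """
    forwarded: Dict[str, str] = {}
    dropped: Dict[str, str] = {}
    for name, value in headers.items():
        if "\r" in name or "\n" in name or "\r" in value or "\n" in value:
            dropped[name] = value
        elif is_allowed_header(name):
            forwarded[name] = value
        else:
            dropped[name] = value
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample of headers a user might supply for an authenticated scan.
    sample = {
        "Authorization": "Bearer <redacted>",
        "x-api-key": "<redacted>",
        "X-Custom-Tenant": "acme",
        "Host": "internal.example",
        "X-Forwarded-For": "127.0.0.1",
    }
    fwd, drop = filter_headers(sample)
    print("forwarded:", sorted(fwd))
    print("dropped:", sorted(drop))
```

The point of keeping a separate `dropped` map is auditability: a scanner can show the user exactly which headers it refused to forward instead of silently discarding them.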

Products, integrations, and continuous monitoring

The Web Dashboard centralizes scans, reports, and score trends with downloadable branded compliance PDFs. The CLI, installed from the middlebrick npm package, supports commands such as middlebrick scan with JSON or text output. A GitHub Action can gate CI/CD, failing builds when scores drop below a set threshold. The MCP Server enables scanning from AI coding assistants. Continuous monitoring in the Pro tier provides scheduled rescans at intervals from every six hours to monthly, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.
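The signed-webhook mechanism above, as an added example that is not middleBrick's own code: the receiver side verifies an HMAC-SHA256 signature with a constant-time comparison and rejects stale timestamps, and a small sender-side record implements the "disable after five consecutive failures" rule. The page states only HMAC-SHA256 signing and the five-failure cutoff; the header names (X-Signature, X-Timestamp), the "sha256=<hex>" encoding, the "<timestamp>.<body>" signing input, and the 300-second replay window are assumptions for this illustration.

```python
"""Verify HMAC-SHA256 signed webhooks and model the auto-disable rule.

Added example, not middleBrick's code. Header names, signature encoding and
the replay window are assumptions; the algorithm and the five-failure cutoff
come from the page.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

SIGNATURE_HEADER = "X-Signature"   # assumed header name
TIMESTAMP_HEADER = "X-Timestamp"   # assumed header name
MAX_SKEW_SECONDS = 300             # assumed replay window
MAX_CONSECUTIVE_FAILURES = 5       # stated on the page


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Compute the signature the sender attaches: HMAC over "<ts>.<body>"."""
    msg = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> bool:
    """Receiver-side check: reject stale timestamps and bad signatures.

    hmac.compare_digest keeps the comparison time independent of how many
    leading bytes of the presented signature were correct.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get(TIMESTAMP_HEADER, ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    presented = headers.get(SIGNATURE_HEADER, "")
    if not isinstance(presented, str) or not presented.isascii():
        return False
    return hmac.compare_digest(sign(secret, ts, body), presented)


@dataclass
class WebhookEndpoint:
    """Sender-side bookkeeping for one subscriber URL."""
    url: str
    consecutive_failures: int = 0
    enabled: bool = True

    def record(self, delivered: bool) -> None:
        """Reset the counter on success; disable after five failures in a row."""
        if delivered:
            self.consecutive_failures = 0
            return
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.enabled = False


def dispatch(endpoint: WebhookEndpoint, results: List[bool]) -> WebhookEndpoint:
    """Apply a sequence of delivery outcomes (True = 2xx) to an endpoint."""
    for ok in results:
        if not endpoint.enabled:
            break   # a disabled endpoint receives no further attempts
        endpoint.record(ok)
    return endpoint


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    # Constructed payload shaped like a diff-detection notification.
    payload = json.dumps({"api": "https://api.example.test", "score": "B",
                          "diff": {"new_findings": 1}}).encode()
    ts = int(time.time())
    hdrs = {TIMESTAMP_HEADER: str(ts), SIGNATURE_HEADER: sign(secret, ts, payload)}
    print("valid:", verify(secret, hdrs, payload))
    tampered = payload.replace(b'"B"', b'"A"')
    print("tampered accepted:", verify(secret, hdrs, tampered))
    ep = dispatch(WebhookEndpoint("https://hooks.example.test/mb"),
                  [True, False, False, False, False, False])
    print("enabled after 5 failures:", ep.enabled)
```

Binding the timestamp into the signed message is what makes the replay window meaningful: an attacker who captures a valid delivery cannot re-send it later with a fresh timestamp, because the signature would no longer match.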

Pricing tiers and safety posture

The Free tier offers three scans per month with CLI access. Starter, at 99 dollars per month, supports 15 APIs, monthly scans, the dashboard, email alerts, and the MCP Server. Pro, at 499 dollars per month, covers 100 APIs with additional APIs at 7 dollars each, and adds continuous monitoring, GitHub Action gates, CI/CD integration, Slack or Teams alerts, compliance reports, and signed webhooks. Enterprise, at 2000 dollars or more per month, provides unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support. Safety measures include the use of read-only methods only; blocking of private IPs, localhost, and cloud metadata endpoints at multiple layers; and strict data handling: scan data is deletable on demand, purged within 30 days of cancellation, never sold, and never used for model training.
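The "blocked at multiple layers" safety measure above, as an added example that is not middleBrick's own code: a scan-target guard that rejects non-HTTP schemes, a denylist of hostnames before any DNS lookup, literal private, loopback, link-local and metadata addresses (including IPv4-mapped IPv6 forms), and DNS answers that contain any such address. The page states only that private IPs, localhost and cloud metadata endpoints are blocked at several layers; the specific layers, the hostname denylist, and the injected resolver with its constructed DNS table are assumptions.

```python
"""Refuse scan targets that point at private, loopback or cloud-metadata
addresses, checked at several layers.

Added example, not middleBrick's code. The layers, the hostname denylist and
the constructed DNS table are assumptions; the page only states that such
targets are blocked at multiple layers.
"""
import ipaddress
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Layer 1: hostnames refused before any DNS lookup (assumed list).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}
BLOCKED_SUFFIXES = (".localhost", ".internal")

Resolver = Callable[[str], List[str]]


def _unwrap(ip):
    """Treat ::ffff:a.b.c.d the same as a.b.c.d so mapped forms cannot slip past."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_public_address(addr: str) -> bool:
    """Layers 2 and 3: address policy applied to URL literals and DNS answers."""
    try:
        ip = _unwrap(ipaddress.ip_address(addr))
    except ValueError:
        return False   # unparseable means not provably safe
    # 169.254.169.254 (IMDS) is link-local; fd00:ec2::254 is unique-local,
    # which ipaddress reports as private.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_target(url: str, resolve: Resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). `resolve` is injected so this runs offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES or host.endswith(BLOCKED_SUFFIXES):
        return False, f"hostname {host!r} is denylisted"
    # A literal IP in the URL is checked directly, with no DNS involved.
    try:
        ipaddress.ip_address(host)
        literal = True
    except ValueError:
        literal = False
    addresses = [host] if literal else resolve(host)
    if not addresses:
        return False, f"{host!r} did not resolve"
    # Every answer must be public; a mixed answer set is a rebinding pattern.
    for a in addresses:
        if not is_public_address(a):
            return False, f"{host!r} resolves to blocked address {a}"
    return True, "ok"


# Constructed DNS table standing in for a real resolver (8.8.8.8 is just a
# well-known public address used as a sample answer).
CONSTRUCTED_DNS = {
    "api.example.test": ["8.8.8.8"],
    "rebind.example.test": ["8.8.8.8", "10.0.0.5"],
    "imds.example.test": ["169.254.169.254"],
}


def fake_resolve(host: str) -> List[str]:
    """Offline resolver backed by the constructed table above."""
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    for target in ("https://api.example.test/v1", "http://localhost:8080/",
                   "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/",
                   "http://rebind.example.test/", "file:///etc/passwd"):
        print(target, "->", check_target(target, fake_resolve))
```

One caveat a practitioner should keep in mind: checking the resolved address and then letting the HTTP client resolve the name again leaves a window for a DNS rebinding answer to differ. The robust pattern is to connect to the address that passed the check, which is why this guard returns the vetted addresses' verdict rather than trusting a later lookup.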

Frequently Asked Questions

Does this tool perform intrusive tests like SQL injection?
No. The scanner does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope.

Can it detect business logic vulnerabilities?
No. It does not detect business logic vulnerabilities, which require domain-specific human expertise.

Does the scanner remediate or fix findings?
No. The tool detects and reports with remediation guidance, but does not fix, patch, block, or remediate issues.

Is compliance with HIPAA or GDPR claimed?
No. The tool aligns with security controls described in standards and helps prepare evidence, but does not certify or ensure compliance.