Cheapest CLI API security scanner

What middleBrick covers

  • Black-box scanning without agents or code access
  • Risk scoring with prioritized findings in under a minute
  • Detection aligned to OWASP API Top 10, PCI-DSS, SOC 2
  • Authenticated scanning with header allowlist controls
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with spec/runtime cross-reference
  • Integration via CLI, dashboard, GitHub Action, MCP Server, API

Overview of CLI API security scanning

CLI API security scanners run black-box tests against reachable endpoints using read-only methods such as GET and HEAD; the only write method is a text-only POST used for LLM probes. They require only a target URL and return a risk score with prioritized findings in under a minute. Because no code access, agent, or SDK is involved, the approach applies to any language, framework, or cloud deployment. The results are an initial indicator of security posture, not a final verdict: anything that needs intrusive payloads or domain knowledge of the application is out of scope.

Detection scope aligned to standards

The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It covers 12 detection categories: authentication bypass, broken object level authorization, broken function level authorization, broken object property level authorization, input validation flaws, rate limiting and resource consumption weaknesses, data exposure (PII and API key patterns in responses), encryption misconfigurations, SSRF indicators, inventory management problems, unsafe consumption surfaces, and LLM/AI security probes, with checks run at tiered scan depths. For other frameworks there is no direct mapping; the tool helps you prepare for audits by surfacing issues that correspond to the security controls those frameworks require and by providing scan output usable as audit evidence.

Authenticated scanning and safety controls

Authenticated scanning is available from the Starter tier and above and supports Bearer tokens, API keys, Basic auth, and cookies. Before credentials can be used against a domain, ownership is verified through a DNS TXT record or an HTTP well-known file, so only the domain owner can run authenticated scans against it. Header forwarding is limited to an allowlist of Authorization, X-API-Key, Cookie, and X-Custom-* headers; anything else supplied is dropped rather than sent to the target. Requests use read-only methods only (the text-only POST for LLM probes being the one exception), and destructive payloads are never sent. Private IP ranges, localhost, and cloud metadata endpoints are blocked as scan targets at multiple layers, so the scanner cannot be pointed at internal infrastructure. Customer data is deletable on demand and is never sold or used for model training.
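The two safety controls described above, the header allowlist and the target block for private, loopback and metadata addresses, are simple enough to show in code. The block below is an added example written for this page, not middleBrick's own code; the allowlist is the one the page lists, while the metadata host names, the rejection of hostnames that resolve to any blocked address (so a mixed public/private DNS answer is not partially allowed), and the injectable resolver are this example's assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Allowlist from the page: these header names are forwarded, everything else is dropped.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)

# Assumed (example) set of cloud metadata endpoints that must never be scanned.
METADATA_HOSTS = {
    "169.254.169.254",            # AWS / Azure / GCP IMDS (IPv4)
    "fd00:ec2::254",              # AWS IMDS over IPv6
    "metadata.google.internal",
    "metadata",
}


def filter_headers(headers: dict) -> dict:
    """Return only allowlisted headers; matching is case-insensitive on the name."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ALLOWED_HEADERS or lname.startswith(ALLOWED_PREFIXES):
            kept[name] = value
    return kept


def is_blocked_ip(ip: str) -> bool:
    """True for anything that is not a routable public address (raises ValueError if not an IP)."""
    addr = ipaddress.ip_address(ip)
    return (
        ip in METADATA_HOSTS
        or addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
        or not addr.is_global
    )


def check_target(url: str, resolver=socket.gethostbyname_ex) -> tuple:
    """Gate a scan target. Returns (ok, reason). `resolver` is injectable so tests run offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    host = host.lower()
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        return False, "blocked host name"
    try:                       # IP literal: decide without touching DNS
        if is_blocked_ip(host):
            return False, "blocked address"
        return True, "ok"
    except ValueError:
        pass                   # a hostname; resolve it below
    try:
        _, _, addrs = resolver(host)
    except OSError:
        return False, "unresolvable host"
    # Every answer must be public: a name that also resolves to an internal address
    # (DNS rebinding style) is rejected outright rather than partially allowed.
    for a in addrs:
        if is_blocked_ip(a):
            return False, f"{host} resolves to blocked address {a}"
    return True, "ok"
```

Both checks are cheap and run before any request is sent; a scanner that validates only the URL string, without resolving it, can still be steered into an internal network by a hostname under the attacker's control.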

OpenAPI analysis and integration options

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Integration options include a Web Dashboard for reporting and trend tracking, a CLI via the middlebrick npm package using middlebrick scan <url> with JSON or text output, a GitHub Action for CI/CD gating, an MCP Server for AI coding assistants, and a programmatic API for custom integrations. Continuous monitoring on the Pro tier supports scheduled rescans, diff detection, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks with auto-disable after five consecutive failures.
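The spec-side half of the cross-reference described above (undefined security schemes, operations with no security at all, deprecated operations, list endpoints without pagination parameters, and sensitive field names in response schemas) can be reproduced with a short walk over a parsed OpenAPI document. The block below is an added example for this page, not middleBrick's parser; the sample spec is constructed with deliberate defects, and the pagination parameter names and sensitive-field pattern are this example's assumptions. Runtime findings, the other half of the cross-reference, are not modelled here.

```python
import json
import re

# Constructed sample spec (not a real API). Planted defects: an undefined security scheme,
# a deprecated list endpoint with no pagination, an operation with no security at all,
# and a sensitive field exposed in a response schema.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.3",
  "info": {"title": "Demo", "version": "1"},
  "components": {
    "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
    "parameters": {"Page": {"name": "page", "in": "query", "schema": {"type": "integer"}}},
    "schemas": {
      "User": {"type": "object", "properties": {"id": {"type": "string"},
               "email": {"type": "string"}, "password_hash": {"type": "string"}}},
      "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}}
    }
  },
  "paths": {
    "/users": {"get": {"security": [{"bearer": []}],
      "parameters": [{"$ref": "#/components/parameters/Page"}],
      "responses": {"200": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
    "/users/{id}": {"get": {"security": [{"bearer": []}],
      "responses": {"200": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}}},
    "/admin/export": {"get": {"security": [{"apiKey": []}], "deprecated": true,
      "responses": {"200": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
    "/health": {"get": {"responses": {"200": {"description": "ok"}}}}
  }
}""")

SENSITIVE = re.compile(r"(password|passwd|secret|token|api_?key|ssn|credit_?card)", re.I)  # assumed pattern
PAGINATION = {"page", "limit", "offset", "cursor", "page_size", "per_page"}                  # assumed names
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def resolve(node, spec, seen=()):
    """Recursively inline local '#/...' $ref pointers; a cycle is cut, not followed forever."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in seen:
                return {"$circular": ref}
            target = spec
            for part in ref[2:].split("/"):           # RFC 6901 pointer, ~1 then ~0 unescaping
                key = part.replace("~1", "/").replace("~0", "~")
                target = target[int(key)] if isinstance(target, list) else target[key]
            return resolve(target, spec, seen + (ref,))
        return {k: resolve(v, spec, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, spec, seen) for v in node]
    return node


def field_names(schema, acc=None):
    """Collect property names reachable through properties/items/allOf/oneOf/anyOf."""
    acc = set() if acc is None else acc
    if isinstance(schema, dict):
        for name, sub in schema.get("properties", {}).items():
            acc.add(name)
            field_names(sub, acc)
        field_names(schema.get("items"), acc)
        for sub in schema.get("allOf", []) + schema.get("oneOf", []) + schema.get("anyOf", []):
            field_names(sub, acc)
    return acc


def response_schemas(op):
    for resp in op.get("responses", {}).values():
        for media in resp.get("content", {}).values():
            yield media.get("schema", {})


def analyze(spec):
    """Return (category, location) findings for the spec-side checks."""
    spec = resolve(spec, spec)
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    global_sec = spec.get("security")
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if not op:
                continue
            where = f"{method.upper()} {path}"
            sec = op.get("security", global_sec)        # operation-level overrides global
            if not sec:
                findings.append(("no-security", where))
            else:
                for requirement in sec:
                    for scheme in requirement:
                        if scheme not in defined:
                            findings.append(("undefined-security-scheme", f"{where}: {scheme}"))
            if op.get("deprecated"):
                findings.append(("deprecated-operation", where))
            params = {p.get("name") for p in op.get("parameters", []) + item.get("parameters", [])}
            if method == "get" and any(s.get("type") == "array" for s in response_schemas(op)) \
                    and not (params & PAGINATION):
                findings.append(("missing-pagination", where))
            names = set()
            for s in response_schemas(op):
                field_names(s, names)
            for n in sorted(names):
                if SENSITIVE.search(n):
                    findings.append(("sensitive-field", f"{where}: {n}"))
    return findings
```

Note that an operation that declares `"security": []` is reported the same way as one with no `security` key when the document also has no top-level `security`; both mean the endpoint is reachable unauthenticated, which is exactly what a runtime probe would then go and confirm.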
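The signed-webhook delivery mentioned above is worth seeing from both sides: the sender binds a timestamp into the HMAC-SHA256 input and disables the endpoint after five consecutive failures, and the receiver rejects stale timestamps before doing a constant-time digest comparison. The block below is an added example for this page, not middleBrick's implementation; the header names, the "sha256=" prefix, the `<timestamp>.<body>` signed-string layout and the 300-second replay window are this example's assumptions, and the five-failure threshold is the one the page states.

```python
import hashlib
import hmac
import json
import time

# Assumed wire format for this example (not middleBrick's documented headers).
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
MAX_CONSECUTIVE_FAILURES = 5   # auto-disable threshold from the page
MAX_SKEW_SECONDS = 300         # receiver's replay window (assumption)


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<body>' so neither part can be swapped independently."""
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now: float = None) -> bool:
    """Receiver side: reject missing/stale timestamps, then compare digests in constant time."""
    now = time.time() if now is None else now
    try:
        ts = int(headers[TS_HEADER])
        presented = headers[SIG_HEADER]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False               # replayed or clock-skewed delivery
    if not presented.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, ts, body), presented[len("sha256="):])


class WebhookEndpoint:
    """Sender side: signs every delivery and disables itself after five consecutive failures."""

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, payload: dict, transport, now: float = None) -> bool:
        """transport(url, headers, body) returns an HTTP status code or raises OSError."""
        if not self.enabled:
            return False
        now = time.time() if now is None else now
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        ts = int(now)
        headers = {
            "Content-Type": "application/json",
            TS_HEADER: str(ts),
            SIG_HEADER: "sha256=" + sign(self.secret, ts, body),
        }
        try:
            ok = 200 <= transport(self.url, headers, body) < 300
        except OSError:
            ok = False
        if ok:
            self.consecutive_failures = 0      # any success resets the streak
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False           # stop hammering a dead or rejecting receiver
        return ok
```

The receiver must sign the raw request bytes it received, not a re-serialised copy of the parsed JSON, or the digests will diverge on whitespace and key order; the sender here serialises with sorted keys and no spaces only so that the signed bytes are reproducible in tests.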

Pricing tiers and value considerations

The Free tier provides three scans per month and CLI access. The Starter tier at 99 dollars per month supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. The Pro tier at 499 dollars per month covers 100 APIs with additional APIs billed at 7 dollars each, adding continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. The Enterprise tier at 2000 dollars per month offers unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support. These tiers represent a subset of paid options in the CLI API security scanner space, balancing cost against feature depth and scale.

Frequently Asked Questions

Does the CLI scanner fix vulnerabilities automatically?
No. The tool detects and reports findings with remediation guidance but does not fix, patch, block, or remediate issues automatically.
Can it perform active SQL or command injection testing?
No. It does not perform active SQL injection or command injection testing, because those checks require intrusive payloads that fall outside read-only black-box scanning.
Does it detect business logic vulnerabilities or blind SSRF?
It does not detect business logic vulnerabilities, which require an understanding of the application's domain, nor blind SSRF, which requires out-of-band callback infrastructure that is out of scope.
Is the tool certified or compliant with specific regulations?
The tool is not certified and does not guarantee compliance. It maps findings to standards such as PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10, and it helps prepare evidence for other frameworks.