Detectify review
What middleBrick covers
- Black-box API scanning with a scan time of under one minute
- Risk scoring from A to F with prioritized findings
- Coverage aligned to OWASP API Top 10 (2023)
- Authenticated scanning with strict header allowlists
- CI/CD integration via GitHub Action and MCP Server
- Continuous monitoring with scheduled rescans and diff detection
Scope and testing methodology
The tool operates as a black-box scanner that requires only a target URL. It does not need agents, SDKs, or access to source code and supports any language, framework, or cloud stack. Scans are read-only and limited to GET and HEAD requests, with text-only POST used for LLM probes. Each scan completes in under one minute and returns a risk score on an A–F scale with prioritized findings.
Detection coverage aligned to standards
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023). It maps findings to this standard to validate controls relevant to API security. Detection coverage includes:
- Authentication bypass and JWT misconfigurations such as alg=none, HS256 usage, expired tokens, missing claims, and sensitive data in token payloads.
- Authorization flaws like BOLA and IDOR through sequential ID enumeration and active adjacent-ID probing.
- BFLA and privilege escalation via admin endpoint probing and role or permission field leakage.
- Property authorization issues including over-exposure, internal field leakage, and mass-assignment surface.
- Input validation checks for dangerous HTTP methods, CORS wildcard usage with and without credentials, and debug endpoints.
- Rate limiting and resource consumption analysis through rate-limit header detection and oversized response detection.
- Data exposure patterns identifying PII such as email addresses and, using surrounding context, SSNs; API key formats for AWS, Stripe, GitHub, and Slack; and error or stack-trace leakage.
- Encryption checks for HTTPS redirects, HSTS, cookie flags, and mixed content.
- SSRF probes targeting URL-accepting parameters and body fields with internal IP detection.
- Inventory management issues like missing versioning and legacy path patterns.
- Unsafe consumption surfaces from excessive third-party URLs and webhook endpoints.
- LLM and AI security with 18 adversarial probes across Quick, Standard, and Deep tiers covering system prompt extraction, instruction override, jailbreak techniques, data exfiltration, and token smuggling.
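As an added illustration of the JWT checks listed above (example code, not middleBrick's own implementation), the inspector below decodes a token without verifying it and reports the same classes of finding: alg=none, HS256 use, expired tokens, missing claims, and sensitive data in the payload. The claim lists, finding strings, and the sample token are assumptions constructed for the example.

```python
import base64
import json
import time
from typing import Optional

# Claims whose presence in a payload counts as sensitive data (assumed list).
SENSITIVE_CLAIMS = {"email", "ssn", "password", "phone"}
# Claims a well-formed access token is expected to carry (assumed list).
EXPECTED_CLAIMS = ("iss", "aud", "exp")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str, now: Optional[int] = None) -> list:
    """Decode a JWT without verifying it and return a list of finding strings."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return ["malformed: header or payload is not base64url JSON"]
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.append("alg=none: token carries no signature")
    elif alg == "hs256":
        findings.append("HS256: symmetric secret shared with every verifier")
    for claim in EXPECTED_CLAIMS:
        if claim not in payload:
            findings.append(f"missing {claim} claim")
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired token")
    leaked = sorted(SENSITIVE_CLAIMS & set(payload))
    if leaked:
        findings.append("sensitive data in payload: " + ", ".join(leaked))
    return findings


def sample_token(header: dict, payload: dict) -> str:
    """Constructed test fixture only; the signature segment is a placeholder."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc(header)}.{enc(payload)}.placeholder"
```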
OpenAPI specifications in versions 3.0, 3.1, and Swagger 2.0 are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier upward for Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file to ensure only the domain owner can submit credentials. The scanner forwards a restricted set of headers including Authorization, X-API-Key, Cookie, and X-Custom-* headers.
Safety is maintained by using read-only methods only; destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data can be deleted on demand and is purged within 30 days of cancellation. Data is never sold and is not used for model training.
Product features and integrations
The Web Dashboard centralizes scan management, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI, distributed as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available for CI/CD gating, failing builds when scores drop below a defined threshold. An MCP Server enables scanning from AI coding assistants like Claude and Cursor. A programmatic API client supports custom integrations.
Pro tier adds scheduled rescans at intervals of six hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift between scans. Email alerts are rate-limited to one per hour per API. HMAC-SHA256-signed webhooks are supported and are disabled automatically after five consecutive delivery failures. Enterprise tiers provide unlimited APIs, custom rules, SSO, audit logs, SLA-backed support, and dedicated assistance.
Limitations and positioning
The tool does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require human domain understanding. Blind SSRF is out of scope due to the absence of out-of-band infrastructure. The scanner does not replace a human pentester for high-stakes audits.