Pricing alternative to Escape
What middleBrick covers
- Free tier with three scans per month and CLI access
- Starter tier for 15 APIs at 99 US dollars per month
- Pro tier with continuous monitoring for 100 APIs at 499 US dollars per month
- Enterprise tier with unlimited APIs and custom rules
- Findings mapped to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023)
- Read-only black-box scanning with no agents or code access
Pricing model and included capabilities
The platform offers a free tier at zero cost, with three scans per month and CLI access. The Starter tier is priced at 99 US dollars per month, supporting scans for up to 15 APIs, monthly assessments, a web dashboard, email alerts, and the MCP Server. The Pro tier is priced at 499 US dollars per month for 100 APIs, with additional APIs billed at 7 US dollars each, adding continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. The Enterprise tier is typically 2000 US dollars per month or higher, providing unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.
What the scanner detects relative to standards
The scanner performs black-box assessments aligned to the OWASP API Top 10 (2023), covering authentication bypass, JWT misconfigurations such as alg=none and expired tokens, BOLA and IDOR via adjacent-ID probing, BFLA and privilege escalation through admin endpoint discovery, and over-exposure of object properties (property-level authorization). It identifies input validation issues such as CORS wildcards and dangerous HTTP methods, rate limiting and resource consumption signals, and data exposure patterns including PII (email addresses and, with context-aware matching, SSNs) as well as API key formats for AWS, Stripe, GitHub, and Slack. Encryption checks include HTTPS redirects, HSTS, and cookie flags. SSRF probes target URL-accepting parameters and internal IP bypass attempts. The scanner also covers inventory management issues such as missing versioning and server fingerprinting, unsafe consumption surfaces, and 18 LLM adversarial probe categories across Quick, Standard, and Deep tiers. Findings are mapped to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
Authenticated scanning and scope controls
Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification requires a DNS TXT record or a file served under /.well-known/ so that only the domain owner can submit credentials. A strict header allowlist is enforced, permitting only Authorization, X-API-Key, Cookie, and X-Custom-* headers. OpenAPI 3.0, 3.1, and Swagger 2.0 specifications are parsed with recursive $ref resolution, and findings are cross-referenced against spec definitions to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
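As an added example (not middleBrick's own code), a receiver-side check that enforces the header allowlist described above. The set of permitted names comes from the page; rejecting CR/LF/NUL in values and requiring a non-empty suffix after X-Custom- are my own assumptions about how such an allowlist should behave.

```javascript
// Added example: enforcing a strict header allowlist on user-supplied scan
// credentials, modelled on the allowlist the page describes
// (Authorization, X-API-Key, Cookie, X-Custom-*). Illustrative code, not
// middleBrick's implementation; the control-character check on values and
// the non-empty X-Custom- suffix requirement are assumptions.

const ALLOWED_EXACT = new Set(['authorization', 'x-api-key', 'cookie']);
const ALLOWED_PREFIX = 'x-custom-';

// Header names must be RFC 7230 tokens; anything else is rejected outright.
const TOKEN_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

// Splits a header map into the accepted subset (names normalised to lower
// case) and a list of rejections with the reason for each.
function filterScanHeaders(headers) {
  const accepted = {};
  const rejected = [];
  for (const [rawName, value] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    if (!TOKEN_RE.test(name)) {
      rejected.push({ name: rawName, reason: 'invalid header name' });
      continue;
    }
    const onAllowlist =
      ALLOWED_EXACT.has(name) ||
      (name.startsWith(ALLOWED_PREFIX) && name.length > ALLOWED_PREFIX.length);
    if (!onAllowlist) {
      rejected.push({ name: rawName, reason: 'not on allowlist' });
      continue;
    }
    // A CR, LF or NUL in a value would let a caller smuggle extra headers
    // into the outbound request, so such values are refused rather than cleaned.
    if (typeof value !== 'string' || /[\r\n\0]/.test(value)) {
      rejected.push({ name: rawName, reason: 'control characters in value' });
      continue;
    }
    accepted[name] = value;
  }
  return { accepted, rejected };
}

// Constructed sample input, not real credentials.
const SAMPLE_HEADERS = {
  Authorization: 'Bearer example-token',
  'X-Custom-Tenant': 'tenant-42',
  Host: 'internal.example',
  'X-API-Key': 'k\r\nX-Injected: 1',
  'X-Custom-': 'empty-suffix',
};
```

Calling `filterScanHeaders(SAMPLE_HEADERS)` keeps only the Authorization and X-Custom-Tenant entries; Host is off the allowlist, the X-API-Key value carries a CRLF, and a bare X-Custom- has no suffix. Rejections are reported back rather than silently dropped so the submitter learns why a credential was not applied.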
Delivery formats and integration options
The web dashboard centralizes scan management, enabling review of reports, tracking of score trends, and download of branded compliance PDFs. The CLI, distributed as an npm package named middlebrick, is invoked with the command middlebrick scan <url> and supports JSON or text output. A GitHub Action is provided to act as a CI/CD gate, failing the build when the score drops below a configured threshold. An MCP Server allows scans to be triggered from AI coding assistants such as Claude and Cursor. A programmatic API client supports custom integrations for continuous workflows.
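As an added example that is neither the middlebrick CLI nor its GitHub Action: a small gate that a CI step could run over two JSON scan reports. The report shape ({ score, findings: [{ id, severity, title }] }) and the finding identifiers are assumptions, not the product's real output. Beyond the score threshold the page describes, it also performs the diff detection mentioned under operational constraints (new findings, resolved findings, score drift), so a new high-severity finding can fail the build even when the overall score stays above the threshold.

```javascript
// Added example: a CI gate over two scan reports. Illustrative code, not the
// middlebrick CLI or GitHub Action. The report shape and the finding ids used
// in the constructed sample below are assumptions.

// Compares a baseline report with the current one: which findings are new,
// which were resolved, and how far the score moved.
function diffReports(previous, current) {
  const prevIds = new Set(previous.findings.map((f) => f.id));
  const currIds = new Set(current.findings.map((f) => f.id));
  return {
    newFindings: current.findings.filter((f) => !prevIds.has(f.id)),
    resolvedFindings: previous.findings.filter((f) => !currIds.has(f.id)),
    scoreDrift: current.score - previous.score,
  };
}

// Gate decision: fail when the score is below minScore, or when the diff
// introduces a finding whose severity is in failOnNewSeverities.
function evaluateGate(previous, current, options = {}) {
  const { minScore = 80, failOnNewSeverities = ['critical', 'high'] } = options;
  const diff = diffReports(previous, current);
  const reasons = [];
  if (current.score < minScore) {
    reasons.push(`score ${current.score} below threshold ${minScore}`);
  }
  for (const f of diff.newFindings) {
    if (failOnNewSeverities.includes(f.severity)) {
      reasons.push(`new ${f.severity} finding ${f.id}: ${f.title}`);
    }
  }
  return { pass: reasons.length === 0, reasons, diff };
}

// Exit status a CI step would use: 0 to let the build proceed, 1 to block it.
function gateExitCode(previous, current, options) {
  return evaluateGate(previous, current, options).pass ? 0 : 1;
}

// Constructed sample reports (hypothetical ids and titles, not real output).
const BASELINE_REPORT = {
  score: 91,
  findings: [
    { id: 'API2-JWT-ALG-NONE', severity: 'high', title: 'Token accepted with alg=none' },
    { id: 'API8-HSTS-MISSING', severity: 'medium', title: 'HSTS header missing' },
  ],
};
const CURRENT_REPORT = {
  score: 84,
  findings: [
    { id: 'API8-HSTS-MISSING', severity: 'medium', title: 'HSTS header missing' },
    { id: 'API1-BOLA-ADJACENT-ID', severity: 'high', title: 'Object readable via adjacent id' },
  ],
};
```

With these samples the score (84) clears a threshold of 80, yet the gate still fails because a new high-severity finding appeared; the JWT finding shows up as resolved and the score drift is -7. Keying the diff on a stable finding id rather than on title text keeps the comparison robust when wording in a report changes between scanner versions.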
Operational constraints and data policies
Scanning is read-only, and no destructive payloads are ever sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Scan duration is typically under one minute. Continuous monitoring on the Pro tier executes scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection to surface new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API. Webhooks are signed with HMAC-SHA256 and are automatically disabled after 5 consecutive delivery failures. Customer data can be deleted on demand and is purged within 30 days of cancellation; data is never sold and is not used for model training.