Intruder review
What middleBrick covers
- Black-box API scanning with risk score A to F
- 12 OWASP API Top 10 detection categories
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
- Authenticated scanning with strict header allowlist
- Read-only methodology with built-in safety blocks
- CI/CD integration via GitHub Action and continuous monitoring
Overview and positioning
This tool is a self-service API security scanner that accepts a URL and returns a risk score on an A to F scale along with prioritized findings. It performs black-box scanning without requiring agents, code access, or SDK integration, and supports any language, framework, or cloud target. Scan duration is under one minute, using read-only methods such as GET and HEAD, with text-only POST allowed for LLM probes.
Detection coverage and methodology
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023). Specific detections include:
- Authentication bypass and JWT misconfigurations such as alg=none and expired tokens
- BOLA and IDOR via sequential ID enumeration
- BFLA and privilege escalation via admin endpoint probing
- Property over-exposure and internal field leakage
- Input validation issues such as CORS wildcard usage and dangerous HTTP methods
- Rate limiting and resource consumption signals
- Exposure of PII and API key patterns
- Encryption misconfigurations
- SSRF indicators in URL-accepting parameters
- Inventory issues such as missing versioning
- Unsafe consumption surfaces
- LLM/AI security probes across tiered scan depths
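To make the two JWT defects in the first category concrete, here is a verifier written for this review (example code, not middleBrick's scanner code) showing what a correctly configured API does with them: it rejects alg=none, or any algorithm outside its allowlist, before it ever looks at the signature, checks the HS256 signature with a constant-time compare, and refuses tokens whose exp claim has passed. The key and token payload are constructed sample values; make_hs256_token exists only to mint that sample input.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Algorithms this verifier accepts. "none" is deliberately absent: a token whose
# header says alg=none carries no signature, so honouring it means accepting any
# payload the sender chose to write.
ALLOWED_ALGS = {"HS256"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(payload: dict, key: bytes) -> str:
    """Mint an HS256 token. Used here only to construct sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). The algorithm is checked before the signature so
    an alg=none token never reaches code that could treat an empty signature as valid."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected three segments"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return False, "malformed: header, payload or signature could not be decoded"
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in ALLOWED_ALGS:
        # Covers alg=none, alg="None", and RS256 tokens presented to an HS256-only service.
        return False, f"rejected alg={alg!r}"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        return False, "missing or non-numeric exp claim"
    if exp <= now:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample, not a real secret
    token = make_hs256_token({"sub": "alice", "exp": int(time.time()) + 600}, key)
    print(verify_token(token, key))  # (True, 'ok')
    _, body, _ = token.split(".")
    none_header = b64url_encode(b'{"alg":"none"}')
    print(verify_token(f"{none_header}.{body}.", key))  # (False, "rejected alg='none'")
```

A scanner can only observe whether a target accepts such tokens; the fix is the allowlist-first ordering shown here, which is also why libraries that let the token's own header pick the algorithm are the usual root cause.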
OpenAPI specifications in versions 3.0, 3.1, and Swagger 2.0 are parsed with recursive $ref resolution, and spec definitions are cross-referenced against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
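The spec cross-referencing described above is easy to reproduce for your own specs before a scan. The code below is an added example written for this review, not middleBrick's parser: it resolves local $ref pointers recursively (stopping on self-referential schemas), then walks every operation and flags the four conditions the review lists, using an OpenAPI 3.x spec alongside a Swagger 2.0 securityDefinitions lookup. The pagination parameter names and the sensitive field names are heuristics chosen for the example, and SAMPLE_SPEC is a constructed document.

```python
from typing import Any, Dict, List

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Heuristics for this example; a real scanner would make these configurable.
PAGINATION_PARAMS = {"limit", "offset", "page", "page_size", "per_page", "cursor", "after", "before"}
SENSITIVE_FIELDS = {"password", "password_hash", "ssn", "secret", "api_key", "token", "credit_card"}


def resolve_refs(node: Any, root: Dict[str, Any], _seen: frozenset = frozenset()) -> Any:
    """Replace local {"$ref": "#/a/b"} pointers with the object they point at, recursively.
    JSON Pointer escapes (~1 -> /, ~0 -> ~) are honoured. A reference already on the
    current path is left as a marker so self-referential schemas terminate."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in _seen:
                return {"$ref": ref, "x-cyclic": True}
            target: Any = root
            try:
                for part in ref[2:].split("/"):
                    target = target[part.replace("~1", "/").replace("~0", "~")]
            except (KeyError, IndexError, TypeError):
                return {"$ref": ref, "x-unresolved": True}  # dangling pointer: report, don't crash
            return resolve_refs(target, root, _seen | {ref})
        return {k: resolve_refs(v, root, _seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, _seen) for v in node]
    return node


def _success_schema(op: dict) -> dict:
    """Schema of the first 2xx response: OpenAPI 3 (content/*/schema) or Swagger 2 (schema)."""
    for code, resp in (op.get("responses") or {}).items():
        if not str(code).startswith("2"):
            continue
        if "schema" in resp:
            return resp["schema"]
        for media in (resp.get("content") or {}).values():
            if "schema" in media:
                return media["schema"]
    return {}


def _sensitive_fields(schema: dict, _depth: int = 0) -> List[str]:
    """Property names in a response schema that look like secrets or PII."""
    found: List[str] = []
    if _depth > 8 or not isinstance(schema, dict):
        return found
    for name, sub in (schema.get("properties") or {}).items():
        if name.lower() in SENSITIVE_FIELDS:
            found.append(name)
        found += _sensitive_fields(sub, _depth + 1)
    if "items" in schema:
        found += _sensitive_fields(schema["items"], _depth + 1)
    return found


def _has_pagination(op: dict, path_params: list) -> bool:
    params = list(path_params) + list(op.get("parameters") or [])
    return any(p.get("in") == "query" and str(p.get("name", "")).lower() in PAGINATION_PARAMS for p in params)


def audit_spec(spec: dict) -> List[str]:
    """Static findings that a runtime scan can then be cross-referenced against."""
    spec = resolve_refs(spec, spec)
    schemes = set((spec.get("components") or {}).get("securitySchemes") or {})  # OpenAPI 3.x
    schemes |= set(spec.get("securityDefinitions") or {})  # Swagger 2.0
    global_security = spec.get("security")
    findings: List[str] = []
    for path, item in (spec.get("paths") or {}).items():
        path_params = item.get("parameters") or []
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # "parameters", "summary" and other path-level keys
            label = f"{method.upper()} {path}"
            security = op.get("security", global_security)  # explicit [] disables auth
            if not security:
                findings.append(f"{label}: no security requirement")
            for requirement in security or []:
                for name in requirement:
                    if name not in schemes:
                        findings.append(f"{label}: undefined security scheme {name!r}")
            if op.get("deprecated"):
                findings.append(f"{label}: deprecated operation still exposed")
            schema = _success_schema(op)
            for field in _sensitive_fields(schema):
                findings.append(f"{label}: response exposes sensitive field {field!r}")
            if method.lower() == "get" and schema.get("type") == "array" and not _has_pagination(op, path_params):
                findings.append(f"{label}: returns a collection without pagination parameters")
    return findings


# Constructed sample spec exercising each check (not a real API).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Constructed sample", "version": "1"},
    "security": [{"bearerAuth": []}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {"id": {"type": "integer"},
                     "password_hash": {"type": "string"},
                     "manager": {"$ref": "#/components/schemas/User"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/users/{id}": {"parameters": [{"name": "id", "in": "path", "required": True}],
                        "get": {"security": [{"apiKeyAuth": []}], "responses": {"200": {"content": {
                            "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/export": {"get": {"security": [], "deprecated": True, "responses": {"200": {"description": "csv"}}}},
        "/items": {"get": {"parameters": [{"name": "limit", "in": "query"}], "responses": {"200": {"content": {
            "application/json": {"schema": {"type": "array", "items": {"type": "string"}}}}}}}},
    },
}

if __name__ == "__main__":
    for line in audit_spec(SAMPLE_SPEC):
        print(line)
```

Note how an operation with an explicit empty security list is treated differently from one that inherits the global requirement: the empty list is the OpenAPI way of switching authentication off for that endpoint, which is exactly the condition worth surfacing.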
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier upward, supporting Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards only headers on a restricted allowlist: Authorization, X-API-Key, Cookie, and X-Custom-* headers.
The product maintains a read-only safety posture; destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation, and it is not used for model training.
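The two controls described in this section, the header allowlist and the blocking of private, loopback and cloud metadata addresses, are what keep a URL-driven scanner from being turned into an SSRF proxy against the operator's own network. The following is an added example written for this review, not middleBrick's code, showing one way to implement both: headers outside the allowlist are dropped, and a target URL is checked at three layers (scheme, hostname blocklist, and every resolved address) before any request is made. The hostname blocklist and the address classes blocked are this example's choices; the resolver is injectable so the sample run below uses constructed DNS answers instead of the network.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Header allowlist as described in the review; anything else is dropped, so a stray
# X-Forwarded-For or Host override in a user's config never reaches the target.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_HEADER_PREFIXES = ("x-custom-",)
# Hostnames refused before any DNS lookup (this example's list, not middleBrick's).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def filter_headers(headers: Dict[str, str]) -> Dict[str, str]:
    kept: Dict[str, str] = {}
    for name, value in headers.items():
        lower = name.lower()
        if lower in ALLOWED_HEADERS or lower.startswith(ALLOWED_HEADER_PREFIXES):
            kept[name] = value
    return kept


def default_resolve(host: str) -> List[str]:
    """Real resolver: return every A/AAAA answer, since any one of them could be private."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def ip_is_blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 scope id if present
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    # "not is_global" covers RFC 1918, loopback, link-local (169.254.169.254),
    # shared address space (100.64/10) and unique-local IPv6 (fd00:ec2::254);
    # multicast is added explicitly because some multicast ranges count as global.
    return (not ip.is_global) or ip.is_multicast


def check_target(url: str, resolve: Callable[[str], List[str]] = default_resolve) -> Tuple[bool, str]:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    # Layer 1: hostname blocklist, applied before any lookup
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"blocked hostname {host!r}"
    # Layer 2: a literal IP address in the URL is checked directly
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Layer 3: resolve the name and check every returned address
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, f"could not resolve {host!r}: {exc}"
    for addr in addrs:
        if ip_is_blocked(addr):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline.
    fake = lambda host: {"api.example.com": ["8.8.8.8"], "rebind.example.com": ["8.8.8.8", "10.0.0.5"]}[host]
    for url in ("https://api.example.com/v1", "https://rebind.example.com/",
                "http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/"):
        print(url, check_target(url, resolve=fake))
    print(filter_headers({"Authorization": "Bearer x", "X-Forwarded-For": "1.2.3.4", "X-Custom-Tenant": "t1"}))
```

The address check should be repeated on the socket that is actually opened, because a name that resolved to a public address at check time can be re-answered with a private one a moment later; checking every returned record, as above, closes the simpler variant where a public and a private address are returned together.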
Integration, monitoring, and reporting
Results are accessed through a web dashboard that supports scanning, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI, published as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available for CI/CD gating, failing builds when the score drops below a set threshold. An MCP Server allows scanning from AI coding assistants.
Pro tier features continuous monitoring with configurable reschedule intervals, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures. The tool maps findings to compliance evidence for PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10, and supports audit evidence collection for other frameworks by aligning findings to those frameworks' controls.
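Signed webhooks are only useful if the receiving side actually verifies them, so here is an added example written for this review (not middleBrick's code) covering both ends of the exchange: the sender signs each delivery and disables the endpoint after five consecutive failures, as the review describes, and the receiver verifies the HMAC-SHA256 signature with a constant-time compare and rejects stale deliveries. The signature format (hex HMAC over "timestamp.body"), the header names X-Webhook-Timestamp and X-Webhook-Signature, and the five-minute replay window are assumptions made for this example; the shared secret and alert body are constructed values.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAX_CONSECUTIVE_FAILURES = 5  # from the review: webhooks auto-disable after five consecutive failures
REPLAY_WINDOW_SECONDS = 300   # assumption for this example: reject deliveries older than five minutes


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side. Assumed format: hex(HMAC-SHA256(secret, "<timestamp>." + body)).
    Binding the timestamp into the MAC stops a captured delivery being replayed later."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, timestamp_header: str, signature_header: str,
                   body: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver side. Verify over the raw request body, before any JSON parsing."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False, "bad timestamp header"
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "stale delivery (possible replay)"
    expected = sign_payload(secret, ts, body)
    # Constant-time compare; a plain == leaks where the first mismatching byte is.
    if not hmac.compare_digest(expected.encode(), signature_header.encode()):
        return False, "signature mismatch"
    return True, "ok"


@dataclass
class WebhookEndpoint:
    url: str
    secret: bytes
    consecutive_failures: int = 0
    enabled: bool = True

    def record_delivery(self, ok: bool) -> None:
        if ok:
            self.consecutive_failures = 0
            return
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.enabled = False  # stop hammering a dead or hostile endpoint


def deliver(endpoint: WebhookEndpoint, body: bytes,
            transport: Callable[[str, Dict[str, str], bytes], int], now: Optional[int] = None) -> bool:
    """Sign and send one delivery; transport(url, headers, body) returns an HTTP status."""
    if not endpoint.enabled:
        return False
    ts = int(time.time()) if now is None else now
    headers = {
        "Content-Type": "application/json",
        "X-Webhook-Timestamp": str(ts),
        "X-Webhook-Signature": sign_payload(endpoint.secret, ts, body),
    }
    try:
        ok = 200 <= transport(endpoint.url, headers, body) < 300
    except OSError:
        ok = False
    endpoint.record_delivery(ok)
    return ok


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    alert = json.dumps({"api": "https://api.example.com", "score": "C", "previous": "B"}).encode()
    ep = WebhookEndpoint("https://hooks.example.com/middlebrick", secret)

    def receiver(url: str, headers: Dict[str, str], body: bytes) -> int:
        ok, reason = verify_webhook(secret, headers["X-Webhook-Timestamp"], headers["X-Webhook-Signature"], body)
        print("receiver:", reason)
        return 200 if ok else 401

    deliver(ep, alert, receiver)
    for _ in range(MAX_CONSECUTIVE_FAILURES):  # a dead endpoint trips the auto-disable
        deliver(ep, alert, lambda url, headers, body: 503)
    print("endpoint enabled:", ep.enabled)
```

Verifying over the raw bytes matters: re-serialising parsed JSON before hashing will produce a different byte string than the sender signed and fail good deliveries, while a receiver that skips the timestamp check accepts any old delivery it has seen before.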
Limitations
The tool does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, which would require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require human context. Blind SSRF is out of scope due to the absence of out-of-band infrastructure, and the tool does not replace a human pentester for high-stakes audits.
Pricing and tiers
The Free tier provides 3 scans per month and CLI access. The Starter tier at 99 dollars per month supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. The Pro tier at 499 dollars per month covers 100 APIs with additional APIs priced at 7 dollars each, adding continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. Enterprise tiers start at 2000 dollars per month with unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support.