Is 42Crunch good for AppSec headcount-gap coverage?

middleBrick is a self-service API security scanner that you can run without internal agents, SDKs, or code access. You submit a URL and receive a letter-grade risk score with prioritized findings. The scan is black-box, uses only read-only methods (GET and HEAD) plus text-only POST for LLM probes, and typically completes in under a minute. Because it does not modify systems, it is suitable for environments where intrusive testing is not permitted.

The tool maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, it supports audit evidence for or aligns with security controls described in frameworks such as ISO 27001 or NIST, but it does not certify compliance. The scanner does not fix, patch, block, or remediate; it detects and provides remediation guidance.

The scanner covers 12 security categories aligned to OWASP API Top 10 (2023). It detects authentication bypasses, JWT misconfigurations such as alg=none or expired tokens, and security header issues. It probes for Broken Object Level Authorization (BOLA/IDOR) via sequential ID enumeration and adjacent-ID testing, and identifies BFLA and privilege escalation by checking for admin endpoints and role/permission leakage.

Additional checks include over-exposed properties and internal field leakage, input validation issues like CORS wildcards and dangerous HTTP methods, and rate-limiting misconfigurations. It identifies data exposure patterns such as emails, Luhn-validated card numbers, context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack. Encryption checks validate HTTPS redirects, HSTS, and cookie flags. The scanner also tests for SSRF via URL-accepting parameters and includes an inventory management assessment covering versioning and legacy paths.

The scanner includes specific checks for LLM and AI security across three scan tiers: Quick, Standard, and Deep. It runs 18 adversarial probes designed to surface risks such as system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, cost exploitation, and various encoding bypasses. It also tests for prompt injection techniques, including translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction.

These tests help you understand whether an API surface might be leveraged to subvert model behavior or extract sensitive information through indirect or chained prompts. The findings highlight configurations that could make AI integrations more fragile or prone to misuse.

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents and resolves recursive $ref entries. It cross-references the spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This comparison helps identify gaps between documented behavior and actual implementation.

For authenticated scans at the Starter tier and above, support includes Bearer, API key, Basic auth, and Cookie-based authentication. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only the domain owner can scan with credentials. The scanner forwards a restricted set of headers, including Authorization, X-API-Key, Cookie, and X-Custom-*.

The Web Dashboard centralizes scans, report viewing, trend tracking, and branded compliance PDF downloads. The CLI via the middlebrick npm package supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available for CI/CD gating, failing builds when scores drop below a defined threshold. The MCP Server enables scanning from AI coding assistants such as Claude or Cursor.

Continuous monitoring in the Pro tier provides scheduled rescans every six hours, daily, weekly, or monthly, with diff detection for new findings, resolved issues, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks auto-disable after five consecutive failures. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold or used for model training.