Is 42Crunch worth it?
What middleBrick covers
- Black-box scanning with under-one-minute completion
- Read-only methods with no agents or code access
- Risk scoring A–F with prioritized findings
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning for Bearer, API key, Basic, and Cookie
- CI/CD integration via GitHub Action and MCP Server
Scope and approach
The tool is a black-box API security scanner: you submit a URL and it returns a risk score from A to F with prioritized findings. It uses read-only methods (GET and HEAD) plus text-only POST requests for LLM probes, completing a scan in under a minute without agents, code access, or SDKs, so it works against any language, framework, or cloud target. Findings are mapped to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, it helps you prepare by aligning with the security controls those frameworks describe, without claiming certification or guarantees.
Detection coverage and limitations
The scanner covers 12 categories aligned to the OWASP API Top 10:
- Authentication: bypasses, JWT misconfigurations such as alg=none or expired tokens, security header issues, and WWW-Authenticate compliance
- BOLA and IDOR: sequential ID enumeration and adjacent ID probing
- BFLA: admin endpoint probing and privilege escalation indicators
- Property over-exposure
- Input validation: CORS wildcards and dangerous methods
- Rate limiting: missing headers or oversized responses
- Data exposure: PII patterns, API key formats, and error leakage
- Encryption: HTTPS redirects, HSTS, and cookie flags
- SSRF: URL-accepting parameters and internal IP bypass attempts
- Inventory management: missing versioning and legacy paths
- Unsafe consumption: third-party URL and webhook exposure
- LLM security: 18 adversarial probes across Quick, Standard, and Deep tiers covering jailbreaks, data exfiltration, and token smuggling
Authenticated scanning and operational constraints
Authenticated scanning is available from Starter tier onward, supporting Bearer, API key, Basic auth, and cookies. Domain verification requires a DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. The scanner forwards a restricted header allowlist: Authorization, X-API-Key, Cookie, and X-Custom-* headers. OpenAPI 3.0, 3.1, and Swagger 2.0 specs are parsed with recursive $ref resolution, and findings are cross-referenced against the spec for undefined security schemes or deprecated operations. Note that the tool does not perform intrusive payloads, active SQL or command injection testing, or detect business logic vulnerabilities; these require human expertise and are out of scope.
Products, integrations, and continuous monitoring
The Web Dashboard centralizes scans, reports, and score trends, and allows branded compliance PDF downloads. The CLI, installed via the middlebrick npm package, runs middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing builds when the score drops below a set threshold. The MCP Server enables scanning from AI coding assistants such as Claude or Cursor. Programmatic access through an API client supports custom integrations.
Pro tier adds continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. It provides diff detection across scans to highlight new or resolved findings and score drift. Email alerts are rate-limited to one per hour per API. HMAC-SHA256 signed webhooks are sent with auto-disable after five consecutive failures. Enterprise tier supports unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.
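The signed-webhook and auto-disable behaviour described above, as an added example that is not middleBrick's own code: the receiver verifies an HMAC-SHA256 signature in constant time and rejects stale timestamps, while the sender stops delivering after five consecutive failures. The header names, the timestamp.body signing format, and the replay window are assumptions, not details from the page.

```python
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed header name (not from the page)
TIMESTAMP_HEADER = "X-Webhook-Timestamp"  # assumed header name (not from the page)
MAX_SKEW_SECONDS = 300                    # assumed replay window
MAX_CONSECUTIVE_FAILURES = 5              # from the page: auto-disable after five failures


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over 'timestamp.body' so a captured delivery cannot be replayed later."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """Receiver side: reject missing or malformed headers, stale timestamps, and bad MACs."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers[TIMESTAMP_HEADER])
        sig = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    # Constant-time comparison avoids leaking the expected MAC byte by byte.
    return hmac.compare_digest(sign(secret, ts, body), sig)


class WebhookEndpoint:
    """Sender side: sign each delivery and disable the endpoint after consecutive failures."""

    def __init__(self, url: str, secret: bytes):
        self.url, self.secret = url, secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, payload: dict, transport, now=None) -> bool:
        """transport(url, headers, body) -> bool stands in for the real HTTP POST."""
        if not self.enabled:
            return False
        now = int(time.time()) if now is None else now
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        headers = {TIMESTAMP_HEADER: str(now),
                   SIGNATURE_HEADER: sign(self.secret, now, body)}
        ok = transport(self.url, headers, body)
        self.consecutive_failures = 0 if ok else self.consecutive_failures + 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.enabled = False
        return ok
```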
Safety posture and exclusions
Scanning is read-only, and destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at three layers. Customer data is deletable on demand and purged within 30 days of cancellation; it is not sold and is never used for model training.
The scanner does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not detect blind SSRF or conduct active injection tests. It cannot replace a human pentester for high-stakes audits, and while it surfaces findings relevant to compliance evidence, it does not certify any organization as compliant.