Is Apigee worth it?

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies
  • Detection aligned to PCI-DSS 4.0, SOC 2 Type II, OWASP API Top 10
  • Under-one-minute scans with prioritized risk findings
  • Authentication support for Bearer, API key, Basic, and cookies
  • Dashboard, CLI, GitHub Action, and MCP server options
  • Continuous monitoring with diff detection and alerts

Scope and approach compared to API security standards

middleBrick maps its findings to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023) through its detection set. The scanner is a black-box tool: it submits read-only requests to an API surface and returns a risk score with prioritized findings. It does not perform intrusive exploitation such as active SQL injection or command injection, and it does not test domain-specific business logic. For controls that require proof of configuration or runtime behavior, the scanner produces findings that can support audit evidence, but a framework mapping is not an attestation: it does not replace an auditor or a human pentester for high-stakes assessments.

Detection capabilities and runtime behavior

Scans complete in under a minute. After domain verification, authenticated scans can use Bearer tokens, API keys, Basic auth, or cookies. Requests are limited to read-only methods (GET and HEAD); the only POST traffic is the text-only body sent for LLM probes. POST is not read-only by HTTP semantics, so an LLM endpoint that stores conversations will retain the probe prompts. Targets that point at private IP ranges, localhost, or cloud metadata endpoints are blocked at multiple layers, so the scanner cannot be turned into an SSRF relay against internal hosts. Detection categories cover:

  • Authentication bypass and JWT misconfigurations
  • Broken object level authorization (BOLA/IDOR)
  • Broken function level authorization (BFLA/privilege escalation)
  • Broken object property level authorization (property exposure)
  • Input validation issues such as CORS wildcard origins and dangerous HTTP methods
  • Rate limiting and resource consumption signals
  • Data exposure, including PII patterns and API key formats in responses
  • Encryption and transport misconfigurations
  • SSRF indicators (blind SSRF is out of scope)
  • Inventory and versioning issues
  • Unsafe consumption surface
  • LLM/AI security probes at Quick, Standard, and Deep tiers

The LLM probes include system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, token smuggling, and other adversarial techniques, distributed across the defined tiers.
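A scanner that accepts arbitrary target URLs is itself an SSRF vector unless it refuses to talk to private, loopback, link-local and metadata addresses. The following is an added example of that kind of multi-layer target check; it is not middleBrick's code, and the function and constant names, the denied hostname set and the injectable resolver are this example's own assumptions. It checks the scheme, then a literal host, then every address a hostname resolves to, so a name that answers with 127.0.0.1 or 169.254.169.254 is rejected before a single request is sent.

```python
"""SSRF guard for a black-box scanner that takes user-supplied target URLs.

Added example, not middleBrick's code. Names and the resolver hook are
this example's own assumptions.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hostnames denied outright. metadata.google.internal is GCP's documented
# metadata name; "localhost" and anything under ".localhost" never leave the box.
DENIED_HOSTNAMES = {"localhost", "metadata.google.internal"}

Resolver = Callable[[str], Iterable[str]]


def _dns_resolve(host: str) -> list[str]:
    """Resolve a hostname to all of its A/AAAA records (real network lookup)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # getaddrinfo may append a zone id ("fe80::1%eth0"); ip_address() rejects it.
    return sorted({info[4][0].split("%")[0] for info in infos})


def _is_non_public(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for anything the scanner must never connect to from its own network."""
    # ::ffff:169.254.169.254 is the IMDS address in an IPv6 wrapper; unwrap it.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_private          # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or addr.is_loopback      # 127/8, ::1
        or addr.is_link_local    # 169.254/16 (cloud metadata lives here), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified   # 0.0.0.0 / :: mean "this host" to a connect()
        or not addr.is_global    # also catches 100.64/10 (Alibaba IMDS at 100.100.100.200)
    )


def check_scan_target(url: str, resolve: Resolver = _dns_resolve) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-submitted scan target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname  # IPv6 brackets stripped, port removed, lowercased
    if not host:
        return False, "URL has no host"
    host = host.rstrip(".")

    # Layer 1: hostname denylist, independent of what DNS says.
    if host in DENIED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"hostname {host!r} is denied"

    # Layer 2: a literal IP in the URL is judged before any lookup happens.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if _is_non_public(literal):
            return False, f"literal address {literal} is not public"
        return True, "ok"

    # Layer 3: every address the name resolves to must be public. An attacker-
    # controlled name can answer with 127.0.0.1 or 169.254.169.254, and odd
    # spellings such as a bare decimal "2130706433" are not parsed by
    # ip_address() and reach the resolver instead, so this layer is not optional.
    addrs = list(resolve(host))
    if not addrs:
        return False, f"{host!r} did not resolve"
    for raw in addrs:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return False, f"resolver returned unparsable address {raw!r}"
        if _is_non_public(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"
```

Two things the check alone does not cover: the HTTP client should connect to the address that was vetted rather than resolving the name a second time (otherwise a short-TTL rebinding answer slips through between check and connect), and every redirect target needs the same check before it is followed.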

OpenAPI analysis and authenticated scanning constraints

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents, resolving $ref pointers recursively, and cross-references the spec against what it observes at runtime. That comparison can surface security requirements that name schemes the spec never defines, sensitive fields in response schemas, deprecated operations, and collection endpoints without pagination parameters. For authenticated scans, only a small header allowlist is forwarded: Authorization, X-API-Key, Cookie, and X-Custom-* headers; anything else is dropped. Before credentials can be submitted, ownership of the domain must be proven through a DNS TXT record or an HTTP well-known file. These constraints keep the scan read-only, but they also mean the scanner cannot drive the multi-step, stateful flows (create, then read, then delete) that a full API contract may require.

Management, monitoring, and integration options

Results are accessed through a web dashboard with scan management, score trend tracking, and downloadable branded compliance PDFs. The CLI exposes a single command, middlebrick scan <url>, with JSON or text output. A GitHub Action can gate CI/CD by failing the build when the score drops below a configured threshold. The MCP server lets AI coding assistants trigger scans. For ongoing monitoring, the Pro tier adds scheduled rescans, diff detection between runs, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are automatically disabled after five consecutive delivery failures. Webhook receivers should recompute the HMAC over the raw request body with the shared secret and compare it in constant time before parsing the payload; a receiver that accepts unsigned requests is an unauthenticated endpoint that anyone can use to inject fake findings. These features surface findings inside existing workflows; none of them remediate issues automatically.
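Both sides of the signed-webhook exchange, plus the auto-disable counter and the per-API alert throttle, as an added example. This is not middleBrick's code: the page says only that webhooks are HMAC-SHA256 signed, are disabled after five consecutive failures, and that email alerts are limited to one per hour per API, so the header name, the `sha256=` prefix, the canonical JSON serialisation and the injected transport and clock are this example's assumptions.

```python
"""Signed webhook delivery, receiver-side verification, auto-disable, alert throttling.

Added example, not middleBrick's code. Header name, value format and the
transport/clock hooks are assumptions made for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed name; the page does not give one
MAX_CONSECUTIVE_FAILURES = 5
ALERT_INTERVAL_SECONDS = 3600  # one email per hour per API


def sign_payload(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes on the wire, hex-encoded."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented) -> bool:
    """Constant-time comparison; a missing or malformed header is just a failed check."""
    if not isinstance(presented, str):
        return False
    expected = sign_payload(secret, body).encode("ascii")
    return hmac.compare_digest(expected, presented.encode("utf-8"))


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict) -> tuple[int, dict | None]:
    """Receiver: verify before parsing, so unsigned JSON never reaches the application."""
    if not verify_signature(secret, raw_body, headers.get(SIGNATURE_HEADER)):
        return 401, None
    try:
        return 200, json.loads(raw_body)
    except ValueError:
        return 400, None


class WebhookEndpoint:
    """Sender: signs each delivery and disables itself after repeated failures."""

    def __init__(self, url: str, secret: bytes):
        self.url, self.secret = url, secret
        self.consecutive_failures = 0
        self.disabled = False

    def deliver(self, event: dict, transport) -> bool:
        """`transport(url, body, headers) -> status_code` stands in for an HTTP client."""
        if self.disabled:
            return False
        # Canonical serialisation: the signature covers exactly these bytes.
        body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        headers = {"Content-Type": "application/json",
                   SIGNATURE_HEADER: sign_payload(self.secret, body)}
        try:
            ok = 200 <= transport(self.url, body, headers) < 300
        except Exception:  # connection refused, timeout, TLS failure, ...
            ok = False
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.disabled = True
        return ok


class AlertRateLimiter:
    """At most one alert per API per interval; the clock is injectable for tests."""

    def __init__(self, interval: float = ALERT_INTERVAL_SECONDS, clock=time.monotonic):
        self.interval, self.clock, self._last = interval, clock, {}

    def allow(self, api_id: str) -> bool:
        now = self.clock()
        last = self._last.get(api_id)
        if last is not None and now - last < self.interval:
            return False
        self._last[api_id] = now
        return True
```

The receiver signs the raw bytes it received, not a re-serialised copy of the parsed object; any framework that decodes the body before the handler sees it must expose the original bytes, or the two sides will compute different MACs on equivalent JSON. A production receiver would also bound replay with a timestamp or delivery id in the signed material, which the page does not describe and this example leaves out.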

Pricing tiers and data handling

The Free tier offers three scans per month and CLI access. Starter, at 99 dollars per month, supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP server. Pro, at 499 dollars per month, covers 100 APIs with additional APIs billed separately, and adds continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. Enterprise, at 2000 dollars per month or more, provides unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support. Customer scan data can be deleted on demand and is purged within 30 days of cancellation; it is never sold and is not used for model training.

Frequently Asked Questions

Is Apigee a good choice for teams that need deep, intrusive security testing?
No. middleBrick, the scanner described on this page, is intentionally read-only and does not perform active SQL injection, command injection, or deep business logic exploitation. Teams that require intrusive testing or deep logic review will still need a human pentester or specialized tooling.
Who is Apigee worth it for in a comparison context?
middleBrick is worth considering for teams that need frequent, standardized scans across many public-facing APIs, want continuous monitoring without running their own infrastructure, and need evidence aligned to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10. It is a poor fit for organizations whose core security validation relies on intrusive testing, or that need certification-level guarantees, which a scanner's framework mapping does not provide.
What are the main limitations to keep in mind?
The tool detects and reports, with remediation guidance; it does not fix or patch anything. It cannot detect blind SSRF or most business logic vulnerabilities, and it does not replace a human pentester for high-risk audits. Its read-only design also limits deep stateful interaction with complex APIs.
How does the tool integrate into development pipelines?
It integrates via the CLI and a GitHub Action that can fail builds when the score falls below a threshold. The Pro tier adds scheduled rescans and diff detection, while signed webhooks and email alerts support ongoing monitoring. These integrations surface findings early rather than automating fixes.