Is Kong worth it?

What middleBrick covers

  • Black-box scanning with scan times under one minute
  • OWASP API Top 10 (2023) coverage plus LLM adversarial probes
  • OpenAPI 3.0/3.1/Swagger 2.0 spec parsing with $ref resolution
  • Prioritized findings mapped to PCI-DSS, SOC 2, and OWASP
  • Authenticated scans with domain verification and header allowlists
  • CI/CD integration via GitHub Action and MCP server support

What this scanner is and is not

This tool is a black-box API security scanner. You submit an endpoint, receive a risk score from A to F, and get prioritized findings. It performs read-only testing with GET and HEAD methods, and text-only POST for LLM probes. Scan duration is under one minute. The scope covers the OWASP API Top 10 (2023), with additional coverage for LLM-specific adversarial testing and OpenAPI specification analysis.

Detection capabilities and mapping to standards

The scanner covers 12 security categories and maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection includes authentication bypass and JWT misconfigurations, broken object level authorization, function level authorization abuse, property level authorization issues, input validation problems such as CORS misconfigurations and dangerous methods, rate limiting and resource consumption issues, data exposure including PII and API key leakage, encryption and transport security, SSRF indicators, inventory management gaps, unsafe consumption surfaces, and LLM/AI security probes across tiered scan depths.

OpenAPI analysis supports versions 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, comparing spec definitions against runtime behavior to identify undefined security schemes, deprecated operations, and missing pagination. For other regulations, the tool aligns with described security controls and supports audit evidence collection, but does not certify compliance.

Authenticated scanning and operational constraints

Authenticated scanning is available in paid tiers and supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification is required, allowing only the domain owner to run credentialed scans. The scanner forwards a restricted header set: Authorization, X-API-Key, Cookie, and X-Custom-*. Read-only methods are enforced; no destructive payloads are sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data can be deleted on demand and is purged within 30 days of cancellation.

Limitations and responsible use

The tool does not fix, patch, or block issues; it reports findings with remediation guidance. It does not perform active SQL injection or command injection testing, as those fall outside the read-only scope. Business logic vulnerabilities require domain expertise and are not detectable automatically. Blind SSRF and certain infrastructure-level issues are out of scope. The scanner does not replace a human pentester for high-stakes audits. Results should be interpreted as part of a broader security program, not a standalone compliance guarantee.

Product offerings and integration options

The Web Dashboard provides scan management, score trends, and downloadable compliance PDFs. The CLI, distributed as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing builds when scores drop below a set threshold. An MCP server enables scanning from AI coding assistants. Programmatic access is available via an API client for custom integrations. Pro tier adds scheduled rescans, diff detection, email alerts, and webhook delivery with HMAC-SHA256 signing.

Frequently Asked Questions

Who is this scanner a good fit for?
Security and engineering teams that need a fast, repeatable way to validate API posture before deployment or during periodic reviews. It is well suited for organizations that already have a mature security program and need evidence to support internal assessments.
When should you not rely on this tool?
Do not rely on it when regulatory certification is required, when business logic nuances must be tested, or when infrastructure-level vulnerabilities like blind SSRF are in scope. It is not a replacement for expert manual review for critical systems.
How does pricing scale with usage?
The free tier allows three scans per month with CLI access. Starter adds dashboard and email alerts for 15 APIs. Pro scales to 100 APIs with continuous monitoring and CI/CD integration. Enterprise offers unlimited APIs, custom rules, SSO, and audit logs.
Can authenticated scans be trusted with sensitive environments?
Authenticated scanning requires domain verification and follows strict header allowlists. It uses read-only methods and excludes sensitive infrastructure targets, but credentials should only be provided by owners who understand the access level.