Is Protect AI worth it?
What middleBrick covers
- Black-box scanning with read-only methods under one minute
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10 (2023), PCI-DSS 4.0, SOC 2 Type II
- Authenticated scans with strict header allowlists and domain verification
- OpenAPI 3.x and Swagger 2.0 parsing with spec-to-runtime cross-reference
- Continuous monitoring, diff detection, and webhook/SIEM integrations
Scope and approach of black-box scanning
The platform is a self-service API security scanner: you submit a URL and it returns a risk score from A to F with prioritized findings. It operates as a black-box scanner, requiring no agents, no code access, and no SDK integration. Any language, framework, or cloud can be targeted, and scans complete in under a minute. The scanner uses read-only methods, primarily GET and HEAD, with text-only POST for LLM probes. This design avoids intrusive testing while still surfacing a broad set of configuration and vulnerability categories aligned to the OWASP API Top 10 (2023).
Detection coverage and mapping to major frameworks
The scanner evaluates 12 categories and maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023). Detection capabilities include authentication bypass and JWT misconfigurations such as alg=none, weak key choices, expired tokens, and missing claims. It identifies BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, as well as BFLA and privilege escalation through admin endpoint probing and role/permission leakage. Additional coverage spans property authorization over-exposure, input validation issues like CORS wildcard usage and dangerous methods, rate limiting and resource consumption signals, and data exposure patterns including PII, credit card Luhn checks, API key formats, and error/stack-trace leakage. Encryption misconfigurations, SSRF indicators, inventory management gaps, unsafe consumption surfaces, and LLM/AI security adversarial probes across multiple tiers are also assessed.
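To check your own tokens for three of the JWT misconfigurations listed above (alg=none, expired tokens, missing claims), the following added example lints a compact JWT without verifying its signature. It is not middleBrick's implementation; the function names, finding codes, and the required-claim list are assumptions made for illustration.

```javascript
// Added example, not middleBrick code. Passive JWT lint: decodes only, no signature check.
// REQUIRED_CLAIMS is an assumed policy; set it to what your API actually requires.
const REQUIRED_CLAIMS = ["exp", "iss", "aud"];

// Decode one base64url JWT segment into a JSON object (throws on bad input).
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const value = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (value === null || typeof value !== "object") throw new Error("not a JSON object");
  return value;
}

// Return finding codes for a compact JWT; nowSeconds is injectable for testing.
function lintJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return ["malformed"];
  let header, claims;
  try {
    header = decodeSegment(parts[0]);
    claims = decodeSegment(parts[1]);
  } catch (err) {
    return ["malformed"];
  }
  const findings = [];
  // An absent alg is reported the same way as alg=none.
  const alg = typeof header.alg === "string" ? header.alg.toLowerCase() : "";
  if (alg === "" || alg === "none") findings.push("alg-none");
  else if (parts[2] === "") findings.push("empty-signature");
  if (typeof claims.exp === "number" && claims.exp <= nowSeconds) findings.push("expired");
  for (const name of REQUIRED_CLAIMS) {
    if (!(name in claims)) findings.push("missing-claim:" + name);
  }
  return findings;
}

// Build a constructed sample token (test data only; the signature is a placeholder).
function makeSampleToken(header, claims, signature) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc(header), enc(claims), signature].join(".");
}

const unsigned = makeSampleToken({ alg: "none", typ: "JWT" }, { sub: "42", exp: 1000 }, "");
console.log(lintJwt(unsigned, 2000));
```

A clean result here means only that none of these three conditions were found; signature validity and key strength still have to be checked by the service that verifies the token.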
Authenticated scanning and domain verification
Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic auth, and cookies. A domain verification gate, such as a DNS TXT record or an HTTP well-known file, ensures that only the domain owner can scan with credentials. To limit exposure, the scanner forwards a strict header allowlist consisting of Authorization, X-API-Key, Cookie, and X-Custom-* headers. OpenAPI 3.0, 3.1, and Swagger 2.0 specifications are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
Product integrations and monitoring options
The platform provides a web dashboard for scanning, viewing reports, tracking score trends, and downloading branded compliance PDFs. The CLI, published as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD pipelines, failing the build when the score drops below a chosen threshold. An MCP server allows scans from AI coding assistants like Claude and Cursor, and a programmatic API supports custom integrations. For continuous monitoring, Pro tier subscriptions offer scheduled rescans at intervals ranging from every 6 hours to monthly, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.
Limitations and appropriate use cases
The tool does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, which would require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they demand domain-specific human analysis, and blind SSRF is out of scope due to the lack of out-of-band infrastructure. The scanner does not replace a human pentester for high-stakes audits. It is well suited for teams that need frequent, automated checks across many public or semi-public endpoints and want ongoing score tracking. It is less suitable for organizations that expect an auditor to certify compliance or that require deep, intrusive exploitation without additional tooling.