Pricing alternative to Lasso Security

What middleBrick covers

  • Black-box API scanning with under one minute scan time
  • 12 OWASP API Top 10 categories plus LLM adversarial probes
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning with domain verification gate
  • CI/CD integration via GitHub Action and CLI
  • Pro tier continuous monitoring with diff detection and alerts

Pricing model and total cost of ownership

The primary contrast with Lasso Security is the per-API pricing structure and included features. Monthly cost scales with the number of APIs you choose to scan, with no per-scan fees. The Free tier supports basic CLI scanning for low-volume use. Starter at 99 dollars per month includes dashboard, email alerts, and scheduled monthly scans for up to 15 APIs. Pro at 499 dollars per month adds continuous monitoring for up to 100 APIs, with additional APIs billed at 7 dollars each. Enterprise at 2000 dollars per month provides unlimited APIs, SSO, and audit logs.

When comparing with Lasso Security, consider operational overhead: black-box scanning removes the need for agent deployment, code access, or SDK integration, which can reduce internal engineering time. Scan execution takes under one minute, and authenticated scanning requires only passing the domain verification gate. There are no recurring per-scan charges, so teams with variable testing frequency may find this more cost-effective than usage-based models.

Feature coverage across tiers

Each tier is designed to align with different stages of maturity. Free tier provides CLI access and 3 scans per month, suitable for initial proof-of-concept. Starter includes a web dashboard, monthly scans, email alerts, and the MCP Server for AI-assisted workflows. It supports Bearer, API key, Basic auth, and Cookie authentication after domain verification, with a restricted header allowlist to limit risk during credentialed tests.

Pro tier adds continuous monitoring with configurable intervals of 6 hours, daily, weekly, or monthly. It includes diff detection between scans, email alerts rate-limited to 1 per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Enterprise adds unlimited APIs, custom rules, SSO, audit logs, and dedicated support. Across tiers, the scanner maps findings to OWASP API Top 10 and supports OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution.
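The page states that Pro-tier webhooks are HMAC-SHA256 signed and auto-disable after 5 consecutive failures, but it does not document the header names or the exact delivery semantics. The following added example (not middleBrick's code) shows both sides of such an exchange: the sender signs the timestamp and body, the receiver verifies with a constant-time comparison and rejects stale timestamps, and the delivery loop tracks consecutive failures. The header names, the 300-second replay window, and the constructed in-memory receiver are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict

# Header names are assumptions for this example; the page only states that
# webhooks are HMAC-SHA256 signed and auto-disable after 5 consecutive failures.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_CONSECUTIVE_FAILURES = 5
MAX_SKEW_SECONDS = 300  # assumed replay window enforced by the receiver


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: MAC over "<timestamp>.<body>" so the timestamp is bound to the body."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, headers: Dict[str, str], body: bytes, now: int) -> bool:
    """Receiver side: reject missing or stale timestamps, then compare MACs in constant time."""
    try:
        timestamp = int(headers[TIMESTAMP_HEADER])
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_payload(secret, timestamp, body)
    presented = headers.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(expected, presented)


@dataclass
class WebhookEndpoint:
    url: str
    secret: bytes
    consecutive_failures: int = 0
    enabled: bool = True


Transport = Callable[[str, Dict[str, str], bytes], int]


def deliver(endpoint: WebhookEndpoint, event: dict, transport: Transport, now: int) -> bool:
    """One delivery attempt. transport(url, headers, body) returns an HTTP status code.
    A 2xx resets the failure counter; the fifth consecutive non-2xx disables the endpoint."""
    if not endpoint.enabled:
        return False
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        "Content-Type": "application/json",
        TIMESTAMP_HEADER: str(now),
        SIGNATURE_HEADER: sign_payload(endpoint.secret, now, body),
    }
    status = transport(endpoint.url, headers, body)
    if 200 <= status < 300:
        endpoint.consecutive_failures = 0
        return True
    endpoint.consecutive_failures += 1
    if endpoint.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
        endpoint.enabled = False
    return False


def receiver_factory(secret: bytes, now: int) -> Transport:
    """Constructed in-memory receiver: 200 if the signature verifies, otherwise 401."""
    def receiver(url: str, headers: Dict[str, str], body: bytes) -> int:
        return 200 if verify_delivery(secret, headers, body, now) else 401
    return receiver


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    endpoint = WebhookEndpoint("https://hooks.example.invalid/middlebrick", secret)
    now = 1_700_000_000
    print("delivered:", deliver(endpoint, {"api": "orders", "grade": "C"}, receiver_factory(secret, now), now))
    # A receiver holding a different secret rejects every delivery; after five the endpoint is disabled.
    wrong = receiver_factory(b"other-secret", now)
    for _ in range(MAX_CONSECUTIVE_FAILURES):
        deliver(endpoint, {"api": "orders"}, wrong, now)
    print("enabled after 5 rejected deliveries:", endpoint.enabled)
```

Binding the timestamp into the MAC is what makes the skew check meaningful: a captured delivery cannot be replayed after the window, and a forged timestamp invalidates the signature. The failure counter resets only on a 2xx, so intermittent errors accumulate just as the page's "consecutive" wording implies.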

Detection capabilities and scope

The scanner covers 12 security categories aligned to OWASP API Top 10 2023, including Authentication bypass, BOLA and BFLA, Property Authorization over-exposure, Input Validation issues such as CORS misconfigurations, and Data Exposure patterns like PII, API keys, and error leakage. It also detects SSRF indicators in URL-accepting parameters and validates encryption controls including HTTPS redirects, HSTS, and cookie flags.

For LLM and AI-facing APIs, 18 adversarial probe types are supported across Quick, Standard, and Deep scan tiers, targeting system prompt extraction, instruction override, jailbreak techniques, data exfiltration, and token smuggling. Because the approach is read-only, it does not perform active SQL injection or command injection testing, and business logic vulnerabilities are not detected. This helps you prioritize remediation effort while understanding the tool’s limits.

Compliance mapping and reporting

middleBrick maps findings directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 2023. For other regulations, the platform helps you assemble audit evidence and aligns with the security controls described in the relevant standards. The web dashboard supports branded compliance PDF downloads, which can streamline internal reporting without implying certification or guaranteed compliance.

Reports include prioritized findings with risk scores from A to F, evidence, and remediation guidance. You can track score trends over time, review diff results between scans, and integrate with CI/CD via the GitHub Action, which fails the build when the score drops below a defined threshold. This enables security gates without requiring a dedicated full-time auditor for every scan cycle.
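The two mechanisms above, diff detection between scans and a CI gate that fails when the grade drops below a threshold, are easy to reproduce on the CLI's JSON output. The following added example (not middleBrick's GitHub Action or CLI) implements both over two constructed reports; the report schema (a top-level "score" letter and a "findings" list keyed by category, method and endpoint) is an assumption, since the page does not document it.

```python
import json
import sys
from typing import Dict, List, Tuple

# Report shape is an assumption for this example: the page says the CLI emits JSON
# and grades A to F, but does not document the schema.
GRADES = "ABCDEF"  # index 0 = A (best) ... 5 = F (worst)


def grade_rank(grade: str) -> int:
    g = grade.strip().upper()
    if g not in GRADES:
        raise ValueError(f"unknown grade: {grade!r}")
    return GRADES.index(g)


def meets_threshold(report: dict, min_grade: str) -> bool:
    """True when the report grade is min_grade or better."""
    return grade_rank(report["score"]) <= grade_rank(min_grade)


def finding_key(finding: dict) -> Tuple[str, str, str]:
    """Identity used for diffing: same category on the same method and endpoint."""
    return (finding["category"], finding.get("method", "GET").upper(), finding["endpoint"])


def diff_reports(previous: dict, current: dict) -> Dict[str, List[dict]]:
    prev = {finding_key(f): f for f in previous.get("findings", [])}
    cur = {finding_key(f): f for f in current.get("findings", [])}
    return {
        "new": [cur[k] for k in cur if k not in prev],
        "resolved": [prev[k] for k in prev if k not in cur],
        "unchanged": [cur[k] for k in cur if k in prev],
    }


def evaluate(previous: dict, current: dict, min_grade: str, fail_on_new: bool = True) -> dict:
    """Gate decision: grade must meet the threshold and, optionally, no new findings may appear."""
    delta = diff_reports(previous, current)
    grade_ok = meets_threshold(current, min_grade)
    new_ok = not (fail_on_new and delta["new"])
    return {
        "grade": current["score"].strip().upper(),
        "grade_ok": grade_ok,
        "new": len(delta["new"]),
        "resolved": len(delta["resolved"]),
        "passed": grade_ok and new_ok,
    }


# Constructed sample reports standing in for two consecutive CLI runs.
PREVIOUS_REPORT = {
    "score": "B",
    "findings": [
        {"category": "Data Exposure", "method": "GET", "endpoint": "/v1/users/{id}",
         "severity": "medium", "title": "PII fields returned in response body"},
        {"category": "Encryption", "method": "GET", "endpoint": "/",
         "severity": "low", "title": "HSTS header missing"},
    ],
}
CURRENT_REPORT = {
    "score": "D",
    "findings": [
        {"category": "Data Exposure", "method": "GET", "endpoint": "/v1/users/{id}",
         "severity": "medium", "title": "PII fields returned in response body"},
        {"category": "Authentication", "method": "GET", "endpoint": "/v1/admin/export",
         "severity": "high", "title": "Endpoint responds without credentials"},
    ],
}


def main(argv: List[str]) -> int:
    """Usage: gate.py [previous.json current.json [min_grade]]. Exit status 1 fails the build."""
    if len(argv) >= 3:
        with open(argv[1]) as f_prev, open(argv[2]) as f_cur:
            previous, current = json.load(f_prev), json.load(f_cur)
        min_grade = argv[3] if len(argv) > 3 else "C"
    else:
        previous, current, min_grade = PREVIOUS_REPORT, CURRENT_REPORT, "C"
    result = evaluate(previous, current, min_grade)
    print(json.dumps(result, indent=2))
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the embedded reports and exits 1, because the grade fell from B to D and a new Authentication finding appeared even though the HSTS finding was resolved. Keying findings on category plus method plus endpoint, rather than on their free-text title, keeps the diff stable when the scanner rewords a finding.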

Operational safety and data handling

The scanner uses read-only methods (GET and HEAD) plus text-only POST for LLM probes, and destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training, which can simplify data governance discussions.

Authenticated scanning requires domain verification to ensure only the domain owner can submit credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers. These constraints reduce noise and accidental impact on production environments while providing repeatable, measurable results.
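The two safety controls described in this section, the blocked-target rule (private IPs, localhost, cloud metadata endpoints) and the forwarded-header allowlist, are the kind of guardrail any black-box scanner that accepts user-supplied URLs and credentials needs. The following added example (not middleBrick's code) implements both checks as a defender would: the header filter applies the allowlist the page names, and the target check fails closed, judging the resolved addresses of a hostname rather than its spelling and unwrapping IPv4-mapped IPv6 literals before classifying them. The blocked hostname list and the resolver interface are assumptions.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Tuple
from urllib.parse import urlsplit

# Forwarded-header policy from the page: Authorization, X-API-Key, Cookie and X-Custom-*.
EXACT_ALLOWED = {"authorization", "x-api-key", "cookie"}
PREFIX_ALLOWED = ("x-custom-",)


def filter_forwarded_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep only allowlisted headers; everything else (Host, X-Forwarded-For, ...) is dropped."""
    kept = {}
    for name, value in headers.items():
        lowered = name.lower()
        if lowered in EXACT_ALLOWED or lowered.startswith(PREFIX_ALLOWED):
            kept[name] = value
    return kept


# Hostnames refused outright (constructed list; the page says localhost and cloud
# metadata endpoints are blocked without naming them).
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}
# Shared address space is not flagged as private by every Python version, so list it explicitly.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> Iterable[str]:
    """Default resolver: every A/AAAA answer for the host (assumed interface for this example)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def ip_is_blocked(ip) -> bool:
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    if any(ip in net for net in EXTRA_BLOCKED):
        return True
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_allowed_target(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Fail-closed target check: only http(s) URLs whose every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    host = host.lower().rstrip(".")
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"blocked hostname {host}"
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP, IPv4 or IPv6
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}"
        if not addresses:
            return False, f"no addresses for {host}"
    for ip in addresses:
        if ip_is_blocked(ip):
            return False, f"{ip} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    print(filter_forwarded_headers({"Authorization": "Bearer <token>", "X-Forwarded-For": "1.2.3.4"}))
    for url in ("https://api.example.com/openapi.json", "http://127.0.0.1/", "http://169.254.169.254/"):
        print(url, is_allowed_target(url))
```

Two practical caveats: the check is only as good as the address actually connected to, so a scanner should connect to the addresses it validated rather than resolving a second time (otherwise a DNS answer that changes between lookups defeats it), and it has to be repeated for every redirect target, not just the submitted URL.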

Frequently Asked Questions

Does the platform perform active exploitation like SQL injection?
No. The scanner is read-only and does not send destructive payloads. It detects indicators and configuration issues, and it maps findings to OWASP API Top 10.

How are credentials handled during authenticated scans?
Credentials are accepted for Bearer, API key, Basic auth, and Cookie authentication. Domain verification is required, and only a restricted set of headers is forwarded to limit risk.

Can I integrate scanning into my CI/CD pipeline?
Yes. The GitHub Action fails the build when the score drops below your threshold, and the CLI supports JSON output for scripting. An API client is available for custom integrations.

What happens to my scan data when I cancel?
Scan data is deletable on demand and purged within 30 days of cancellation. The platform does not sell data and does not use it for model training.

Does the tool detect business logic vulnerabilities?
No. Business logic vulnerabilities require domain context and human expertise. The scanner maps findings to OWASP API Top 10 and highlights suspicious patterns for manual review.