Lasso Security review

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies
  • Risk scoring on A–F scale with prioritized findings
  • 12 detection categories aligned to the OWASP API Security Top 10 (2023)
  • OpenAPI 3.x/2.0 spec parsing with recursive $ref resolution
  • Authenticated scanning with header allowlist and domain verification
  • CI/CD integration via GitHub Action and MCP Server support

Overview and positioning

middleBrick positions itself as a self-service API security scanner: it accepts a URL and returns a risk score on an A–F scale with prioritized findings. Scanning is black-box, requiring no agents, SDKs, or code access, so it works against any language, framework, or cloud. A scan completes in under one minute and uses read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes. The emphasis is on a fast initial assessment rather than remediation.

Detection coverage and methodology

The scanner covers 12 categories aligned to the OWASP API Security Top 10 (2023):

  • Authentication bypass and JWT misconfigurations: alg=none, HS256 (symmetric signing, flagged as a weak-signing signal because any party holding the verification key can also mint tokens), expired tokens, missing claims, and sensitive data carried in claims.
  • BOLA/IDOR via sequential ID enumeration and active probing of adjacent IDs (read-only requests, consistent with the GET/HEAD posture).
  • BFLA and privilege escalation via admin endpoint probing and leakage of role or permission fields.
  • Property over-exposure.
  • Input validation: CORS wildcards and dangerous HTTP methods left enabled.
  • Rate limiting: missing rate-limit headers and similar behaviours.
  • Data exposure: PII patterns including email addresses, Luhn-validated card numbers, SSN-format numbers flagged only when the surrounding context supports them, and API key formats for AWS, Stripe, GitHub, and Slack.
  • Encryption misconfigurations.
  • SSRF indicators.
  • Inventory management gaps.
  • Unsafe consumption surfaces.
  • LLM/AI security: 18 adversarial probes across Quick, Standard, and Deep tiers, covering system prompt extraction, instruction override, jailbreak techniques, data exfiltration, and token smuggling.
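The JWT and data-exposure checks above are the passive kind a black-box scanner can run over whatever tokens and response bodies it sees. The following Node.js code is an added example, not middleBrick's own code: it inspects a JWT without verifying it, applies a Luhn filter so that random 16-digit runs are not reported as card numbers, and flags SSN-format numbers only when a label precedes them. The claim names and key-format patterns are simplified assumptions, and the sample token and body are constructed here.

```javascript
// Added example (not middleBrick's code): passive JWT and response-body checks.
// Claim names and key-format patterns are simplified assumptions.

// base64url helpers (no JWT library is needed just to inspect a token)
function b64url(input) {
  return Buffer.from(input).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}
function decodeB64url(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}
// Builds a token for the sample below; the signature is an opaque string
// because the audit never verifies it.
function makeToken(header, payload, signature = '') {
  return `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}.${signature}`;
}

const SENSITIVE_CLAIMS = ['password', 'ssn', 'card_number', 'secret', 'api_key']; // assumption

// Inspect a JWT observed in a header or body and report structural weaknesses.
function auditJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['malformed-jwt'];
  let header, payload;
  try {
    header = JSON.parse(decodeB64url(parts[0]));
    payload = JSON.parse(decodeB64url(parts[1]));
  } catch (e) { return ['malformed-jwt']; }
  if (!header || typeof header !== 'object' || !payload || typeof payload !== 'object') return ['malformed-jwt'];
  const findings = [];
  const alg = String(header.alg || '').toLowerCase();
  if (alg === 'none' || parts[2] === '') findings.push('alg-none');   // unsigned token in circulation
  else if (alg === 'hs256') findings.push('hs256-symmetric');          // shared-secret signing
  for (const c of ['exp', 'iat', 'iss', 'sub']) if (!(c in payload)) findings.push(`missing-${c}`);
  if (typeof payload.exp === 'number' && payload.exp < now) findings.push('expired');
  for (const k of Object.keys(payload)) if (SENSITIVE_CLAIMS.includes(k.toLowerCase())) findings.push(`sensitive-claim:${k}`);
  return findings;
}

// Luhn check separates real card numbers from random digit runs (order IDs, timestamps).
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d; double = !double;
  }
  return sum % 10 === 0;
}

// Simplified key-format patterns (assumed shapes, not the vendors' exact grammars).
const KEY_PATTERNS = {
  email: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
  aws_access_key: /\bAKIA[0-9A-Z]{16}\b/g,
  stripe_secret: /\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b/g,
  github_token: /\bghp_[0-9A-Za-z]{36}\b/g,
  slack_token: /\bxox[abp]-[0-9A-Za-z-]{10,}\b/g,
};

function scanBody(text) {
  const hits = [];
  for (const [type, re] of Object.entries(KEY_PATTERNS)) for (const m of text.match(re) || []) hits.push({ type, value: m });
  for (const run of text.match(/\b(?:\d[ -]?){13,19}\b/g) || []) {    // card-like digit runs, spaces/dashes allowed
    const digits = run.replace(/\D/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push({ type: 'card_number', value: digits });
  }
  // Context-aware SSN: only NNN-NN-NNNN with a label within 20 characters before it.
  for (const m of text.matchAll(/\b(?:ssn|social security)\b[^0-9]{0,20}(\d{3}-\d{2}-\d{4})/gi)) hits.push({ type: 'ssn', value: m[1] });
  return hits;
}

// Constructed sample response body: one Luhn-valid card, one Luhn-invalid order id.
const SAMPLE_BODY = JSON.stringify({
  user: 'alice@example.com', order_id: '4111111111111112', card: '4111 1111 1111 1111',
  ssn: '123-45-6789', aws_key: 'AKIAIOSFODNN7EXAMPLE',
});
```

Running `scanBody(SAMPLE_BODY)` reports the email, the AWS key, the SSN, and only the Luhn-valid card number; `auditJwt` on a token with `alg: "none"` and an empty signature returns `alg-none`, and an HS256 token missing `iat`/`iss` with `exp` in the past and a `password` claim returns all four of those findings.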

OpenAPI analysis and authenticated scanning

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution and cross-references the spec against runtime findings to flag undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies. Before credentials are accepted for a domain, ownership is verified via a DNS TXT record or an HTTP well-known file, so only the domain owner can submit credentials for it. A strict header allowlist forwards only Authorization, X-API-Key, Cookie, and X-Custom-* headers during scans; any other header in a submitted configuration is not forwarded.

Product features, monitoring, and deployment integrations

The Web Dashboard centralizes scan management, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package named middlebrick, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available for CI/CD gating, failing builds when scores drop below a defined threshold. The MCP Server allows scans from AI coding assistants including Claude and Cursor. Programmatic access is provided via an API client for custom integrations. Continuous monitoring in higher tiers supports scheduled rescans at intervals ranging from 6 hours to monthly, diff detection across scans, rate-limited email alerts, HMAC-SHA256 signed webhooks with auto-disable after 5 consecutive failures, and Slack or Teams notifications.

Compliance mapping and safety posture

middleBrick maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), and uses direct language for these frameworks ("maps findings to", "validates controls from"). For other standards it uses softer wording ("aligns with security controls described in", "supports audit evidence") and does not assert certification or compliance. The scanner adopts a read-only posture and never sends destructive payloads. Private IP ranges, localhost, and cloud metadata endpoints are blocked at multiple layers, so the scanner cannot be pointed at internal infrastructure. Customer data is deletable on demand, is purged within 30 days of cancellation, and is neither sold nor used for model training.
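A scanner that accepts arbitrary URLs is itself an SSRF target, which is why the target blocking above matters, and why it has to be applied both to the literal host and to whatever DNS resolves it to. The Node.js code below is an added example, not middleBrick's implementation, of the two request-side controls this page describes: the header allowlist from the authenticated-scanning section (Authorization, X-API-Key, Cookie, X-Custom-*) and a pre-resolution plus post-resolution gate for private, loopback, link-local, and metadata addresses. The hostname list, CIDR table, and IPv6 prefixes are illustrative assumptions.

```javascript
// Added example (not middleBrick's code): header allowlist and target gating
// as a scanner would apply them before any HTTP call. The blocklists are
// illustrative assumptions, not the product's actual tables.

// Header allowlist: only these names are ever forwarded to the target.
const FORWARDABLE = /^(authorization|x-api-key|cookie|x-custom-[a-z0-9-]+)$/i;
function filterForwardedHeaders(headers) {
  const kept = {}, dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (FORWARDABLE.test(name)) kept[name] = value; else dropped.push(name);
  }
  return { kept, dropped };
}

const isV4 = s => /^\d{1,3}(\.\d{1,3}){3}$/.test(s) && s.split('.').every(o => Number(o) <= 255);
const isV6 = s => s.includes(':') && /^[0-9a-f:.]+$/i.test(s);

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

const BLOCKED_V4 = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
                    '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16'];
const BLOCKED_HOSTS = ['localhost', 'metadata.google.internal', 'metadata'];

function hexGroupsToV4(rest) {                      // '7f00:1' -> '127.0.0.1'
  const [hi, lo] = rest.split(':').map(g => parseInt(g, 16));
  return [hi >> 8, hi & 255, lo >> 8, lo & 255].join('.');
}

// Decide for a literal address (submitted or resolved) whether it is off-limits.
function isBlockedAddress(addr) {
  const a = String(addr).toLowerCase();
  if (isV4(a)) return BLOCKED_V4.some(c => inCidr(a, c));
  if (isV6(a)) {
    const mapped = /^::ffff:(.+)$/.exec(a);          // IPv4-mapped, dotted or hex form
    if (mapped) return isBlockedAddress(mapped[1].includes('.') ? mapped[1] : hexGroupsToV4(mapped[1]));
    return a === '::1' || a === '::' || /^fe[89ab]/.test(a) || /^f[cd]/.test(a);
  }
  return false;
}

// Decimal or hex integer hosts ('2130706433', '0x7f000001') are 127.0.0.1 in disguise.
// WHATWG URL parsers already normalise these; this covers hosts taken from other sources.
function normaliseHost(h) {
  const n = /^\d+$/.test(h) ? Number(h) : /^0x[0-9a-f]+$/i.test(h) ? parseInt(h, 16) : NaN;
  if (Number.isInteger(n) && n <= 0xffffffff) return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
  return h;
}

// Pre-resolution gate: scheme, hostname blocklist, and literal-address check.
function isBlockedTarget(target) {
  let url;
  try { url = new URL(target); } catch (e) { return { blocked: true, reason: 'unparseable-url' }; }
  if (!['http:', 'https:'].includes(url.protocol)) return { blocked: true, reason: `scheme:${url.protocol}` };
  const host = normaliseHost(url.hostname.replace(/^\[|\]$/g, '').toLowerCase());
  if (BLOCKED_HOSTS.includes(host) || host.endsWith('.localhost')) return { blocked: true, reason: `hostname:${host}` };
  if (isBlockedAddress(host)) return { blocked: true, reason: `address:${host}` };
  return { blocked: false, reason: null };
}

// Post-resolution gate: re-check every address DNS returned, so a public name that
// resolves (or rebinds) to a metadata or private address is still refused.
function assertResolvedSafe(hostname, addresses) {
  const bad = addresses.filter(isBlockedAddress);
  if (bad.length) throw new Error(`${hostname} resolves to blocked address(es): ${bad.join(', ')}`);
  return addresses;
}
```

The second gate is the one that is easy to forget: `api.example.com` passes the first check, so the addresses returned by the resolver must be checked again immediately before connecting, and the connection must be made to a checked address rather than re-resolved by the HTTP client.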

Limitations and practical considerations

The tool does not fix, patch, block, or remediate findings; it reports with remediation guidance. It does not perform active SQL injection or command injection testing, which falls outside its non-intrusive scope. Business logic vulnerabilities are not detected, as these require domain-specific human analysis, and blind SSRF is out of scope due to the absence of out-of-band infrastructure. The scanner does not replace human pentesters for high-stakes audits. Pricing follows a tiered model from free with limited monthly scans to Enterprise with unlimited APIs, custom rules, SSO, audit logs, SLAs, and dedicated support.

Frequently Asked Questions

What is the maximum scan duration for a single API assessment?
Scans complete in under one minute, using read-only methods such as GET and HEAD.
Does the tool support authenticated scans with OAuth tokens?
Yes, as Bearer tokens: an OAuth 2.0 access token is sent in the Authorization header, which the header allowlist permits. Authenticated scanning also supports API keys, Basic auth, and cookies, and the target domain must be verified (DNS TXT record or well-known file) before credentials are accepted.
How are new findings tracked over time?
Continuous monitoring in Pro and Enterprise tiers provides diff detection across scans, highlighting new findings, resolved findings, and score drift.
What frameworks does the scanner map findings to for compliance reporting?
Mappings are provided for PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
Can the scanner detect business logic vulnerabilities such as workflow bypasses?
No, business logic vulnerabilities require human expertise and are outside the scope of automated scanning.