middleBrick vs Probely

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Risk score A–F with prioritized findings
  • 12 OWASP API Top 10 detection categories
  • LLM security adversarial probe testing
  • OpenAPI 3.x/2.0 spec cross-reference
  • Authenticated scanning with strict header allowlist

Scanning approach and deployment footprint

middleBrick is a self-service black-box API security scanner: it takes a target URL and returns a risk score with prioritized findings. It requires no agents, SDKs, or code access and works across any language, framework, or cloud. A scan completes in under one minute and uses read-only HTTP methods, plus text-only POST requests for the LLM probes. Probely positions itself as a developer-friendly security testing tool; its public documentation describes an automated scanner that also runs black-box tests without requiring source code or build instrumentation. Both tools aim for low deployment friction, but middleBrick explicitly avoids runtime instrumentation and persistent agents, which keeps operational overhead and the risk of side effects on production environments to a minimum.

Detection coverage and OWASP mapping

middleBrick detects findings across 12 categories aligned to the OWASP API Top 10 (2023), including authentication bypass, JWT misconfigurations, authorization flaws, input validation issues, rate-limiting behaviour, data exposure patterns, and SSRF indicators. It also includes an LLM security track with 18 adversarial probes across Quick, Standard, and Deep scan tiers, covering system prompt extraction, jailbreak techniques, and token smuggling. Probely's public materials describe coverage areas such as authentication, injection, and business logic testing, with a focus on automation and developer self-testing. middleBrick maps findings to the OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II, giving direct alignment to those frameworks. For other regulations, the tool supports audit evidence collection and helps prepare documentation, but it does not claim certification or guarantee compliance.

Authenticated scanning and safe testing posture

middleBrick supports authenticated scanning from the Starter tier and above, with support for Bearer tokens, API keys, Basic authentication, and cookies. Domain verification is enforced via a DNS TXT record or an HTTP well-known file, so only the domain owner can submit credentials for a target. The scanner uses a strict header allowlist and never sends destructive payloads; unsafe HTTP methods, private IP ranges, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data is deletable on demand and purged within 30 days of cancellation. Probely's documentation indicates similar safe testing practices, emphasizing non-intrusive checks; however, the specific authenticated workflows, header allowlist, and data retention policy are spelled out in middleBrick's public guidance, giving operators clear control over credentials and scope.
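Two of the guards described above, as an added example written for this page (not middleBrick's code): a target-URL validator that refuses loopback, private, link-local and cloud-metadata destinations at two layers (the URL as written, then every address the host resolves to), and a request-header allowlist filter. The allowlist, the hostname blocklist, and the `resolver` hook are assumptions; the sample addresses in the usage note are constructed.

```python
import ipaddress
import socket
from typing import Callable, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed allowlist of headers an operator may supply for authenticated scans.
HEADER_ALLOWLIST = frozenset({"authorization", "x-api-key", "cookie"})

# Assumed name blocklist. Numeric metadata addresses such as 169.254.169.254 are
# caught by the address checks below; these well-known names are not, so list them.
BLOCKED_HOSTNAMES = frozenset({"localhost", "metadata", "metadata.google.internal"})


def _blocked_ip(ip: IPAddress) -> bool:
    """True for any address a black-box scanner must never connect to."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback, not a new IPv6 host
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _system_resolver(host: str) -> list:
    """Resolve a name to all of its A/AAAA addresses via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_target(url: str, resolver: Optional[Callable[[str], list]] = None) -> tuple:
    """Return (allowed, reason).

    Layer 1 judges the URL as written; layer 2 judges every address the host
    resolves to, so a public-looking name that points at 10.0.0.5 is refused.
    A real scanner should then connect to the vetted address instead of
    re-resolving, otherwise a DNS-rebinding host can flip to an internal IP
    between this check and the request.
    """
    resolve = resolver or _system_resolver
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # already lower-cased, IPv6 brackets stripped
    if not host:
        return False, "missing host"
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"host {host!r} is blocklisted"
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None  # a DNS name, or a short form like 127.1 the resolver expands
    if literal is not None:
        return (False, f"address {host} is non-public") if _blocked_ip(literal) else (True, "ok")
    try:
        addresses = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, f"host {host!r} does not resolve"
    for addr in addresses:
        if _blocked_ip(ipaddress.ip_address(addr)):
            return False, f"host {host!r} resolves to non-public {addr}"
    return True, "ok"


def filter_headers(headers: dict) -> tuple:
    """Keep only allowlisted headers; report the dropped names so the operator
    can see exactly what the scanner will and will not forward."""
    kept, dropped = {}, []
    for name, value in headers.items():
        if name.lower() in HEADER_ALLOWLIST:
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped
```

With a constructed resolver that maps `rebind.example.com` to both `8.8.8.8` and `10.0.0.5`, `validate_target("https://rebind.example.com/", resolver)` is refused even though the name looks public, while `http://[::ffff:127.0.0.1]/`, `http://169.254.169.254/` and `http://localhost:8080/` are refused without any lookup.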

Product integrations, monitoring, and pricing model

middleBrick provides several consumption paths: a Web Dashboard for managing scans and viewing score trends with downloadable compliance PDFs; a CLI via an npm package for local runs with JSON or text output; a GitHub Action for CI/CD gating that fails builds below a score threshold; an MCP Server for AI coding assistants; and a programmable API for custom integrations. Continuous monitoring in the Pro tier includes scheduled rescans, diff detection, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are disabled automatically after repeated delivery failures. Probely offers automated scanning and developer-focused workflows, but middleBrick's public tiers spell out explicit feature sets and pricing. The free tier allows three scans per month with CLI access. Starter at 99 dollars per month supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server. Pro at 499 dollars per month supports 100 APIs with add-ons, continuous monitoring, GitHub Action integration, Slack or Teams alerts, compliance reports, and signed webhooks. Enterprise is positioned at 2000 dollars per month or higher for unlimited APIs, custom rules, SSO, audit logs, SLAs, and dedicated support. Public pricing is tiered by the number of APIs covered, with per-API add-ons on the Pro plan.
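What a receiver of the signed webhooks above has to do, as an added example written for this page rather than middleBrick's own code: compute HMAC-SHA256 over a timestamp and the raw body, compare in constant time, and reject deliveries outside a replay window. The sender-side `WebhookEndpoint` shows the auto-disable fail-safe. The header names, the `"<timestamp>.<body>"` message layout, the 300-second tolerance, and the failure threshold are all assumptions; the payload in the usage note is constructed.

```python
import hashlib
import hmac

# Assumed header layout: X-Signature-Timestamp carries a Unix time and X-Signature
# carries hex(HMAC-SHA256(secret, "<timestamp>.<raw body>")). Binding the timestamp
# into the MAC is what makes the replay window below enforceable.
TOLERANCE_SECONDS = 300


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: MAC over the timestamp and the exact raw body bytes."""
    message = f"{timestamp}.".encode() + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, timestamp_header: str,
                   signature_header: str, now: int) -> tuple:
    """Receiver side. Returns (accepted, reason).

    Verify over the raw request body before any JSON parsing or re-serialisation,
    and compare in constant time so the check does not leak the valid MAC.
    """
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        return False, "malformed timestamp"
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign_webhook(secret, body, timestamp)
    if not hmac.compare_digest(expected, signature_header or ""):
        return False, "signature mismatch"
    return True, "ok"


class WebhookEndpoint:
    """Sender-side fail-safe: count consecutive failed deliveries and stop
    sending after `max_failures`, so a dead receiver is not hammered forever."""

    def __init__(self, url: str, secret: bytes, max_failures: int = 5):
        self.url, self.secret, self.max_failures = url, secret, max_failures
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, body: bytes, now: int, transport) -> bool:
        """transport(url, headers, body) -> HTTP status; any 2xx counts as success.
        A transport raising OSError (connection refused, timeout) counts as failure."""
        if not self.enabled:
            return False
        headers = {"X-Signature-Timestamp": str(now),
                   "X-Signature": sign_webhook(self.secret, body, now)}
        try:
            ok = 200 <= transport(self.url, headers, body) < 300
        except OSError:
            ok = False
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.max_failures:
                self.enabled = False
        return ok
```

Verifying over the raw bytes matters: a receiver that parses the JSON and re-serialises it before hashing will reject valid deliveries whenever key order or whitespace differs, and a receiver that skips the timestamp check accepts a captured delivery for as long as the secret lives.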

OpenAPI analysis and limitations

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This provides context-aware findings that align the specification with observed behavior. Probely also supports OpenAPI/Swagger import to guide its automated tests; exact implementation details are not specified publicly. middleBrick explicitly does not fix, patch, or block issues; it does not perform active SQL injection or command injection testing; it does not detect business logic vulnerabilities that require domain understanding; it does not provide blind SSRF detection or out-of-band validation; and it does not replace a human pentester for high-stakes audits. These limitations are stated directly, supporting a cautious, evidence-driven evaluation of the tool’s role in a security program.
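A simplified version of the spec-side analysis described above, added here as an illustration and not middleBrick's parser: local JSON-pointer `$ref` resolution with cycle protection, followed by a pass over every operation that reports a missing or undefined security scheme, a deprecated operation, sensitive property names in request or response schemas, and a collection GET with an array response but no pagination parameter. It handles the OpenAPI 3.x layout only (Swagger 2.0 and remote refs are out of scope), and the sensitive-field and pagination word lists are assumptions. `SAMPLE_SPEC` is a constructed document, not a real API.

```python
# Added example, not middleBrick's parser. The word lists below are assumptions.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
SENSITIVE_FIELDS = {"password", "ssn", "secret", "token", "card_number"}
PAGINATION_PARAMS = {"page", "limit", "offset", "cursor", "page_size"}


def resolve_pointer(doc: dict, ref: str):
    """Follow a local JSON-pointer reference such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = doc
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]  # RFC 6901 unescaping
    return node


def deref(doc, node, seen=()):
    """Copy `node` with every $ref expanded. A ref already on the current path
    (User.manager -> User) becomes a marker instead of recursing forever."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$circular": ref}
            return deref(doc, resolve_pointer(doc, ref), seen + (ref,))
        return {key: deref(doc, value, seen) for key, value in node.items()}
    if isinstance(node, list):
        return [deref(doc, value, seen) for value in node]
    return node


def _property_names(schema, names):
    """Collect property names through nested objects, arrays and allOf/oneOf/anyOf."""
    if not isinstance(schema, dict) or "$circular" in schema:
        return
    for name, sub in schema.get("properties", {}).items():
        names.add(name.lower())
        _property_names(sub, names)
    _property_names(schema.get("items"), names)
    for key in ("allOf", "oneOf", "anyOf"):
        for sub in schema.get(key, []):
            _property_names(sub, names)


def _schemas(op):
    """Yield every request-body and 2xx response schema of an operation."""
    for media in ((op.get("requestBody") or {}).get("content") or {}).values():
        yield media.get("schema") or {}
    for code, resp in op.get("responses", {}).items():
        if str(code).startswith("2"):
            for media in (resp.get("content") or {}).values():
                yield media.get("schema") or {}


def lint_spec(spec: dict) -> list:
    """Return (METHOD, path, code, detail) findings for an OpenAPI 3.x document."""
    doc = deref(spec, spec)
    defined = set((doc.get("components") or {}).get("securitySchemes", {}))
    findings = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # path-level keys such as "parameters" or "summary"
            m = method.upper()
            security = op.get("security", doc.get("security"))  # operation overrides global
            if not security:
                findings.append((m, path, "no-security", "no security requirement"))
            for requirement in security or []:
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append((m, path, "undefined-security-scheme", scheme))
            if op.get("deprecated"):
                findings.append((m, path, "deprecated", "operation still served"))
            names = set()
            for schema in _schemas(op):
                _property_names(schema, names)
            for name in sorted(names & SENSITIVE_FIELDS):
                findings.append((m, path, "sensitive-field", name))
            params = {p.get("name", "").lower()
                      for p in item.get("parameters", []) + op.get("parameters", [])}
            if (m == "GET" and any(s.get("type") == "array" for s in _schemas(op))
                    and not params & PAGINATION_PARAMS):
                findings.append((m, path, "missing-pagination", "array response, no paging"))
    return findings


# Constructed sample document (not a real API) that trips each check once.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {"id": {"type": "string"}, "ssn": {"type": "string"},
                                                      "manager": {"$ref": "#/components/schemas/User"}}},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}}}},
    "paths": {
        "/users": {"get": {"responses": {"200": {"description": "all users", "content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/users/{id}": {"get": {"security": [{"bearerAuth": []}], "responses": {"200": {"description": "one user",
            "content": {"application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/legacy/export": {"post": {"deprecated": True, "security": [{"apiKey": []}],
                                    "responses": {"200": {"description": "ok"}}}}}}
```

`lint_spec(SAMPLE_SPEC)` reports six findings: `GET /users` has no security requirement, exposes `ssn`, and returns an unpaginated array; `GET /users/{id}` exposes `ssn`; `POST /legacy/export` is deprecated and references the undefined scheme `apiKey`. The self-referential `User.manager` schema is what the cycle marker in `deref` exists for; without it the resolver never terminates.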

Frequently Asked Questions

Does middleBrick perform active injection tests like SQL injection or command injection?
No. The scanner uses read-only HTTP methods (plus text-only POST requests for the LLM probes) and never sends destructive payloads. Active SQL injection and command injection testing are outside its scope.
How does authenticated scanning work and what credentials are supported?
Authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification via DNS TXT or a well-known file ensures only the domain owner can enable credentials.
What frameworks does middleBrick map findings to for compliance reporting?
Findings map directly to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II. For other frameworks, the tool supports audit evidence collection without claiming certification.
Can continuous monitoring automatically rescan and alert on changes?
Yes. The Pro tier offers scheduled rescans, diff detection for new or resolved findings, email alerts rate-limited to one per hour per API, and signed webhooks with fail-safes.