middleBrick vs Prompt Security

middleBrick is a black-box API security scanner that submits read-only methods (GET and HEAD) plus text-only POST for LLM probes. Submit a URL to receive a risk score from A to F with prioritized findings. Scan time is under one minute, and no agents, SDKs, or code access are required. The tool operates without language or framework dependencies.

Prompt Security focuses on prompt injection and LLM safety testing. Its scope centers on adversarial prompts, jailbreak techniques, and input validation for LLM endpoints. It does not perform broad API endpoint discovery or asset inventory.

For API security coverage, middleBrick maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II. Prompt Security aligns with security controls described in LLM-specific threat models but does not validate broader API compliance requirements.

middleBrick detects 12 categories relevant to production APIs, including authentication bypass, BOLA and BFLA, property authorization over-exposure, input validation issues such as CORS wildcard and dangerous methods, rate limiting characteristics, data exposure patterns including PII and API key formats, encryption misconfigurations, SSRF indicators, inventory management gaps, unsafe consumption surfaces, and LLM security probes across tiered scan depths.

Its OpenAPI analysis parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.

Prompt Security does not perform active SQL injection or command injection testing, and it does not detect business logic vulnerabilities, blind SSRF, or infrastructure-level exploits. Those require intrusive payloads or out-of-band channels outside its stated scope.

middleBrick does not fix, patch, block, or remediate. It provides detection and contextual remediation guidance. It is not a pentest replacement for high-stakes audits.

Authenticated scanning is available at the Starter tier and above, supporting Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced via DNS TXT record or HTTP well-known file, ensuring only the domain owner can scan with credentials.

Header forwarding is limited to an allowlist: Authorization, X-API-Key, Cookie, and X-Custom-* headers. This design reduces unintended data exposure during scans.

Customer scan data is deletable on demand and purged within 30 days of cancellation. Data is never sold and is not used for model training. Sensitive targets such as private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers.

The Web Dashboard enables scan management, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, published as an npm package, supports commands such as middlebrick scan <url> with JSON or text output.

A GitHub Action is available for CI/CD gating, failing the build when the score drops below a defined threshold. An MCP Server allows scanning from AI coding assistants including Claude and Cursor. A programmable API supports custom integrations.

Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API. HMAC-SHA256 signed webhooks are supported with auto-disable after five consecutive failures.

The Free tier provides three scans per month and CLI access at no cost. Starter at 99 US dollars per month supports 15 APIs, monthly scans, dashboard access, email alerts, and the MCP Server.

Pro at 499 US dollars per month covers 100 APIs with additional APIs billed at 7 US dollars each. It adds continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks.

Enterprise starts at 2000 US dollars per month with unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support. Pricing models are subscription-based and scale with API count and feature requirements.