Migrating from 42Crunch to Akto

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Under-one-minute scan time with read-only methods
  • Detection aligned to OWASP API Top 10 (2023)
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
  • Authenticated scans for Bearer, API key, Basic, and Cookie
  • Pro tier continuous monitoring and diff detection

Overview of migration goals

This guide focuses on moving from a prior API security scanner to a self-service API security scanner. It covers three areas: exporting data, rebuilding scan history, and preserving CI wiring. The target tool does not fix, patch, block, or remediate; it detects and reports with remediation guidance. You remain responsible for mapping findings to frameworks such as PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).

Data and scan history export

Begin by exporting findings and configuration from your current deployment. Typical sources include the dashboard UI, admin APIs, and underlying databases or storage volumes. Prioritize artifacts such as scan definitions, schedules, and historical result sets. Normalize timestamps to UTC and retain raw JSON for later cross-reference. The target environment supports importing findings via its API client, but you must map fields such as severity, confidence, and location to the new schema. Rebuilding scan history is an approximation; exact timelines may differ due to differing detection models and scan timing.

  • Export scan results as JSON/CSV from the source console or API.
  • Map legacy severity and confidence fields to the new score model (A–F).
  • Retain raw requests/responses if available for retrospective analysis.
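The export-and-map step above, as an added example that is not middleBrick's own import tooling: it normalizes a legacy JSON export to UTC timestamps and to the severity, confidence and location fields named in this guide, keeps the raw record alongside, and derives an A-F grade. The legacy field names (sev, conf, ts, endpoint), the severity mapping and the grade thresholds are assumptions; the sample export is constructed.

```python
import json
from datetime import datetime, timezone

# Assumed mapping from legacy severity labels to the normalized scale.
SEVERITY_MAP = {"critical": "critical", "high": "high", "medium": "medium",
                "moderate": "medium", "low": "low", "info": "info",
                "informational": "info"}
# Assumed per-finding penalty used to derive the A-F grade.
PENALTY = {"critical": 40, "high": 20, "medium": 10, "low": 3, "info": 0}

def to_utc(ts: str) -> str:
    """Normalize an ISO-8601 timestamp that carries an offset to a UTC 'Z' string."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset, cannot normalize: {ts}")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def normalize_finding(legacy: dict) -> dict:
    """Map one legacy finding onto severity/confidence/location, keeping the raw record."""
    sev = SEVERITY_MAP.get(str(legacy.get("sev", "info")).lower(), "info")
    conf = float(legacy.get("conf", 0))
    conf = conf / 100 if conf > 1 else conf  # accept either a 0-100 or a 0-1 scale
    return {
        "severity": sev,
        "confidence": round(conf, 2),
        "location": f"{legacy.get('method', 'GET')} {legacy.get('endpoint', '')}",
        "observed_at": to_utc(legacy["ts"]),
        "raw": legacy,  # retained verbatim for later cross-reference
    }

def grade(findings: list) -> str:
    """Collapse normalized findings into an A-F grade (assumed thresholds)."""
    score = max(0, 100 - sum(PENALTY[f["severity"]] for f in findings))
    for letter, floor in (("A", 90), ("B", 80), ("C", 70), ("D", 60)):
        if score >= floor:
            return letter
    return "F"

def convert_export(raw_json: str) -> dict:
    """Convert a legacy JSON export string into an import-ready document."""
    findings = [normalize_finding(f) for f in json.loads(raw_json)]
    return {"grade": grade(findings), "findings": findings}

# Constructed sample of a legacy export; not output from any real scanner.
SAMPLE = json.dumps([
    {"sev": "High", "conf": 85, "method": "GET", "endpoint": "/users/{id}",
     "ts": "2024-03-01T10:00:00+02:00"},
    {"sev": "Low", "conf": 0.4, "endpoint": "/health", "ts": "2024-03-01T08:05:00Z"},
])
```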

CI/CD and workflow integration

Replicate your CI wiring by recreating pipeline steps in the new environment. If you used pre-commit hooks or CI jobs to trigger scans, translate them to equivalent calls to the new CLI, API client, or GitHub Action. The CLI accepts a URL and returns JSON or text output; the GitHub Action can gate merges when the score drops below a threshold. Note that scan triggers and failure semantics must be reconfigured to match the new tool’s capabilities and limits. The tool supports authenticated scans with Bearer, API key, Basic auth, and Cookie methods, provided domain verification has been completed via a DNS TXT record or an HTTP well-known file.

middlebrick scan https://api.example.com --format json --out results.json
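A merge gate over the JSON written by the command above, as an added example that is not middleBrick's GitHub Action: it blocks when the grade falls below a threshold or when a critical/high finding appears that was absent from a baseline scan. The JSON field names (grade, findings, category, severity, location) are assumptions about the output format, not documented fields.

```python
import json
import sys
from typing import Optional

GRADES = "ABCDEF"  # best to worst, following the A-F score model

def grade_rank(g: str) -> int:
    """Lower rank is better; an unknown or missing grade counts as worst."""
    return GRADES.index(g) if g in GRADES else len(GRADES)

def finding_key(f: dict) -> tuple:
    """Identity of a finding for baseline comparison (assumed field names)."""
    return (f.get("category", ""), f.get("location", ""))

def gate(results: dict, min_grade: str = "B", baseline: Optional[dict] = None) -> list:
    """Return the reasons the merge should be blocked; an empty list means pass."""
    reasons = []
    got = results.get("grade", "F")
    if grade_rank(got) > grade_rank(min_grade):
        reasons.append(f"grade {got} is below the required {min_grade}")
    # Findings already present in the baseline scan are tolerated here;
    # new critical/high findings introduced by this change are not.
    known = {finding_key(f) for f in (baseline or {}).get("findings", [])}
    for f in results.get("findings", []):
        if finding_key(f) not in known and f.get("severity") in ("critical", "high"):
            reasons.append(f"new {f['severity']} finding: "
                           f"{f.get('category')} at {f.get('location')}")
    return reasons

def main(argv: list) -> int:
    """Usage: gate.py results.json [baseline.json]; exit status 1 blocks the merge."""
    with open(argv[1]) as fh:
        results = json.load(fh)
    baseline = None
    if len(argv) > 2:
        with open(argv[2]) as fh:
            baseline = json.load(fh)
    reasons = gate(results, min_grade="B", baseline=baseline)
    for reason in reasons:
        print("BLOCK:", reason)
    return 1 if reasons else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```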

Feature and detection alignment

Compare detection coverage against your prior setup. The target tool performs black-box scanning using read-only methods (GET and HEAD) plus text-only POST for LLM probes, completing scans in under a minute. It detects 12 categories aligned to OWASP API Top 10 (2023), including Authentication bypass, BOLA/IDOR, BFLA/Privilege Escalation, and LLM/AI Security across Quick, Standard, and Deep tiers with 18 adversarial probes. It parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions to runtime findings. Unlike prior setups, it does not perform active SQL injection or command injection tests, does not detect business logic vulnerabilities, and does not replace a human pentester for high-stakes audits.

Operational considerations and limitations

Understand operational constraints before cutover. Scans are read-only; destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Continuous monitoring in Pro tier supports scheduled rescans (6 hours to monthly), diff detection across scans, email alerts rate-limited to 1 per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Customer data is deletable on demand and purged within 30 days of cancellation; it is never sold or used for model training. The scanner does not fix issues, does not perform intrusive injection testing, and does not detect blind SSRF or business logic flaws.
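Receiver-side verification for the HMAC-SHA256 signed webhooks mentioned above, as an added example that is not middleBrick's documented scheme: the header names, the "sha256=" hex encoding, the "<timestamp>.<body>" canonical form and the 300-second replay window are all assumptions, and the sample delivery is constructed. The point it shows is that the check must cover freshness as well as the MAC, and that the comparison must be constant-time.

```python
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # assumed replay window for delivery timestamps

def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Signature over '<timestamp>.<raw body>' (assumed canonical form)."""
    mac = hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()

def verify(secret: bytes, headers: dict, body: bytes, now: Optional[float] = None) -> bool:
    """Accept a delivery only if its timestamp is fresh and its signature matches."""
    ts = headers.get("X-Webhook-Timestamp", "")  # assumed header names
    sig = headers.get("X-Webhook-Signature", "")
    if not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > TOLERANCE_SECONDS:
        return False  # stale delivery: treat as a replay and do not process it
    expected = sign(secret, ts, body)
    # compare_digest runs in constant time over the raw bytes, so a forged
    # value cannot be recovered byte by byte from response timing.
    return hmac.compare_digest(expected.encode(), sig.encode())

# Constructed sample delivery (not real middleBrick traffic).
SECRET = b"constructed-shared-secret"
BODY = b'{"api":"https://api.example.com","grade":"B","diff":{"new":1,"resolved":0}}'
SAMPLE_TS = "1700000000"
SAMPLE_HEADERS = {"X-Webhook-Timestamp": SAMPLE_TS,
                  "X-Webhook-Signature": sign(SECRET, SAMPLE_TS, BODY)}
```

Verify against the raw request body bytes, before any JSON parsing, so that re-serialization differences cannot break the MAC.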

FAQ

  • How do I export findings from my current scanner? Use the source dashboard or admin API to export JSON/CSV, retaining timestamps and raw request/response pairs for later mapping.
  • Can authenticated scans be reused from existing CI pipelines? Yes, you can reuse credentials by configuring Bearer, API key, Basic auth, or Cookie methods, provided domain verification via DNS TXT or a well-known file is completed.
  • Will scan timings remain consistent after migration? Scan time is generally under a minute, but exact duration may vary due to network conditions and the tool’s detection models.
  • Can the tool detect business logic or blind SSRF vulnerabilities? No. It does not detect business logic vulnerabilities or blind SSRF; these require human expertise and out-of-band infrastructure respectively.
  • What happens to my data after I cancel the service? Data is deletable on demand and purged within 30 days of cancellation; it is never sold or used for model training.
