Migrating from 42Crunch to Bright Security
What middleBrick covers
- Black-box scanning with no agents or SDK integration
- Risk scoring with prioritized findings in under a minute
- Authentication support for Bearer, API key, Basic, and Cookie
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- OWASP API Top 10 aligned detection and framework mapping
- CI/CD integration via CLI and GitHub Action gating
Purpose and scope of migration
This guide outlines how to move from an existing API security scanning workflow to using a self-service scanner that requires no agents or code access. The focus is on preserving scan coverage, understanding detection differences, and mapping existing CI checks to the new workflow. The tool operates as a black-box scanner that analyzes endpoints using read-only methods and returns a risk score with prioritized findings.
Mapping detection capabilities
The scanner evaluates APIs against 12 categories aligned to the OWASP API Top 10 (2023): authentication bypass, broken object level authorization, business logic flaws, property exposure, input validation, rate limiting, data exposure, encryption issues, SSRF, inventory management, unsafe consumption, and LLM/AI security. Findings map to compliance frameworks such as PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10, and the tool marks which findings can serve as audit evidence for related security controls.
Compared to previous setups, you can validate similar control areas while relying on an automated scanner that performs authentication checks with Bearer tokens, API keys, Basic auth, and cookies. The scanner supports domain verification to ensure only authorized owners can run authenticated scans, and it forwards a limited allowlist of headers to preserve safety and privacy.
Scan workflow and configuration changes
To initiate a scan, submit a target URL and receive a risk score in under one minute. The scanner supports OpenAPI 3.0, 3.1, and Swagger 2.0 specs with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to identify undefined security schemes or deprecated operations. If your previous setup used continuous or scheduled scans, you can replicate this with built-in scheduling at 6-hour, daily, weekly, or monthly intervals.
For teams using CI/CD, integrate the scanner through the CLI with a command such as middlebrick scan https://api.example.com, producing JSON or text output. The GitHub Action can gate merges when the score drops below your defined threshold, and the MCP Server allows scanning from AI coding assistants. These integrations help preserve existing CI wiring while adopting the new tool.
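The spec-side half of the check described above (resolving $ref pointers, then flagging operations that reference an undefined security scheme, are explicitly unauthenticated, or are deprecated) is shown here as an added example. It is not middleBrick's code; the sample spec is constructed, only local `#/...` references are resolved, and cyclic references are marked rather than expanded.

```python
"""Resolve local $ref pointers in an OpenAPI 3.x document and cross-check each
operation's security requirements against components.securitySchemes.
Added example, not middleBrick's code. The spec below is constructed."""
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample: a $ref chain, a self-referential schema, one operation that
# names a scheme never defined, one deprecated operation, one explicitly public one.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "demo", "version": "1"},
    "security": [{"bearerAuth": []}],  # global default for operations without their own
    "paths": {
        "/users/{id}": {
            "get": {"operationId": "getUser", "security": [{"bearerAuth": []}],
                    "responses": {"200": {"$ref": "#/components/responses/User"}}},
            "delete": {"operationId": "deleteUser", "deprecated": True,
                       "security": [{"adminKey": []}]},  # adminKey is never defined
        },
        "/health": {"get": {"operationId": "health", "security": []}},  # explicitly public
        "/export": {"post": {"operationId": "export"}},  # inherits global security
    },
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "responses": {"User": {"description": "ok", "content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}},
        "schemas": {"User": {"type": "object", "properties": {
            "id": {"type": "string"},
            "manager": {"$ref": "#/components/schemas/User"}}}},  # cycle
    },
}


def _lookup(doc, ref):
    """Follow a local JSON Pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported here: {ref}")
    node = doc
    for part in ref[2:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")  # JSON Pointer unescaping
        node = node[part]
    return node


def resolve_refs(doc, node=None, _active=()):
    """Return a copy of `node` with local $refs inlined. A ref already being
    expanded on the current path (a cycle) is kept as a marker instead of recursing."""
    if node is None:
        node = doc
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in _active:
                return {"$ref": ref, "x-cyclic": True}
            return resolve_refs(doc, _lookup(doc, ref), _active + (ref,))
        return {k: resolve_refs(doc, v, _active) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, _active) for v in node]
    return node


def audit_security(doc):
    """Return (operation, issue) pairs for undefined schemes, explicitly
    unauthenticated operations, operations with no requirement at all, and
    deprecated operations that are still declared."""
    resolved = resolve_refs(doc)
    defined = set(resolved.get("components", {}).get("securitySchemes", {}))
    global_sec = resolved.get("security")
    findings = []
    for path, item in resolved.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            where = f"{method.upper()} {path}"
            sec = op.get("security", global_sec)  # local requirement overrides global
            if sec is None:
                findings.append((where, "no security requirement (none local, none global)"))
            elif sec == []:
                findings.append((where, "explicitly unauthenticated (security: [])"))
            for requirement in sec or []:
                for name in requirement:
                    if name not in defined:
                        findings.append((where, f"undefined security scheme '{name}'"))
            if op.get("deprecated"):
                findings.append((where, "deprecated operation still declared"))
    return findings


if __name__ == "__main__":
    for where, issue in audit_security(SAMPLE_SPEC):
        print(f"{where}: {issue}")
    print(json.dumps(resolve_refs(SAMPLE_SPEC)["components"]["schemas"]["User"], indent=2))
```

The findings from the static check are what a runtime scan then confirms or refutes: an undefined scheme name means the spec cannot describe what the server actually enforces, and a deprecated operation that still answers is inventory drift.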
Data export and historical tracking
Migrating scan history requires exporting reports and findings from your current system and importing them into the dashboard to track score trends over time. Use the dashboard to download branded compliance PDFs and configure email alerts, which are rate-limited to one notification per hour per API. Webhook notifications use HMAC-SHA256 signatures and auto-disable after five consecutive failures to prevent alert storms.
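The two delivery safeguards just described (HMAC-SHA256 signed webhooks and auto-disable after five consecutive failures) are shown below as an added example of how a receiving service verifies the signature and how the sender-side breaker behaves. This is not middleBrick's code; the `X-Signature` header name, hex encoding of the digest, the shared secret, and the payloads are all assumptions.

```python
"""Receiver-side verification of HMAC-SHA256 webhook signatures, plus a model of
the sender's five-consecutive-failure auto-disable. Added example, not middleBrick's
code; header name, encoding, secret, and payloads are assumptions."""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Signature"  # assumed header name


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, headers: dict) -> bool:
    """Receiver side: recompute over the exact raw bytes and compare in constant time.
    Re-serialising parsed JSON would break verification on whitespace or key order."""
    presented = headers.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(sign(secret, body), presented)


class WebhookSubscription:
    """Delivery bookkeeping: disable the endpoint after five consecutive failed
    deliveries; any successful delivery resets the counter."""
    MAX_CONSECUTIVE_FAILURES = 5

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.failures = 0
        self.enabled = True

    def deliver(self, payload: dict, transport) -> bool:
        """`transport(url, body, headers)` returns an HTTP status code; it stands in
        for a real HTTP client so the example runs offline."""
        if not self.enabled:
            return False  # auto-disabled: no further attempts, no alert storm
        body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
        headers = {"Content-Type": "application/json",
                   SIGNATURE_HEADER: sign(self.secret, body)}
        try:
            ok = 200 <= transport(self.url, body, headers) < 300
        except OSError:
            ok = False
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return ok


def demo():
    """One good delivery, then five failures: returns (receiver verified, enabled, failures)."""
    secret = b"constructed-shared-secret"
    sub = WebhookSubscription("https://hooks.example.invalid/scan", secret)
    verified = []

    def healthy_endpoint(url, body, headers):
        verified.append(verify(secret, body, headers))
        return 200

    def dead_endpoint(url, body, headers):
        return 503

    sub.deliver({"api": "https://api.example.com", "score": 71}, healthy_endpoint)
    for _ in range(WebhookSubscription.MAX_CONSECUTIVE_FAILURES):
        sub.deliver({"api": "https://api.example.com", "score": 40}, dead_endpoint)
    return verified, sub.enabled, sub.failures


if __name__ == "__main__":
    print(demo())
```

On the receiving side the two details that matter are verifying over the raw bytes and using `hmac.compare_digest`; on the sending side, a disabled subscription should surface in the dashboard so that a silently dead alert channel is noticed during migration rather than after an incident.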
Note that scan data can be deleted on demand and is purged within 30 days of cancellation. Historical data does not persist beyond this window, so plan your migration to retain evidence for the duration you require. The scanner does not modify, patch, or block endpoints; it reports findings with remediation guidance only.
Known gaps and limitations
The scanner does not perform active exploitation such as SQL injection or command injection, as those require intrusive payloads outside its scope. It also does not detect business logic vulnerabilities, blind SSRF, or subtle authorization issues that depend on deep domain knowledge; these areas still require manual review by security professionals.
Additionally, the tool does not replace a human pentester for high-stakes audits and does not provide compliance certifications for HIPAA, GDPR, ISO 27001, NIST, SOC, or other regulations. Its role is to surface technical findings and support audit preparation, not to guarantee compliance or remediate issues automatically.