Migrating from 42Crunch to Escape
What middleBrick covers
- Black-box scanning with no agents or SDK integration
- Risk scoring on A–F scale with prioritized findings
- OpenAPI/Swagger import with recursive $ref resolution
- Authenticated scanning via Bearer, API key, Basic, and Cookie
- Pro continuous monitoring with scheduled rescans
- GitHub Action CI/CD gating based on score thresholds
Purpose of this migration guide
This document describes how to move from a previous API security scanner to middleBrick. It focuses on practical data export, rebuilding scan workflows, and preserving CI integrations. The goal is to reduce downtime while maintaining consistent security coverage.
Exporting findings and scan history
Begin by extracting findings from your current platform using its export capabilities. Most tools provide JSON or CSV formats for findings, scan metadata, and policy configurations. Normalize severity levels to align with the A–F risk score used by middleBrick, mapping thresholds consistently across tools. Retain timestamps and scan context to preserve historical trend lines when you rebuild dashboards.
- Export full scan records including endpoint paths, parameters, and assigned risk scores.
- Map existing severity scales to middleBrick risk grades using documented criteria.
- Archive raw payload samples and evidence artifacts for future reference.
After export, validate sample records against middleBrick scan results to confirm fidelity before decommissioning the old system.
Rebuilding scan coverage and schedules
Recreate your API inventory in middleBrick by importing or manually adding API endpoints. Use the OpenAPI/Swagger import where available to accelerate coverage definition. Configure scan frequency to match previous cadence, choosing between hourly, daily, or weekly schedules in the Pro continuous monitoring tier. For authenticated areas, supply Bearer tokens, API keys, or Basic credentials through the domain verification gate to ensure scans execute with appropriate permissions.
Leverage the CLI for scripted onboarding, for example:
middlebrick scan https://api.example.com/openapi.json --auth-type bearer --auth-token <token>
Use the GitHub Action to gate CI/CD pipelines, failing builds when the score drops below your defined threshold. This preserves the quality gates that were previously enforced in the old toolchain.
Integrations and alert routing
Reconnect notification and ticketing integrations that were previously in use. middleBrick supports email alerts with rate limiting, signed webhooks with HMAC-SHA256 verification, and native GitHub Action status reporting. Reconfigure webhook consumers to validate signatures and handle the retry behavior after consecutive failures. For collaboration tools, enable Slack or Teams alerts through the Pro tier, ensuring responsible disclosure channels remain intact.
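The webhook consumer described above, written out as an added example rather than code from middleBrick or its documentation; the header name X-Signature and the hex encoding of the digest are assumptions, so substitute whatever the product documents. It verifies the HMAC-SHA256 signature over the raw body in constant time and acknowledges retried deliveries idempotently.

```python
import hashlib
import hmac

# Assumed (not from the page): the signature arrives in a header named
# X-Signature as lowercase hex. Replace with middleBrick's documented values.
SIGNATURE_HEADER = "X-Signature"


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    # Sign the exact bytes received; re-serialising parsed JSON would alter
    # whitespace or key order and yield a different digest.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    # Header names are case-insensitive on the wire, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SIGNATURE_HEADER.lower(), "").strip().lower()
    if not presented:
        return False  # an unsigned delivery is rejected, never treated as trusted
    expected = compute_signature(secret, raw_body)
    # compare_digest runs in constant time; a plain == leaks timing on mismatch.
    return hmac.compare_digest(expected.encode(), presented.encode())


class WebhookConsumer:
    """Verifies each delivery and absorbs retries without acting twice.

    The scanner retries after consecutive failures, so a delivery that was
    already processed must be acknowledged again rather than re-processed.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()      # digests of bodies already processed
        self.processed = []    # accepted raw bodies, in arrival order

    def handle(self, raw_body: bytes, headers: dict) -> int:
        # Returns the HTTP status code to send back to the scanner.
        if not verify_webhook(self.secret, raw_body, headers):
            return 401  # bad or missing signature: discard, do not enqueue
        key = hashlib.sha256(raw_body).hexdigest()
        if key in self.seen:
            return 200  # duplicate retry: acknowledge without re-processing
        self.seen.add(key)
        self.processed.append(raw_body)
        return 200
```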
Ensure alert routing rules are re-established, such as notifying specific teams per API surface or escalating critical risk scores to security responders. Test end-to-end delivery using manual triggers before relying on automated flows.
Known gaps and operational considerations
Note that scan histories are not automatically transferred between systems. You will need to rebuild trend lines and custom dashboards based on exported data. middleBrick does not perform active exploitation, so vulnerabilities requiring intrusive testing or business logic validation remain outside automated detection. Plan for supplemental manual reviews where high-value assets or complex workflows are involved.
Observe that authenticated scanning requires domain ownership verification. Prepare DNS TXT records or well-known verification files before enabling credentialed scans. Keep the header allowlist in mind when integrating with services that inject custom headers, as only specific headers are forwarded by design.
Finally, align compliance evidence generation with the frameworks supported by middleBrick. Findings map to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Use these mappings to support audit evidence collection while understanding that the tool itself does not confer certification.