Migrating from 42Crunch to Invicti

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies
  • Under-one-minute scans with prioritized risk findings
  • 12-category coverage aligned to OWASP API Top 10
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated scans with header allowlist and domain verification
  • Pro-tier continuous monitoring and compliance reporting

Purpose and scope of migration

This guide compares a self-service scanner with traditional API security testing approaches for teams moving from a specialized API scanner to a broader platform. It focuses on data export, rebuilding scan history, and preserving CI wiring. Findings map to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II, and the tool supports audit evidence for relevant controls.

Exporting scan data and historical records

Extracting usable data from the previous solution is the first step. Expect JSON or CSV exports for findings, historical scores, and scan metadata. You will need to map legacy severity and category fields to the current 12-category model, which aligns with OWASP API Top 10. Rebuilding historical trend lines may require manual normalization if field names or statuses differ. The platform stores scan fingerprints; when re-ingesting data, verify timestamps and source tags to preserve chronological accuracy across imported records.

Preserving CI/CD integration patterns

CI wiring typically lives in pipeline configuration files or orchestration scripts. Replicate the same gates using the new platform’s CLI and HTTP API. Use the CLI with a command such as middlebrick scan <url>, requesting JSON output, and evaluate the exit code to enforce quality gates in your build pipeline. If the prior solution used webhooks, replace them with HMAC-SHA256 signed webhooks, noting that the platform auto-disables endpoints after 5 consecutive failures. Adjust thresholds so that a failing build triggers only on meaningful score drops aligned to your risk tolerance.
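The receiving side of the HMAC-SHA256 signed webhooks mentioned here (and in the FAQ below) has to check the signature before trusting a payload. The following is an added example, not the platform's own code: it assumes hypothetical X-Signature and X-Timestamp headers, a signing layout of "<timestamp>.<raw body>", and a constructed sample payload, since the page documents none of these.

```python
import hashlib
import hmac
import time
from typing import Mapping, Optional

# Hypothetical header names and signing layout: the page only states that
# webhooks are HMAC-SHA256 signed, so these are assumptions for this example.
SIGNATURE_HEADER = "X-Signature"
TIMESTAMP_HEADER = "X-Timestamp"
MAX_SKEW_SECONDS = 300  # reject deliveries outside a 5-minute window (replay guard)


def sign_payload(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded."""
    msg = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Mapping[str, str], body: bytes,
                   now: Optional[float] = None) -> bool:
    """Return True only if the delivery is fresh and its signature matches."""
    timestamp = headers.get(TIMESTAMP_HEADER)
    provided = headers.get(SIGNATURE_HEADER)
    if not timestamp or not provided:
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - sent_at) > MAX_SKEW_SECONDS:
        return False  # stale or replayed delivery
    expected = sign_payload(secret, timestamp, body)
    # Constant-time comparison: a mismatch must not leak where the digests differ.
    return hmac.compare_digest(expected, provided)


# Constructed sample delivery (not a real platform payload).
SECRET = b"example-shared-secret"
BODY = b'{"event":"scan.completed","score":72,"previous_score":88}'
SENT_AT = "1700000000"
HEADERS = {TIMESTAMP_HEADER: SENT_AT, SIGNATURE_HEADER: sign_payload(SECRET, SENT_AT, BODY)}

if __name__ == "__main__":
    print("valid:", verify_webhook(SECRET, HEADERS, BODY, now=1700000010))
    print("tampered:", verify_webhook(SECRET, HEADERS, BODY.replace(b"72", b"95"), now=1700000010))
    print("replayed:", verify_webhook(SECRET, HEADERS, BODY, now=1700003600))
```

Verify against the raw request bytes before any JSON parsing, since re-serialized JSON will not match the signed body.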

Known gaps and operational adjustments

Not all prior configurations have a one-to-one mapping. The platform does not perform active SQL injection or command injection testing, nor does it detect business logic vulnerabilities; these require domain-specific manual analysis. Continuous monitoring rescans can be scheduled at 6-hour, daily, weekly, or monthly intervals, with email alerts rate-limited to 1 per hour per API. If you relied on passive discovery or blind SSRF probes in the old setup, understand that out-of-band infrastructure and client-side logic are out of scope here. Plan compensating controls or manual testing for these specific areas.

Authentication, scanning modes, and compliance reporting

The platform supports Bearer, API key, Basic auth, and Cookie authentication for authenticated scans, with domain verification via DNS TXT record or HTTP well-known file to ensure only the domain owner can submit credentials. The header allowlist includes Authorization, X-API-Key, Cookie, and X-Custom-* headers. Scans are read-only, using GET, HEAD, and text-only POST for LLM probes, and complete in under a minute. Reporting produces branded compliance PDFs and dashboards that surface findings relevant to PCI-DSS, SOC 2 Type II, and OWASP API Top 10, helping you prepare audit evidence without claiming certification or compliance guarantees.

Frequently Asked Questions

Can I re-run historical scans to compare results exactly?
Not exactly, because scans are read-only and fingerprinted; re-scanning the same target may surface new findings due to changes in the API or environment. Use score trends and diff detection across scheduled scans to track improvements or regressions over time.
How are webhook payloads protected in transit?
Webhooks are protected with HMAC-SHA256 signatures. The platform disables endpoints automatically after 5 consecutive delivery failures to prevent abuse.
Does the scanner validate compliance for HIPAA or GDPR?
The tool surfaces findings that align with security controls described in various frameworks, but it does not certify compliance. Use the reports as evidence artifacts while engaging qualified auditors for regulatory assessments.
What happens to my scan data if I cancel?
Customer data is deletable on demand and purged within 30 days of cancellation. Data is never sold and is not used for model training.
Can authenticated scans be limited to specific endpoints?
Authentication is applied at the domain level for credentials, but scan coverage depends on API surface exposure. Use the dashboard to manage which APIs are included in each monitoring schedule.