Migrating from 42Crunch to Kong

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies
  • Risk scoring with prioritized findings in under a minute
  • Detection of OWASP API Top 10 and related compliance mappings
  • Authenticated scanning with header allowlist controls
  • CI/CD integration via GitHub Action and CLI
  • Continuous monitoring with diff detection and alerts

Overview of migration goals

This guide focuses on moving API security workflows from 42Crunch to middleBrick when evaluating a self-service scanner. The comparison centers on data export, rebuilding scan history, preserving CI wiring, and known gaps. middleBrick operates as a black-box scanner that requires no agents, SDKs, or code access and returns a risk score with prioritized findings. It does not fix, patch, or block findings, but provides remediation guidance.

Data export and scan history

Begin by exporting findings and metadata from 42Crunch using its native tools, which typically include JSON or CSV formats for findings, test cases, and configuration. When rebuilding scan history in middleBrick, understand that scan records are not automatically imported; you will re-scan endpoints to generate new reports. To maintain continuity, correlate exported data with new scans by timestamp and endpoint, and use the middleBrick dashboard to track score trends over time. The CLI supports JSON output to integrate findings into external storage or logging pipelines.

Preserving CI wiring and automation

Review existing CI pipelines to identify how 42Crunch is invoked, including any flags, environment variables, or gating logic. In middleBrick, replicate similar automation using the CLI or GitHub Action. The CLI command middlebrick scan <url> can be dropped into scripts, and the GitHub Action can enforce score thresholds to fail builds. Note that middleBrick enforces domain verification for authenticated scans, requiring a DNS TXT record or HTTP well-known file to confirm ownership before credentials are accepted. Preserve existing secrets management for tokens and keys, and map 42Crunch environment variables to middleBrick’s supported headers and authentication methods.
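The two steps above (correlating an exported 42Crunch finding list with a fresh middleBrick scan by endpoint and timestamp, then gating a pipeline on the resulting score) can be done with a small script. The example below is added for this guide and is not middleBrick's or 42Crunch's own code; the export and scan-output field names, the sample records and the score threshold are all constructed assumptions, so adjust them to the real JSON you export.

```python
"""Correlate an exported 42Crunch finding list with a new middleBrick scan, then gate on it."""
import json
from datetime import datetime

# Constructed sample 42Crunch export (field names are assumptions, not the real schema).
OLD_EXPORT = json.dumps([
    {"method": "GET", "path": "/users/{id}", "issue": "BOLA", "found_at": "2024-03-01T10:00:00Z"},
    {"method": "POST", "path": "/login", "issue": "rate-limiting", "found_at": "2024-03-01T10:00:00Z"},
    {"method": "GET", "path": "/export", "issue": "data-exposure", "found_at": "2024-03-01T10:00:00Z"},
])
# Constructed sample middleBrick scan JSON (shape is an assumption as well).
NEW_SCAN = json.dumps({
    "scanned_at": "2024-05-20T10:00:00Z", "score": 71,
    "findings": [
        {"method": "GET", "path": "/users/42", "category": "BOLA"},
        {"method": "GET", "path": "/admin/users", "category": "BFLA"},
    ],
})

def normalize_endpoint(method: str, path: str) -> str:
    """Key both tools on the same route: numeric ids and {param} segments become {id}."""
    parts = []
    for seg in path.strip("/").split("/"):
        if not seg:
            continue
        is_param = seg.isdigit() or (seg.startswith("{") and seg.endswith("}"))
        parts.append("{id}" if is_param else seg.lower())
    return f"{method.upper()} /" + "/".join(parts)

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def correlate(old_json: str, new_json: str) -> dict:
    """Split findings into persisting / resolved / new and record the time gap between datasets."""
    old_rows = json.loads(old_json)
    scan = json.loads(new_json)
    old = {(normalize_endpoint(f["method"], f["path"]), f["issue"].upper()) for f in old_rows}
    new = {(normalize_endpoint(f["method"], f["path"]), f["category"].upper()) for f in scan["findings"]}
    latest_old = max(_ts(f["found_at"]) for f in old_rows)
    return {
        "persisting": sorted(old & new),
        "resolved": sorted(old - new),
        "new": sorted(new - old),
        "score": scan["score"],
        "days_since_export": (_ts(scan["scanned_at"]) - latest_old).days,
    }

def gate(result: dict, min_score: int = 80) -> bool:
    """CI gate: pass only when the score meets the threshold and no new findings appeared."""
    return result["score"] >= min_score and not result["new"]
```

Run `correlate` on the real exports once after the first middleBrick scan to see which 42Crunch findings carried over, then keep `gate` in the pipeline with the same threshold the old 42Crunch step enforced.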

Feature coverage and limitations

middleBrick maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), and helps you prepare for other frameworks by aligning with security controls described in them. It detects 12 categories including authentication bypass, BOLA, BFLA, input validation, rate limiting, data exposure, SSRF, LLM/AI security, and more. However, it does not perform active SQL injection or command injection testing, discover business logic vulnerabilities, detect blind SSRF, or replace a human pentester for high-stakes audits. The scanner is read-only and does not alter runtime behavior.

Known gaps and migration considerations

Some 42Crunch-specific configurations, such as custom policy rules or proprietary test modules, may not have direct equivalents in middleBrick. Plan for manual validation of edge cases that rely on those rules, and use the middleBrick API client for custom integrations if needed. Continuous monitoring features like scheduled rescans, diff detection, email alerts, and signed webhooks can replace similar capabilities in 42Crunch, but you must reconfigure schedules and notification targets. Budget time to retrain teams on the dashboard, CLI, and CI thresholds, and validate that compliance reporting needs align with the available export formats.

Frequently Asked Questions

Can I import 42Crunch scan reports directly into middleBrick?
No. middleBrick does not accept external scan imports; you must re-scan endpoints to generate findings within the platform.
Will migrating preserve my existing CI gate logic?
You can replicate gating by using the middleBrick GitHub Action or CLI in your pipelines, mapping the same thresholds and conditions that 42Crunch enforces.
Does middleBrick support authenticated scans for my APIs?
Yes, including Bearer, API key, Basic auth, and cookies, with domain verification required to ensure only the domain owner can scan with credentials.
How are compliance mappings handled during migration?
middleBrick maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it supports audit evidence and aligns with described controls.
What happens to data after I cancel middleBrick?
Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training.