Migrating from 42Crunch to middleBrick for Customer hand-off validation

What middleBrick covers

  • Black-box API scanning with scan times under one minute
  • 12 OWASP-aligned security categories for API risk scoring
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning with domain verification guardrails
  • Continuous monitoring and diff detection across scans
  • CI/CD integration via GitHub Action and MCP Server support

Context for customer hand-off validation

When teams move from a specialized scanner to a broader platform, the critical question is how the hand-off between security and engineering is validated. Customer hand-off validation is the process of confirming that the API surface exposed to clients is consistent with the documented contract and security expectations before production traffic is allowed. This page focuses on how migrating from a specialized scanner to middleBrick changes that workflow in terms of coverage, evidence, and ongoing verification.

Contract and security alignment with OpenAPI

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 files and resolves recursive $ref structures to build a canonical model of the API. It then compares this model against runtime behavior to surface deviations that matter for hand-off validation. You can validate that required security schemes are defined and that operations using them are reachable, and detect undefined security schemes or deprecated operations that would weaken a hand-off package.

Example of an operation that opts out of the security scheme the spec defines:

components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
paths:
  /users:
    get:
      security: []   # empty list: no security requirement applies to this operation

In this example, the empty security list on the operation disables authentication instead of referencing the defined ApiKeyAuth scheme, which is a red flag for hand-off reviewers. middleBrick reports such inconsistencies to help you prepare for audits aligned with OWASP API Top 10 and supports evidence collection for SOC 2 Type II and PCI-DSS 4.0.
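The kind of contract check described above, written out as an added example (this is not middleBrick's code). It resolves local $ref pointers with a cycle guard, collects the schemes defined under components.securitySchemes (OpenAPI 3.x) or securityDefinitions (Swagger 2.0), and reports operations that disable security, reference an undefined scheme, allow anonymous access, or are deprecated. The spec is a constructed Python dict of the shape json.load or yaml.safe_load would return; it includes the ApiKeyAuth scheme from the snippet above plus a self-referential schema to exercise the cycle guard.

```python
"""Audit an OpenAPI/Swagger document for security-scheme problems a hand-off reviewer cares about.

Added example, not middleBrick's code. Standard library only; SAMPLE_SPEC is constructed.
"""
from __future__ import annotations
from typing import Any

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def resolve_ref(doc: dict, ref: str) -> Any:
    """Resolve a local JSON Pointer such as '#/components/securitySchemes/ApiKeyAuth'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are handled here: {ref}")
    node: Any = doc
    for part in ref[2:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")  # JSON Pointer unescaping
        node = node[part]
    return node


def deref(doc: dict, node: Any, seen: frozenset = frozenset()) -> Any:
    """Replace every {'$ref': ...} with its target; a cycle is left as a marker, not expanded forever."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$ref": ref, "x-cycle": True}
            return deref(doc, resolve_ref(doc, ref), seen | {ref})
        return {k: deref(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [deref(doc, v, seen) for v in node]
    return node


def audit_security(doc: dict) -> list[str]:
    """Return one finding per operation whose security requirement would weaken a hand-off package."""
    spec = deref(doc, doc)
    defined = set((spec.get("components") or {}).get("securitySchemes") or {})  # OpenAPI 3.x
    defined |= set(spec.get("securityDefinitions") or {})                        # Swagger 2.0
    global_sec = spec.get("security")
    findings: list[str] = []
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary' and similar path-item keys
            label = f"{method.upper()} {path}"
            if op.get("deprecated"):
                findings.append(f"{label}: deprecated operation still exposed")
            sec = op.get("security", global_sec)  # operation-level list overrides the global one
            if sec is None:
                findings.append(f"{label}: no security requirement (operation or global)")
            elif sec == []:
                findings.append(f"{label}: security explicitly disabled with []")
            else:
                for requirement in sec:
                    if requirement == {}:
                        findings.append(f"{label}: empty requirement object allows anonymous access")
                    for name in requirement:
                        if name not in defined:
                            findings.append(f"{label}: references undefined security scheme '{name}'")
    return findings


# Constructed sample: one defined scheme, one self-referential schema, four operations.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "components": {
        "securitySchemes": {"ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}},
        "schemas": {"Node": {"type": "object",
                             "properties": {"child": {"$ref": "#/components/schemas/Node"}}}},
    },
    "paths": {
        "/users": {"get": {"security": []}},
        "/orders": {"post": {"security": [{"OAuth": ["orders:write"]}],
                             "requestBody": {"content": {"application/json":
                                             {"schema": {"$ref": "#/components/schemas/Node"}}}}}},
        "/legacy": {"get": {"deprecated": True}},
        "/health": {"get": {"security": [{"ApiKeyAuth": []}]}},
    },
}

if __name__ == "__main__":
    for finding in audit_security(SAMPLE_SPEC):
        print(finding)
```

Run against SAMPLE_SPEC it reports GET /users (security disabled), POST /orders (undefined scheme OAuth) and GET /legacy twice (deprecated, and no requirement at any level); GET /health is clean. An empty object inside a non-empty security list is flagged separately because the OpenAPI specification treats it as "authentication optional", which reviewers often miss.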

Black-box scanning without internal dependencies

Because middleBrick is a black-box scanner, it does not require agents, SDKs, or access to source code. You provide a reachable URL and receive a risk score with prioritized findings in under a minute. This makes it practical to validate customer hand-offs across multiple environments without coordinating builds or deployments. The scanner uses read-only methods and text-only POST for LLM probes, and it blocks private IPs, localhost, and cloud metadata endpoints at multiple layers.

For authenticated hand-off validation, provide credentials within the Starter tier or higher. The domain verification gate ensures that only the domain owner can run authenticated scans, and the header allowlist restricts forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
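The two guardrails just described, as an added example that is not middleBrick's code: a scan-target check that refuses private, loopback, link-local and cloud-metadata destinations (both as address literals and after DNS resolution, so a hostname that resolves to an internal address is caught), and a forwarded-header allowlist limited to Authorization, X-API-Key, Cookie and X-Custom-*. DNS lookup is a pluggable function; FAKE_DNS and the addresses in it are constructed so the example runs offline. The metadata hostnames and addresses are the ones commonly used by cloud providers and are an assumption about what "cloud metadata endpoints" covers.

```python
"""Scan-target guard and forwarded-header allowlist. Added example, not middleBrick's code."""
from __future__ import annotations
import ipaddress
import socket
from typing import Callable
from urllib.parse import urlsplit

BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}
METADATA_ADDRESSES = {ipaddress.ip_address("169.254.169.254"),  # IMDS address used by major clouds
                      ipaddress.ip_address("fd00:ec2::254")}     # AWS IMDS over IPv6
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}       # from the page's allowlist
ALLOWED_HEADER_PREFIX = "x-custom-"

Resolver = Callable[[str], list[str]]


def disallowed_reason(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> str | None:
    """Why an address must not be scanned, or None if it is acceptable."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 has to be judged as 127.0.0.1
    if ip in METADATA_ADDRESSES:
        return "cloud metadata endpoint"
    for attr in ("is_loopback", "is_private", "is_link_local", "is_multicast", "is_reserved", "is_unspecified"):
        if getattr(ip, attr):
            return attr[3:] + " address"
    return None


def system_resolver(host: str) -> list[str]:
    """Real DNS lookup; raises OSError (socket.gaierror) when the name does not resolve."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def check_target(url: str, resolver: Resolver = system_resolver) -> tuple[bool, str]:
    """Layer 1: scheme and hostname checks. Layer 2: every resolved address is checked."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme '{parts.scheme}'"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"blocked hostname '{host}'"
    try:
        addresses = [ipaddress.ip_address(host)]          # URL carried an address literal
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except OSError:
            addresses = []
    if not addresses:
        return False, f"'{host}' does not resolve"
    for ip in addresses:                                   # reject if ANY answer is internal
        reason = disallowed_reason(ip)
        if reason:
            return False, f"'{host}' resolves to {ip} ({reason})"
    return True, "ok"


def filter_forwarded_headers(headers: dict[str, str]) -> dict[str, str]:
    """Keep only the headers the allowlist permits to be forwarded to the target."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ALLOWED_HEADERS or lname.startswith(ALLOWED_HEADER_PREFIX):
            kept[name] = value
    return kept


# Constructed DNS table (addresses are placeholders, never contacted).
FAKE_DNS = {
    "api.example.com": ["1.2.3.4"],
    "rebind.example.com": ["1.2.3.4", "10.0.0.5"],   # one public answer, one internal answer
    "internal.example.com": ["10.1.2.3"],
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://localhost:8080/", "http://169.254.169.254/latest/",
              "http://[::ffff:127.0.0.1]/", "http://rebind.example.com/"):
        print(u, check_target(u, fake_resolver))
```

The resolution step is only a second layer: a scanner should also pin the connection to the address it vetted (or re-check at connect time), because a name can be re-resolved to an internal address between the check and the request.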

Coverage relevant to validation and compliance framing

The scanner evaluates 12 security categories aligned to OWASP API Top 10 (2023), including authentication bypass, over-exposed properties, sensitive data exposure such as PII and API keys, and SSRF indicators. It also maps findings to PCI-DSS 4.0 and SOC 2 Type II controls, which helps you prepare evidence for those frameworks without claiming compliance.

For LLM-facing APIs, the Deep scan tier runs 18 adversarial probes across three tiers to test for system prompt extraction, instruction override, jailbreak patterns, data exfiltration attempts, token smuggling, and other AI-specific risks that commonly appear in customer hand-off scenarios involving model integration.

Operational continuity and monitoring after migration

After migration, Pro tier features enable continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift so that validation does not regress between releases. You can configure email alerts, rate-limited to one per hour per API, and set up HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures, which supports reliable integration into existing workflows.
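What a signed webhook looks like on both sides, as an added example that is not middleBrick's code. The sender signs each delivery with HMAC-SHA256 and disables the endpoint after 5 consecutive failures, as the text describes; the receiver verifies with a constant-time comparison and rejects stale timestamps. The header names, the "timestamp.body" signing input and the 300-second tolerance are assumptions made for the example, not middleBrick's documented format; the secret, payload and in-process receiver are constructed so the exchange runs offline.

```python
"""Signed webhook delivery and verification. Added example, not middleBrick's code."""
from __future__ import annotations
import hashlib
import hmac
import json
import time
from typing import Callable

SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed header name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"   # assumed header name
MAX_SKEW_SECONDS = 300                     # assumed replay window

Transport = Callable[[str, dict, bytes], bool]   # (url, headers, body) -> delivered OK?


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over 'timestamp.body' so the timestamp cannot be swapped independently of the body."""
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now: int | None = None) -> tuple[bool, str]:
    """Receiver side: signature is checked over the raw bytes, in constant time, within the time window."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers[TIMESTAMP_HEADER])
        presented = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside tolerance"
    try:
        if not hmac.compare_digest(sign(secret, ts, body), presented):
            return False, "signature mismatch"
    except TypeError:  # non-ASCII header value: treat as a bad signature, not a server error
        return False, "signature mismatch"
    return True, "ok"


class WebhookEndpoint:
    """Sender side: signs every delivery and auto-disables after max_failures consecutive failures."""

    def __init__(self, url: str, secret: bytes, max_failures: int = 5):
        self.url, self.secret, self.max_failures = url, secret, max_failures
        self.consecutive_failures = 0
        self.disabled = False

    def deliver(self, payload: dict, transport: Transport, now: int | None = None) -> bool:
        if self.disabled:
            return False
        body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()  # sign exact bytes
        ts = int(time.time()) if now is None else now
        headers = {TIMESTAMP_HEADER: str(ts),
                   SIGNATURE_HEADER: sign(self.secret, ts, body),
                   "Content-Type": "application/json"}
        ok = transport(self.url, headers, body)
        if ok:
            self.consecutive_failures = 0            # only a run of failures counts
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.max_failures:
                self.disabled = True
        return ok


def make_receiver(secret: bytes, now: int) -> Transport:
    """Constructed in-process stand-in for the HTTP receiver: accepts only deliveries that verify."""
    def receiver(url: str, headers: dict, body: bytes) -> bool:
        return verify(secret, headers, body, now=now)[0]
    return receiver


SHARED_SECRET = b"constructed-example-secret"   # constructed; real secrets come from a secret store

if __name__ == "__main__":
    now = int(time.time())
    endpoint = WebhookEndpoint("https://hooks.example.invalid/scan", SHARED_SECRET)
    print("delivered:", endpoint.deliver({"event": "scan.completed", "score": 71}, make_receiver(SHARED_SECRET, now), now=now))
```

Verifying over the raw request body matters: re-serialising parsed JSON before hashing can change whitespace or key order and produce spurious mismatches, which on the sender side count toward the five failures that disable the hook.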

For teams using CI/CD, the GitHub Action can gate merges when the score drops below a chosen threshold. The CLI provides JSON and text output for scripting, and the MCP Server enables scanning from AI coding assistants. These options reduce manual overhead while preserving the discipline needed for sound hand-off validation.

Limitations and expectations

middleBrick detects and reports but does not fix, patch, block, or remediate. It does not perform active SQL injection or command injection testing, and it cannot identify business logic vulnerabilities that require domain context. Blind SSRF and out-of-band confirmation checks are out of scope, and the tool does not replace a human pentester for high-stakes audits.

Use the scanner to surface findings relevant to security reviews and to strengthen your hand-off evidence, but plan for complementary testing methods and manual review where business logic and advanced threat modeling are required.

Frequently Asked Questions

Can I run authenticated scans during migration?
Yes, Starter tier and above support authenticated scans with Bearer, API key, Basic auth, and Cookie. Domain verification ensures only the domain owner can enable credentials for a scan.

Does middleBrick map findings to compliance frameworks?
It maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, it helps you prepare for audits and supports evidence collection.

How are LLM-specific risks evaluated?
The Deep scan tier runs 18 adversarial probes across three tiers to test for prompt extraction, jailbreak patterns, data exfiltration, token smuggling, and other AI-specific risks.

What happens to scan data after cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. Data is never sold and is not used for model training.