Migrating from 42Crunch to middleBrick for ISO 27001 API control evidence
What middleBrick covers
- Black-box API risk scoring A to F in under a minute
- Read-only scanning with no agents or code access
- Detection aligned to OWASP API Top 10 (2023), PCI-DSS 4.0, SOC 2
- Authenticated scans with strict header allowlist
- Scheduled continuous monitoring and diff-based alerts
- Remediation guidance to support control evidence collection
From 42Crunch to black-box API risk discovery
Migrating to middleBrick shifts your approach from agent-based instrumentation to black-box risk discovery. You submit an API endpoint URL and, within about a minute, the scanner returns a risk score from A to F with prioritized findings. Because scans are read-only, nothing is installed and no configuration is changed, which suits production environments under strict change control. The workflow fits an ISO 27001 evidence cadence: define the scope (which endpoints, which environments, which credentials), run the scan, and retain the dated score and ordered findings as auditable artifacts. Keep the scan scope and date with the results; a score on its own, with no record of what it applied to or when, is weak evidence.
Mapping findings to ISO 27001 and control evidence
middleBrick maps each finding to ISO 27001 control objectives and to the OWASP API Top 10 (2023), which gives you structured input for your information security management system. Each finding carries a severity, a description and remediation guidance that you can cite when demonstrating that a control is operating. The scanner also surfaces the authentication, data exposure and input validation finding classes relevant to PCI-DSS 4.0 and SOC 2 Type II. For other regulations, use the findings to show coverage of the controls named in your audit materials. Note the limit of this evidence: a scan report shows that a control was tested on a given date against a given scope; it does not certify compliance, and middleBrick makes no such guarantee.
Authenticated scanning and domain verification
For environments that require an authenticated view, middleBrick supports Bearer tokens, API keys, Basic auth and cookies at the Starter tier and above. Before any scan with credentials, a domain verification gate checks for a DNS TXT record or an HTTP well-known file proving that you control the target domain, so credentials are only ever sent to APIs you own. The scanner forwards only a strict header allowlist: Authorization, X-API-Key, Cookie and any header matching the X-Custom-* prefix; every other header you supply is dropped. Use a dedicated scan identity with the minimum privileges needed to reach the endpoints in scope, keep it separate from operator accounts, and rotate its credential after the engagement. That keeps the authenticated flow aligned with least privilege and gives you a clean record of what the scanner could access.
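The gate described above, as an added example and not middleBrick's own code: apply the header allowlist exactly as the page states it (case-insensitive names, X-Custom- as a prefix), check that the target host really sits under the verified domain, and accept either verification route. The TXT record format (middlebrick-verification=<token>), the well-known path and the token values are assumptions made for this example; the page does not state them.

```python
import hmac
from typing import Dict, Iterable, Optional

# Allowlist from the page: three exact names plus the X-Custom-* prefix.
# Header names are compared case-insensitively (RFC 9110). The prefix rule
# requires the trailing hyphen, so X-Customer-Id is not treated as X-Custom-*.
EXACT_ALLOW = frozenset({"authorization", "x-api-key", "cookie"})
PREFIX_ALLOW = ("x-custom-",)

# Assumed token formats; the page does not state middleBrick's record layout
# or well-known path, so these are placeholders for this example.
TXT_RECORD_PREFIX = "middlebrick-verification="
WELL_KNOWN_PATH = "/.well-known/middlebrick-verification.txt"


def filter_scan_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep only headers the scanner may forward; everything else is dropped."""
    forwarded: Dict[str, str] = {}
    for name, value in headers.items():
        lowered = name.strip().lower()
        if lowered in EXACT_ALLOW or lowered.startswith(PREFIX_ALLOW):
            forwarded[name] = value
    return forwarded


def host_in_domain(host: str, domain: str) -> bool:
    """True if host equals the verified domain or is a subdomain of it.

    A bare endswith() would accept evil-example.com for example.com, so the
    label boundary is checked explicitly.
    """
    host = host.strip().lower().rstrip(".")
    domain = domain.strip().lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def txt_verified(txt_records: Iterable[str], token: str) -> bool:
    """DNS route: one TXT record must carry exactly the expected token."""
    expected = TXT_RECORD_PREFIX + token
    return any(hmac.compare_digest(rec.strip().strip('"'), expected) for rec in txt_records)


def well_known_verified(body: Optional[str], token: str) -> bool:
    """HTTP route: the well-known file body must equal the token."""
    return body is not None and hmac.compare_digest(body.strip(), token)


def authorized_scan_headers(target_host: str, verified_domain: str,
                            user_headers: Dict[str, str]) -> Dict[str, str]:
    """Gate credentials behind domain verification, then apply the allowlist."""
    if not host_in_domain(target_host, verified_domain):
        raise PermissionError(f"{target_host} is not under verified domain {verified_domain}")
    return filter_scan_headers(user_headers)


if __name__ == "__main__":
    # Constructed inputs: a verified apex and a header set a user might paste in.
    txt = ['v=spf1 -all', '"middlebrick-verification=7f3a9c"']
    assert txt_verified(txt, "7f3a9c")
    supplied = {
        "Authorization": "Bearer scan-identity-token",
        "X-Custom-Tenant": "acme",
        "X-Customer-Id": "42",            # not X-Custom-*, dropped
        "X-Forwarded-For": "10.0.0.1",    # not on the allowlist, dropped
    }
    print(authorized_scan_headers("api.example.com", "example.com", supplied))
```

The two details worth copying into any similar gate are the explicit label boundary in host_in_domain and the constant-time comparison of the verification token; both are cheap and both close a real hole (a look-alike domain, or a timing side channel on the token check).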
Continuous monitoring and change detection
With the Pro tier you can schedule rescans every 6 hours, daily, weekly or monthly and track posture over time. Each rescan is diffed against the previous one, listing new findings, resolved findings and score drift, so you can quantify improvement or regression between evidence collection points. Alerts are rate-limited to one per hour per API and delivered by email; webhook deliveries are signed with HMAC-SHA256, and an endpoint is auto-disabled after five consecutive delivery failures. On the receiving side, verify the signature with a constant-time comparison before acting on a payload, and return a 2xx promptly (queue the work rather than processing it inline) so that transient receiver errors do not accumulate into the five failures that switch the webhook off. Together these give repeatable evidence for ongoing control monitoring without flooding the incident response team.
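Both sides of the webhook exchange, as an added example that is not middleBrick's code: a rescan diff is built, signed with HMAC-SHA256 and delivered; the receiver verifies the signature in constant time and acknowledges; the sender counts consecutive failures and disables the hook on the fifth, as the page describes. The header names, the binding of a timestamp into the signed message and the replay window are this example's own design choices, not documented middleBrick behaviour; the scan results and finding IDs are constructed placeholders.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict

# From the page: deliveries are HMAC-SHA256 signed and a webhook is disabled
# after five consecutive failures. The header names, timestamp binding and
# replay window are this example's own choices, not documented behaviour.
SIGNATURE_HEADER = "X-Signature-256"
TIMESTAMP_HEADER = "X-Timestamp"
MAX_CONSECUTIVE_FAILURES = 5
REPLAY_WINDOW_SECONDS = 300


def scan_diff(previous: dict, current: dict) -> dict:
    """Diff two scans of the form {"score": "B", "findings": {finding_id: severity}}."""
    before, after = set(previous["findings"]), set(current["findings"])
    return {
        "score_before": previous["score"],
        "score_after": current["score"],
        "new": sorted(after - before),
        "resolved": sorted(before - after),
        "unchanged": sorted(before & after),
    }


def canonical_body(payload: dict) -> bytes:
    """Deterministic JSON so sender and receiver sign identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<body>'; the timestamp lets the receiver
    reject a captured delivery that is replayed later."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes, now: int) -> bool:
    """Receiver side: reject stale deliveries, then compare in constant time."""
    try:
        timestamp = int(headers[TIMESTAMP_HEADER])
        signature = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False
    return hmac.compare_digest(sign(secret, timestamp, body), signature)


@dataclass
class WebhookEndpoint:
    url: str
    secret: bytes
    consecutive_failures: int = 0
    enabled: bool = True

    def record(self, delivered: bool) -> None:
        """A success resets the counter; the fifth failure in a row disables the hook."""
        if delivered:
            self.consecutive_failures = 0
            return
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.enabled = False


Transport = Callable[[str, Dict[str, str], bytes], int]  # POST, returns HTTP status


def deliver(endpoint: WebhookEndpoint, payload: dict, now: int, transport: Transport) -> bool:
    """Sender side: sign and POST; only a 2xx response counts as delivered."""
    if not endpoint.enabled:
        return False
    body = canonical_body(payload)
    headers = {TIMESTAMP_HEADER: str(now),
               SIGNATURE_HEADER: sign(endpoint.secret, now, body)}
    delivered = 200 <= transport(endpoint.url, headers, body) < 300
    endpoint.record(delivered)
    return delivered


def make_receiver(secret: bytes, now: int) -> Transport:
    """In-process stand-in for the customer's HTTPS endpoint: verify, then ack."""
    def receiver(url: str, headers: Dict[str, str], body: bytes) -> int:
        return 200 if verify(secret, headers, body, now) else 401
    return receiver


if __name__ == "__main__":
    # Constructed scan results; finding IDs are placeholders, not real findings.
    previous = {"score": "C", "findings": {"F-101": "high", "F-102": "low"}}
    current = {"score": "B", "findings": {"F-102": "low", "F-203": "medium"}}
    diff = scan_diff(previous, current)
    now = 1_700_000_000
    hook = WebhookEndpoint("https://hooks.example.invalid/middlebrick", b"shared-secret")
    print(diff, deliver(hook, diff, now, make_receiver(hook.secret, now)))
```

Note that the receiver returns 401 for a bad signature rather than swallowing it with a 200: a misconfigured secret should surface as delivery failures and eventually disable the hook, which is exactly the signal you want, rather than a stream of silently unverified payloads being acted on.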
Limitations and complementary controls
middleBrick is a scanning tool: it does not fix, patch, block or remediate anything. It does not perform active SQL injection or command injection tests, which require intrusive payloads outside its read-only scope, and it does not detect business logic flaws that need domain understanding. Blind SSRF and certain advanced infrastructure issues are also out of scope, and the tool does not replace a human pentester for high-stakes audits. Treat it as one assurance layer alongside code review, architecture review and expert assessment when building an API security program.