Migrating from 42Crunch to middleBrick for LLM gateway boundary test

If you are using 42Crunch for LLM gateway boundary testing, your workflow likely depends on its dashboard for scan management and its policy engine to block or transform requests. You initiate a scan, review findings in the UI, and adjust policies iteratively. This model works when your focus is enforcement at the gateway, but it creates dependencies on the vendor UI for visibility and report generation.

Migrating to middleBrick shifts the pattern to an API-centric workflow where scans are invoked programmatically and results are consumed as structured data. Instead of configuring policies inside a proprietary dashboard, you call the middleBrick API or CLI, provide the target URL and authentication context, and receive a risk score with prioritized findings. The change moves responsibility for orchestration to your team, enabling integration into CI/CD pipelines and automated monitoring rather than manual dashboard checks.

middleBrick maps findings directly to OWASP API Top 10 (2023), which covers the common categories relevant to LLM gateway boundary tests. The scanner runs black-box checks against the public surface of your gateway, including authentication schemes, input validation, and error handling behavior.

For LLM-specific concerns such as prompt injection, jailbreak attempts, and data exfiltration probes, middleBrick includes an LLM Security section with 18 adversarial probes across Quick, Standard, and Deep scan tiers. These probes test for system prompt extraction, instruction override, DAN and roleplay jailbreaks, token smuggling, and multi-turn manipulation, among others. Because the scanner is read-only, it sends no destructive payloads and does not attempt to patch or block anything; it surfaces findings and remediation guidance for your team to act on.

42Crunch allows policy definitions tightly coupled to its platform, whereas middleBrick requires explicit authentication details when you need to test authenticated paths. Supported methods include Bearer tokens, API keys, Basic auth, and cookies. For authenticated scans at the Starter tier and above, you provide credentials and pass a domain verification gate, typically via DNS TXT record or an HTTP well-known file, ensuring only the domain owner can submit credentials for scanning.

middleBrick forwards only a limited allowlist of headers: Authorization, X-API-Key, Cookie, and X-Custom-*. This design keeps the boundary test focused on the gateway behavior without leaking unrelated headers. In contrast, 42Crunch may enforce policies at the gateway level with broader header manipulation capabilities that are configured inside its proprietary rule set.

With 42Crunch, scans and policy tuning are often driven through the UI, and reports are downloaded manually. middleBrick enables infrastructure-as-code style workflows. You can trigger scans via the CLI with a command such as:

middlebrick scan https://api.example.com

Results are returned in JSON or text, making it straightforward to parse findings in scripts or custom dashboards. For continuous monitoring, Pro tier adds scheduled rescans, diff detection across scans, and email alerts rate-limited to one per hour per API. If you require integration into CI/CD, the GitHub Action can fail builds when the score drops below your chosen threshold, providing a direct enforcement point without relying on the 42Crunch dashboard.

middleBrick does not fix, patch, or block findings; it detects and reports with remediation guidance. This means you must implement your own remediation workflow and policy enforcement, for example by updating gateway rules or adjusting code. The scanner also does not perform active SQL injection or command injection tests, as those fall outside its read-only scope, and it does not detect business logic vulnerabilities, which require domain-specific human analysis.

On data governance, customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training. If you need compliance evidence, middleBrick helps you prepare for audits aligned with SOC 2 Type II and PCI-DSS 4.0, and it surfaces findings relevant to controls described in frameworks such as OWASP API Top 10 (2023). It does not claim certification or compliance for HIPAA, GDPR, ISO 27001, or other regulations.