Migrating from 42Crunch to middleBrick for NIS2 directive readiness

What middleBrick covers

  • Black-box scanning without agents or code access
  • Risk score A–F with prioritized findings
  • Detection aligned to OWASP API Top 10 (2023)
  • Supports OpenAPI 3.0, 3.1, and Swagger 2.0
  • Authenticated scanning with strict header allowlist
  • Continuous monitoring and CI/CD integration

Current state with 42Crunch for NIS2

Many teams use 42Crunch to enforce gateway policies and surface common API issues. Its deployment model relies on a managed cloud control plane and injected proxies, which introduces a dependency on the vendor for policy updates and runtime behavior. When assessing NIS2 directive readiness, you need to map existing detections and response playbooks to specific technical controls, and understand which evidence you can retain and reproduce independently of the vendor.

Shift to black-box scanning with middleBrick

middleBrick is a self-service API security scanner that operates as a black-box tool: no agents, no SDKs, and no code access are required. You submit a URL and receive a risk score from A to F with prioritized findings. Scans complete in under a minute using read-only methods plus text-only POST for LLM probes. This approach supports any language, framework, or cloud target, which reduces operational coupling and aligns with NIS2 emphasis on asset inventory and independent verification.

Coverage against OWASP API Top 10 and mapping to frameworks

The scanner evaluates 12 categories aligned to OWASP API Top 10 (2023), including authentication bypass, BOLA and BFLA, property authorization, input validation, rate limiting, data exposure, encryption, SSRF, inventory management, unsafe consumption, and LLM/AI security. Findings map directly to OWASP API Top 10 (2023) and support controls described in SOC 2 Type II and PCI-DSS 4.0. For other frameworks, the tool helps you prepare for audits by aligning findings with the security controls those standards describe and by producing exportable reports that serve as audit evidence.

Authenticated scanning and domain verification for NIS2 evidence

With Starter tier and above, you can enable authenticated scanning using Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring that only the domain owner can scan with credentials. The scanner forwards a restricted allowlist of headers, and all scan data is deletable on demand, supporting evidence retention and data minimization requirements under NIS2.
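The two controls in this paragraph, proof of domain ownership before credentials are used and a strict allowlist of forwarded headers, are easy to get wrong in a scanner of your own. The following is an added illustration written for this page, not middleBrick's code: the allowlist contents, the TXT record prefix, the well-known path and the token format are all assumptions, since the page states none of them, and the DNS and HTTP lookups are injected functions backed by constructed data so the example runs offline.

```python
import hmac

# Assumed allowlist of credential-bearing headers a scanner may forward.
# The page says the allowlist is strict but does not enumerate it.
FORWARDABLE_HEADERS = frozenset({"authorization", "x-api-key", "cookie"})

# Assumed proof-of-ownership formats; the page names neither the TXT prefix nor the path.
TXT_PREFIX = "middlebrick-verify="
WELL_KNOWN_PATH = "/.well-known/middlebrick-verify.txt"


def _same(a, b):
    """Constant-time comparison of two short ASCII tokens."""
    return hmac.compare_digest(a.encode(), b.encode())


def filter_headers(requested):
    """Keep only allowlisted headers; everything else is dropped, never forwarded."""
    kept, dropped = {}, []
    for name, value in requested.items():
        if name.lower() in FORWARDABLE_HEADERS:
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


def domain_verified(domain, token, resolve_txt, fetch_well_known):
    """Either proof suffices: a TXT record carrying the token, or the token served
    from the well-known path. resolve_txt(domain) -> list of TXT strings;
    fetch_well_known(domain, path) -> body text or None. Both are injected."""
    for record in resolve_txt(domain):
        if record.startswith(TXT_PREFIX) and _same(record[len(TXT_PREFIX):], token):
            return True
    body = fetch_well_known(domain, WELL_KNOWN_PATH)
    return body is not None and _same(body.strip(), token)


def authorize_credentialed_scan(domain, token, headers, resolve_txt, fetch_well_known):
    """Return the headers that may be sent, or None if ownership is unproven.
    Credentials are never forwarded to a domain the requester has not proven to control."""
    if not domain_verified(domain, token, resolve_txt, fetch_well_known):
        return None
    kept, _dropped = filter_headers(headers)
    return kept


# Constructed DNS and HTTP state standing in for real lookups.
FAKE_TXT = {"api.example.com": ["v=spf1 -all", TXT_PREFIX + "tok-0123"]}
FAKE_WELL_KNOWN = {("docs.example.com", WELL_KNOWN_PATH): "tok-4567\n"}


def fake_resolve_txt(domain):
    return FAKE_TXT.get(domain, [])


def fake_fetch_well_known(domain, path):
    return FAKE_WELL_KNOWN.get((domain, path))


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer t", "Cookie": "s=1", "X-Forwarded-For": "10.0.0.1"}
    print(authorize_credentialed_scan("api.example.com", "tok-0123", hdrs,
                                      fake_resolve_txt, fake_fetch_well_known))
```

The ownership check runs before any header is considered, so a wrong or unverified domain yields no outbound credentials at all, and the allowlist is the only path by which a header reaches the target.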

Continuous monitoring and integration into NIS2 workflows

Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection to highlight new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks can notify monitoring systems, with auto-disable after five consecutive failures. The CLI and GitHub Action allow CI/CD gating, so risk thresholds can be integrated into your NIS2 compliance workflows. Note that the tool detects and reports with remediation guidance, but does not fix, patch, block, or remediate issues.
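The paragraph above names three mechanisms a consumer of these notifications has to implement correctly: verifying the HMAC-SHA256 webhook signature, handling the auto-disable after five consecutive failures, and turning diff detection plus the A–F score into a CI/CD gate. The following is an added example written for this page, not middleBrick's own code or webhook format: the signature header name, hex encoding over the raw body, the report shape (a score letter plus findings with a category and path) and the sample reports are all assumptions or constructed data.

```python
import hashlib
import hmac
import json

# --- Webhook signature verification -----------------------------------------
# Assumed: the header carries the lowercase hex HMAC-SHA256 of the raw body.
# The page states HMAC-SHA256 signing but not the header name or encoding.
SIGNATURE_HEADER = "X-Signature-256"


def sign_webhook(raw_body, secret):
    """Sender side (used here only to build realistic input for the receiver)."""
    return {SIGNATURE_HEADER: hmac.new(secret, raw_body, hashlib.sha256).hexdigest()}


def verify_webhook(raw_body, headers, secret):
    """Recompute over the raw bytes (not a re-serialized JSON object) and compare
    in constant time; a missing or altered header or body fails."""
    presented = headers.get(SIGNATURE_HEADER, "").strip().lower()
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)


# --- Auto-disable after consecutive delivery failures ------------------------
class WebhookSubscription:
    MAX_CONSECUTIVE_FAILURES = 5  # the threshold the page states

    def __init__(self):
        self.consecutive_failures = 0
        self.enabled = True

    def record_delivery(self, succeeded):
        """A success resets the counter; the fifth straight failure disables the hook."""
        if succeeded:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


# --- Diff detection and CI/CD gating on the A–F score -------------------------
GRADES = "ABCDEF"  # A is best; a higher index means more risk


def diff_scans(previous, current):
    """Findings are keyed by (category, path); drift > 0 means the grade got worse."""
    key = lambda f: (f["category"], f["path"])
    prev_keys = {key(f) for f in previous["findings"]}
    cur_keys = {key(f) for f in current["findings"]}
    return {
        "new": sorted(cur_keys - prev_keys),
        "resolved": sorted(prev_keys - cur_keys),
        "score_drift": GRADES.index(current["score"]) - GRADES.index(previous["score"]),
    }


def passes_gate(report, minimum_grade="B", diff=None, block_on_new=True):
    """Fail the pipeline if the grade is below the threshold or new findings appeared."""
    if GRADES.index(report["score"]) > GRADES.index(minimum_grade):
        return False
    if block_on_new and diff and diff["new"]:
        return False
    return True


# Constructed sample reports using the page's own category names; not real output.
PREVIOUS_REPORT = {"score": "B", "findings": [
    {"category": "rate limiting", "path": "/v1/search"},
    {"category": "data exposure", "path": "/v1/debug"},
]}
CURRENT_REPORT = {"score": "C", "findings": [
    {"category": "rate limiting", "path": "/v1/search"},
    {"category": "authentication bypass", "path": "/v1/login"},
]}


def demo():
    secret = b"constructed-shared-secret"
    body = json.dumps(CURRENT_REPORT).encode()
    assert verify_webhook(body, sign_webhook(body, secret), secret)
    diff = diff_scans(PREVIOUS_REPORT, CURRENT_REPORT)
    return diff, passes_gate(CURRENT_REPORT, "B", diff)


if __name__ == "__main__":
    print(demo())
```

Verifying over the raw request bytes matters: re-serializing the parsed JSON before hashing changes whitespace and key order and produces spurious failures, which in turn feed the consecutive-failure counter and can silently disable the subscription.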

Frequently Asked Questions

Does middleBrick perform intrusive tests like SQL injection or command injection?
No. The scanner uses read-only methods and does not send destructive payloads. Intrusive tests such as active SQL injection or command injection are outside scope.
Can the scanner detect business logic vulnerabilities required by NIS2?
No. Business logic vulnerabilities require domain context and human expertise. The tool surfaces findings relevant to such reviews but does not detect them automatically.
Does the tool claim compliance certifications such as HIPAA or GDPR?
No. The tool is used to assess and gather evidence, and it aligns with controls described in standards, but it does not certify or guarantee compliance with any regulation.
What happens to scan data after account cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. Data is never sold and is not used for model training.