Migrating from 42Crunch to middleBrick for Customer SOC 2 questionnaire prep
What middleBrick covers
- Black-box API scanning with risk score and prioritized findings
- Direct mapping of findings to SOC 2 and OWASP API Top 10
- Read-only methods only to avoid production impact
- OpenAPI 3.0/3.1 and Swagger 2.0 spec parsing with $ref resolution
- Authenticated scanning with header allowlist and domain verification
- Continuous monitoring with scheduled rescans and diff detection
Mapping findings to SOC 2 and OWASP API Top 10
middleBrick maps findings directly to SOC 2 control objectives and to OWASP API Top 10 (2023). Each scan produces a risk score and prioritized findings that align with these frameworks, so you can reference specific detections as audit evidence when preparing questionnaire responses.
For SOC 2, findings support descriptions of logical access controls, monitoring, and risk management activities. For OWASP API Top 10, the scanner covers the full set of categories including Authentication, Broken Object Level Authorization, Input Validation, Data Exposure, and LLM / AI Security. You can trace individual issues to the relevant requirement or control statement without claiming certification or compliance.
Black-box scanning workflow for questionnaire prep
The scanner performs a read-only black-box assessment without agents, SDKs, or code access. You submit a URL and receive a risk score with prioritized findings in under a minute, using only GET, HEAD, and text-only POST methods. This workflow fits naturally into a SOC 2 questionnaire preparation cadence, providing repeatable, objective evidence of surface-level security posture.
Because no intrusive payloads are sent, the approach avoids disruption to production environments while still validating authentication mechanisms, security headers, and common configuration issues. Scan results can be exported as structured reports to document current states and track changes over time.
Authenticated scanning for deeper questionnaire evidence
With Starter tier or higher, authenticated scanning is available using Bearer tokens, API keys, Basic auth, and cookies. Domain verification ensures only the domain owner can scan with credentials, and a strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
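The following is an added illustration of how a forwarded-header allowlist of this shape behaves; it is not middleBrick's code and makes no claim about its internals. It assumes the allowlist named above (Authorization, X-API-Key, Cookie, and the X-Custom-* prefix), matches header names case-insensitively as HTTP requires, and rejects values containing CR or LF so a scan configuration cannot inject extra headers into the forwarded request.

```python
import fnmatch
from typing import Dict, List

# Allowlist from the page: three exact names plus the X-Custom-* prefix.
# HTTP header names are case-insensitive, so patterns are lowercase and
# incoming names are lowercased before matching.
HEADER_ALLOWLIST = ("authorization", "x-api-key", "cookie", "x-custom-*")


def filter_forwarded_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return only the headers an authenticated scan may forward to the target.

    Anything not on the allowlist (Host, X-Forwarded-For, Proxy-Authorization, ...)
    is dropped. Values are forwarded unchanged, but a value carrying CR or LF is
    refused outright: that is the classic header-injection vector.
    """
    kept: Dict[str, str] = {}
    for name, value in headers.items():
        if "\r" in value or "\n" in value:
            raise ValueError(f"control characters in header value for {name!r}")
        lname = name.strip().lower()
        if any(fnmatch.fnmatchcase(lname, pattern) for pattern in HEADER_ALLOWLIST):
            kept[name] = value
    return kept


def dropped_headers(headers: Dict[str, str]) -> List[str]:
    """Names present in the input that the allowlist removed (useful for audit logs)."""
    return sorted(set(headers) - set(filter_forwarded_headers(headers)))


# Constructed sample scan configuration, mixing allowed and disallowed headers.
SAMPLE_HEADERS = {
    "Authorization": "Bearer eyJ-constructed-token",
    "x-api-key": "constructed-key",
    "X-Custom-Trace": "scan-42",
    "Host": "internal.example",          # not forwardable
    "X-Forwarded-For": "203.0.113.7",    # not forwardable
}

if __name__ == "__main__":
    print("forwarded:", filter_forwarded_headers(SAMPLE_HEADERS))
    print("dropped:  ", dropped_headers(SAMPLE_HEADERS))
```

Logging the dropped names alongside each authenticated scan gives you a record that only operator-intended credentials reached the target, which is the kind of evidence a questionnaire response about credential handling can cite.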
Authenticated scans surface findings relevant to access control depth, session management, and privilege boundaries required by SOC 2. You can evaluate how authentication and authorization mechanisms behave when valid credentials are present, and capture screenshots and evidence that support questionnaire responses without modifying backend systems.
OpenAPI spec analysis and cross-reference with runtime findings
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents, resolving recursive $ref references. It cross-references spec definitions against runtime behavior to highlight undefined security schemes, sensitive fields in responses, deprecated operations, and missing pagination or rate-limiting definitions.
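As an added example (not middleBrick's parser), here is a minimal local $ref resolver that terminates on recursive schemas, together with one of the cross-reference checks the paragraph lists: security requirements that name a scheme the spec never defines. It handles only same-document references (`#/...`) per RFC 6901, covers both `components.securitySchemes` (OpenAPI 3.x) and `securityDefinitions` (Swagger 2.0), and the embedded spec is a constructed sample.

```python
from typing import Any, Dict, FrozenSet, List

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def _pointer_lookup(doc: Any, pointer: str) -> Any:
    """Resolve a local JSON Pointer such as '#/components/schemas/Pet'."""
    if not pointer.startswith("#/"):
        raise ValueError(f"only local references are supported: {pointer}")
    node = doc
    for raw in pointer[2:].split("/"):
        key = raw.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescaping, in this order
        node = node[int(key)] if isinstance(node, list) else node[key]
    return node


def resolve_refs(doc: Any) -> Any:
    """Return a copy of `doc` with local $refs inlined.

    A $ref already on the expansion stack (a recursive schema such as a tree node
    whose children are nodes) is left as a $ref instead of being followed again,
    so resolution terminates rather than recursing forever.
    """
    def walk(node: Any, stack: FrozenSet[str]) -> Any:
        if isinstance(node, dict):
            ref = node.get("$ref")
            if isinstance(ref, str):
                if ref in stack:
                    return {"$ref": ref}  # cycle: keep the reference
                return walk(_pointer_lookup(doc, ref), stack | {ref})
            return {k: walk(v, stack) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(item, stack) for item in node]
        return node
    return walk(doc, frozenset())


def undefined_security_schemes(doc: Dict[str, Any]) -> List[str]:
    """Scheme names used in `security` requirements but never defined in the spec."""
    defined = set(doc.get("components", {}).get("securitySchemes", {}))
    defined |= set(doc.get("securityDefinitions", {}))  # Swagger 2.0 location
    used = set()
    for req in doc.get("security", []):          # global requirements
        used |= set(req)
    for path_item in doc.get("paths", {}).values():
        for method, op in path_item.items():
            if method in HTTP_METHODS and isinstance(op, dict):
                for req in op.get("security", []):
                    used |= set(req)
    return sorted(used - defined)


# Constructed sample: a recursive schema and one operation using an undefined scheme.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Node": {
                "type": "object",
                "properties": {
                    "name": {"type": "string"},
                    "children": {"type": "array", "items": {"$ref": "#/components/schemas/Node"}},
                },
            },
            "Tree": {"$ref": "#/components/schemas/Node"},
        },
    },
    "paths": {
        "/tree": {"get": {
            "security": [{"bearerAuth": []}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Tree"}}}}},
        }},
        "/admin": {"get": {"security": [{"adminKey": []}], "responses": {"200": {}}}},
    },
}


def resolved_tree_schema(spec: Dict[str, Any] = SAMPLE_SPEC) -> Dict[str, Any]:
    """Schema of GET /tree's 200 response after $ref resolution."""
    resolved = resolve_refs(spec)
    return resolved["paths"]["/tree"]["get"]["responses"]["200"]["content"]["application/json"]["schema"]


if __name__ == "__main__":
    print(resolved_tree_schema())
    print("undefined security schemes:", undefined_security_schemes(SAMPLE_SPEC))
```

The undefined-scheme check is the documentation half of the cross-reference: an operation that declares `adminKey` with no matching definition means the spec cannot tell a reader, or a scanner, how that endpoint is actually protected, and is exactly the kind of design-versus-implementation gap an auditor will ask about.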
This capability helps you demonstrate that questionnaire responses are grounded in both documentation and observed behavior. You can point to specific discrepancies between declared and actual security controls as objective evidence when auditors ask for alignment between design and implementation.
Ongoing monitoring and change management
Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection that highlights new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks notify systems of significant changes, auto-disabling after five consecutive failures.
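An added example of the receiving side of an HMAC-SHA256 signed webhook; this is not middleBrick's code, and the header names, the `sha256=<hex>` encoding, and the decision to sign a timestamp together with the body are assumptions chosen to show the pattern (check the product's webhook documentation for the real scheme). The two points it demonstrates are defensive: verify over the raw request bytes with a constant-time comparison, and reject stale timestamps so a captured notification cannot be replayed later.

```python
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Mapping, Optional

# Placeholder header names: assumed here, not taken from the page.
SIGNATURE_HEADER = "X-Signature-256"
TIMESTAMP_HEADER = "X-Signature-Timestamp"
MAX_AGE_SECONDS = 300  # replay window we are willing to accept


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Signature over '<timestamp>.<raw body>' so a replayed body with a new
    timestamp, or an old timestamp on a new body, both fail verification."""
    mac = hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_webhook(secret: bytes, headers: Mapping[str, str], body: bytes,
                   now: Optional[float] = None) -> bool:
    """True only if the timestamp is fresh and the signature matches the raw body."""
    now = time.time() if now is None else now
    ts = headers.get(TIMESTAMP_HEADER, "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_AGE_SECONDS:
        return False  # missing or stale: reject before doing any HMAC work
    expected = sign(secret, ts, body)
    provided = headers.get(SIGNATURE_HEADER, "")
    # compare_digest runs in constant time, so a wrong guess leaks nothing about
    # how many leading bytes were right.
    return hmac.compare_digest(expected.encode(), provided.encode())


def handle_webhook(secret: bytes, headers: Mapping[str, str], body: bytes,
                   now: Optional[float] = None) -> Dict[str, Any]:
    """Verify first, parse second. Never json.loads() an unverified body, and never
    re-serialize the JSON before signing: whitespace differences would break the MAC."""
    if not verify_webhook(secret, headers, body, now):
        raise PermissionError("webhook signature rejected")
    return json.loads(body)


# Constructed sample: a shared secret and a rescan-diff notification body.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = b'{"api":"https://api.example.com","score":72,"new_findings":2,"resolved_findings":1}'
SAMPLE_TS = "1700000000"
SAMPLE_HEADERS = {
    SIGNATURE_HEADER: sign(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY),
    TIMESTAMP_HEADER: SAMPLE_TS,
}

if __name__ == "__main__":
    event = handle_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=1700000010)
    print("accepted event with score", event["score"])
```

Wire the verification in front of whatever ticketing or SIEM integration consumes the notifications; a signed, replay-checked event is what lets you treat a "new finding" alert as change-management evidence rather than an unauthenticated HTTP POST.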
For SOC 2 questionnaires, this shows continuous oversight and timely awareness of regressions. You can correlate scan results with change management records to illustrate how security posture evolves across development cycles, though the tool does not perform remediation or configuration changes itself.