Migrating from 42Crunch to StackHawk

What middleBrick covers

  • Black-box API scanning with no agents or SDKs
  • Risk scoring from A to F with prioritized findings
  • OWASP API Top 10 (2023) and mapping to PCI-DSS and SOC 2
  • Authenticated scans with header allowlist controls
  • CI/CD integration via GitHub Action and MCP server
  • Continuous monitoring with diff detection and webhooks

Overview of migration goals

This guide focuses on moving your API security assessment practice from 42Crunch to middleBrick. The objective is to preserve scan coverage, understand data differences, and rewire integrations with minimal disruption. middleBrick is a self-service scanner that emphasizes read-only testing and a concise result format, so some expectations and workflows will need to change in ways this guide calls out section by section.

Data and scan history considerations

Historical scan data and configurations do not transfer automatically. middleBrick stores results as scored findings with prioritized remediation guidance rather than narrative reports. You will need to recreate inventories and schedules using the dashboard or API, and map legacy severity labels to the A–F risk scoring model. Plan for manual reconciliation of findings, especially around false-positive tuning and custom test cases that do not have direct equivalents.

Technical coverage and detection scope

middleBrick covers the OWASP API Top 10 (2023) and maps findings to PCI-DSS 4.0 and SOC 2 Type II controls. Detection includes authentication bypasses, IDOR, privilege escalation, data exposure patterns such as PII and API keys, injection surface indicators, SSRF probes, and LLM security testing across multiple tiers. Rather than performing intrusive active exploitation, middleBrick focuses on observability and configuration issues; it does not perform active SQL injection or command injection testing.

Authenticated scanning and access controls

For authenticated scans, provide Bearer tokens, API keys, Basic auth, or cookies via approved headers only. middleBrick requires domain verification through DNS TXT records or a well-known HTTP file to ensure credentials are used by the rightful owner. Only a limited set of headers is forwarded, and destructive payloads are never sent. This contrasts with some tools that rely on agents or extensive runtime instrumentation.

Integrations and automation workflow

Replace 42Crunch pipeline hooks with middleBrick equivalents. The CLI supports scripted scanning with JSON output, the GitHub Action enforces score gates in CI/CD, and the MCP server allows AI-assisted scanning. Pro tier features such as scheduled rescans, diff detection, HMAC-SHA256 signed webhooks, and email alerts can be used to rebuild continuous monitoring logic. Use the API client for custom orchestration, and adjust thresholds to match your risk appetite.
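The paragraph above mentions HMAC-SHA256 signed webhooks and diff detection as the building blocks for continuous monitoring. The receiver below is an added example, not middleBrick's own code or documented payload format: it assumes the signature is the hex HMAC-SHA256 of the raw body carried in a header named X-Signature-256, and a constructed event shape with a "score" grade and a "new_findings" list.

```python
import hashlib
import hmac
import json

# Assumed header name and encoding (not documented on this page):
# hex(HMAC-SHA256(secret, raw_body)) sent in X-Signature-256.
SIGNATURE_HEADER = "X-Signature-256"
GRADES = "ABCDEF"


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 over the exact bytes on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, received: str) -> bool:
    """Constant-time comparison against a freshly computed MAC.

    Always MAC the raw request bytes, never a re-serialised JSON object:
    whitespace or key-order differences would make a valid signature fail.
    """
    expected = sign_payload(secret, raw_body)
    return hmac.compare_digest(expected, received or "")


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes,
                   fail_below: str = "C") -> dict:
    """Reject unsigned/forged events, then decide whether to alert.

    Assumed (constructed) event shape:
    {"score": "B", "new_findings": [{"id": "...", "severity": "high"}]}
    Alerts when the grade is worse than fail_below or a new high finding appears.
    """
    if not verify_signature(secret, raw_body, headers.get(SIGNATURE_HEADER, "")):
        return {"accepted": False, "alert": False, "new_high": []}
    event = json.loads(raw_body)
    score_breach = GRADES.index(event.get("score", "F")) > GRADES.index(fail_below)
    new_high = [f["id"] for f in event.get("new_findings", [])
                if f.get("severity") == "high"]
    return {"accepted": True, "alert": score_breach or bool(new_high),
            "new_high": new_high}


if __name__ == "__main__":
    # Constructed sample event and shared secret for a local dry run.
    secret = b"constructed-shared-secret"
    body = b'{"score": "D", "new_findings": [{"id": "f-1", "severity": "high"}]}'
    headers = {SIGNATURE_HEADER: sign_payload(secret, body)}
    print(handle_webhook(secret, headers, body))
```

Wire the verified result into the same threshold you use for the GitHub Action score gate so CI and monitoring disagree as little as possible.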

Compliance, limitations, and next steps

middleBrick surfaces findings relevant to audit evidence and helps you prepare for assessments aligned with PCI-DSS, SOC 2, and OWASP API Top 10. It does not guarantee compliance, certify controls, or replace a human pentester for high-stakes engagements. Not in scope are business logic flaws, blind SSRF requiring out-of-band infrastructure, and deep authentication bypass chains that need manual exploration. Review the scanner settings, define your header allowlist, and run a pilot against a non-production API before full migration.

Frequently Asked Questions

Can I import existing 42Crunch scan reports into middleBrick?
No, there is no import functionality. You must re-run scans in middleBrick to generate findings and scores.

How are false positives handled compared to 42Crunch?
middleBrick does not provide built-in false-positive suppression. Use the risk score and remediation guidance to manually triage findings, and adjust test configurations via dashboard settings.

Will authenticated scans preserve my existing CI/CD pipeline approvals?
You need to reconfigure authentication in middleBrick. Ensure domain verification is completed and only approved headers are allowed before reusing pipeline credentials.

Does middleBrick map findings to frameworks other than PCI-DSS, SOC 2, and OWASP API Top 10?
Mappings are limited to those three frameworks. For other regulations, the tool supports alignment language only and does not provide compliance guarantees.

Is there a way to automatically fail a build if a new high-risk finding appears?
Yes, the GitHub Action can fail the build when the score drops below a set threshold. Combine this with Pro tier diff detection to alert on new high-severity findings.