Migrating from Akto to middleBrick
What middleBrick covers
- Black-box API scanning with no agents or SDKs
- Under-one-minute scan time with prioritized findings
- 12 detection categories aligned to OWASP API Top 10 (2023)
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with strict header allowlisting
- Pro continuous monitoring with signed webhooks and diff detection
Planning the migration
Begin by exporting findings from Akto in a structured format such as JSON or CSV. Map each Akto finding to the 12 detection categories used by this scanner, noting which correspond to categories it covers (authentication issues, IDOR, data exposure) and which fall outside its scope, such as business logic risks, so those stay with manual review rather than disappearing from tracking. Use this mapping to prioritize scans and to define severity thresholds in the new environment.
Verify domain ownership before enabling authenticated scans. The system requires a DNS TXT record or an HTTP well-known file challenge. Only after verification can you add Bearer, API key, Basic auth, or Cookie credentials for authenticated scans, ensuring that only the domain owner can submit credentials.
Rebuilding scan history
Historical data from Akto does not transfer automatically. Import your exported findings into a tracking spreadsheet or lightweight database and tag each item with API name, endpoint, and severity. Create a baseline by running the new scanner across all production APIs and storing the initial reports. Compare future scans against this baseline to track resolved findings and new detections.
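The baseline comparison described above, as an added example rather than middleBrick's own code. It keys findings on endpoint plus category (never on timestamps or scan ids, which change every run) and sorts them into resolved, new and persisting. The report layout (a top-level "findings" list with method, path, category and severity fields) and the sample reports are constructed assumptions; adapt the key function to the JSON the scanner actually emits.

```python
"""Compare a later middleBrick scan report against a stored baseline.

Added example, not middleBrick's own code. The report layout (a top-level
"findings" list with method, path, category and severity) is assumed for
illustration; the two sample reports below are constructed.
"""
import json

# Constructed: the initial (baseline) report stored at cutover.
BASELINE_JSON = json.dumps({
    "target": "https://api.example.com",
    "findings": [
        {"method": "GET", "path": "/v1/users/{id}", "category": "IDOR",
         "severity": "high"},
        {"method": "GET", "path": "/v1/users/{id}", "category": "data_exposure",
         "severity": "medium"},
        {"method": "POST", "path": "/v1/login", "category": "authentication",
         "severity": "high"},
    ],
})

# Constructed: a later scan of the same API after two fixes and one regression.
LATER_JSON = json.dumps({
    "target": "https://api.example.com",
    "findings": [
        {"method": "GET", "path": "/v1/users/{id}", "category": "IDOR",
         "severity": "high"},
        {"method": "GET", "path": "/v1/export", "category": "data_exposure",
         "severity": "critical"},
    ],
})


def finding_key(finding):
    """Identity of a finding across scans: endpoint plus category.
    Timestamps and scan ids are deliberately excluded so reruns line up."""
    return (finding["method"].upper(), finding["path"], finding["category"])


def diff_reports(baseline_json, later_json):
    """Bucket findings into resolved / new / persisting, and flag persisting
    findings whose severity changed between the two scans."""
    base = {finding_key(f): f for f in json.loads(baseline_json)["findings"]}
    later = {finding_key(f): f for f in json.loads(later_json)["findings"]}
    common = base.keys() & later.keys()
    return {
        "resolved": sorted(base.keys() - later.keys()),
        "new": sorted(later.keys() - base.keys()),
        "persisting": sorted(common),
        "severity_changed": sorted(
            k for k in common if base[k]["severity"] != later[k]["severity"]
        ),
    }


if __name__ == "__main__":
    for bucket, keys in diff_reports(BASELINE_JSON, LATER_JSON).items():
        print(f"{bucket}: {len(keys)}")
        for key in keys:
            print("   ", *key)
```

Store each scan's raw JSON alongside the date and the commit or release it was run against; the diff is only meaningful when the API inventory and authentication setup were the same for both runs, which is the continuity caveat noted for the dashboard graphs.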
The dashboard supports trend tracking and downloadable compliance PDFs. Use these features to reconstruct audit trails. Note that precise historical graphs depend on consistent scan schedules and stable API inventories; significant changes in endpoints or authentication methods will affect continuity of metrics.
Keeping CI wired during cutover
Update CI/CD pipelines to use the new scanner CLI or API. Example with the CLI, where <token> stands for a credential injected from the pipeline's secret store at run time (never a literal committed to the workflow file, since command lines end up in job logs) and --output json produces a report a later step can parse:
middlebrick scan https://api.example.com --auth-type bearer --auth-value <token> --output json
In GitHub Actions, replace Akto-specific steps with the middleBrick action, adjusting thresholds to match your risk tolerance. During the transition, run both tools in parallel on a small set of services, compare scores and the findings behind them, and refine alerting rules before fully disabling Akto webhooks and notifications.
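The parallel-run comparison and threshold step from the two paragraphs above, as an added example that is not code from middleBrick or Akto. It normalizes an Akto export and a middleBrick JSON report into the same (method, path, category) keys, reports what each tool found that the other did not, lists Akto issues with no category in this scanner so they are not lost, and returns the findings at or above a severity floor for the pipeline to fail on. Both input layouts, the category names and the AKTO_TO_CATEGORY mapping are assumptions; replace them with the mapping built during planning.

```python
"""Side-by-side comparison of Akto and middleBrick findings plus a severity gate.

Added example, not code from either product. The Akto export layout
(list of {"endpoint", "issue", "severity"}) and the middleBrick report
layout ({"findings": [...]}) are assumed; the sample data is constructed.
"""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed mapping from Akto issue names to this scanner's categories.
# Issues mapped to None are outside its scope and stay with manual review.
AKTO_TO_CATEGORY = {
    "BOLA": "IDOR",
    "BROKEN_AUTHENTICATION": "authentication",
    "SENSITIVE_DATA_EXPOSURE": "data_exposure",
    "BUSINESS_LOGIC": None,
}

# Constructed sample exports for one service scanned by both tools.
AKTO_EXPORT = json.dumps([
    {"endpoint": "GET /v1/users/{id}", "issue": "BOLA", "severity": "HIGH"},
    {"endpoint": "POST /v1/login", "issue": "BROKEN_AUTHENTICATION", "severity": "HIGH"},
    {"endpoint": "POST /v1/orders", "issue": "BUSINESS_LOGIC", "severity": "MEDIUM"},
])
MIDDLEBRICK_REPORT = json.dumps({"findings": [
    {"method": "GET", "path": "/v1/users/{id}", "category": "IDOR", "severity": "high"},
    {"method": "GET", "path": "/v1/users/{id}", "category": "data_exposure", "severity": "low"},
]})


def normalize_akto(export_json):
    """Return (mapped, unmapped): mapped findings keyed like the scanner's,
    unmapped records kept so out-of-scope issues do not silently vanish."""
    mapped, unmapped = {}, []
    for rec in json.loads(export_json):
        category = AKTO_TO_CATEGORY.get(rec["issue"])
        if category is None:
            unmapped.append(rec)
            continue
        method, path = rec["endpoint"].split(" ", 1)
        mapped[(method.upper(), path, category)] = rec["severity"].lower()
    return mapped, unmapped


def normalize_middlebrick(report_json):
    return {
        (f["method"].upper(), f["path"], f["category"]): f["severity"].lower()
        for f in json.loads(report_json)["findings"]
    }


def compare(akto, middlebrick):
    """Which findings overlap and which are unique to one tool."""
    return {
        "both": sorted(akto.keys() & middlebrick.keys()),
        "akto_only": sorted(akto.keys() - middlebrick.keys()),
        "middlebrick_only": sorted(middlebrick.keys() - akto.keys()),
    }


def gate(findings, fail_at="high"):
    """Findings at or above the threshold; a non-empty result should fail the job."""
    floor = SEVERITY_RANK[fail_at]
    return sorted(k for k, sev in findings.items() if SEVERITY_RANK[sev] >= floor)


if __name__ == "__main__":
    akto, unmapped = normalize_akto(AKTO_EXPORT)
    middlebrick = normalize_middlebrick(MIDDLEBRICK_REPORT)
    for bucket, keys in compare(akto, middlebrick).items():
        print(bucket, keys)
    print("needs manual review:", [r["issue"] for r in unmapped])
    blocking = gate(middlebrick)
    print("blocking:", blocking)
    sys.exit(1 if blocking else 0)
```

Run this as the step after the scan, feeding it the scanner's JSON output; tighten fail_at once the parallel runs show the two tools agree on the services you care about.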
Acknowledged gaps
The scanner does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. It does not detect business logic vulnerabilities, blind SSRF via out-of-band channels, or subtle authorization bypasses that depend on complex workflows. These gaps must be filled by domain-focused manual review or specialized tools.
Additionally, the tool does not fix, patch, block, or remediate findings. It reports with remediation guidance. It also does not replace a human pentester for high-stakes audits. Plan for supplementary testing where compliance or risk policies demand deeper assurance.
Gains and compliance alignment
You gain a black-box scanner that requires no agents, SDKs, or code access. Scan time stays under a minute, and the system covers 12 categories aligned to OWASP API Top 10 (2023), mapping findings to PCI-DSS 4.0 and SOC 2 Type II. The OpenAPI parser resolves $ref chains and cross-references spec definitions against runtime behavior.
For authenticated workflows, header allowlisting is strict: only Authorization, X-API-Key, Cookie, and X-Custom-* headers are forwarded. Continuous monitoring (Pro tier) provides scheduled rescans, diff detection, email alerts, HMAC-SHA256 signed webhooks, and compliance reports. These capabilities help you prepare for security reviews and support audit evidence without claiming certification.
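The two mechanisms named in this paragraph, header allowlisting and HMAC-SHA256 webhook signatures, as one added example that is not middleBrick's own code. The allowlist half shows the forwarding rule applied case-insensitively (HTTP header names are case-insensitive, so a check that only matches the exact spelling would wrongly drop or forward headers); the webhook half shows the check a receiver should make before trusting a delivery: compute the HMAC over the raw body bytes exactly as received, compare in constant time, and treat a missing header as a rejection. The signature header name, hex encoding and the sample secret and body are assumptions; match them to the real webhook settings.

```python
"""Header allowlist filter and signed-webhook verification.

Added example, not middleBrick's own code. The allowlist comes from the
page; the signature header name (X-Signature), hex encoding of the HMAC,
and the sample secret and body are assumptions for illustration.
"""
import hashlib
import hmac

ALLOWED_EXACT = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIX = "x-custom-"


def filter_headers(headers):
    """Keep only headers the scanner forwards. Names are compared lowercased
    because HTTP header names are case-insensitive."""
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ALLOWED_EXACT or lname.startswith(ALLOWED_PREFIX):
            kept[name] = value
    return kept


SIGNATURE_HEADER = "x-signature"  # assumed header name, matched case-insensitively


def sign(secret, body):
    """HMAC-SHA256 over the raw body bytes, hex-encoded (encoding assumed)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, body):
    """True only when the signature over the exact bytes received matches.
    Uses a constant-time comparison; a missing or empty header is rejected
    rather than raising, so the caller cannot accidentally fall through."""
    provided = None
    for name, value in headers.items():
        if name.lower() == SIGNATURE_HEADER:
            provided = value
            break
    if not provided:
        return False
    expected = sign(secret, body)
    return hmac.compare_digest(expected, provided.strip().lower())


# Constructed sample delivery.
SECRET = b"example-webhook-secret"
BODY = b'{"scan_id":"demo","new_findings":1,"resolved":2}'


def demo():
    good = {"X-Signature": sign(SECRET, BODY)}
    tampered = BODY.replace(b'"new_findings":1', b'"new_findings":0')
    return {
        "valid": verify_webhook(SECRET, good, BODY),
        "tampered_body": verify_webhook(SECRET, good, tampered),
        "missing_header": verify_webhook(SECRET, {}, BODY),
    }


if __name__ == "__main__":
    print(filter_headers({"Authorization": "Bearer t", "X-Custom-Trace": "1",
                          "X-Forwarded-For": "203.0.113.9"}))
    print(demo())
```

Verify before parsing the JSON, and over the bytes as received: re-serializing the body first changes whitespace or key order and breaks the signature even on a legitimate delivery.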