Migrating from APIsec to Checkmarx

What middleBrick covers

  • Black-box API scanning with a risk score and prioritized findings
  • Supports OpenAPI 3.0, 3.1, and Swagger 2.0 with $ref resolution
  • Covers OWASP API Top 10 (2023) and maps to PCI-DSS 4.0 and SOC 2
  • CLI and GitHub Action for CI/CD integration and build gating
  • Continuous monitoring with scheduled rescans and diff detection
  • Authenticated scanning with header allowlist and domain verification

Overview of migration goals

This guide outlines the practical steps to move from APIsec to middleBrick. The focus is on exporting data, rebuilding scan history, and preserving CI wiring, while recognizing the inherent gaps between two distinct scanning approaches. middleBrick is a black-box scanner: it takes a URL, probes it with read-only HTTP methods only, and returns a risk score with prioritized findings.

Data export and baseline reconstruction

Export findings from APIsec in a structured format such as JSON or CSV, including severity, endpoint, parameter, and evidence fields. Recreate a comparable baseline in middleBrick by running scans against the same API endpoints and versions. Note that middleBrick maps findings to frameworks such as PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), which helps you prepare for audits without claiming certification or compliance.

Because black-box scanning does not require code or SDK integration, you can rerun scans in middleBrick with minimal environment changes. Reconciling differences requires mapping APIsec rule identifiers to middleBrick categories, acknowledging that some business logic vulnerabilities may not transfer due to differing detection methodologies.

Preserving CI wiring and automation

Update your CI pipelines to call the middleBrick CLI (middlebrick scan <url>) with JSON output, and configure thresholds that fail the build when the score drops below your chosen level. For hosted platforms, use the GitHub Action to enforce gates, or integrate the MCP Server with AI coding assistants to retain scan visibility in developer workflows.
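The build gate described above, as an added example that is not middleBrick's own code. It reads the CLI's JSON output from stdin, fails the job when the score falls below a threshold or when any finding reaches a blocking severity, and can compare the run against a stored previous report (new findings, resolved findings, score drift). The report shape, the severity names and the finding fields (`score`, `findings[].id`, `findings[].severity`, `findings[].endpoint`) are assumptions made for the example, not the documented CLI format; adapt the accessors to the real output.

```python
"""CI build gate over middleBrick CLI JSON output (added example, not
middleBrick's own code).

ASSUMED report shape, for illustration only:
  {"score": <0-100>, "findings": [{"id": "...", "severity": "high",
                                   "endpoint": "/path"}, ...]}
Usage in CI (flag names of the real CLI not assumed here):
  middlebrick scan https://api.example.test ... | python gate.py 70 high prev.json
"""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample used when nothing is piped in, so the script runs stand-alone.
SAMPLE_REPORT = {
    "score": 82,
    "findings": [{"id": "F-1", "severity": "medium", "endpoint": "/users"}],
}


def evaluate_gate(report, min_score=70, block_at="high"):
    """Return (passed, reasons). Fails closed: a missing or non-numeric
    score is itself a failure, so a malformed report cannot pass the build."""
    reasons = []
    score = report.get("score")
    if not isinstance(score, (int, float)):
        reasons.append("report has no numeric score")
    elif score < min_score:
        reasons.append(f"score {score} below threshold {min_score}")
    threshold = SEVERITY_RANK[block_at.lower()]
    for f in report.get("findings", []):
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).lower(), -1)
        if rank >= threshold:
            reasons.append(f"{f.get('severity')} finding {f.get('id')} at {f.get('endpoint')}")
    return (not reasons, reasons)


def diff_reports(previous, current):
    """Return new/resolved findings and score drift between two reports.
    A finding is identified by (id, endpoint) (assumption: the same check
    firing on two endpoints is two findings)."""
    def keys(report):
        return {(str(f.get("id")), str(f.get("endpoint")))
                for f in report.get("findings", [])}
    prev_keys, cur_keys = keys(previous), keys(current)
    return {
        "new": sorted(cur_keys - prev_keys),
        "resolved": sorted(prev_keys - cur_keys),
        "score_drift": current.get("score", 0) - previous.get("score", 0),
    }


def main(argv):
    min_score = int(argv[1]) if len(argv) > 1 else 70
    block_at = argv[2] if len(argv) > 2 else "high"
    try:
        report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    except ValueError as exc:
        print(f"gate: unreadable report ({exc}); failing closed")
        return 2
    if len(argv) > 3:  # optional path to the previous run's JSON
        with open(argv[3], encoding="utf-8") as fh:
            delta = diff_reports(json.load(fh), report)
        print(f"diff: new={delta['new']} resolved={delta['resolved']} "
              f"score_drift={delta['score_drift']:+}")
    passed, reasons = evaluate_gate(report, min_score, block_at)
    for reason in reasons:
        print("gate:", reason)
    print("gate: PASS" if passed else "gate: FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Exit code 1 marks a policy failure and 2 an unreadable report, so the pipeline can distinguish "the API got worse" from "the scan step itself broke" and neither is silently green.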

Ensure that authenticated scans use a domain verification gate, where only the domain owner can submit credentials. Limit forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*, and rotate credentials periodically. The CLI supports JSON and text output, making it straightforward to script comparisons against historical runs stored in the dashboard.
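The header allowlist above, enforced on the client side as an added example (not middleBrick's own code): a scan job that builds its forwarded headers from a config file or environment can run them through this filter before anything leaves the runner, so an internal session header or an `X-Forwarded-For` added by mistake is dropped rather than shipped to the scanner. Values containing CR or LF are also dropped, since those would let one configured value smuggle a second header.

```python
"""Client-side allowlist for headers forwarded to an authenticated scan
(added example, not middleBrick's own code). The allowlist is the one the
page names; how the scanner itself enforces it is not assumed here."""
import fnmatch

ALLOWED_HEADERS = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")


def _allowed(name):
    # Header names are case-insensitive, so match on the lowercased name;
    # fnmatchcase gives the X-Custom-* wildcard without regex surprises.
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, pat.lower()) for pat in ALLOWED_HEADERS)


def filter_forwarded_headers(headers):
    """Return (kept, dropped). kept preserves the caller's names and order;
    dropped lists the names refused, for logging in the CI job."""
    kept, dropped = {}, []
    for name, value in (headers or {}).items():
        if not isinstance(value, str) or "\r" in value or "\n" in value:
            dropped.append(name)          # refuse header-injection shaped values
        elif _allowed(name):
            kept[name] = value
        else:
            dropped.append(name)          # not on the allowlist
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample configuration, including two headers that must not be forwarded.
    configured = {
        "Authorization": "Bearer <token placeholder>",
        "X-Custom-Tenant": "acme",
        "X-Forwarded-For": "10.0.0.1",
        "x-customer-id": "7",
    }
    kept, dropped = filter_forwarded_headers(configured)
    print("forwarding:", list(kept))
    print("dropped:", dropped)
```

Note that `x-customer-id` is dropped: `X-Custom-*` requires the literal `X-Custom-` prefix, so a near-miss name does not slip through the wildcard.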

Known gaps and operational differences

APIsec and middleBrick differ in scope and methodology. middleBrick performs black-box scanning with read-only methods and does not execute intrusive payloads, so it does not perform active SQL injection or command injection testing. Detection coverage is bounded to categories aligned to OWASP API Top 10, and it does not detect business logic vulnerabilities, blind SSRF, or all server-side injection classes.

Because scanning is read-only, findings that rely on destructive or out-of-band confirmation may be incomplete. The tool surfaces findings relevant to audit evidence but does not replace a human pentester for high-stakes audits. Plan for manual validation of edge cases, especially around authorization logic and business workflows.

Ongoing monitoring and reporting

Enable continuous monitoring in middleBrick to schedule rescans at intervals of 6 hours, daily, weekly, or monthly. Use diff detection to track new findings, resolved findings, and score drift over time. Configure email alerts at a rate-limited frequency of 1 per hour per API, and set up HMAC-SHA256 signed webhooks with auto-disable after 5 consecutive failures.
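The signed-webhook receiver for the alerts described above, as an added example that is not middleBrick's own code. It verifies an HMAC-SHA256 over the raw request body in constant time before the body is parsed, and models the sender-side "auto-disable after 5 consecutive failures" rule so the receiver's operators can see why a silently failing endpoint stops getting deliveries. The signature header name (`X-Signature`), its hex encoding, and the signing input (the raw body alone) are assumptions for the example; check the real webhook documentation for the actual scheme.

```python
"""Receiver-side verification of an HMAC-SHA256 signed webhook
(added example, not middleBrick's own code).

ASSUMPTIONS: signature = hex(HMAC-SHA256(secret, raw_body)) sent in an
X-Signature header. Header name and encoding are placeholders."""
import hashlib
import hmac
import json


def sign_body(secret: bytes, body: bytes) -> str:
    """Sender-side reference computation, used here to build test vectors."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict):
    """Return (ok, reason). Verify the raw bytes first and only then parse,
    so an unauthenticated payload never reaches the JSON parser."""
    presented = next((v for k, v in headers.items() if k.lower() == "x-signature"), None)
    if not presented:
        return False, "missing signature header"
    expected = sign_body(secret, body).encode("ascii")
    # compare_digest on bytes: constant time, and False on length mismatch.
    if not hmac.compare_digest(expected, presented.strip().lower().encode("utf-8")):
        return False, "signature mismatch"
    try:
        json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    return True, "ok"


class DeliveryTracker:
    """Models the sender policy stated on the page: a webhook is disabled
    after N consecutive failed deliveries; any success resets the counter."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.consecutive_failures = 0
        self.enabled = True

    def record(self, delivered: bool):
        if delivered:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.max_failures:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    # Constructed secret and alert body; real values come from the dashboard.
    secret = b"constructed-webhook-secret"
    body = b'{"api": "https://api.example.test", "score": 82, "new_findings": 1}'
    good = {"X-Signature": sign_body(secret, body)}
    print(verify_webhook(secret, body, good))                 # (True, 'ok')
    print(verify_webhook(secret, body + b" ", good))          # tampered body
    tracker = DeliveryTracker()
    for _ in range(5):
        tracker.record(False)
    print("webhook still enabled:", tracker.enabled)         # False
```

Returning a non-2xx status on any verification failure is what feeds the sender's failure counter; a receiver that answers 200 to everything hides tampering and never trips the auto-disable.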

For compliance reporting, leverage the dashboard to download branded PDFs that reference mappings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Understand that middleBrick is a scanning tool and not an auditor, so it cannot certify findings or guarantee any compliance status.

Frequently Asked Questions

Can I directly transfer scan findings from APIsec to middleBrick?

You can export findings and map them to middleBrick categories, but an exact transfer is not possible due to different detection methods. Use the exported data to establish a baseline and rerun scans in middleBrick for comparable coverage.

Will my CI pipelines break during migration?

Yes, pipelines will break until they are updated to use the middleBrick CLI, dashboard gates, or GitHub Action. Plan for a controlled rollout and update threshold rules to match your risk appetite.

Does middleBrick support authenticated scans for migration users?

Yes, authenticated scanning is supported with Bearer, API key, Basic auth, and Cookie methods, provided domain verification is completed to ensure credential ownership.

Can the tool prove compliance with regulations?

The tool surfaces findings relevant to audit evidence and maps them to frameworks such as PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It does not certify compliance or guarantee adherence to any regulatory framework.