Migrating from APIsec to Traceable
What middleBrick covers
- Black-box scanning with no agents or SDK integration
- URL-based submission and under-one-minute scan time
- 12 OWASP API Top 10 categories including LLM security probes
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with header allowlist and domain verification
- Dashboard, CLI, GitHub Action, and MCP Server integrations
Overview of migration goals
This guide outlines the practical steps to move from APIsec to middleBrick when you are coordinating a team effort. The focus is on scan data, CI wiring, and ongoing operations rather than feature parity, because the tools approach security differently. You should expect to reconfigure workflows, not simply transfer reports.
Data export and scan history
APIsec does not expose a bulk export for historical scan records through its UI, so you must plan for manual or scripted extraction before migration. Export findings as JSON or CSV per project, noting severity, endpoint, and parameter details. In middleBrick, scans are managed through the dashboard or the CLI; there is no direct import of prior findings, so use the exported data to create a baseline document. Keep a mapping of old scan IDs to new scan URLs so that stakeholders can reference prior results when reviewing score trends.
Rebuilding CI/CD wiring
In APIsec, CI gates are typically implemented with curl calls to a REST API and custom scripts that interpret exit codes. In middleBrick, the equivalent for most pipelines is the GitHub Action, which fails the build when the score drops below a configured threshold. Replace APIsec scripts with the middleBrick CLI in your pipeline: middlebrick scan <url> --format json. Ensure your pipeline passes the correct authentication tokens and that domain verification has been completed for any credentials, which requires a DNS TXT record or an HTTP well-known file at the domain root.
Authentication and scan coverage
Authenticated scans in middleBrick support Bearer, API key, Basic auth, and Cookie credentials. When migrating credentialed checks, confirm that the domains are owner-verified via the domain verification gate; only then can scans validate authorization logic with provided credentials. Note that middleBrick enforces a strict header allowlist, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers. If your APIsec tests rely on additional headers, replicate them at the gateway or adjust expectations accordingly.
Operational continuity and monitoring
After migration, decide which tier aligns with your API inventory. The free tier supports CLI usage with limited scans, while Starter adds dashboard reporting and email alerts. Pro tier provides continuous monitoring with scheduled rescans, diff detection across scans, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. If you had custom alerting rules in APIsec, recreate them using middleBrick’s alerting options and rate limits, which cap email notifications at 1 per hour per API.
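The webhook receiver on your side has to verify the HMAC-SHA256 signature before acting on a delivery, and must answer valid deliveries successfully so that its own errors do not push the webhook toward auto-disable. The following is an added example, not middleBrick's code; it assumes a signature header named X-Signature-256 carrying "sha256=<hex HMAC of the raw body>" and a per-webhook secret, none of which this page documents.

```python
"""Verify an HMAC-SHA256 signed webhook before acting on its payload.

Assumed (not documented on this page): the signature travels in an
X-Signature-256 header as "sha256=<hex HMAC of the raw request body>",
keyed with the per-webhook secret issued when the webhook is created.
"""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Signature-256"  # assumed header name


def sign_body(secret: bytes, body: bytes) -> str:
    """Signature value the sender is assumed to attach to each delivery."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """True only if the header's HMAC matches the raw body.

    Sign the raw bytes, never re-serialised JSON (key order and whitespace
    would change the digest), and compare in constant time."""
    provided = next((v for k, v in headers.items()
                     if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not provided or not provided.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body).encode(), provided.encode())


def handle_webhook(secret: bytes, headers: dict, body: bytes) -> dict:
    """Decide the HTTP status a receiver should return.

    A valid delivery gets 200 so the receiver's own bugs do not count toward
    the 5-failure auto-disable (assumed: non-2xx counts as a failure);
    a bad signature gets 401 and the payload is never parsed."""
    if not verify_webhook(secret, headers, body):
        return {"status": 401, "payload": None}
    return {"status": 200, "payload": json.loads(body)}


# Constructed sample delivery: a scan-completed event and its signature.
SECRET = b"example-webhook-secret"  # placeholder for the real per-webhook secret
SAMPLE_BODY = json.dumps({"event": "scan.completed", "score": 72}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_body(SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_webhook(SECRET, SAMPLE_HEADERS, SAMPLE_BODY)["status"])  # 200
    tampered = SAMPLE_BODY.replace(b"72", b"99")
    print(handle_webhook(SECRET, SAMPLE_HEADERS, tampered)["status"])  # 401
```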
Known gaps and remediation guidance
middleBrick is a scanner that detects and reports findings with remediation guidance; it does not fix, patch, block, or remediate. Unlike APIsec, it does not perform active SQL injection or command injection tests, nor does it detect blind SSRF via out-of-band channels. Business logic vulnerabilities are also outside automated detection scope. Use the output to prioritize manual review and to map findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023); for other frameworks such as HIPAA or GDPR, the output is alignment guidance that helps you prepare where applicable, not a compliance mapping.