Probely review
What middleBrick covers
- Black-box scanning with no agents or SDK integration
- Risk grading A–F with prioritized findings
- 12 detection categories mapped to the OWASP API Security Top 10 (2023)
- OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with strict header allowlist
- CI/CD integration via GitHub Action and MCP Server
Overview and scanning approach
This tool is a self-service API security scanner: give it a target URL and it returns a risk grade from A to F with prioritized findings. Scanning is black-box only, so it needs no agents, code access, or SDK integration, and it works against any language, framework, or cloud environment without runtime instrumentation. Requests use read-only methods (GET and HEAD); the one exception is text-only POST bodies for the LLM probes, which do reach the target's model endpoint and will show up in its request logs. A scan completes in under one minute.
Detection coverage and API analysis
The scanner evaluates 12 categories aligned to the OWASP API Security Top 10 (2023): authentication bypasses; JWT handling, including acceptance of alg=none and of expired tokens; BOLA/IDOR, probed by sequential ID enumeration; BFLA and privilege escalation; sensitive data exposure, covering PII patterns, API key formats, and error leakage; input validation; rate limiting; encryption; SSRF; inventory management; unsafe consumption; and LLM/AI security through multi-tier adversarial probes. The BOLA and BFLA checks are strongest with authenticated scanning, since escalation needs an identity to start from.
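The JWT checks above reduce to two questions a black-box scanner can ask with a single valid token: does the endpoint accept the same token re-encoded with alg=none and no signature, and does it accept one whose exp is in the past? The Python below is an added illustration, not middleBrick's code: it builds both probe tokens and runs them against a deliberately weak verifier and a hardened one. The HS256 helpers, both verifiers, the claims and the secret are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional

# Minimal HS256 JWT helpers on the standard library so the example runs offline.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _encode_part(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, secret: bytes) -> str:
    header, body = _encode_part({"alg": "HS256", "typ": "JWT"}), _encode_part(claims)
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def _parse(token: str):
    h, b, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(b)), h, b, s

def _mac_matches(h: str, b: str, s: str, secret: bytes) -> bool:
    expected = _b64url(hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest())
    return hmac.compare_digest(expected, s)

# Deliberately weak verifier: trusts the token's own alg header and never looks at exp.
def verify_weak(token: str, secret: bytes, now: int) -> Optional[dict]:
    header, claims, h, b, s = _parse(token)
    if header.get("alg") == "none":      # "unsigned" tokens are accepted as-is
        return claims
    return claims if _mac_matches(h, b, s, secret) else None

# Hardened verifier: pins the algorithm server-side and enforces exp.
def verify_strict(token: str, secret: bytes, now: int) -> Optional[dict]:
    header, claims, h, b, s = _parse(token)
    if header.get("alg") != "HS256" or not _mac_matches(h, b, s, secret):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

# Scanner side: everything below is derived from a single token the scanner was given.
def forge_alg_none(token: str, **overrides) -> str:
    """Strip the signature, set alg=none and optionally tamper with claims."""
    _, claims, _, _, _ = _parse(token)
    claims.update(overrides)
    return f'{_encode_part({"alg": "none", "typ": "JWT"})}.{_encode_part(claims)}.'

def probe(verifier: Callable[[str, bytes, int], Optional[dict]], secret: bytes, now: int) -> dict:
    """Report which JWT weaknesses a verifier exhibits. The secret is passed only because
    the target is simulated in-process; a black-box scanner never sees it."""
    valid = sign_hs256({"sub": "user-1", "exp": now + 3600}, secret)
    expired = sign_hs256({"sub": "user-1", "exp": now - 3600}, secret)
    forged = verifier(forge_alg_none(valid, sub="admin"), secret, now)
    return {
        "accepts_valid": verifier(valid, secret, now) is not None,
        "accepts_alg_none": forged is not None and forged.get("sub") == "admin",
        "accepts_expired": verifier(expired, secret, now) is not None,
    }
```

The weak verifier reports both weaknesses because it lets the token choose the algorithm and never reads exp; the strict one pins HS256 before checking the MAC, which is the fix for the alg=none family, and treats a missing exp as invalid rather than as "never expires".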
OpenAPI analysis covers OpenAPI 3.0, 3.1, and Swagger 2.0, resolving $ref chains recursively. The scanner cross-references the spec against runtime behavior to surface missing or undefined security schemes, sensitive fields, deprecated operations, and list endpoints without pagination. Findings are mapped to PCI DSS 4.0 requirements, SOC 2 Type II criteria, and the OWASP API Top 10; that is supporting evidence for an assessment, not an attestation.
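Added example (not part of the page or of middleBrick) of the static half of that OpenAPI analysis: a resolver that inlines local $refs and cuts recursive ones, followed by checks for missing or undefined security schemes, deprecated operations, sensitive response fields and list endpoints without pagination parameters. The spec, the sensitive-name pattern and the pagination parameter names are constructed for the example; the runtime cross-reference the page describes would add a live request per operation and is not reproduced.

```python
import re
from typing import Any, Dict, Iterator, List, Tuple

# Constructed OpenAPI 3.0 document exercising the cases the analyzer looks for: a recursive
# $ref, a security requirement naming a scheme that is never defined, an operation with no
# security at all, a deprecated operation, an unpaginated list endpoint and a sensitive field.
SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "ssn": {"type": "string"},
                "manager": {"$ref": "#/components/schemas/User"},     # recursive
            }},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {"operationId": "listUsers", "security": [{"bearer": []}],
                           "responses": {"200": {"content": {"application/json": {
                               "schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/users/{id}": {
            "get": {"operationId": "getUser", "security": [{"apiKey": []}],      # undefined scheme
                    "responses": {"200": {"content": {"application/json": {
                        "schema": {"$ref": "#/components/schemas/User"}}}}}},
            "delete": {"operationId": "deleteUser", "deprecated": True,
                       "security": [{"bearer": []}], "responses": {"204": {}}},
        },
        "/health": {"get": {"operationId": "health", "responses": {"200": {}}}},  # no security
    },
}

def _pointer(spec: Dict[str, Any], ref: str) -> Any:
    """Follow a local JSON pointer such as #/components/schemas/User."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are handled here: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node

def resolve(node: Any, spec: Dict[str, Any], stack: Tuple[str, ...] = ()) -> Any:
    """Inline $refs recursively. A ref already on the current path is a cycle: it is
    replaced by a marker instead of being expanded again, so recursive schemas terminate."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in stack:
                return {"x-recursive-ref": ref}
            return resolve(_pointer(spec, ref), spec, stack + (ref,))
        return {k: resolve(v, spec, stack) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, spec, stack) for v in node]
    return node

SENSITIVE = re.compile(r"ssn|password|secret|token|card|cvv|iban", re.I)   # constructed list
PAGINATION = {"page", "limit", "offset", "cursor", "per_page", "page_size"}  # constructed list

def _properties(schema: Any, prefix: str = "") -> Iterator[str]:
    """Yield dotted property paths of a resolved schema (cycles were already cut)."""
    if not isinstance(schema, dict):
        return
    for name, sub in schema.get("properties", {}).items():
        yield prefix + name
        yield from _properties(sub, prefix + name + ".")
    if "items" in schema:
        yield from _properties(schema["items"], prefix + "[].")

def analyze(spec: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Static checks over the spec, returned as (operation, finding) pairs."""
    findings = []
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            loc = f"{method.upper()} {path}"
            security = op.get("security", spec.get("security"))
            if not security:                         # absent, or explicitly [] (public)
                findings.append((loc, "no security requirement"))
            for requirement in security or []:
                for name in requirement:
                    if name not in defined:
                        findings.append((loc, f"undefined security scheme '{name}'"))
            if op.get("deprecated"):
                findings.append((loc, "deprecated operation"))
            resolved = resolve(op, spec)
            schema = (resolved.get("responses", {}).get("200", {}).get("content", {})
                      .get("application/json", {}).get("schema"))
            if not schema:
                continue
            for prop in _properties(schema):
                if SENSITIVE.search(prop.rsplit(".", 1)[-1]):
                    findings.append((loc, f"sensitive field '{prop}' in response"))
            params = {p.get("name") for p in resolved.get("parameters", [])}
            if method == "get" and schema.get("type") == "array" and not params & PAGINATION:
                findings.append((loc, "list endpoint without pagination parameters"))
    return findings
```

The cycle guard is the part that matters for real specs: User refers to itself through manager, and a naive resolver recurses forever. Tracking the refs on the current path (not all refs ever seen) keeps legitimate reuse of the same schema in two branches intact while still terminating.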
Authenticated scanning and scope controls
Authenticated scanning is available from the Starter tier onward and accepts Bearer tokens, API keys, Basic auth, and cookies. Before credentials can be used, domain ownership must be verified with a DNS TXT record or an HTTP well-known file, so only the domain owner can run credentialed scans. Forwarded headers are restricted to a strict allowlist of Authorization, X-API-Key, Cookie, and X-Custom-*; anything else is not forwarded to the target.
Scan safety rests on the read-only request policy (the text-only POSTs of the LLM probes being the one exception) and on never sending destructive payloads. Private IP ranges, localhost, and cloud metadata endpoints are blocked at multiple layers, so the scanner cannot be pointed at internal infrastructure. Customer data can be deleted on demand, is purged within 30 days of cancellation, and is never sold or used for model training.
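Added example (not middleBrick's code) of the two scope controls just described: the header allowlist filter, and a target check that refuses private ranges, localhost and cloud metadata endpoints both as hostnames and as resolved addresses, which is what "blocked at multiple layers" has to mean for a scanner that accepts arbitrary URLs. The blocked hostname list, the injected resolver and the sample DNS table are assumptions made for the example.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Tuple
from urllib.parse import urlsplit

# The allowlist named on the page; compared case-insensitively, X-Custom-* as a prefix.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIX = "x-custom-"

def filter_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep only the credential headers that may be forwarded to the target."""
    return {name: value for name, value in headers.items()
            if name.lower() in ALLOWED_HEADERS or name.lower().startswith(ALLOWED_PREFIX)}

# Layer 1: hostnames refused outright, before any DNS lookup (constructed list).
BLOCKED_HOSTS = {"localhost", "metadata.google.internal", "metadata", "instance-data"}
# Layer 2: ranges refused whether they appear as a literal or come back from DNS. The
# ipaddress flags cover RFC 1918, loopback, link-local and reserved space; the explicit
# networks add what those flags miss on older Python versions.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",     # link-local: AWS, Azure and GCP metadata live at 169.254.169.254
    "100.64.0.0/10",      # CGNAT: Alibaba Cloud metadata at 100.100.100.200
    "fd00:ec2::254/128",  # AWS IMDS over IPv6
)]

def _is_blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # ::ffff:169.254.169.254 is still the metadata endpoint
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved
            or ip.is_unspecified or ip.is_multicast or any(ip in net for net in BLOCKED_NETS))

def check_target(url: str, resolver: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Return (allowed, reason). `resolver` maps a hostname to its addresses so the check
    runs offline here; the scanner must then connect to the very addresses it checked,
    otherwise a rebinding DNS name passes the check and resolves elsewhere on connect."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").rstrip(".").lower()   # hostname drops userinfo and brackets
    if not host:
        return False, "no host in URL"
    if host in BLOCKED_HOSTS or host.endswith(".localhost"):
        return False, f"blocked hostname {host}"
    try:
        return (False, f"blocked address literal {host}") if _is_blocked(host) else (True, "ok")
    except ValueError:
        pass                         # not an IP literal: fall through to resolution
    addrs = list(resolver(host))     # a decimal form like 2130706433 lands here too
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        if _is_blocked(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"
```

Two details carry most of the weight. Checking every resolved address, not just the first, is what stops a name that returns one public and one metadata address; and the literal check unwraps IPv4-mapped IPv6 so `[::ffff:127.0.0.1]` is not treated as a fresh, unclassified address.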
Product features and integrations
The Web Dashboard provides scan management, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available for CI/CD gating, failing the build when the score drops below a defined threshold.
An MCP Server lets AI coding assistants such as Claude and Cursor trigger scans, and a programmable API supports custom integrations. Continuous monitoring in the Pro tier adds scheduled rescans (every 6 hours, daily, weekly, or monthly), diff detection between scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that are automatically disabled after 5 consecutive delivery failures.
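Added example, not from the page or the product, of both ends of that webhook contract: a receiver that verifies the HMAC-SHA256 signature over the raw body before parsing it, and a sender that applies the five-consecutive-failures disable policy. The header names (X-Signature, X-Timestamp), the sha256= prefix and the timestamp-plus-body signed string are assumptions for the example; take the real format from the product's webhook documentation.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, Tuple

# Header names and signed-string layout are assumptions for this example, not the product's.
SIG_HEADER = "X-Signature"
TS_HEADER = "X-Timestamp"
MAX_SKEW = 300   # seconds a delivery may be old before the receiver rejects it

def _mac(secret: bytes, ts: str, body: bytes) -> str:
    # Binding the timestamp into the MAC means a captured delivery cannot be replayed later.
    return hmac.new(secret, ts.encode() + b"." + body, hashlib.sha256).hexdigest()

def sign(body: bytes, secret: bytes, now: int) -> Dict[str, str]:
    """Sender side: headers for one delivery of the raw body."""
    return {TS_HEADER: str(now), SIG_HEADER: "sha256=" + _mac(secret, str(now), body)}

def verify(body: bytes, headers: Dict[str, str], secret: bytes, now: int) -> Tuple[bool, str]:
    """Receiver side: check the raw bytes before any JSON parsing, constant-time compare."""
    sig, ts = headers.get(SIG_HEADER, ""), headers.get(TS_HEADER, "")
    if not sig.startswith("sha256=") or not ts.isdigit():
        return False, "missing or malformed signature headers"
    if abs(now - int(ts)) > MAX_SKEW:
        return False, "timestamp outside tolerance"
    if not hmac.compare_digest(_mac(secret, ts, body), sig[len("sha256="):]):
        return False, "signature mismatch"
    return True, "ok"

class WebhookEndpoint:
    """Sender-side delivery policy from the page: a subscription is disabled after
    `max_failures` consecutive non-2xx responses; a success resets the counter."""
    def __init__(self, secret: bytes, max_failures: int = 5):
        self.secret, self.max_failures = secret, max_failures
        self.failures, self.enabled = 0, True

    def deliver(self, event: dict, send: Callable[[bytes, Dict[str, str]], int], now: int) -> bool:
        if not self.enabled:
            return False
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
        status = send(body, sign(body, self.secret, now))     # send returns the HTTP status
        if 200 <= status < 300:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.enabled = False
        return False

def make_receiver(secret: bytes, now: int, tamper: bool = False) -> Callable[[bytes, Dict[str, str]], int]:
    """Constructed receiver for the demo: verifies and answers 200 or 401. With tamper=True
    it simulates a body altered in transit, which must fail verification."""
    def receive(body: bytes, headers: Dict[str, str]) -> int:
        if tamper:
            body = body.replace(b'"grade":"B"', b'"grade":"A"')
        ok, _ = verify(body, headers, secret, now)
        return 200 if ok else 401
    return receive
```

On the receiving side the practical rule is: verify the exact bytes you were sent, not a re-serialized copy, answer 2xx quickly and do the work asynchronously, and log verification failures, since five in a row will silently stop deliveries until someone re-enables the endpoint.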
Tiers, compliance framing, and limitations
Pricing tiers: Free with 3 scans per month and CLI access; Starter at $99 per month for 15 APIs; Pro at $499 per month for 100 APIs with continuous monitoring and CI/CD integration; Enterprise at $2000 per month for unlimited APIs with SSO and audit logs. Tiers scale by API count and monitoring capability.
middleBrick maps findings to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023). Other frameworks get no dedicated mapping; the reports can still be filed as supporting audit evidence, but relating findings to those frameworks' controls is left to the reviewer.
What the tool does not do
The scanner does not fix, patch, block, or remediate anything; it detects, reports, and attaches remediation guidance. It does no active SQL injection or command injection testing, does not detect business logic vulnerabilities, and cannot detect blind SSRF, which needs out-of-band infrastructure to observe the callback. It is not a substitute for a human pentester on high-risk assessments.