Traceable review

What middleBrick covers

  • Black-box API scanning that typically completes in under a minute
  • 12 OWASP-aligned categories with prioritized findings
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
  • Authenticated scanning with strict header allowlist
  • CI/CD integration via GitHub Action and MCP Server
  • Continuous monitoring with diff detection and webhook alerts

Overview and scan methodology

The tool is a self-service API security scanner: it takes a target URL and returns a risk score graded A through F together with prioritized findings. It operates as a black-box scanner, requiring no agents, code access, or SDK integration, so the target's language, framework, and hosting provider do not matter. By default it uses only read-only methods such as GET and HEAD; POST requests with text-only bodies are allowed for the LLM probes. Scans typically complete in under a minute.

Detection coverage and compliance mapping

The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023):

  • Authentication bypass
  • JWT misconfigurations, such as alg=none or expired tokens
  • BOLA and IDOR, via sequential ID enumeration
  • BFLA and privilege escalation attempts
  • Property over-exposure
  • Input validation issues, such as CORS wildcard usage
  • Rate limiting and resource consumption signals
  • Data exposure, including PII patterns and API key formats
  • Encryption and cookie settings
  • SSRF probes on URL-accepting parameters
  • Inventory management concerns
  • LLM/AI security probes

Findings map to the OWASP API Top 10 (2023) and can serve as compliance evidence for PCI-DSS 4.0 and SOC 2 Type II.
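As an added example (not middleBrick's own code), here is the passive side of the JWT category listed above: decode a token's header and payload without verifying the signature and flag alg=none, an empty signature segment, a missing or non-numeric exp, or an exp in the past. The token builders, the demo secret and the fixed clock are constructed for the demonstration; the scanner's actual probes and finding names are not given on the page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _compact_json(obj: Dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def inspect_jwt(token: str, now: Optional[int] = None) -> List[str]:
    """Passive JWT checks that need no key: return finding tags for the token.

    The signature is deliberately not verified; this inspects what a server
    would be accepting if it honoured the header exactly as presented."""
    now = int(time.time()) if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ["malformed"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return ["malformed"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed"]

    findings: List[str] = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg_none")          # unsigned token: any claims pass if honoured
    if parts[2] == "":
        findings.append("empty_signature")
    exp = payload.get("exp")
    if exp is None:
        findings.append("no_expiry")         # token never expires
    elif isinstance(exp, bool) or not isinstance(exp, (int, float)):
        findings.append("bad_exp")           # exp must be a NumericDate
    elif exp < now:
        findings.append("expired")
    return findings


def make_unsigned_token(payload: Dict) -> str:
    """Construct the alg=none token an alg-confusion probe presents:
    header, payload, and an empty signature segment (constructed sample)."""
    header = _b64url_encode(_compact_json({"alg": "none", "typ": "JWT"}))
    return f"{header}.{_b64url_encode(_compact_json(payload))}."


def make_hs256_token(payload: Dict, secret: bytes) -> str:
    """Construct a properly signed HS256 token for comparison (constructed sample)."""
    header = _b64url_encode(_compact_json({"alg": "HS256", "typ": "JWT"}))
    body = _b64url_encode(_compact_json(payload))
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the results are reproducible
    print(inspect_jwt(make_unsigned_token({"sub": "42", "exp": NOW - 60}), now=NOW))
    print(inspect_jwt(make_hs256_token({"sub": "42", "exp": NOW + 3600}, b"demo-secret"), now=NOW))
```

The inspection deliberately stops short of the active half of the probe (presenting the unsigned token to the target and watching whether it is honoured); that is the scanner's job and stays within its read-only request budget.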

OpenAPI analysis and authenticated scanning

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, and cross-references the spec against runtime results to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning, available from the Starter tier upward, supports Bearer, API key, Basic auth, and Cookie credentials. It requires domain verification through a DNS TXT record or an HTTP well-known file, so that only the domain owner can run credentialed scans against a host. A strict header allowlist is enforced: only Authorization, X-API-Key, Cookie, and headers with the X-Custom- prefix are accepted.
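The header allowlist above, as an added example rather than middleBrick's implementation: match header names case-insensitively against the four admitted patterns, treat X-Custom-* as a prefix wildcard, and reject anything else (Host, X-Forwarded-For and similar request-shaping headers included). The CR/LF rejection is an addition the page does not describe; it stops a supplied value from splicing an extra header line into the outgoing request.

```python
import fnmatch
from typing import Dict, List, Tuple

# Header names admitted for authenticated scans, per the review. Matched
# case-insensitively; the trailing * admits any X-Custom- prefixed header.
ALLOWED_HEADER_PATTERNS = ("authorization", "x-api-key", "cookie", "x-custom-*")


def filter_scan_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split caller-supplied headers into the ones the allowlist admits and the
    names it rejects. Names or values carrying CR or LF are rejected outright
    (header injection guard, an addition not described on the page)."""
    allowed: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in headers.items():
        if any(c in name or c in value for c in ("\r", "\n")):
            rejected.append(name)
            continue
        lowered = name.strip().lower()
        if any(fnmatch.fnmatchcase(lowered, pattern) for pattern in ALLOWED_HEADER_PATTERNS):
            allowed[name] = value            # original casing is preserved on the wire
        else:
            rejected.append(name)            # e.g. Host, X-Forwarded-For, Origin
    return allowed, rejected


if __name__ == "__main__":
    # Constructed input: two credentials, one tenant hint, one header that must not pass.
    ok, dropped = filter_scan_headers({
        "Authorization": "Bearer eyJ...",
        "X-Custom-Tenant": "acme",
        "Host": "attacker.example",
        "X-Api-Key": "k1",
    })
    print(ok, dropped)
```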

Product features, monitoring, and pricing

The Web Dashboard provides scan management, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as the middlebrick npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available for CI/CD gating and fails the build when the score drops below a chosen threshold. The MCP Server enables scanning from AI coding assistants, and an API client supports custom integrations.

Continuous monitoring, available in the Pro tier, includes scheduled rescans (every 6 hours, daily, weekly, or monthly), diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive delivery failures.

Pricing tiers range from Free (3 scans per month and CLI access), to Starter (15 APIs, monthly scans, and the dashboard), to Pro (100 APIs, continuous monitoring, GitHub Action gates, and Slack/Teams alerts), to Enterprise (unlimited APIs, custom rules, SSO, audit logs, and dedicated support).
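Both sides of the webhook behaviour described above, as an added example that is not middleBrick's code: the receiver recomputes HMAC-SHA256 over the exact raw body it received and compares in constant time, and the sender tracks consecutive failures and disables the endpoint at the fifth. The header name (X-Signature), the sha256= prefix, the hex encoding, and signing the raw body alone are assumptions; the page says only that webhooks are HMAC-SHA256 signed. The secret and body are constructed.

```python
import hashlib
import hmac
from typing import Dict


def sign_webhook_body(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body (assumed signing scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, signature_header: str) -> bool:
    """Receiver-side check. Verify over the bytes exactly as received, never
    over a re-serialised JSON object, and compare in constant time."""
    presented = signature_header.strip().lower()
    if presented.startswith("sha256="):
        presented = presented[len("sha256="):]
    expected = sign_webhook_body(secret, raw_body)
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


class WebhookTarget:
    """Sender-side delivery state: auto-disable after 5 consecutive failures,
    and reset the counter on any successful delivery."""
    MAX_CONSECUTIVE_FAILURES = 5

    def __init__(self, url: str, secret: bytes) -> None:
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def prepare_headers(self, body: bytes) -> Dict[str, str]:
        """Headers to send with `body` (header name is an assumption)."""
        return {"X-Signature": "sha256=" + sign_webhook_body(self.secret, body)}

    def record_result(self, delivered: bool) -> bool:
        """Record one delivery attempt; return whether the target is still enabled."""
        if not self.enabled:
            return False
        if delivered:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    SECRET = b"constructed-webhook-secret"
    BODY = b'{"api":"https://api.example.com","score":"C","new_findings":2}'  # constructed payload
    target = WebhookTarget("https://hooks.example.com/middlebrick", SECRET)
    headers = target.prepare_headers(BODY)
    print(verify_webhook(SECRET, BODY, headers["X-Signature"]))
    print(verify_webhook(SECRET, BODY.replace(b'"C"', b'"A"'), headers["X-Signature"]))
```

Verify before parsing the JSON, and parse only after the signature checks out; a receiver that deserialises first and signs the re-encoded object will reject legitimate deliveries whenever key order or whitespace differs.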

Limitations and safety posture

The tool does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection testing, which falls outside its non-intrusive scope, and it does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure; it is not a replacement for human pentesters on high-stakes audits. Safety measures include using read-only methods only, refusing destructive payloads, and filtering private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer scan data can be deleted on demand, is purged within 30 days of cancellation, and is never sold or used for model training.
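The target filter the safety posture above describes, as an added example (not middleBrick's code): reject loopback, private, link-local, multicast, reserved and unspecified addresses plus the well-known cloud metadata addresses, unwrap IPv4-mapped IPv6 so ::ffff:10.0.0.1 cannot slip past IPv4 rules, and require every address a hostname resolves to to pass. The resolver is a constructed in-memory table so the block runs offline; the blocked-hostname set and the "every address must pass" rule are this example's choices, not something the page specifies.

```python
import ipaddress
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Hostnames that must never be scanned, whatever they resolve to.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}

# Cloud metadata endpoints. 169.254.169.254 (AWS, Azure, GCP, OpenStack) is
# link-local and would be caught anyway; 100.100.100.200 (Alibaba Cloud) sits
# in shared address space 100.64.0.0/10, which ipaddress does not treat as
# private; fd00:ec2::254 is the AWS IMDS IPv6 endpoint.
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("100.100.100.200"),
    ipaddress.ip_address("fd00:ec2::254"),
}


def is_blocked_address(address: str) -> bool:
    """True for any address a black-box scanner must not contact."""
    ip = ipaddress.ip_address(address)
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to the embedded address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip in METADATA_ADDRESSES:
        return True
    return (
        not ip.is_global
        or ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def check_scan_target(url: str, resolve: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Decide whether a scan target may be contacted. `resolve` returns every
    address for a hostname; all of them must pass, because a name that maps to
    one public and one internal address is how a scanner gets pointed inward."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"blocked hostname: {host}"
    try:
        ipaddress.ip_address(host)
        addresses = [host]                  # literal IP in the URL, nothing to resolve
    except ValueError:
        try:
            addresses = resolve(host)
        except LookupError:
            return False, f"unresolvable host: {host}"
    for address in addresses:
        if is_blocked_address(address):
            return False, f"{host} resolves to blocked address {address}"
    return True, "ok"


# Constructed DNS table standing in for a real resolver.
CONSTRUCTED_DNS = {
    "api.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.12"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],
}


def constructed_resolve(host: str) -> List[str]:
    if host not in CONSTRUCTED_DNS:
        raise LookupError(host)
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for url in ("https://api.example.com/v1", "http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:10.0.0.1]/", "http://rebind.example.com/"):
        print(url, check_scan_target(url, constructed_resolve))
```

A pre-flight check like this is only one layer: the scanner's HTTP client must apply the same test to the address it actually connects to (and to every redirect hop), or a name that changes its answer between lookup and connect walks straight past it.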

Frequently Asked Questions

What standards does the scanner map findings to?
The scanner maps findings directly to OWASP API Top 10 (2023), and supports compliance evidence for PCI-DSS 4.0 and SOC 2 Type II.
Can I authenticate my scans, and what credentials are supported?
Yes, authenticated scanning is available from Starter tier onward, supporting Bearer, API key, Basic auth, and Cookie credentials, with domain verification required.
Does the tool perform intrusive testing such as SQL injection?
No, the scanner does not perform active SQL injection or command injection testing. It relies on read-only methods and avoids intrusive payloads.
How are continuous monitoring and alerts configured?
Pro tier enables scheduled rescans, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that disable after 5 consecutive failures.