FAQ
General
Is it safe to scan my API?
Yes. middleBrick is a read-only, non-destructive scanner. It sends targeted HTTP requests to analyze responses. It never modifies data, creates resources, or sends destructive payloads. The scan is equivalent to what any unauthenticated user could already do with curl.
For AI/LLM endpoints, active probes send adversarial text prompts (not malware or exploit code) to test resilience. If you’re concerned about probe traffic on production, scan your staging endpoint first.
How long does a scan take?
Most scans complete in under a minute. Complex endpoints with OpenAPI specs or LLM probing may take slightly longer. The dashboard, CLI, and API all show real-time progress.
Does middleBrick store my data?
Scan results and response metadata are stored in tenant-isolated storage on Cloudflare’s edge network. Each customer’s data is logically separated per account.
We store:
- Your scan results (score, findings, categories)
- Response metadata (headers, status codes, response structure)
- Timestamps and scan configuration
- The target URL you submitted
We do not store:
- Full response bodies beyond what’s needed for analysis
- Your API credentials (we don’t need them)
- Source code or infrastructure details
Your data, your control:
- You can delete individual scan results at any time from the dashboard or API
- All data is deleted within 30 days of account cancellation
- We do not use your scan data to train models or share it with third parties
Data is retained for the duration of your account. See our Privacy Policy for details.
What APIs can I scan?
Any REST/JSON API accessible over HTTPS from the public internet. The endpoint must:
- Be reachable from Cloudflare’s network
- Return a valid HTTP response
- Use HTTPS (HTTP-only endpoints can be scanned but will receive encryption findings)
Currently supported: REST APIs (JSON), GraphQL endpoints, and AI/LLM APIs (OpenAI, Anthropic, and generic formats). On the roadmap: gRPC and WebSocket APIs.
Can I scan internal or private APIs?
Not yet. middleBrick currently requires a publicly accessible endpoint. The scanner runs on Cloudflare’s edge, not inside your network.
Workarounds:
- Scan your staging or preview environment (if publicly accessible)
- Use a temporary tunnel (e.g., Cloudflare Tunnel) to expose the endpoint during scanning
Private network scanning with an agent is planned for a future release.
Scanning
Do I need an OpenAPI spec?
No. middleBrick works without a spec by analyzing the live endpoint. However, providing an OpenAPI or Swagger spec enables significantly deeper analysis:
- Checks that security schemes in the spec are actually enforced
- Identifies mass assignment risks from writable sensitive fields
- Flags deprecated operations still active
- Detects mismatches between documented and actual behavior
Many teams see 2–5 additional findings when they provide their spec. We support OpenAPI 3.0, 3.1, and Swagger 2.0.
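As an added illustration of the spec-driven checks listed above (this is not middleBrick’s own code), the following runs over a constructed OpenAPI 3 spec and constructed status codes from unauthenticated probes, so it works offline; the list of “sensitive” field names is an assumption.

```python
# Constructed sample OpenAPI 3 spec: globally secured, with one explicitly public
# path, one deprecated operation and one request body that accepts "role".
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],  # global requirement, inherited by every operation
    "paths": {
        "/users/{id}": {
            "get": {"summary": "Fetch a user"},
            "patch": {"requestBody": {"content": {"application/json": {"schema": {
                "type": "object",
                "properties": {"email": {"type": "string"}, "role": {"type": "string"}},
            }}}}},
        },
        "/health": {"get": {"security": []}},          # empty list = explicitly public
        "/v1/export": {"get": {"deprecated": True}},
    },
}
# Constructed status codes seen by unauthenticated probes, keyed by (METHOD, path).
OBSERVED = {("GET", "/users/{id}"): 200, ("PATCH", "/users/{id}"): 401,
            ("GET", "/health"): 200, ("GET", "/v1/export"): 200}
SENSITIVE_FIELDS = {"role", "is_admin", "isadmin", "admin", "balance", "owner_id"}  # assumed list
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}

def operations(spec):
    """Yield (METHOD, path, operation) for every operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield method.upper(), path, op

def requires_auth(spec, op):
    """Operation-level 'security' overrides the global list; [] means public."""
    return bool(op.get("security", spec.get("security", [])))

def unenforced_security(spec, observed):
    """Operations the spec secures that still answered 2xx without credentials."""
    return [(m, p) for m, p, op in operations(spec)
            if requires_auth(spec, op) and 200 <= observed.get((m, p), 0) < 300]

def deprecated_but_live(spec, observed):
    """Deprecated operations that are still served (anything other than 404/410)."""
    return [(m, p) for m, p, op in operations(spec)
            if op.get("deprecated") and observed.get((m, p), 0) not in (404, 410)]

def writable_sensitive_fields(spec):
    """Sensitive property names accepted in a JSON request body (mass assignment risk)."""
    return [(m, p, n) for m, p, op in operations(spec)
            for n in op.get("requestBody", {}).get("content", {})
                       .get("application/json", {}).get("schema", {}).get("properties", {})
            if n.lower() in SENSITIVE_FIELDS]
```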
How often should I scan?
On every deploy is ideal. Security can regress with any code change. A new endpoint without auth, an accidentally exposed field, or a misconfigured CORS header can appear in any release.
Recommended cadences:
| Approach | When to use |
|---|---|
| Every PR (GitHub Action) | Best. Catches issues before merge. |
| Every deploy (CI/CD) | Good. Catches issues before production. |
| Weekly (scheduled scan) | Minimum. Catches drift and external changes. |
| Monthly | Not recommended. Too much can change. |
Pro plan customers get continuous monitoring that scans automatically on a schedule.
What does the context parameter do?
The context parameter (financial, medical, public, internal) tells the engine what type of API you’re scanning. It adjusts the analysis priorities:
- financial: extra weight on authentication, data exposure, and encryption. Designed for banking, payments, and fintech APIs.
- medical: extra weight on data exposure, authentication, and encryption. For healthcare and HIPAA-regulated APIs.
- public: extra weight on rate limiting and inventory management. For high-traffic, public-facing APIs.
- internal: extra weight on function-level authorization and property authorization. For internal microservices.
Without context, the engine uses balanced default weights.
Can I scan the same URL multiple times?
Yes. Each scan is independent and captures a snapshot of your API’s security at that moment. This is how you track improvement over time. Your scan history in the dashboard shows the score trend for each URL.
What if my API is behind authentication?
middleBrick currently scans the unauthenticated attack surface, meaning what an attacker without credentials can see. This is valuable because:
- Unauthenticated vulnerabilities are the most critical (no barrier to exploitation)
- Many APIs accidentally expose endpoints without auth
- Headers, error messages, and metadata leak even when the main data is protected
Authenticated scanning (where you provide credentials to test behind auth) is available on paid plans (Starter and above).
Scoring
What’s the difference between categories and findings?
Categories are the 12 security areas middleBrick checks (authentication, data exposure, encryption, etc.). Findings are the specific issues discovered within each category.
Example: the Data Exposure category might produce two findings: “Email addresses in response body” (high) and “Stack trace in error response” (medium).
Your overall score is computed from findings across all categories, weighted by severity and category importance.
Why did my score change between scans?
Several things can cause score changes:
- Code changes: a new deploy may introduce or fix vulnerabilities
- Infrastructure changes: certificate renewals, header changes, CDN updates
- Spec changes: if you updated your OpenAPI spec between scans
- Context changes: different context values produce different weights
If you didn’t change anything and the score shifted, check the findings diff. It usually reveals an external factor (expired cert, CDN header change, etc.).
Can I get a perfect 100?
It’s possible but rare, and not necessarily the goal. A score of 100 means zero findings across all 12 categories, including info-level observations. In practice, scores above 90 (grade A) represent excellent security posture with minimal risk. Focus on fixing critical/high findings rather than chasing a perfect score.
Plans & Billing
What’s included in the free plan?
- 3 scans per month, same engine, same 12 checks, no features disabled
- Dashboard access to view results and scan history
- API access to automate scans programmatically
- CLI access to scan from your terminal
The free plan runs the exact same analysis as paid plans. It’s rate-limited, not feature-limited.
What happens if I exceed my scan limit?
The API returns a 429 rate_limit_exceeded error. Your existing scan results remain accessible, but you can’t submit new scans until the next billing cycle. Upgrade your plan for more scans.
Can I cancel anytime?
Yes. Plans are month-to-month with no commitments. Cancel from the dashboard and your plan remains active until the end of the billing period.
Privacy & Compliance
GDPR compliance
middleBrick processes only publicly accessible API response data. We don’t access your databases, source code, or internal systems. All data is processed on Cloudflare’s edge network within the regions you configure.
Contact [email protected] for:
- Data Processing Agreement (DPA)
- Data export: request a copy of all your scan data
- Data deletion: request complete deletion of your account and scan history
We’re built on Cloudflare’s SOC 2 certified infrastructure. middleBrick’s own SOC 2 certification is in progress.
Where is my data processed?
All scanning and data storage happens on Cloudflare’s global edge network. There is no centralized origin server. Your data is processed at the edge location closest to the target API.
Comparisons
How is middleBrick different from a pentest?
| | middleBrick | Manual pentest |
|---|---|---|
| Time | Under a minute | 2–4 weeks |
| Cost | From $0/month | $5k–$50k+ |
| Frequency | Every deploy | Annually |
| Coverage | OWASP API Top 10 + LLM security | Custom scope |
| Business logic | No | Yes |
| Authenticated testing | Not yet | Yes |
| Report turnaround | Instant | Days to weeks |
middleBrick is not a replacement for a full pentest, but it catches the most common API vulnerabilities instantly, continuously, and affordably. Use it as your continuous baseline and pentest annually for deeper analysis.
How is middleBrick different from SAST/DAST tools?
middleBrick is a specialized API DAST (Dynamic Application Security Testing) tool:
- vs. SAST (Snyk, Semgrep): SAST scans source code. middleBrick scans the running API. They’re complementary. SAST catches code issues, middleBrick catches runtime and configuration issues.
- vs. General DAST (OWASP ZAP, Burp Suite): General DAST tools crawl web applications. middleBrick is purpose-built for APIs and understands REST, JSON, OpenAPI specs, and LLM endpoints natively.
- vs. API gateways (Kong, Apigee): Gateways enforce policies at runtime. middleBrick tests whether those policies are actually working.