API security for Mid-market companies
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring from A to F with prioritized findings
- Coverage of 12 detection categories aligned to the OWASP API Top 10
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with strict header allowlist
- CI/CD integration via GitHub Action and MCP Server
Overview and risk assessment
API security for mid-market organizations requires a balance between coverage and operational practicality. This scanner is a self-service black-box solution: it takes a URL and returns a letter-grade risk score from A to F with prioritized findings. A scan completes in under a minute and uses only read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes, so operational impact is minimal. Because the approach needs no agents, code access, or SDK integration, it applies to any language, framework, or cloud environment.
Detection scope aligned to recognized standards
The scanner evaluates APIs against 12 categories aligned to the OWASP API Top 10 (2023) and maps findings to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 to support audit evidence and controls reviews. Detection capabilities include:
- Authentication bypass and JWT misconfigurations
- Broken object level authorization and IDOR
- Business logic flaws related to privilege escalation
- Property authorization and over-exposed fields
- Input validation issues such as CORS misconfigurations and dangerous methods
- Rate limiting and resource consumption indicators
- Data exposure, including PII patterns and API key formats
- Encryption and transport security checks
- SSRF indicators
- Inventory and versioning issues
- Unsafe consumption surface
- LLM/AI security probes across multiple tiers
OpenAPI specifications (3.0 and 3.1) and Swagger 2.0 specifications are parsed with recursive $ref resolution, and the spec's definitions are cross-referenced against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination controls.
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier onward, supporting Bearer tokens, API keys, Basic authentication, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can scan with credentials. A strict header allowlist is applied, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers. The scanner keeps a conservative safety posture: it uses read-only methods only, blocks private IPs, localhost, and cloud metadata endpoints at multiple layers, deletes customer data on demand, and purges it 30 days after cancellation.
Products, integrations, and monitoring
The platform provides a web dashboard for scanning, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available for CI/CD gating, failing the build when the score drops below a defined threshold. An MCP Server allows scans from AI coding assistants, and a programmatic API supports custom integrations.
For ongoing risk management, the Pro tier adds scheduled rescans at intervals of six hours, daily, weekly, or monthly, diff detection across scans to highlight new and resolved findings and score drift, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures. Enterprise tiers support unlimited APIs, custom rules, SSO, audit logs, SLAs, and dedicated support.
Limitations and complementary testing
The scanner does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside its scope. Business logic vulnerabilities and blind SSRF are also out of scope, as they typically demand domain understanding and out-of-band infrastructure. The tool does not replace a human pentester for high-stakes audits and is designed to complement broader security programs rather than substitute comprehensive manual assessments.