API security for Series A startups

What middleBrick covers

  • Black-box scanning with under one minute scan time
  • Risk scoring from A to F with prioritized findings
  • OWASP API Top 10 (2023) aligned detection
  • OpenAPI 3.x and Swagger 2.0 spec parsing
  • Authenticated scans with domain verification
  • CI/CD integration via GitHub Action and CLI

Shift-left API security for Series A constraints

At Series A, security must fit limited budgets and small engineering teams while still providing meaningful risk reduction. This tool is a self-service API security scanner designed for that reality: submit a URL and receive a risk score with prioritized findings in under a minute. Because it is black-box, it requires no agents, no code access, and no SDK integration, so it works across any language, framework, or cloud environment. The scanner uses only read-only methods, including GET and HEAD, plus text-only POST for LLM probes, ensuring no destructive payloads are sent.

Coverage aligned to industry standards

The scanner detects issues across 12 categories aligned to OWASP API Top 10 (2023). These include authentication bypass and JWT misconfigurations such as alg=none, HS256, expired or missing claims, and sensitive data in claims, as well as security header and WWW-Authenticate compliance checks. It identifies BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and BFLA and privilege escalation through admin endpoint probing and role/permission field leakage. Additional categories cover property authorization over-exposure, input validation issues like CORS wildcard usage and dangerous HTTP methods, rate limiting and resource consumption signals, data exposure including PII patterns and API key formats, encryption misconfigurations, SSRF indicators, inventory management gaps, unsafe consumption surfaces, and LLM/AI security probes across three scan tiers.

OpenAPI analysis and authenticated scanning

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scanning, it supports Bearer, API key, Basic auth, and Cookie methods, gated by domain verification using DNS TXT records or an HTTP well-known file so that only the domain owner can scan with credentials. The request header allowlist is restricted to Authorization, X-API-Key, Cookie, and X-Custom-* headers to minimize exposure during scans.
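Recursive `$ref` resolution and the spec-versus-definitions cross-check can be shown in a few dozen lines. This is an added example, not the product's parser; it handles only local `#/...` pointers, the pagination parameter names are an assumption, and `SAMPLE_SPEC` is a constructed document (no real API) that contains an undefined security scheme, a deprecated operation, an unpaginated list endpoint and a circular schema reference:

```python
PAGINATION_PARAMS = {"page", "limit", "offset", "cursor", "per_page", "page_size"}


def resolve_refs(node, root, on_path=frozenset()):
    """Recursively replace local '$ref' pointers ('#/a/b') with their targets.
    'on_path' holds the pointers being expanded along the current branch, so a
    self-referencing schema is cut off with an 'x-circular' marker instead of
    recursing forever; a pointer to a missing object is marked 'x-dangling'."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in on_path:
                return {"$ref": ref, "x-circular": True}
            target = root
            for key in ref[2:].split("/"):
                key = key.replace("~1", "/").replace("~0", "~")  # RFC 6901 escapes
                if not isinstance(target, dict) or key not in target:
                    return {"$ref": ref, "x-dangling": True}
                target = target[key]
            return resolve_refs(target, root, on_path | {ref})
        return {k: resolve_refs(v, root, on_path) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, on_path) for v in node]
    return node


def audit_spec(spec):
    """Cross-check each operation against the spec's own definitions."""
    spec = resolve_refs(spec, spec)
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in ("get", "post", "put", "patch", "delete"):
                continue
            label = f"{method.upper()} {path}"
            # Operation-level security overrides the global list; either may
            # name a scheme that components.securitySchemes never defines.
            for requirement in op.get("security", spec.get("security", [])):
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append(f"{label}: undefined security scheme '{scheme}'")
            if op.get("deprecated"):
                findings.append(f"{label}: deprecated operation still exposed")
            if method == "get":
                schema = (op.get("responses", {}).get("200", {}).get("content", {})
                          .get("application/json", {}).get("schema", {}))
                params = {p.get("name") for p in op.get("parameters", [])}
                if schema.get("type") == "array" and not params & PAGINATION_PARAMS:
                    findings.append(f"{label}: returns an array with no pagination parameter")
    return findings


# Constructed sample spec for the example; not a real API.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object",
                     "properties": {"id": {"type": "integer"},
                                    "manager": {"$ref": "#/components/schemas/User"}}},
        },
    },
    "paths": {
        "/users": {
            "get": {
                "security": [{"apiKeyAuth": []}],
                "responses": {"200": {"content": {"application/json": {
                    "schema": {"type": "array",
                               "items": {"$ref": "#/components/schemas/User"}}}}}},
            }
        },
        "/users/{id}": {
            "get": {
                "deprecated": True,
                "security": [{"bearerAuth": []}],
                "parameters": [{"name": "id", "in": "path"}],
                "responses": {"200": {"content": {"application/json": {
                    "schema": {"$ref": "#/components/schemas/User"}}}}},
            }
        },
    },
}
```

Resolving references before the audit matters because parameters and schemas are routinely defined once under `components` and referenced everywhere; without resolution, the pagination and array checks would see only a pointer. The cycle guard is what keeps a self-referencing schema such as `User.manager` from hanging the parser.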

Product features and ongoing monitoring

The Web Dashboard centralizes scans, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package, enables commands such as middlebrick scan <url> with JSON or text output for scripting. A GitHub Action is available to act as a CI/CD gate, failing the build when the score drops below a chosen threshold. For continuous monitoring in Pro tiers, scheduled rescans run on intervals from 6 hours to monthly, with diff detection across scans, email alerts rate-limited to 1 per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures.
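The HMAC-SHA256 signed webhook with auto-disable after 5 consecutive failures is a small, self-contained design, shown here as an added example rather than the product's implementation. The header names, the timestamp-in-MAC construction and the replay tolerance window are assumptions; the 5-failure threshold is the figure the page gives. The `send` callable is injected so the example runs offline:

```python
import hashlib
import hmac
import json
import time

MAX_CONSECUTIVE_FAILURES = 5   # from the page: auto-disable after 5 consecutive failures
TIMESTAMP_TOLERANCE_S = 300    # assumption: freshness window accepted by the receiver

# Header names are assumptions for this example; the page does not name them.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    # Binding the timestamp into the MAC lets the receiver reject stale
    # redeliveries without keeping a list of every signature it has seen.
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, timestamp: int, body: bytes, signature: str, now=None) -> bool:
    """Receiver-side check: freshness window plus constant-time comparison."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TIMESTAMP_TOLERANCE_S:
        return False
    expected = sign_payload(secret, timestamp, body)
    return hmac.compare_digest(expected, signature)


class WebhookEndpoint:
    """Sender-side delivery state: disabled after MAX_CONSECUTIVE_FAILURES,
    with the counter reset by any successful (2xx) delivery."""

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, event: dict, send, now=None) -> bool:
        """'send(url, headers, body) -> int status' is injected so the example
        runs offline; a real sender would call an HTTP client here."""
        if not self.enabled:
            return False
        now = int(time.time()) if now is None else now
        # Canonical JSON so sender and receiver MAC the same bytes.
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
        headers = {
            "Content-Type": "application/json",
            TS_HEADER: str(now),
            SIG_HEADER: sign_payload(self.secret, now, body),
        }
        try:
            ok = 200 <= send(self.url, headers, body) < 300
        except Exception:
            ok = False   # network error counts as a failed delivery
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return ok
```

On the receiving side, the two details worth checking in any integration are that the comparison is constant-time (`hmac.compare_digest`, not `==`) and that the MAC is computed over the raw request body bytes, not over a re-serialised copy.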

Pricing, safety posture, and limitations

The Free tier offers 3 scans per month with CLI access, Starter provides 15 API scans plus dashboard and alerts, Pro adds continuous monitoring and CI/CD integration for up to 100 APIs with per-API overage, and Enterprise supports unlimited APIs with custom rules and SLA-backed support. The scanner maintains a strict safety posture: it uses read-only methods only, blocks private IPs, localhost, and cloud metadata endpoints at multiple layers, and deletes customer data on demand within 30 days of cancellation. It does not fix, patch, block, or remediate, nor does it perform active SQL injection or command injection testing. It surfaces findings relevant to audit evidence and helps you prepare for compliance checks against PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10, but it is not an auditor and cannot certify compliance.
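Blocking private IPs, localhost and cloud metadata endpoints "at multiple layers" means checking the hostname before DNS and then checking every resolved address, not just the first. The following added example (not the product's code) shows such a two-layer target check; the hostname deny list is illustrative, `FAKE_DNS` holds constructed resolver answers so nothing is looked up, and the `resolve` callable is injected so the check runs offline:

```python
import ipaddress
from urllib.parse import urlsplit

# Layer 1: hostnames rejected before any DNS lookup. Illustrative list, not the product's.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}


def ip_is_blocked(ip) -> bool:
    """Layer 2: reject anything that is not a public unicast address (loopback,
    RFC 1918, link-local including 169.254.0.0/16, ULA, multicast, unspecified)."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip_is_blocked(ip.ipv4_mapped)  # ::ffff:10.0.0.1 is still 10.0.0.1
    return (not ip.is_global) or ip.is_multicast


def check_target(url: str, resolve) -> tuple:
    """'resolve(hostname) -> list of address strings' is injected so the check
    runs offline. Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme '{parts.scheme}' not allowed"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"blocked hostname '{host}'"
    try:
        addresses = [ipaddress.ip_address(host)]   # literal IP in the URL
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, f"cannot resolve '{host}'"
        if not addresses:
            return False, f"cannot resolve '{host}'"
    for ip in addresses:   # every answer must be public, not just the first
        if ip_is_blocked(ip):
            return False, f"'{host}' maps to non-public address {ip}"
    return True, "ok"


# Constructed resolver answers for the sample; no real DNS is consulted.
FAKE_DNS = {
    "api.example.test": ["8.8.8.8"],
    "intranet.example.test": ["10.20.30.40"],
    "split.example.test": ["8.8.8.8", "fd12::1"],
}


def fake_resolve(hostname):
    return FAKE_DNS.get(hostname, [])
```

One caveat a practitioner would add: a pre-flight check like this is only as good as the address the HTTP client later connects to, so production scanners also pin the checked address (or re-check at connect time) and apply the same rule to every redirect hop.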

Frequently Asked Questions

How does the scanner determine risk scores?
The scanner evaluates findings across 12 security categories and assigns a letter-grade risk score from A to F based on severity, detectability, and potential impact.

Can authenticated scans be run in CI/CD?
Yes, authenticated scanning is available in Starter and above, with credentials gated by domain verification and limited header forwarding for safe CI/CD usage.

What happens to scan data after cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. It is never sold and is not used for model training.

Does the tool detect business logic vulnerabilities?
It does not detect business logic vulnerabilities; these require domain context and human expertise that are outside the scope of automated scanning.