API security for Series B/C companies

As API surfaces expand, maintaining a clear risk baseline becomes essential. The scanner submits a URL and returns a risk score from A to F with prioritized findings, enabling teams to compare security posture across environments. Black-box scanning requires no agents, SDKs, or code access, and supports any language or framework. Read-only methods are used, and scans complete in under a minute, providing quick insight without disrupting production traffic.

The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It detects issues across 12 categories, including authentication bypass, JWT misconfigurations such as alg=none or expired tokens, BOLA and IDOR via sequential ID enumeration, and BFLA through admin endpoint probing. It surfaces data exposure patterns like emails, Luhn-validated card numbers, context-aware SSN formats, and API key formats for AWS, Stripe, GitHub, and Slack. Input validation checks include CORS wildcard usage with credentials, dangerous HTTP methods, and debug endpoints. Rate limiting and resource consumption findings highlight missing rate-limit headers and oversized responses. Error and stack-trace leakage, missing versioning, legacy path patterns, and unsafe third-party webhook surfaces are also covered.

The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, cross-referencing spec definitions against runtime behavior. It identifies undefined security schemes, sensitive field exposure, deprecated operations, and missing pagination. For authenticated scans at the Starter tier and above, Bearer tokens, API keys, Basic auth, and cookies are supported. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can submit credentials. A strict header allowlist permits only Authorization, X-API-Key, Cookie, and X-Custom-* headers to be forwarded.

Pro tier adds continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift between scans. Alerts are rate-limited to one email per hour per API, and HMAC-SHA256 signed webhooks disable automatically after 5 consecutive failures. The platform integrates into existing workflows via a web dashboard for reporting and trend tracking, a CLI using middlebrick scan <url> with JSON or text output, and a GitHub Action that can fail CI/CD builds when scores drop below a defined threshold. An MCP server enables scanning from AI coding assistants, and a programmatic API supports custom integrations.

The scanner includes 18 adversarial probes across three scan tiers for LLM and AI security, covering system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. These probes operate as read-only checks and do not modify models or data. Important boundaries include no active SQL injection or command injection testing, no business logic validation, no blind SSRF detection, and no replacement for human pentesters in high-stakes audits. Findings come with remediation guidance, but the tool does not fix, patch, block, or remediate issues directly.