When Auditor demand

What middleBrick covers

  • Black-box scanning with read-only methods under one minute
  • Twelve detection categories aligned to OWASP API Top 10
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution
  • Authenticated scans with strict header allowlist
  • Continuous monitoring with diff detection and HMAC-SHA256 webhooks
  • Integrations including CLI, GitHub Action, dashboard, and MCP server

How the scanner works

Black-box assessment requires no agents, SDKs, or code access. The scanner probes your API surface using read-only methods (GET and HEAD) and text-only POST for LLM probes. Submission of a target URL yields a risk score from A to F with prioritized findings in under a minute.

Detection coverage aligned to major frameworks

Findings map to OWASP API Top 10 (2023), and the tool validates controls relevant to PCI-DSS 4.0 and SOC 2 Type II. Detection categories include authentication bypass, broken object level authorization, broken function level authorization, property authorization, input validation, rate limiting, data exposure, encryption, SSRF, inventory management, unsafe consumption, and LLM/AI security. For each category, the scanner surfaces specific indicators such as JWT alg=none, IDOR via sequential ID probing, admin endpoint exposure, CORS wildcard with credentials, sensitive data patterns, and TLS misconfigurations.

Authenticated scanning and scope controls

With a paid tier, authenticated scanning is available using Bearer tokens, API keys, Basic auth, or cookies. Domain verification requires a DNS TXT record or an HTTP well-known file to ensure only the domain owner can submit credentials. Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* to reduce unintended side effects.

OpenAPI contract analysis

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. It cross-references spec definitions against runtime behavior to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This analysis helps identify discrepancies between documented and actual behavior without modifying the service.

Continuous monitoring and integrations

Pro tier enables scheduled rescans at intervals of six hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift. Alerts are delivered via email at a rate-limited cadence of one per hour per API, and HMAC-SHA256 signed webhooks disable automatically after five consecutive failures. Integration options include a web dashboard, an npm CLI, a GitHub Action that fails the build when the score drops below a threshold, and an MCP server for AI coding assistants.
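As an added example that is not middleBrick's own code, the following Python sketches the receiving side of a signed webhook (verifying an HMAC-SHA256 body signature in constant time and pulling out the new/resolved/score-drift fields a diff event carries) alongside the sender-side rule of disabling an endpoint after five consecutive failures. The `X-Signature` header name, hex encoding over the raw body, and the event payload shape are assumptions; this page does not document the real format.

```python
import hashlib
import hmac
import json

# ASSUMPTION: header name and encoding are not documented on this page.
SIGNATURE_HEADER = "X-Signature"  # hex HMAC-SHA256 over the raw request body

# Constructed sample diff event (shape assumed, not middleBrick's real schema).
SAMPLE_BODY = json.dumps({
    "api": "https://api.example.test",
    "previous_score": "B",
    "score": "C",
    "new_findings": ["CORS wildcard with credentials"],
    "resolved_findings": [],
}).encode()


def sign_body(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Accept only if the signature matches; compare_digest avoids timing leaks."""
    provided = headers.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(sign_body(secret, body).encode(), provided.encode())


def summarize_event(body: bytes) -> dict:
    """Reduce a verified diff event to the three things monitoring reports."""
    event = json.loads(body)
    return {
        "score_drift": event["previous_score"] != event["score"],
        "new": len(event["new_findings"]),
        "resolved": len(event["resolved_findings"]),
    }


class DeliveryTracker:
    """Sender-side rule from the page: disable after five consecutive failures."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.consecutive_failures = 0
        self.enabled = True

    def record(self, delivered: bool) -> bool:
        """Record one attempt; a success resets the streak. Returns enabled state."""
        self.consecutive_failures = 0 if delivered else self.consecutive_failures + 1
        if self.consecutive_failures >= self.max_failures:
            self.enabled = False
        return self.enabled
```

Verify before parsing: a receiver that decodes JSON first hands unauthenticated input to the parser, which defeats the point of signing.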

Frequently Asked Questions

Can authenticated scans be run safely?
Yes. Authenticated scans use read-only methods and a limited header allowlist. Domain verification ensures scans are run by the domain owner, and sensitive data is never used to train models.

What is the difference between Starter and Pro tiers?
Starter supports up to 15 APIs with dashboard, email alerts, and MCP Server. Pro extends to 100 APIs with continuous monitoring, GitHub Action gates, compliance reports, and signed webhooks. Enterprise offers unlimited APIs and custom rules.

Does the tool perform active exploitation like SQL injection?
No. The scanner does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope.

How are findings mapped to compliance frameworks?
Findings map directly to OWASP API Top 10 (2023), and the tool validates controls relevant to PCI-DSS 4.0 and SOC 2 Type II. For other regulations, it supports audit evidence and aligns with described security controls.