CISO API inventory heatmap

An API inventory heatmap plots each API surface against two axes: risk severity and business criticality. Every endpoint receives a risk score graded A to F, and the resulting visual highlights where sensitive data paths intersect with high-probability attack vectors. The map is generated from a read-only scan that submits GET and HEAD requests plus text-only POST probes, completing in under a minute without agents or code access.

Without a continuous inventory, teams rely on documentation that drifts from reality. Shadow endpoints and legacy paths remain unmeasured, allowing authentication bypass, IDOR, and data exposure to persist in forgotten services. Adversarial tooling can enumerate versionless paths and adjacent numeric IDs, turning incomplete asset lists into an attacker roadmap.

A practical workflow starts with discovery, where the scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions and resolves recursive $ref chains to compare spec definitions against runtime behavior. After the initial scan, the dashboard overlays risk categories aligned to OWASP API Top 10 (2023), including authentication misconfigurations, BOLA, BFLA, property over-exposure, and SSRF indicators. Teams then filter by critical services, assign ownership, and track score trends across scheduled rescans, using diff detection to identify new findings and regressions.

Example CLI usage: middlebrick scan https://api.example.com. The tool supports authenticated scanning with Bearer tokens, API keys, Basic auth, and cookies, enforcing domain verification and a strict header allowlist to prevent credential leakage during scans.

The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detected issues such as missing security headers, unencrypted transport, and sensitive data leakage in error messages can be used as audit evidence to support controls described in these frameworks. For other regulations, middleBrick helps you prepare for requirements by surfacing findings relevant to security controls, though it does not certify compliance.

The scanner includes an LLM/AI security category that runs 18 adversarial probes across three scan tiers: Quick, Standard, and Deep. These probes test for system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. Results highlight model-facing endpoints that require additional guardrails and runtime monitoring.

MiddleBrick operates read-only, never sending destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training. The tool does not fix, patch, block, or remediate, nor does it perform intrusive SQL injection or command injection testing. Business logic vulnerabilities require human domain expertise, and blind SSRF relies on out-of-band infrastructure that is out of scope.