When a customer asks for a pentest

What middleBrick covers

  • Black-box API scanning with a risk score in under a minute
  • Detection aligned to OWASP API Top 10, PCI-DSS 4.0, and SOC 2 Type II
  • LLM adversarial probes across Quick, Standard, and Deep scan tiers
  • Authenticated scans with header allowlisting and domain verification
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with spec-to-runtime comparison
  • CI/CD integration via GitHub Action and programmatic API access

When a pentest request arrives

Stakeholders ask for a pentest to validate security and satisfy compliance. You need an answer that is defensible, auditable, and fast. middleBrick provides an immediate baseline using a black-box scan that requires no agents, SDKs, or code access. Within a minute you receive a risk score from A to F with prioritized findings and direct references to the relevant control objectives.

Coverage aligned to recognized frameworks

The scanner maps findings to three core frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). These alignments are specific, not generic. For other regulations, the product supports audit evidence collection and helps you prepare for security controls described in frameworks such as HIPAA, GDPR, ISO 27001, NIST, CCPA, and related standards without claiming certification or compliance guarantees.

Detection scope and safe testing behavior

Detection covers 12 categories including Authentication bypass, BOLA and BFLA, Property Authorization, Input Validation, Data Exposure, SSRF, and LLM/AI Security with 18 adversarial probe tiers. Testing is read-only: only GET and HEAD methods are used, plus text-only POST for LLM probes. Destructive payloads are never sent, private IPs and cloud metadata endpoints are blocked at multiple layers, and customer data is deletable on demand and never sold or used for model training.
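The "private IPs and cloud metadata endpoints are blocked at multiple layers" guarantee is the part of this section a reviewer is most likely to ask about. The following is an added illustration, not middleBrick's own code, of what a two-layer target guard looks like: the URL is first checked as written (scheme, literal address, known metadata host names), and then every address the hostname actually resolves to is checked, so a public-looking name that points at an internal address is rejected too. The metadata host list and the exact set of rejected address classes are assumptions for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed list of well-known cloud metadata endpoints (assumption: the
# product's actual blocklist is not on the page).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}


def is_disallowed_ip(ip: str) -> bool:
    """True for any address a black-box scanner should never connect to:
    RFC 1918 / ULA ranges, loopback, link-local (which includes the
    169.254.169.254 metadata address), reserved, multicast and unspecified."""
    addr = ipaddress.ip_address(ip)
    return (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_reserved or addr.is_multicast or addr.is_unspecified
        or ip in METADATA_HOSTS
    )


def is_safe_scan_target(url: str, resolver=socket.getaddrinfo):
    """Return (ok, reason).

    Layer 1 checks the URL as written; layer 2 checks every address the host
    name resolves to. `resolver` is injectable so the DNS layer can be tested
    offline; it must behave like socket.getaddrinfo."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() in METADATA_HOSTS:
        return False, f"cloud metadata endpoint {host}"

    # A literal IP in the URL is decided without any DNS lookup.
    try:
        ipaddress.ip_address(host)
        literal = True
    except ValueError:
        literal = False
    if literal:
        if is_disallowed_ip(host):
            return False, f"non-public literal address {host}"
        return True, "public literal address"

    # Host name: reject if *any* resolved address is non-public, so a name
    # with mixed public/internal A records cannot slip through.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return False, f"DNS resolution failed: {exc}"
    for info in infos:
        ip = info[4][0]  # sockaddr tuple; element 0 is the address for v4 and v6
        if is_disallowed_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

A real scanner would additionally pin the connection to the vetted address (or re-check on every redirect), because a second lookup at connect time can return a different answer than the one that was checked.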

Authenticated scanning and compliance evidence

For authenticated scans (Starter tier and above), Bearer, API key, Basic auth, and Cookie credentials are supported after domain verification via DNS TXT record or an HTTP well-known file. Only an allowlisted set of headers is forwarded. OpenAPI 3.0, 3.1, and Swagger 2.0 specs are parsed with recursive $ref resolution, enabling cross-reference between the specification and runtime findings to highlight undefined security schemes or deprecated operations.
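To make the spec-side half of that cross-reference concrete, here is an added example (not middleBrick's parser) that resolves local `$ref` pointers recursively, survives self-referencing schemas, and then walks every operation to flag the two conditions the paragraph names: a security requirement naming a scheme that is not defined in the document, and an operation marked `deprecated`. The sample spec is constructed for the example; it reads `components.securitySchemes` for OpenAPI 3.x and `securityDefinitions` for Swagger 2.0.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample (not from the page): one operation references an
# undefined scheme, one is deprecated, and the User schema references itself.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "parameters": {"Id": {"name": "id", "in": "path", "required": True,
                              "schema": {"type": "string"}}},
        "schemas": {"User": {"type": "object", "properties": {
            "id": {"type": "string"},
            "friends": {"type": "array",
                        "items": {"$ref": "#/components/schemas/User"}}}}},
        "responses": {"User": {"description": "A user", "content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}},
    },
    "security": [{"bearerAuth": []}],  # document-wide default requirement
    "paths": {
        "/users/{id}": {
            "parameters": [{"$ref": "#/components/parameters/Id"}],
            "get": {"responses": {"200": {"$ref": "#/components/responses/User"}}},
            "delete": {"deprecated": True,
                       "responses": {"204": {"description": "Deleted"}}},
        },
        "/admin/export": {
            "get": {"security": [{"legacyApiKey": []}],  # never defined
                    "responses": {"200": {"description": "CSV"}}},
        },
    },
}


def resolve_refs(node, root, _seen=()):
    """Recursively replace local '#/...' $ref pointers with their targets.

    A pointer that is already being expanded higher up the call chain is left
    in place, which terminates on cyclic schemas instead of recursing forever.
    Only document-local refs are handled; remote refs are left untouched."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in _seen:
                return node
            target = root
            for part in ref[2:].split("/"):
                part = part.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescape
                target = target[part]
            return resolve_refs(target, root, _seen + (ref,))
        return {k: resolve_refs(v, root, _seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, _seen) for v in node]
    return node


def audit_spec(spec):
    """Return a list of (finding_type, 'METHOD /path', detail) tuples."""
    doc = resolve_refs(spec, spec)
    defined = set((doc.get("components") or {}).get("securitySchemes", {}))
    defined |= set(doc.get("securityDefinitions", {}))  # Swagger 2.0 location
    global_security = doc.get("security", [])
    findings = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # path-level keys such as "parameters" or "summary"
            label = f"{method.upper()} {path}"
            if op.get("deprecated"):
                findings.append(("deprecated-operation", label, None))
            # An operation without its own "security" inherits the global one;
            # an explicit empty list disables authentication for it.
            for requirement in op.get("security", global_security):
                for scheme in requirement:
                    if scheme not in defined:
                        findings.append(("undefined-security-scheme", label, scheme))
    return findings


if __name__ == "__main__":
    for kind, where, detail in audit_spec(SAMPLE_SPEC):
        print(kind, where, detail or "")
```

The runtime half of the comparison (does the server actually enforce the scheme the spec declares?) needs live responses and is what the authenticated scan supplies; this block only covers what can be decided from the document alone.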

Remediation workflow and ongoing monitoring

Results include remediation guidance rather than fixes. The Web Dashboard centralizes scans, score trends, and branded compliance PDFs. The CLI enables scripted scans with JSON output, and a GitHub Action can gate CI/CD when scores drop below a threshold. Pro tier adds scheduled rescans, diff detection, HMAC-SHA256 signed webhooks, and Slack or Teams alerts to integrate findings into existing workflows.
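Receiving a signed webhook is only useful if the receiver actually checks the signature, and a CI gate is only useful if it runs after that check. The following added example, which is not middleBrick's client code, shows a receiver that verifies an HMAC-SHA256 signature over the raw request body in constant time, rejects stale deliveries, and only then parses the payload and applies an A-to-F score threshold. The header names, the `sha256=<hex>` format, the timestamp-prefixed signing string and the payload shape are all assumptions for the example; substitute whatever the webhook documentation specifies.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumed wire format (constructed for this example; the page does not
# describe the product's actual headers): X-Signature carries
# "sha256=<hex>" of HMAC-SHA256 over "<unix timestamp>.<raw body bytes>",
# and X-Timestamp carries that timestamp so stale deliveries can be dropped.
SIG_HEADER = "X-Signature"
TS_HEADER = "X-Timestamp"
MAX_SKEW_SECONDS = 300
GRADES = "ABCDEF"  # A is best; index order doubles as rank order


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: MAC over timestamp and raw body, never over parsed JSON."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Compares in constant time and binds the
    signature to a timestamp so a captured delivery cannot be replayed later."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get(TS_HEADER, ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside tolerance (possible replay)"
    presented = headers.get(SIG_HEADER, "")
    expected = sign_payload(secret, ts, body)
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return False, "signature mismatch"
    return True, "ok"


def grade_passes_gate(grade: str, minimum: str = "B") -> bool:
    """True when the delivered grade is at or above the configured floor."""
    g, m = grade.upper(), minimum.upper()
    if g not in GRADES or m not in GRADES:
        raise ValueError("grade must be one of A-F")
    return GRADES.index(g) <= GRADES.index(m)


def handle_delivery(secret: bytes, headers: dict, body: bytes,
                    minimum: str = "B", now: Optional[int] = None) -> Tuple[str, str]:
    """Verify first, parse second, gate third.

    Returns ("reject", reason) for unauthenticated deliveries, otherwise
    ("pass" | "fail", "score X") for the CI decision."""
    ok, reason = verify_webhook(secret, headers, body, now)
    if not ok:
        return "reject", reason
    event = json.loads(body)  # only after the MAC is confirmed
    grade = str(event.get("score", ""))
    verdict = "pass" if grade_passes_gate(grade, minimum) else "fail"
    return verdict, f"score {grade}"


if __name__ == "__main__":
    secret = b"whsec_constructed_example"
    body = b'{"scan_id":"scan-001","score":"C"}'  # constructed payload
    ts = int(time.time())
    headers = {TS_HEADER: str(ts), SIG_HEADER: sign_payload(secret, ts, body)}
    print(handle_delivery(secret, headers, body, minimum="B"))
```

Two details matter in practice: the MAC must be computed over the exact bytes received (re-serialising JSON changes whitespace and key order and breaks verification), and the secret should be held in CI secrets storage, not in the workflow file, so that a leaked repository does not let anyone forge a passing score.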

Frequently Asked Questions

Can middleBrick replace a human pentester for high-stakes audits?
No. The tool detects and reports, but it does not fix, patch, or remediate. It does not perform active SQL injection or command injection testing, and it cannot identify business logic vulnerabilities or blind SSRF, which require human domain expertise.
Does the scanner perform intrusive exploitation such as SQL injection?
It does not. Only safe, read-only methods are used. Actively exploitative payloads are outside scope and are never sent.
How are compliance mappings presented in reports?
Findings are mapped directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, reports surface findings relevant to audit evidence without asserting certification or compliance.
What happens to scan data after cancellation?
Customer data is deletable on demand and is purged within 30 days of cancellation. It is never sold and is not used for model training.