When a customer asked for SOC 2

What middleBrick covers

  • Map findings to SOC 2 and OWASP API Top 10 (2023).
  • Black-box scanning with no agents or SDKs.
  • OpenAPI 3.x and Swagger 2.0 spec parsing with $ref resolution.
  • Authenticated scans with domain verification.
  • Continuous monitoring and diff detection (Pro).
  • Programmatic access via CLI and API client.

How middleBrick maps to SOC 2

middleBrick is a scanner, not an assessor. It surfaces findings that align with security controls described in SOC 2 Type II, giving you items to review and remediate. The scanner does not issue a SOC 2 opinion or attestation.

  • Logical access controls: detection of weak authentication, exposed secrets, and over-permissive headers.
  • System monitoring: evidence of scan runs, alert delivery, and change tracking via dashboard and webhooks.
  • Configuration and change management: OpenAPI spec parsing and runtime cross-checks to identify undefined or deprecated operations.

Detection coverage for common SOC 2-relevant findings

By design, the scanner covers patterns frequently relevant to SOC 2 control criteria, including authentication issues, data exposure, and input validation gaps. It does not test intrusive exploit paths.

  • Authentication and session management: JWT misconfigurations, missing security headers, unsafe token handling.
  • Data protection: exposed PII, API keys, and error leakage; HTTPS enforcement and HSTS presence.
  • Input validation and error handling: CORS misconfigurations, debug endpoints, verbose stack traces.
  • Access control and authorization: BOLA-like enumeration, privilege escalation hints, role/permission field exposure.
  • Server and dependency footprint: server fingerprinting and deprecated path patterns.

OpenAPI spec analysis and runtime cross-check

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents and resolves recursive $ref chains. Findings are compared against the spec to highlight mismatches that are often relevant to audit evidence.

openapi: 3.0.3
info:
  title: Example API
  version: 1.0.0
components:
  securitySchemes:          # schemes are declared once, under components
    bearerAuth:
      type: http
      scheme: bearer
paths:
  /users/{id}:
    get:
      summary: Get user
      security:             # the operation references the scheme by name
        - bearerAuth: []
      parameters:           # path parameters must be declared and required
        - name: id
          in: path
          required: true
          schema:
            type: string
      responses:
        '200':
          description: OK

If the runtime response contains internal fields that the response schema does not declare, or if an operation has no security scheme applied to it, the scanner reports the divergence.
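The spec-versus-runtime comparison described above, as an added example that is not middleBrick's own code: it resolves local $ref chains with a recursion guard, flags operations that carry no security requirement, and lists live response fields the declared schema does not cover. The spec dict (including the hypothetical /debug/env path) and the live body are constructed for illustration.

```python
# Constructed example spec as a plain dict: the YAML above plus a response schema
# reached through a local $ref, and a hypothetical /debug/env operation that
# declares no security requirement.
SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {"User": {"type": "object", "properties": {
            "id": {"type": "string"}, "email": {"type": "string"}}}},
    },
    "paths": {
        "/users/{id}": {"get": {
            "security": [{"bearerAuth": []}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/debug/env": {"get": {"responses": {"200": {"description": "OK"}}}},
    },
}

def resolve(spec, node, max_depth=32):
    """Follow local '#/...' $ref chains; the depth guard stops a self-referencing chain."""
    depth = 0
    while isinstance(node, dict) and "$ref" in node:
        if depth >= max_depth:
            raise ValueError("recursive $ref chain: " + node["$ref"])
        target = spec
        for part in node["$ref"].lstrip("#/").split("/"):
            target = target[part]
        node, depth = target, depth + 1
    return node

def cross_check(spec, path, method, status, body):
    """Compare one live JSON response with the spec and return audit-style findings."""
    findings = []
    op = spec["paths"][path][method]
    # An operation with no security list inherits the document-level requirement, if any.
    if not (op.get("security") or spec.get("security")):
        findings.append(f"{method.upper()} {path}: no security requirement declared")
    resp = op.get("responses", {}).get(str(status), {})
    schema = resolve(spec, resp.get("content", {}).get("application/json", {}).get("schema"))
    declared = set(schema.get("properties", {})) if schema else set()
    # Every key in the live body that the declared schema does not list is a leak candidate.
    for field in sorted(set(body) - declared):
        findings.append(f"{method.upper()} {path}: field '{field}' not in declared schema")
    return findings

if __name__ == "__main__":
    live_body = {"id": "42", "email": "a@example.com", "password_hash": "[redacted]"}  # constructed
    for finding in cross_check(SPEC, "/users/{id}", "get", 200, live_body):
        print(finding)
```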

Authenticated scanning and domain verification

With Starter tier and above, you can add authenticated scans for Bearer, API key, Basic auth, and Cookie-based access. Domain verification is enforced so only the domain owner can scan with credentials.

  • Verification methods: DNS TXT record or an HTTP well-known file placed at the domain root.
  • Header allowlist: only Authorization, X-API-Key, Cookie, and X-Custom-* headers are forwarded.
  • Read-only methods only; no destructive payloads are sent.

Continuous monitoring and evidence collection

Pro tier adds scheduled rescans and diff detection to support ongoing control monitoring. Alerts are rate-limited and webhooks are HMAC-SHA256 signed to help with evidence integrity.

  • Schedule options: every 6 hours, daily, weekly, or monthly.
  • Diff detection: new findings, resolved findings, and score drift are surfaced via dashboard and email.
  • Retention: customer data is deletable on demand and purged within 30 days of cancellation.

Frequently Asked Questions

Does middleBrick provide a SOC 2 audit report?
No. The scanner detects patterns that may support SOC 2 control review, but it does not produce an audit report or an opinion.

Can I use authenticated scans for compliance evidence?
Yes, authenticated scans increase coverage for access control testing. Ensure domain verification is completed and limit permitted headers to the allowlist.

How are findings mapped to frameworks?
middleBrick maps findings directly to OWASP API Top 10 (2023). It does not map directly to other frameworks; for SOC 2, it helps you prepare by surfacing findings that align with the security controls SOC 2 describes.

What happens to my scan data after cancellation?
Customer data is deletable on demand and purged within 30 days. Findings are not sold and are not used for model training.