Cyber insurance renewal evidence
What middleBrick covers
- Black-box API scanning that completes in under one minute
- Risk scoring with prioritized findings mapped to OWASP API Top 10
- OpenAPI spec parsing and runtime cross-reference
- Authenticated scans with header allowlist and domain verification
- Scheduled rescans and diff detection for continuous monitoring
- CI/CD integration via GitHub Action and programmatic API
Use case context
Cyber insurance renewal evidence centers on demonstrating that an organization continuously assesses and reduces API risk. Underwriters review security practices, incident history, and controls related to authentication, data exposure, and input validation mapped to frameworks such as PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). A scanner that runs without agents and produces a prioritized risk score helps teams maintain an auditable record of assessments over time.
What teams get wrong when skipping formal assessment
Teams that forgo structured scanning rely on ad hoc checks or manual inventories, which miss subtle misconfigurations such as JWT alg=none, sensitive claims in tokens, CORS wildcard with credentials, and unversioned or legacy paths. This increases the likelihood of findings during underwriting, forces rushed remediation before renewals, and can weaken the organization's alignment with security controls described in PCI-DSS 4.0 and SOC 2 Type II.
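As an added example (not middleBrick's code), two of the checks named above written as a small Python detector: it flags a JWT whose header declares alg=none, sensitive claim names in the token body, and a wildcard CORS origin combined with credentials. The sensitive-claim list and the OWASP API Top 10 (2023) category mapping are assumptions chosen here, and the token and response headers are constructed samples.

```python
import base64
import json

# Assumed claim names treated as sensitive when they appear in a token body.
SENSITIVE_CLAIMS = frozenset({"password", "ssn", "email", "credit_card"})
# Assumed mapping of each check to an OWASP API Top 10 (2023) category.
CATEGORY = {
    "jwt-alg-none": "API2:2023 Broken Authentication",
    "jwt-sensitive-claim": "API3:2023 Broken Object Property Level Authorization",
    "cors-wildcard-with-credentials": "API8:2023 Security Misconfiguration",
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_jwt(token: str) -> list[tuple[str, str]]:
    # Inspect a token's header and claims; returns (finding, category) pairs.
    parts = token.split(".")
    if len(parts) != 3:
        return []  # not a JWS-style token; nothing to inspect
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or JSON
        return []
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append(("jwt-alg-none", CATEGORY["jwt-alg-none"]))
    for name in claims:
        if name.lower() in SENSITIVE_CLAIMS:
            findings.append((f"jwt-sensitive-claim:{name}", CATEGORY["jwt-sensitive-claim"]))
    return findings

def check_cors(headers: dict[str, str]) -> list[tuple[str, str]]:
    # Flag a wildcard origin combined with credentials in a response's CORS headers.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get("access-control-allow-origin") == "*" and h.get("access-control-allow-credentials", "").lower() == "true":
        return [("cors-wildcard-with-credentials", CATEGORY["cors-wildcard-with-credentials"])]
    return []

def _make_token(header: dict, claims: dict) -> str:
    # Builds an unsigned token for the constructed sample below (not from any real service).
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc(header)}.{enc(claims)}."

# Constructed sample inputs.
SAMPLE_TOKEN = _make_token({"alg": "none", "typ": "JWT"}, {"sub": "42", "email": "user@example.com"})
SAMPLE_HEADERS = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"}
```

Running `check_jwt(SAMPLE_TOKEN) + check_cors(SAMPLE_HEADERS)` yields three findings, each tagged with its category, which is the shape a prioritized report would carry.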
A practical assessment workflow
Start by submitting each public API endpoint to a black-box scanner that completes in under a minute and uses only read-only methods. Review the risk score and prioritized findings, then remediate issues such as broken authentication, BOLA/IDOR, BFLA, data exposure patterns, and unsafe consumption surfaces. For recurring evidence, schedule rescans at the interval required by your risk posture, store reports with timestamps, and track score trends to show improvement or regression across policy periods.
Coverage provided by middleBrick
middleBrick maps findings to OWASP API Top 10 (2023), supports audit evidence for PCI-DSS 4.0 and SOC 2 Type II, and detects issues across authentication, BOLA, BFLA, property authorization, input validation, rate limiting, data exposure, encryption, SSRF, inventory management, unsafe consumption, and LLM/AI security. The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime results to identify undefined security schemes and deprecated operations.
Authenticated scanning and safe operation
On the Starter tier and above, you can authenticate scans using Bearer, API key, Basic auth, or Cookie, subject to domain verification via a DNS TXT record or an HTTP well-known file. The scanner forwards only a limited allowlist of headers and never sends destructive payloads; private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer data can be deleted on demand and is never used for model training.
Ongoing monitoring and integration options
The Pro tier enables scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection that highlights new findings, resolved findings, and score drift. Alerts are rate-limited to one per hour per API and can be delivered by email, Slack, or Teams, or via HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. The tool integrates through a web dashboard, CLI, GitHub Action with CI/CD gating, MCP server for AI coding assistants, and a programmable API for custom workflows.