On-demand executive snapshot

An on-demand executive snapshot provides a concise, risk-based summary of your API surface in under a minute. You submit a reachable URL, and the scanner returns a letter grade from A to F with a short list of prioritized findings. The approach is black-box, requiring no agents, SDKs, or access to source code, and it supports any language or framework. Only read-only methods (GET and HEAD) plus text-only POST for LLM probes are used during the scan.

Without a repeatable snapshot workflow, teams rely on informal checks and ad-hoc tools, which creates measurable risk exposure. Common gaps include:

• Inconsistent security posture visibility across microservices and environments.
• Delayed detection of authentication misconfigurations such as JWT alg=none or missing claims validation.
• Over-exposure of internal fields and mass-assignment surfaces due to missing property authorization reviews.
• Unnoticed sensitive data leakage like API keys, PII patterns, and error stack traces in responses.
• Inadequate monitoring for rate-limit headers, oversized responses, and SSRF-prone URL parameters.

These gaps increase the likelihood of control failures against mapped requirements in PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).

A practical workflow integrates the scanner into existing validation and CI/CD gates while respecting read-only constraints. The steps are:

1. Authorize the domain via DNS TXT record or an HTTP well-known file so only the domain owner can submit credentials.
2. Run a baseline scan using the CLI with middlebrick scan https://api.example.com and review the letter grade and prioritized findings.
3. For authenticated coverage, provide Bearer tokens, API keys, Basic auth, or cookies through the dashboard or CLI headers allowlist (Authorization, X-API-Key, Cookie, X-Custom-*).
4. Track score trends over time, export branded compliance PDFs, and configure email alerts for significant score drift.
5. Fail CI/CD pipelines automatically when the score drops below your defined threshold using the GitHub Action.

Continuous monitoring in Pro tier reschedules scans on a defined cadence and delivers diffs between runs to highlight new findings or resolved issues.

middleBrick maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection capabilities include:

• Authentication bypass attempts and JWT misconfigurations such as alg=none, weak keying, expired tokens, and missing claims.
• BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing.
• BFLA and privilege escalation checks through admin endpoint probing and role/permission field leakage.
• Property authorization issues like over-exposure, internal field leakage, and mass-assignment surface.
• Input validation checks for CORS wildcard usage, dangerous HTTP methods, and debug endpoints.
• Rate-limiting visibility, oversized response detection, and handling of unpaginated arrays.
• Data exposure patterns including email, Luhn-validated card numbers, context-aware SSN-like values, and API key formats (AWS, Stripe, GitHub, Slack).
• Encryption signals such as HTTPS redirects, HSTS, cookie flags, and mixed content issues.
• SSRFi indicators like URL-accepting parameters, internal IP probes, and active bypass checks.
• Inventory signals including missing versioning, legacy paths, and server fingerprinting.
• Unsafe consumption surfaces from excessive third-party URLs and webhook/callback endpoints.
• LLM/AI security probes spanning system prompt extraction, instruction override, jailbreaks, data exfiltration attempts, token smuggling, and multi-turn manipulation across tiered scan depths.

OpenAPI 3.0, 3.1, and Swagger 2.0 files are parsed with recursive $ref resolution, and spec definitions are cross-referenced against runtime findings to identify undefined security schemes, deprecated operations, and missing pagination.

The scanner is a detection-only tool and does not fix, patch, block, or remediate issues. It does not execute active SQL injection or command injection payloads, and it does not detect business logic vulnerabilities or blind SSRF that require out-of-band infrastructure. It is not a replacement for a human pentester in high-stakes audit scenarios.

Sensitive scan data is deletable on demand and purged within 30 days of cancellation. Customer data is never sold or used for model training, and the platform maintains a strict read-only safety posture with private IP, localhost, and cloud metadata endpoint blocking at multiple layers.