M&A due diligence audit

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Completes full assessment in under a minute
  • Maps findings to OWASP API Top 10, PCI-DSS, SOC 2
  • Supports authenticated scans with strict header allowlist
  • Provides diff-based monitoring across scan series
  • Exports structured results for integration and reporting

What an M&A due diligence audit entails

During a merger or acquisition, API security becomes a shared responsibility across seller, buyer, and their respective technology stacks. An M&A due diligence audit inventories the target's public and partner APIs, evaluates their authentication and authorization designs, and checks for data exposures that would persist once the two estates are integrated. The goal is to surface findings that materially affect integration risk, ongoing maintenance cost, and regulatory reporting obligations before contracts are signed.

Common gaps when due diligence is skipped

Teams that forgo structured API security review during M&A expose the combined organization to immediate and long-term risk. Inconsistent authentication mechanisms between acquired and acquirer services enable lateral movement: an attacker who compromises the weaker side inherits a path into the stronger one. Hidden data exposures, such as PII in error responses or API keys embedded in repositories, can violate data residency or privacy commitments. Unknown privilege escalation paths and IDOR endpoints may allow lower-privileged accounts to reach sensitive records after integration, complicating incident response and increasing audit findings.

A practical due diligence workflow

A repeatable workflow starts with inventory discovery, followed by risk scoring and prioritization, then evidence-backed validation and remediation tracking. Begin with public endpoint reconnaissance using read-only HTTP methods to build an inventory and initial risk scores without changing state on the target. For systems that require authenticated context, first verify domain ownership through a DNS TXT record or an HTTP well-known file, then submit scoped credentials with a tight header allowlist so that only the intended credential headers are ever forwarded. Run iterative scans to track changes between stages, and export structured findings for integration into legal, engineering, and compliance review artifacts.
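The two trust-establishing steps of that workflow, proving domain ownership before any credential is accepted and filtering the credential headers against an allowlist, are shown below as an added example. This is not middleBrick's own code; the TXT record name (_middlebrick.<domain>), the well-known path (/.well-known/middlebrick-verify.txt), the token format, and the DNS and HTTP fixtures are all constructed assumptions, and the lookups are injected as callables so the example runs offline.

```python
"""Credential scoping for an authenticated due-diligence scan (added example).

Assumptions, not vendor facts: the verification record name, the well-known
path, the "middlebrick-verify=<token>" format, and the fixture data below.
"""
import hmac

# Header allowlist as described on the page: three exact names plus X-Custom-*.
ALLOWED_EXACT = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)

# Methods used in the unauthenticated reconnaissance phase (no state change).
READ_ONLY_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

TXT_NAME = "_middlebrick.{domain}"                                   # assumed
WELL_KNOWN = "https://{domain}/.well-known/middlebrick-verify.txt"  # assumed


def filter_headers(headers):
    """Split caller-supplied headers into (forwarded, dropped).

    Matching is case-insensitive because HTTP header names are; anything not
    on the allowlist (Host, X-Forwarded-For, tracing headers, ...) is dropped
    rather than forwarded to the target.
    """
    forwarded, dropped = {}, []
    for name, value in headers.items():
        lname = name.lower()
        if lname in ALLOWED_EXACT or lname.startswith(ALLOWED_PREFIXES):
            forwarded[name] = value
        else:
            dropped.append(name)
    return forwarded, dropped


def verify_domain(domain, token, txt_lookup, http_get):
    """Return "dns-txt" or "well-known" if the domain presents the token, else None.

    txt_lookup(name) -> list of TXT strings; http_get(url) -> body or None.
    Comparisons are constant-time so a timing side channel cannot leak the token.
    """
    expected = f"middlebrick-verify={token}".encode()
    for rr in txt_lookup(TXT_NAME.format(domain=domain)):
        if hmac.compare_digest(rr.encode(), expected):
            return "dns-txt"
    body = http_get(WELL_KNOWN.format(domain=domain))
    if body is not None and hmac.compare_digest(body.strip().encode(), expected):
        return "well-known"
    return None


def scope_credentials(domain, token, headers, txt_lookup, http_get):
    """Build the scan scope; refuse outright if ownership is not proven."""
    method = verify_domain(domain, token, txt_lookup, http_get)
    if method is None:
        raise PermissionError(f"{domain}: ownership not proven; credentials withheld")
    forwarded, dropped = filter_headers(headers)
    return {
        "domain": domain,
        "verified_by": method,
        "methods": sorted(READ_ONLY_METHODS),
        "headers": forwarded,
        "dropped": dropped,
    }


# Constructed fixtures standing in for real DNS answers and HTTP responses.
TOKEN = "c0ffee42"  # in practice issued by the scanner, one per domain
FAKE_TXT = {"_middlebrick.api.example.com": ["unrelated-record",
                                             f"middlebrick-verify={TOKEN}"]}
FAKE_HTTP = {"https://partner.example.net/.well-known/middlebrick-verify.txt":
             f"middlebrick-verify={TOKEN}\n"}


def fake_txt_lookup(name):
    return FAKE_TXT.get(name, [])


def fake_http_get(url):
    return FAKE_HTTP.get(url)


if __name__ == "__main__":
    scope = scope_credentials(
        "api.example.com", TOKEN,
        {"Authorization": "Bearer t", "X-Forwarded-For": "10.0.0.5",
         "X-Custom-Tenant": "acme", "Cookie": "session=abc"},
        fake_txt_lookup, fake_http_get)
    print(scope)
```

The order matters: ownership is checked before the allowlist is even consulted, so a request for an unverified domain never reaches the point where a credential could be forwarded. In a real deployment the two fake lookups would be replaced by a DNS resolver and an HTTPS client with certificate validation.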

middlebrick scan https://api.example.com --output json

What middleBrick covers out of the box

middleBrick operates as a black-box scanner, requiring no agents or code access, and completes a full assessment in under a minute. It maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II control frameworks to support audit evidence collection. Detection categories include authentication bypass, IDOR, privilege escalation, exposure of PII and API-key-formatted secrets, SSRF indicators, unsafe consumption surfaces, LLM/AI adversarial probes, and encryption hygiene. The scanner uses only read-only methods, refuses to target private-network and cloud instance-metadata addresses, and keeps results in a deletable data store with configurable retention.

Authenticated scanning and compliance evidence

With Starter tier or higher, you can add Bearer tokens, API keys, Basic auth, and cookies to validate authenticated flows. Domain verification ensures only the domain owner can scan with credentials, and a strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-* values. For ongoing governance, Pro tier scheduled rescans produce diffs that highlight new findings, resolved issues, and score drift, with HMAC-SHA256 signed webhooks and email alerts to support continuous monitoring requirements.
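What a consumer of those scheduled rescans has to do is shown below as an added example, not middleBrick's code: verify the HMAC-SHA256 signature on the raw webhook body before parsing it, reject stale deliveries, and then diff the delivered scan against the previous one to produce the new, resolved, and score-drift view the page describes. The header names (X-Signature-256, X-Timestamp), the "sha256=<hex>" format, the signed string (timestamp, a dot, then the body), and the payload schema (a score plus findings with category, method and path) are assumptions for the example; both scan payloads are constructed.

```python
"""Signed-webhook verification and scan-series diff (added example).

Assumed, not vendor facts: header names, signature format, what is signed,
and the payload schema. Check the vendor documentation for the real ones.
"""
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Signature-256"  # assumed name
TIMESTAMP_HEADER = "X-Timestamp"      # assumed name
MAX_SKEW = 300                        # seconds; bounds replay of a captured delivery


def sign(secret, timestamp, body):
    """Signature the sender is assumed to attach: HMAC-SHA256 over ts + "." + raw body."""
    mac = hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()
    return f"sha256={mac}"


def verify_webhook(secret, headers, body, now=None):
    """True only if the signature matches the raw bytes and the timestamp is fresh.

    Must run on the raw body, before json.loads: re-serialising the parsed
    object can change whitespace or key order and break the MAC.
    """
    now = time.time() if now is None else now
    ts = headers.get(TIMESTAMP_HEADER, "")
    sig = headers.get(SIGNATURE_HEADER, "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW:
        return False
    if not sig.isascii():
        return False
    return hmac.compare_digest(sig, sign(secret, ts, body))


def finding_key(f):
    """Identity that is stable across scans: what was found and where.

    Severity text and descriptions may be reworded between runs, so they are
    deliberately left out of the key.
    """
    return f"{f['category']} {f['method']} {f['path']}"


def diff_scans(previous, current):
    prev = {finding_key(f): f for f in previous["findings"]}
    cur = {finding_key(f): f for f in current["findings"]}
    return {
        "new": sorted(k for k in cur if k not in prev),
        "resolved": sorted(k for k in prev if k not in cur),
        "unchanged": sorted(k for k in cur if k in prev),
        "score_drift": current["score"] - previous["score"],
    }


def handle_webhook(secret, headers, body, previous_scan, now=None):
    """Reject unauthenticated deliveries; otherwise return the diff against the last scan."""
    if not verify_webhook(secret, headers, body, now):
        raise PermissionError("webhook rejected: bad signature or stale timestamp")
    return diff_scans(previous_scan, json.loads(body))


# Constructed scan payloads (OWASP API Top 10 2023 category labels).
PREVIOUS = {"score": 72, "findings": [
    {"category": "API1:2023 BOLA", "method": "GET", "path": "/v1/invoices/{id}", "severity": "high"},
    {"category": "API3:2023 BOPLA", "method": "GET", "path": "/v1/users/me", "severity": "medium"},
]}
CURRENT = {"score": 65, "findings": [
    {"category": "API1:2023 BOLA", "method": "GET", "path": "/v1/invoices/{id}", "severity": "high"},
    {"category": "API7:2023 SSRF", "method": "GET", "path": "/v1/fetch", "severity": "high"},
]}

# Constructed delivery: the body bytes exactly as the sender would put them on the wire.
SECRET = b"whsec_constructed_example_secret"
TS = "1700000000"
BODY = json.dumps(CURRENT, separators=(",", ":"), sort_keys=True).encode()
HEADERS = {TIMESTAMP_HEADER: TS, SIGNATURE_HEADER: sign(SECRET, TS, BODY)}

if __name__ == "__main__":
    print(handle_webhook(SECRET, HEADERS, BODY, PREVIOUS, now=1700000100))
```

The diff keys on category, method and path rather than on a scanner-assigned identifier, so it survives a re-scan that renumbers findings; if the vendor export carries a stable finding id, key on that instead. Score drift is reported as a signed number so a gate can fail on any drop below an agreed threshold.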

Output formats and integration options

Results are available through the web dashboard, CLI, and programmable API. The dashboard centralizes scan history, score trends, and downloadable compliance PDFs. The CLI supports JSON and text output for scripting, while the GitHub Action can gate CI/CD pipelines based on score thresholds. An MCP server enables scanning from AI coding assistants, and the REST API allows custom integrations with ticketing or governance platforms.

npx middlebrick@latest scan https://api.example.com --output json

Frequently Asked Questions

Does the scanner perform intrusive tests like SQL injection?
No. The scanner uses only read-only HTTP methods and never sends destructive or state-changing payloads.
Can it detect business logic vulnerabilities specific to M&A integration?
It surfaces findings aligned to OWASP API Top 10 and provides remediation guidance, but business logic risks require domain expertise to validate.
How are scan findings mapped to compliance frameworks?
Findings map directly to OWASP API Top 10, with alignment to PCI-DSS 4.0 and SOC 2 Type II control descriptions.
What happens to scan data after account cancellation?
Customer data is deletable on demand and purged within 30 days of cancellation; it is not sold or used for model training.