New region launch API security check
What middleBrick covers
- Black-box API scanning with risk scores A–F in under a minute
- Detects authentication bypass and JWT misconfigurations
- Identifies BOLA, BFLA, and Property Authorization issues
- Covers OWASP API Top 10 and maps to PCI-DSS and SOC 2
- Supports authenticated scans with domain verification
- Provides continuous monitoring and webhook alerts
Pre-launch security validation for new regions
Before you expose an API in a new region, validate that baseline protections are in place. middleBrick provides a black-box scan that requires no agents or code access. Submit the regional endpoint URL and receive a risk score from A to F along with prioritized findings within a minute. The scan uses read-only methods, including GET and HEAD, plus text-only POST for LLM probes, ensuring no destructive payloads are sent.
Coverage aligned to industry standards
The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It detects issues across 12 categories, including Authentication, BOLA and BFLA, Property Authorization, Input Validation, Rate Limiting, Data Exposure, Encryption, SSRF, Inventory Management, Unsafe Consumption, and LLM / AI Security. Detection of CORS misconfigurations, dangerous HTTP methods, debug endpoints, and sensitive data leakage helps surface findings relevant to audit evidence for these frameworks.
For LLM security, the scanner runs 18 adversarial probes across Quick, Standard, and Deep tiers, targeting system prompt extraction, instruction override, jailbreak attempts, data exfiltration patterns, and token smuggling. These capabilities support audit evidence collection and align with security controls described in relevant standards without claiming certification.
Authenticated scanning and domain verification
For endpoints that require authentication, use the Starter tier and above to send Bearer tokens, API keys, Basic auth, or cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a restricted allowlist of headers, including Authorization, X-API-Key, Cookie, and X-Custom-* headers, limiting exposure during testing.
OpenAPI 3.0, 3.1, and Swagger 2.0 specs are parsed with recursive $ref resolution. The tool cross-references the spec against runtime behavior, highlighting undefined security schemes, sensitive fields, deprecated operations, and missing pagination to reduce risk before public launch.
Continuous monitoring and alerting
With the Pro tier, enable scheduled rescans every 6 hours, daily, weekly, or monthly to track score trends across new regions. Diff detection highlights new findings, resolved findings, and score drift between scans. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks can notify external systems, auto-disabling after five consecutive delivery failures to prevent notification storms.
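The receiving side of a signed webhook, as an added example that is not middleBrick's own code: the handler recomputes the HMAC-SHA256 over the raw request body with the shared secret and compares it in constant time before parsing the payload. The header name X-Signature, the "sha256=<hex>" encoding, and the sample payload are assumptions made for illustration; the vendor's documentation defines the real format.

```python
import hashlib
import hmac
import json

# ASSUMPTION: header name and "sha256=<hex>" encoding are illustrative, not vendor-specified.
SIG_HEADER = "X-Signature"


def sign(secret: bytes, body: bytes) -> str:
    """Signature the sender attaches: HMAC-SHA256 over the raw body, hex encoded."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, headers: dict) -> bool:
    """Recompute the MAC over the exact bytes received and compare in constant time.

    compare_digest avoids leaking how many leading bytes matched through timing.
    """
    presented = headers.get(SIG_HEADER, "")
    if not presented.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), presented)


def handle_webhook(secret: bytes, body: bytes, headers: dict):
    """Return the parsed notification, or None when the delivery is unsigned or tampered."""
    if not verify(secret, body, headers):
        return None
    return json.loads(body)


# Constructed sample delivery: a rescan notification reporting score drift (B -> C).
SECRET = b"webhook-secret-placeholder"  # placeholder, not a real secret
SAMPLE_BODY = json.dumps(
    {"api": "https://api-us.example.com", "score": "C", "previous": "B"}
).encode()
SAMPLE_HEADERS = {SIG_HEADER: sign(SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_webhook(SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    # Altering one byte of the body invalidates the signature, so the handler drops it.
    tampered = SAMPLE_BODY.replace(b'"C"', b'"A"')
    print(handle_webhook(SECRET, tampered, SAMPLE_HEADERS))
```

Verify over the raw bytes, not over a re-serialized JSON object, since any whitespace or key-order change would produce a different MAC.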
All scan data is deletable on demand and purged within 30 days of cancellation. Customer data is never sold and is not used for model training, which supports privacy controls aligned with your internal governance policies.
Remediation guidance and integration options
middleBrick does not fix, patch, block, or remediate. It detects and reports with actionable remediation guidance to help your team address issues. You can integrate scanning into your workflow via the Web Dashboard for report review and score trends, the CLI with JSON or text output, the GitHub Action to gate CI/CD builds, or the MCP Server for use with AI coding assistants.
Example CLI usage:
middlebrick scan https://api-us.example.com
Example GitHub Action snippet:
- uses: middlebrick/action@v1
  with:
    url: ${{ secrets.API_URL }}
    threshold: C