Post-pentest remediation verification

Post-pentest verification is the process of confirming that identified findings are resolved and that the overall security posture of an API has improved after remediation work. It is a repeatable assessment that reruns targeted checks against the live API to validate fixes, detect regressions, and produce evidence for audit trails. Teams use this process after a manual or automated penetration test to close the loop on reported issues.

Skipping verification creates a false sense of security. Teams assume a fix is effective without confirming that the behavior change is reflected in production, leading to lingering authentication bypasses, exposed sensitive data, or unstable rate-limiting controls. Without repeat scans, the same vulnerability class can reappear in later releases, increasing technical debt and audit friction.

Common errors include relying only on ticket closure, running ad hoc manual checks without coverage, and failing to track score drift over time. These gaps leave OWASP API Top 10 issues such as broken object level authorization and sensitive data exposure unchecked, complicating future SOC 2 Type II or PCI-DSS 4.0 audit evidence collection.

A robust workflow starts with a baseline scan that produces a risk score and prioritized findings. After remediation, teams rerun scans on the same environment and compare results. A useful workflow includes these steps:

1. Record the initial scan ID, score, and finding list.
2. Apply fixes and confirm functionality with standard tests.
3. Run a focused scan that covers the changed endpoints and security-sensitive categories.
4. Map new results to the original findings to confirm resolution.
5. Store scan artifacts to support SOC 2 Type II or PCI-DSS 4.0 audit evidence.
6. Enable scheduled rescans to detect regressions early.

Automating parts of this flow reduces manual overhead and increases consistency across services.

middleBrick is a self-service API security scanner designed for post-pentest verification. You submit a URL and receive a risk score from A to F with prioritized findings aligned to OWASP API Top 10 (2023). The scanner performs read-only checks using GET and HEAD methods, supports text-only POST for LLM probes, and completes a scan in under a minute.

It parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution and cross-references spec definitions against runtime behavior. Key verification capabilities include authentication checks, BOLA and BFLA detection, input validation, rate limiting analysis, data exposure discovery, and LLM-specific adversarial probes across multiple scan tiers. The platform provides a web dashboard for managing scans, a CLI for scripting workflows, and a GitHub Action for CI/CD gates that can fail builds when scores drop below a defined threshold.

For continuous verification, Pro tier subscriptions offer scheduled rescans, diff detection across runs, email alerts, HMAC-SHA256 signed webhooks, and compliance reports that help you prepare for SOC 2 Type II and PCI-DSS 4.0 reviews. The system does not perform intrusive exploitation; it surfaces findings and remediation guidance so your team can validate fixes with appropriate context.

middleBrick operates with a strict safety posture. It only uses read-only methods, blocks private and localhost addresses, and never sends destructive payloads. Customer data can be deleted on demand and is purged within 30 days of cancellation. The tool surfaces findings relevant to regulatory frameworks such as SOC 2 Type II and PCI-DSS 4.0, but it is not an auditor and cannot certify compliance.

Limitations include no active SQL injection or command injection testing, no detection of business logic vulnerabilities that require domain understanding, and no blind SSRF detection relying on out-of-band infrastructure. It does not replace a human pentester for high-stakes audits but provides a scalable layer of verification to keep API security posture measurable and transparent.