When pentest results need remediation

What middleBrick covers

  • Prioritizes findings with a letter risk score and mapped framework references
  • Runs black-box scans in under a minute with no agents or SDK
  • Supports authenticated scans with header allowlist and domain verification
  • Detects 12 OWASP API Top 10 categories including LLM security probes
  • Provides OpenAPI spec parsing and runtime spec-to-run comparison
  • Integrates with dashboards, CLI, GitHub Actions, and MCP servers

From pentest to prioritized findings

When a pentest completes, the hardest work is deciding what to fix first. Give the scanner a URL that represents the API surface and it returns a risk score from A to F with a short list of prioritized findings. Each finding includes the relevant OWASP API Top 10 category, a brief description, and a reference to the specific control in the framework that is affected. This mapping lets you align remediation with compliance evidence without waiting for an auditor to interpret raw notes.

Authenticated scanning workflow

If your API requires access tokens, add credentials in the dashboard or CLI and the scanner validates domain ownership through a DNS TXT record or a well-known HTTP file before sending requests. Only specific headers are forwarded: Authorization, X-API-Key, Cookie, and X-Custom-*. All methods remain read-only, and destructive payloads are never used. The scan typically finishes in under a minute, making it practical to run on every major change to the API.

Coverage aligned to compliance frameworks

The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It ties issues it detects, such as broken authentication, excessive data exposure, and missing authorization checks, to the requirements of those standards. For other regulations, the tool helps you prepare for audits by surfacing findings relevant to controls described in frameworks like HIPAA, GDPR, ISO 27001, NIST, CCPA, and similar standards, but it does not certify compliance.

Remediation guidance and developer context

Findings include concrete remediation steps tailored to the detected issue. For example, if the scanner identifies JWT alg=none acceptance, it recommends validating the signature algorithm and verifying exp and iss claims. If excessive properties are exposed, guidance focuses on tightening serialization rules and applying field-level permissions. Use these instructions to hand off work to developers with minimal back-and-forth.
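The JWT remediation above, worked through as an added example that is not middleBrick's code: a verifier that pins the expected algorithm (so an alg=none header is rejected rather than trusted), checks the HMAC signature in constant time, and enforces the exp and iss claims. The shared secret and issuer URL are constructed values for the example; the make_token helper only exists to produce test inputs.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"example-shared-secret"          # constructed; real keys come from config
EXPECTED_ISS = "https://issuer.example"    # assumed issuer the service trusts
EXPECTED_ALG = "HS256"                     # the one algorithm this service accepts


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, alg: str = "HS256") -> str:
    """Build a signed HS256 token, or an unsigned alg=none token as a test input."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."            # empty signature segment
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Hardened check: pinned algorithm, signature, then exp and iss claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Never let the token choose its own algorithm; alg=none fails here.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or missing exp")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    return claims
```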

Integrations that fit into existing workflows

Use the CLI to trigger scans from any terminal with middlebrick scan <url> and receive JSON or text output that can be parsed by scripts. The GitHub Action fails the build when the score drops below a configurable threshold, blocking merges until critical issues are addressed. The MCP server enables scanning from AI coding assistants, while the web dashboard tracks score trends and generates branded compliance PDFs for reporting.

Limitations and next steps after scanning

Understand what the scanner does not detect so you can plan follow-up work. It does not perform active SQL injection or command injection testing, does not find blind SSRF without out-of-band infrastructure, and does not identify business logic flaws that require domain knowledge. It also does not replace a human pentester for high-stakes audits. Treat the output as a prioritized starting point for remediation and schedule deeper manual reviews for high-risk APIs.

Frequently Asked Questions

How does authenticated scanning work?
You provide credentials or a domain verification record. The scanner validates ownership, then sends only read-only requests using allowed headers, returning findings without modifying data.
Can I integrate scanning into CI/CD?
Yes. The GitHub Action fails the build when the score drops below your chosen threshold, and the CLI can be used in any pipeline to produce JSON output for downstream tools.
What compliance mappings are provided?
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks the tool supports audit evidence collection and aligns with described security controls.
How often should I rescan my APIs?
Run scans on every significant change, and use scheduled monitoring in Pro tiers with 6-hour, daily, weekly, or monthly intervals to track score drift and new findings.