Pentest scoping preparation
What middleBrick covers
- Read-only scanning (GET and HEAD) that completes in under a minute
- LLM adversarial probes across Quick, Standard, and Deep tiers
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scans with Bearer, API key, Basic, and Cookie
- Domain verification gate for credentialed scans
- Continuous monitoring diffs and HMAC-SHA256 webhooks
What is pentest scoping preparation
Pentest scoping preparation defines the boundaries, rules of engagement, and success criteria before testing begins. It documents the APIs in scope, testing methods allowed, data handling rules, and remediation expectations. A clear scope aligns the security team, developers, and leadership on what will be tested and what will not.
What teams get wrong when skipping scoping
Teams that skip scoping preparation risk testing out-of-scope systems, causing operational disruption or compliance issues. Without explicit boundaries, reports may flood stakeholders with low-risk findings and false positives while critical issues in unlisted or unprotected endpoints go untested. Ambiguous rules of engagement also complicate retesting and remediation tracking.
A practical scoping workflow
Start by listing all API entry points, including public, partner, and administrative interfaces. Record authentication mechanisms, data sensitivity levels, and third-party dependencies. Agree on testing windows, allowed methods, and prohibited actions such as destructive payloads. Store the scope in version control and reference it in test plans, CI/CD gates, and reporting templates.
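The workflow above ends with a scope document that CI/CD gates consult before a request is sent. The following is an added example (not middleBrick's own code) of such a gate: a scope document in an assumed layout, covering hosts, path prefixes, exclusions, allowed methods, prohibited payload patterns and testing windows, and a check that returns a reason for every rejection. The scope dict, hostnames and patterns are constructed for illustration; in practice the dict would be loaded from the version-controlled scope file.

```python
"""Scope gate for an API test run.

Added example, not middleBrick's own code. The scope document layout is an
assumption: in practice it lives as a YAML/JSON file in version control and
is loaded here instead of being defined inline.
"""
import posixpath
import re
from datetime import datetime, timezone
from typing import Optional, Tuple
from urllib.parse import unquote, urlparse

# Constructed sample scope document (assumed layout, not a middleBrick schema).
SCOPE = {
    "schemes": ["https"],
    "hosts": ["api.example.com", "partner.example.com"],
    "path_prefixes": ["/v1/", "/partner/"],
    "excluded_paths": ["/v1/admin/"],
    "allowed_methods": ["GET", "HEAD"],
    # Prohibited destructive payload patterns, checked in query string and body
    "prohibited_patterns": [r"(?i)\bdrop\s+table\b", r"(?i)\brm\s+-rf\b"],
    # Agreed testing windows in UTC as [start, end)
    "windows_utc": [("2024-05-01T22:00:00", "2024-05-02T04:00:00")],
}


def _utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp from the scope file as an aware UTC datetime."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def _under(path: str, prefix: str) -> bool:
    """True when a normalised path equals the prefix directory or lies below it."""
    if prefix == "/":
        return True
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def in_window(scope: dict, when: datetime) -> bool:
    """True when an aware UTC datetime falls inside an agreed testing window."""
    return any(_utc(s) <= when < _utc(e) for s, e in scope["windows_utc"])


def check_request(scope: dict, method: str, url: str, body: str = "",
                  when: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one prospective request against the scope."""
    parsed = urlparse(url)
    if parsed.scheme not in scope["schemes"]:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname or ""
    if host not in scope["hosts"]:
        return False, f"host {host!r} not in scope"
    # Decode and collapse ../ segments so traversal cannot dodge the exclusions
    path = posixpath.normpath(unquote(parsed.path) or "/")
    if any(_under(path, p) for p in scope["excluded_paths"]):
        return False, f"path {path!r} is explicitly excluded"
    if not any(_under(path, p) for p in scope["path_prefixes"]):
        return False, f"path {path!r} is outside the in-scope prefixes"
    if method.upper() not in scope["allowed_methods"]:
        return False, f"method {method.upper()} not allowed"
    probe = unquote(parsed.query) + "\n" + body
    for pat in scope["prohibited_patterns"]:
        if re.search(pat, probe):
            return False, f"payload matches prohibited pattern {pat!r}"
    if when is not None and not in_window(scope, when):
        return False, "outside the agreed testing window"
    return True, "ok"


if __name__ == "__main__":
    for m, u in [("GET", "https://api.example.com/v1/users"),
                 ("DELETE", "https://api.example.com/v1/users"),
                 ("GET", "https://api.example.com/v1/../v1/admin/keys")]:
        print(m, u, check_request(SCOPE, m, u))
```

The checks are ordered so the cheapest and most common rejections (wrong host, excluded path) fire first, and the path is normalised before the exclusion list is consulted; checking `startswith("/v1/")` on the raw path would let `/v1/../v1/admin/keys` through.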
What middleBrick covers out of the box
middleBrick scans URLs using read-only methods (GET and HEAD) and text-only POST for LLM probes, completing scans in under a minute. It maps findings to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II controls, providing prioritized remediation guidance. The scanner validates authentication schemes, detects sensitive data exposure, enforces scope boundaries via domain verification, and integrates with dashboards, CLI, CI/CD gates, and MCP servers.
Authentication and scope enforcement
Authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification requires a DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. Allowed headers are limited to Authorization, X-API-Key, Cookie, and X-Custom-* to minimize exposure.
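The verification gate and the header allowlist described above, as an added example that is not middleBrick's own code. The TXT record name, the well-known path and the record prefix are assumptions about the proof format; the DNS and HTTP lookups are injected callables so the gate runs offline against constructed records, with a real resolver and HTTP client substituted in production.

```python
"""Domain verification gate for credentialed scans, with the header allowlist.

Added example, not middleBrick's own code. The TXT record name, the well-known
path and the token format are assumptions; DNS and HTTP lookups are injected
so the check runs offline against constructed records.
"""
import fnmatch
import hmac
from typing import Callable, List, Optional, Tuple

ALLOWED_HEADERS = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")
TXT_NAME = "_scan-verify.{domain}"            # assumed record name
WELL_KNOWN_PATH = "/.well-known/scan-verify"  # assumed path
TXT_PREFIX = "scan-verify="                   # assumed record prefix

TxtLookup = Callable[[str], List[str]]
HttpFetch = Callable[[str], Optional[str]]


def header_allowed(name: str) -> bool:
    """Case-insensitive match against the allowlist; X-Custom-* is a glob."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in ALLOWED_HEADERS)


def _token_matches(candidate: str, token: str) -> bool:
    """Constant-time comparison so the check cannot leak the token byte by byte."""
    return hmac.compare_digest(candidate.strip().encode(), token.encode())


def domain_verified(domain: str, token: str, txt_lookup: TxtLookup,
                    http_fetch: HttpFetch) -> bool:
    """Accept a DNS TXT proof first, then fall back to the well-known file."""
    for record in txt_lookup(TXT_NAME.format(domain=domain)):
        if record.startswith(TXT_PREFIX) and _token_matches(record[len(TXT_PREFIX):], token):
            return True
    body = http_fetch(f"https://{domain}{WELL_KNOWN_PATH}")
    return body is not None and _token_matches(body, token)


def credentialed_scan_allowed(domain: str, headers: dict, token: str,
                              txt_lookup: TxtLookup, http_fetch: HttpFetch) -> Tuple[bool, str]:
    """Gate: every credential header must be allowlisted and the domain proven."""
    rejected = sorted(h for h in headers if not header_allowed(h))
    if rejected:
        return False, f"headers not permitted for credentialed scans: {rejected}"
    if not domain_verified(domain, token, txt_lookup, http_fetch):
        return False, f"{domain} has no valid verification record"
    return True, "ok"


# Constructed records standing in for real DNS answers and HTTP responses.
TOKEN = "c0ffee-constructed-token"
FAKE_TXT = {"_scan-verify.api.example.com": ["other=value", TXT_PREFIX + TOKEN]}
FAKE_HTTP = {"https://web.example.com" + WELL_KNOWN_PATH: TOKEN + "\n"}


def fake_txt_lookup(name: str) -> List[str]:
    """Stand-in for a DNS resolver: returns the constructed TXT records."""
    return FAKE_TXT.get(name, [])


def fake_http_fetch(url: str) -> Optional[str]:
    """Stand-in for an HTTP client: returns the constructed well-known body."""
    return FAKE_HTTP.get(url)


if __name__ == "__main__":
    for d in ("api.example.com", "web.example.com", "other.example.com"):
        print(d, credentialed_scan_allowed(d, {"Authorization": "Bearer x"}, TOKEN,
                                           fake_txt_lookup, fake_http_fetch))
```

The header check runs before any network lookup so a request carrying a header outside the allowlist is refused without the scanner ever reaching for the domain, and the token comparison is constant-time because the token is the only secret standing between an attacker and a credentialed scan of someone else's domain.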
curl -X GET "https://api.example.com/endpoint" \
  -H "Authorization: Bearer $BEARER_TOKEN" \
  -H "X-API-Key: $API_KEY"
Continuous monitoring and reporting
Pro tier scheduled rescans run every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved items, and score drift. Alerts are rate-limited to one email per hour per API. HMAC-SHA256 signed webhooks deliver findings to ticketing systems, with auto-disable after five consecutive failures to reduce noise.
Example findings payload:
{
"api_url": "https://api.example.com",
"score": "B",
"findings": [
{"id": "BOLA-001", "title": "Sequential ID enumeration", "severity": "high"}
]
}
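The receiving side of the webhook mechanism above, as an added example that is not middleBrick's own code: constant-time verification of an HMAC-SHA256 signature over the raw body, the sender-side bookkeeping that disables a destination after five consecutive failures, and a diff of two payloads in the format shown above into new findings, resolved findings and score drift. The signature header name, hex encoding and the choice to sign the raw request body are assumptions about the format; the shared secret and the second payload are constructed.

```python
"""Webhook consumer side: HMAC-SHA256 signature check, auto-disable bookkeeping
and finding diffs between two scan payloads.

Added example, not middleBrick's own code. The signature header name, the hex
encoding and signing the raw request body are assumptions about the format.
"""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Signature-256"  # assumed header name


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body, as the sender would compute it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, headers: dict) -> bool:
    """Constant-time check; a missing or malformed header fails closed."""
    presented = str(headers.get(SIGNATURE_HEADER, ""))
    return hmac.compare_digest(sign(secret, body).encode(), presented.encode())


class DeliveryTracker:
    """Sender-side state: disable a destination after N consecutive failures.

    A successful delivery resets the counter, so only an unbroken run of
    failures disables the webhook.
    """

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.consecutive_failures = 0
        self.enabled = True

    def record(self, delivered: bool) -> bool:
        """Record one delivery attempt; return whether the webhook stays enabled."""
        if delivered:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.max_failures:
                self.enabled = False
        return self.enabled


def diff_findings(previous: dict, current: dict) -> dict:
    """New and resolved finding ids plus score drift between two payloads."""
    prev_ids = {f["id"] for f in previous["findings"]}
    cur_ids = {f["id"] for f in current["findings"]}
    return {
        "new": sorted(cur_ids - prev_ids),
        "resolved": sorted(prev_ids - cur_ids),
        "score_drift": None if previous["score"] == current["score"]
        else (previous["score"], current["score"]),
    }


# Constructed sample payloads in the page's format; the secret is made up.
SECRET = b"constructed-shared-secret"
PREVIOUS = {"api_url": "https://api.example.com", "score": "B", "findings": [
    {"id": "BOLA-001", "title": "Sequential ID enumeration", "severity": "high"}]}
CURRENT = {"api_url": "https://api.example.com", "score": "C", "findings": [
    {"id": "BOLA-001", "title": "Sequential ID enumeration", "severity": "high"},
    {"id": "EXAMPLE-002", "title": "Constructed second finding", "severity": "medium"}]}


def demo() -> dict:
    """Sign CURRENT as the sender, verify it as the receiver, then diff it."""
    body = json.dumps(CURRENT, separators=(",", ":")).encode()
    headers = {SIGNATURE_HEADER: sign(SECRET, body)}
    assert verify(SECRET, body, headers)
    assert not verify(SECRET, body + b" ", headers)  # any byte change breaks it
    return diff_findings(PREVIOUS, json.loads(body))


if __name__ == "__main__":
    print(demo())
```

Verify the signature over the exact bytes received, before parsing; re-serialising the JSON and signing that is the classic mistake, since key order and whitespace differences then make valid deliveries fail.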