Pre-acquisition due diligence

What middleBrick covers

  • Risk scoring A–F mapped to OWASP API Top 10, PCI-DSS 4.0, SOC 2 Type II
  • Black-box scanning with read-only methods, completing in under one minute
  • Authentication support for Bearer, API key, Basic auth, and Cookie
  • OpenAPI 3.0, 3.1, and Swagger 2.0 parsing with $ref resolution
  • LLM adversarial probes across Quick, Standard, and Deep tiers
  • Continuous monitoring with diff detection and email/webhook alerts

What pre-acquisition due diligence means for API security

Pre-acquisition due diligence for APIs is a focused assessment you perform before integrating or acquiring a service. The goal is to verify that authentication, authorization, data exposure, and input handling meet baseline security standards. You map findings to controls defined in OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II to support audit evidence and risk decisions. The process is intentionally limited to black-box techniques that do not modify systems or data.

Common gaps when skipping structured API due diligence

Teams that skip structured due diligence often miss misconfigured authentication that allows token bypass or algorithm confusion, such as JWT alg=none or weak secret usage. Sensitive data exposure is common, including PII, API keys in source or error messages, and credit card numbers that fail Luhn validation but are still accepted. Without checks for BOLA, BFLA, and over-exposed properties, you risk inheriting endpoints that escalate privileges or leak internal fields, increasing operational and regulatory risk.
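Two of the gaps above can be checked mechanically on the defender's side: whether a response body carries card-number-like values (and whether they even pass Luhn), and whether a token the API issues advertises no signature (alg=none). The script below is an added illustration, not middleBrick's code; the response body, the tokens and the demo secret are constructed here, and the finding wording is my own.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample API response body (not captured from any real system).
SAMPLE_RESPONSE = json.dumps({
    "user": {"id": 42, "email": "jane@example.com"},
    "payment": {"card": "4111 1111 1111 1111", "order_ref": "1234 5678 9012 3456"},
    "debug": {"stack": "at handler.js:12"},
})

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_response_for_cards(text: str) -> list[tuple[str, bool]]:
    """Flag card-number-like sequences in a response body.

    Each hit is (raw match, luhn_valid). A Luhn-valid hit is a likely real PAN
    leaking in the response; a Luhn-invalid hit shows the service stored or
    emitted a malformed number without validating it.
    """
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        hits.append((m.group(0), luhn_valid(digits)))
    return hits


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header_issues(token: str) -> list[str]:
    """Report header-level weaknesses in a token the API issued."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWS compact serialization"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return ["header is not base64url-encoded JSON"]
    issues = []
    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        issues.append("alg=none: token carries no signature to verify")
    if parts[2] == "":
        issues.append("empty signature segment")
    return issues


# Constructed tokens for the demo: one unsigned, one HMAC-SHA256 signed with a demo secret.
UNSIGNED_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "42", "role": "admin"}).encode()),
    "",
])


def _hs256_token(payload: dict, secret: bytes) -> str:
    signing_input = ".".join([
        _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
        _b64url(json.dumps(payload).encode()),
    ])
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


SIGNED_TOKEN = _hs256_token({"sub": "42", "role": "user"}, b"constructed-demo-secret")


if __name__ == "__main__":
    for raw, ok in scan_response_for_cards(SAMPLE_RESPONSE):
        print(f"card-like value {raw!r}: {'Luhn-valid' if ok else 'fails Luhn'}")
    print("unsigned token:", jwt_header_issues(UNSIGNED_TOKEN))
    print("signed token:", jwt_header_issues(SIGNED_TOKEN))
```

The header check only tells you what the token claims; the mitigation on the verifying side is to pin the accepted algorithms in the JWT library configuration rather than trusting the `alg` field, and the mitigation for the card-number hits is to stop returning PANs at all rather than to mask them after the fact.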

A practical due diligence workflow

A repeatable workflow starts with inventory: collect API entrypoints, version patterns, and authentication mechanisms. Run a black-box scan limited to read-only methods (GET, HEAD) and text-only POST for LLM probes, completing in under a minute per endpoint. Review the prioritized risk score and findings, then validate detected issues manually or with targeted tests. For authenticated coverage, provide domain-verified credentials so that Bearer, API key, Basic auth, and cookies are exercised within an allowlisted header set. Close the loop by tracking score trends across scans and surfacing new findings that affect integration risk.
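The last step of the workflow, tracking score trends and surfacing new findings between scans, is easy to automate once two scan results are at hand. The script below is an added example rather than middleBrick's own tooling: it assumes a scan result is a JSON object with a letter-grade `score` and a list of `findings` keyed by `id` and `endpoint` (the real output format is not described on this page), and the two result sets are constructed for the demo. It diffs the findings and applies a CI-style gate that fails on a grade below the threshold or on any new high-severity finding.

```python
import json
import sys

GRADES = "ABCDEF"  # the page's scale: A is best, F is worst

# Constructed scan results in an assumed JSON shape (middleBrick's real output
# format is not specified on this page); "score" is the letter grade.
BASELINE = {
    "score": "B",
    "findings": [
        {"id": "jwt-alg-none", "severity": "high", "endpoint": "/v1/login"},
        {"id": "rate-limit-missing", "severity": "medium", "endpoint": "/v1/search"},
    ],
}
RESCAN = {
    "score": "C",
    "findings": [
        {"id": "rate-limit-missing", "severity": "medium", "endpoint": "/v1/search"},
        {"id": "bola-object-id", "severity": "high", "endpoint": "/v1/orders/{id}"},
        {"id": "pii-in-response", "severity": "medium", "endpoint": "/v1/users"},
    ],
}


def grade_rank(grade: str) -> int:
    """Lower is better; raises ValueError for anything outside A..F."""
    return GRADES.index(grade.strip().upper())


def _key(finding: dict) -> tuple:
    return (finding["id"], finding["endpoint"])


def diff_findings(previous: dict, current: dict) -> dict:
    """Split findings into those new since the last scan and those resolved."""
    seen_before = {_key(f) for f in previous["findings"]}
    still_present = {_key(f) for f in current["findings"]}
    return {
        "added": [f for f in current["findings"] if _key(f) not in seen_before],
        "resolved": [f for f in previous["findings"] if _key(f) not in still_present],
    }


def gate(current: dict, minimum_grade: str = "B", previous: dict = None) -> tuple:
    """Decide whether a scan passes: grade threshold plus no new high findings.

    Returns (passed, reasons). With no previous scan only the threshold applies.
    """
    reasons = []
    if grade_rank(current["score"]) > grade_rank(minimum_grade):
        reasons.append(f"score {current['score']} is below the minimum {minimum_grade}")
    if previous is not None:
        added = diff_findings(previous, current)["added"]
        for f in (x for x in added if x["severity"] == "high"):
            reasons.append(f"new high-severity finding {f['id']} at {f['endpoint']}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Usage: python gate.py previous.json current.json [minimum-grade]
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            previous = json.load(fh)
        with open(sys.argv[2]) as fh:
            current = json.load(fh)
        minimum = sys.argv[3] if len(sys.argv) > 3 else "B"
    else:
        previous, current, minimum = BASELINE, RESCAN, "B"
    delta = diff_findings(previous, current)
    print(f"score {previous['score']} -> {current['score']}, "
          f"{len(delta['added'])} new, {len(delta['resolved'])} resolved")
    passed, reasons = gate(current, minimum, previous)
    for reason in reasons:
        print("FAIL:", reason)
    sys.exit(0 if passed else 1)
```

Keying findings on both `id` and `endpoint` matters: the same rule firing on a newly exposed endpoint is new integration risk even when the rule itself was already known from the previous scan.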

What middleBrick covers out of the box

middleBrick is a self-service API security scanner designed for pre-acquisition checks. Submit a URL to receive a risk score from A to F with prioritized findings aligned to OWASP API Top 10, PCI-DSS 4.0, and SOC 2 Type II. Black-box scanning requires no agents or SDKs and works across languages and clouds, with scan times under one minute. Detection categories include authentication bypass, JWT misconfigurations, BOLA and BFLA, property authorization, input validation, rate limiting, data exposure patterns, encryption issues, SSRF indicators, inventory problems, unsafe consumption surfaces, and LLM/AI adversarial probes across Quick, Standard, and Deep tiers. OpenAPI 3.0, 3.1, and Swagger 2.0 specs are parsed with recursive $ref resolution, cross-referenced against runtime behavior to identify undefined security schemes or deprecated operations.

Authenticated scanning and integrations for due diligence

Authenticated scanning (Starter tier and above) supports Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced via DNS TXT record or HTTP well-known file to ensure only the domain owner can scan with credentials. A header allowlist restricts forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*. For automation, use the CLI with middlebrick scan <url> and JSON output, the GitHub Action to gate CI/CD when scores drop below a threshold, the MCP Server for AI coding assistants, or the API client for custom integrations. Continuous monitoring (Pro tier) provides scheduled rescans, diff detection, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.
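The webhook details above (HMAC-SHA256 signatures, auto-disable after five consecutive failures) are the parts a receiving integration has to get right. The following is an added example, not middleBrick's code, showing both sides: the sender signs the raw body with a shared secret and the receiver verifies it in constant time before trusting the alert. The header names, the `sha256=<hex>` encoding, the timestamp-in-the-signature replay guard and the 300-second skew window are my assumptions, since the page does not specify the wire format; the secret and the alert body are constructed for the demo.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed wire format for this example (the page does not specify middleBrick's):
# the signature header carries "sha256=<hex HMAC>" computed over
# "<unix timestamp>.<raw body>", and the timestamp travels in its own header.
SIG_HEADER = "X-Signature"
TS_HEADER = "X-Timestamp"
MAX_SKEW_SECONDS = 300
MAX_CONSECUTIVE_FAILURES = 5  # from the page: webhooks auto-disable after five failures


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the timestamp and the raw body bytes."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: reject stale, tampered, unsigned or wrong-key deliveries.

    Verify the raw bytes before any JSON parsing, and compare in constant time
    so the check does not leak how many signature bytes matched.
    """
    now = int(time.time()) if now is None else now
    ts = headers.get(TS_HEADER, "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, int(ts), body).encode()
    presented = headers.get(SIG_HEADER, "").encode()
    return hmac.compare_digest(expected, presented)


class WebhookEndpoint:
    """Sender-side bookkeeping: disable after N consecutive delivery failures."""

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def record_delivery(self, ok: bool) -> bool:
        """Update the failure counter; returns whether the endpoint is still enabled."""
        if ok:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


# Constructed demo data: a secret, a fixed clock and a diff-detection alert body.
DEMO_SECRET = b"constructed-demo-webhook-secret"
DEMO_TS = 1_700_000_000
DEMO_BODY = json.dumps({
    "event": "scan.diff",
    "api": "https://api.example.test",
    "score": {"previous": "B", "current": "C"},
    "new_findings": ["bola-object-id"],
}).encode()


def example_exchange() -> dict:
    """Sign one delivery, then show how verification treats good and bad inputs."""
    headers = {SIG_HEADER: sign(DEMO_SECRET, DEMO_TS, DEMO_BODY), TS_HEADER: str(DEMO_TS)}
    endpoint = WebhookEndpoint("https://hooks.example.test/middlebrick", DEMO_SECRET)
    enabled_after = [endpoint.record_delivery(False) for _ in range(MAX_CONSECUTIVE_FAILURES)]
    return {
        "genuine": verify(DEMO_SECRET, headers, DEMO_BODY, now=DEMO_TS + 5),
        "tampered_body": verify(DEMO_SECRET, headers, DEMO_BODY.replace(b'"C"', b'"A"'), now=DEMO_TS + 5),
        "replayed_late": verify(DEMO_SECRET, headers, DEMO_BODY, now=DEMO_TS + 3600),
        "wrong_secret": verify(b"other-secret", headers, DEMO_BODY, now=DEMO_TS + 5),
        "enabled_after_each_failure": enabled_after,
    }


if __name__ == "__main__":
    for name, result in example_exchange().items():
        print(f"{name}: {result}")
```

Two points carry over to any real receiver: compute the HMAC over the exact bytes received, not over a re-serialized JSON object, and treat a signature failure as a hard reject with a log line, since the sender's auto-disable means repeated failures will silently stop alerts rather than keep retrying.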

Limitations and responsible use

middleBrick detects and reports; it does not fix, patch, block, or remediate. It does not perform active SQL injection or command injection testing, which fall outside read-only scope, nor does it identify business logic vulnerabilities that require domain understanding. Blind SSRF and certain advanced logic issues are out of scope because they rely on out-of-band infrastructure or complex interactions. The tool does not replace a human pentester for high-stakes audits. All scan data is deletable on demand and purged within 30 days of cancellation, and customer data is never sold or used for model training.

Frequently Asked Questions

Can I authenticate to scan private APIs during due diligence?
Yes, Starter and higher tiers support authenticated scanning with Bearer, API key, Basic auth, and Cookie. Domain verification ensures only the domain owner can submit credentials for scanning.
How long does a scan take and what methods are used?
Scans complete in under a minute and use read-only methods (GET, HEAD) plus text-only POST for LLM probes. Destructive payloads are never sent.
Does middleBrick map findings to compliance frameworks?
Yes, findings map directly to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II. For other frameworks, the tool supports audit evidence and aligns with described security controls.
Can I integrate scanning into my acquisition workflow?
Yes. Use the CLI for scripting, the GitHub Action for CI/CD gates, the MCP Server for AI-assisted review, or the API client for custom workflows. Continuous monitoring can track risk across reassessments.