Pre-deploy API security check
What middleBrick covers
- Black-box scanning with a risk score and prioritized findings
- Covers authentication, IDOR, privilege escalation, and data exposure
- Supports OpenAPI 3.0/3.1 and Swagger 2.0 with $ref resolution
- Authenticated scans with header allowlist and domain verification
- Continuous monitoring with diff detection and webhook alerts
- Integrations including dashboard, CLI, GitHub Action, and MCP server
Pre-deploy API security check overview
This tool provides a pre-deploy API security check that you can run without access to source code or infrastructure. Submit an API endpoint URL and receive a risk score from A to F along with prioritized findings. The scan is black-box and read-only, using only GET and HEAD methods plus text-only POST for LLM probes. Scans typically complete in under one minute.
Detection coverage aligned to industry standards
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection covers 12 security categories aligned to the OWASP API Top 10:
- Authentication bypass
- JWT misconfigurations such as alg=none and expired tokens
- BOLA and IDOR via sequential ID enumeration
- BFLA and privilege escalation through admin endpoint probing
- Property over-exposure and mass-assignment surfaces
- Input validation issues such as CORS wildcard usage and dangerous HTTP methods
- Rate-limiting misconfigurations
- Data exposure, including PII and API key leakage
- Missing encryption protections
- SSRF against URL-accepting parameters
- Inventory issues such as missing versioning
- LLM/AI security probes across the Quick, Standard, and Deep tiers
OpenAPI and authenticated scan capabilities
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime results to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans at the Starter tier and above, support includes Bearer, API key, Basic auth, and Cookie. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can scan with credentials. A header allowlist restricts forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
Continuous monitoring and integration options
Pro tier adds scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection to surface new findings, resolved findings, and score drift. Alerts are delivered via email, rate-limited to one per hour per API, and through HMAC-SHA256 signed webhooks that auto-disable after 5 consecutive failures. Integration options include a web dashboard for reports and trends, a CLI via the middlebrick npm package using middlebrick scan <url> with JSON or text output, a GitHub Action that fails the build below a score threshold, an MCP server for AI coding assistants, and a programmatic API for custom integrations.
What the scanner does not do and limitations
The tool does not fix, patch, block, or remediate findings; it reports them together with remediation guidance. It does not perform active SQL injection or command injection testing, which requires intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they require human domain understanding. Blind SSRF is out of scope due to the lack of out-of-band infrastructure, and the scanner does not replace a human pentester for high-stakes audits.
Pricing, safety posture, and compliance framing
Free tier offers 3 scans per month with CLI access. Starter at 99 USD per month supports 15 APIs, monthly scans, dashboard, email alerts, and MCP Server. Pro at 499 USD per month covers 100 APIs with continuous monitoring, GitHub Action gates, CI/CD integration, Slack/Teams alerts, compliance reports, and signed webhooks. Enterprise at 2000 USD per month provides unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support. Safety measures include read-only methods only, blocking private IPs, localhost, and cloud metadata endpoints, and deleting customer data on demand within 30 days of cancellation. This tool helps you prepare for PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023) and supports audit evidence for other frameworks through alignment with described controls.