Pre-funding hygiene audit

A pre-funding hygiene audit assesses the security posture of an API before capital is committed or a production contract is signed. The goal is to surface authentication weaknesses, data exposure risks, and authorization flaws that could lead to financial or operational impact. The scanner runs against the public-facing contract only, using read-only methods (GET and HEAD) plus text-only POST for LLM probes, completing in under a minute.

Teams relying on informal checks or manual documentation often miss subtle misconfigurations that become material risk after funding. Common gaps include accepting wildcard CORS with credentials, exposing internal fields in responses, using non‑unique sequential identifiers, and allowing excessive third‑party callbacks. These issues can enable IDOR, privilege escalation, or data leakage that is costly to remediate post‑investment.

A robust workflow starts with submitting the API endpoint and confirming domain ownership through a DNS TXT record or HTTP well‑known file. Authentication details are then provided only for the domain you control, with a restricted allowlist of headers forwarded to the application. The scan parses OpenAPI specifications when available, cross‑referencing the definition against runtime behavior to detect undefined security schemes, deprecated operations, and missing pagination. Results are reviewed, validated, and stored as evidence before proceeding to funding or integration.

middlebrick scan https://api.example.com --auth-type bearer --auth-value token_abc

Findings map to OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II controls. Detection includes authentication bypass attempts, JWT misconfigurations such as alg=none or HS256 without proper key validation, and sensitive data exposure including PII and API key patterns resembling AWS, Stripe, GitHub, or Slack. The scanner also validates encryption posture through HTTPS redirects, HSTS, and cookie flags, and it checks for SSRF indicators like URL‑accepting parameters that probe internal IP space.

The scanner includes an LLM security profile that runs 18 adversarial probes across Quick, Standard, and Deep tiers. These probes test for system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, cost exploitation, encoding bypasses, translation‑embedded injection, few‑shot poisoning, markdown injection, multi‑turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. Coverage extends to unsafe consumption surfaces such as excessive third‑party URLs and webhook/callback endpoints.

Results are delivered through the web dashboard with prioritized findings and a risk score from A to F. You can generate branded compliance PDFs, integrate the CLI into local workflows with JSON or text output, and enforce gates in CI/CD via the GitHub Action, which fails the build when the score drops below your chosen threshold. Pro tier adds scheduled rescans, diff detection across runs, email alerts rate‑limited to one per hour per API, and HMAC‑SHA256 signed webhooks that auto‑disable after five consecutive failures.