When: Regulator inquiry

What middleBrick covers

  • Black-box API scanning with read-only methods under one minute
  • Risk scoring from A to F with prioritized findings
  • Mapping findings to PCI-DSS 4.0, SOC 2 Type II, OWASP API Top 10
  • Authenticated scanning with strict header allowlists
  • Scheduled rescans and diff detection for audit trails
  • Programmatic access via CLI, API client, and MCP Server

How the scanner handles regulator inquiry scenarios

When a regulator requests evidence about your API security posture, you need a fast, auditable source of findings rather than ad hoc testing. The scanner operates as a black-box assessment of your public endpoints, mapping results directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It does not require code access or agents, and it only uses read-safe methods (GET and HEAD) plus text-only POST for LLM probes, which avoids disruption to production systems.

Evidence collection and reporting for audits

Each scan produces a prioritized risk score from A to F and a set of findings that you can export into compliance artifacts. Reports include detection details, affected endpoints, and remediation guidance, and you can download branded compliance PDFs from the dashboard. For continuous monitoring, the Pro tier provides scheduled rescans and diff detection so you can track how findings and scores evolve across audit cycles. HMAC-SHA256 signed webhooks and email alerts help you demonstrate ongoing oversight without overstating coverage.
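Signed webhooks only serve as audit evidence if the receiver actually verifies the signature before recording the event. The following is an added example of that receiver-side check, not middleBrick's own code: the header name, hex encoding of the tag, and the sample event are assumptions, and the check is computed over the raw request body exactly as received (re-serializing the JSON would change the bytes and break verification).

```python
import hashlib
import hmac
import json

# Assumed header name: middleBrick's actual header and encoding may differ.
SIGNATURE_HEADER = "x-webhook-signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: hex-encoded HMAC-SHA256 tag over the raw body bytes."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Receiver side: recompute the tag over the raw body and compare in
    constant time so a forged or tampered event is rejected before it is
    written to the audit trail. Header names are matched case-insensitively."""
    normalized = {k.lower(): v for k, v in headers.items()}
    presented = normalized.get(SIGNATURE_HEADER, "")
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, presented)


# Constructed sample: a rescan event carrying a score change for diff tracking.
SECRET = b"constructed-shared-secret"
EVENT = {"event": "scan.completed", "target": "api.example.com",
         "score": "B", "previous_score": "C"}
RAW_BODY = json.dumps(EVENT, separators=(",", ":")).encode()


def demo() -> tuple:
    """Returns (genuine_event_accepted, tampered_event_accepted)."""
    headers = {"X-Webhook-Signature": sign_payload(SECRET, RAW_BODY)}
    genuine = verify_webhook(SECRET, headers, RAW_BODY)
    # Same signature header, but the body's score was altered in transit.
    tampered_body = RAW_BODY.replace(b'"score":"B"', b'"score":"A"')
    tampered = verify_webhook(SECRET, headers, tampered_body)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```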

Authentication and scope controls for credible assessments

Authenticated scanning in Starter and above supports Bearer tokens, API keys, Basic auth, and cookies, and it enforces a domain verification gate to ensure only the domain owner can scan with credentials. The scanner forwards a strict header allowlist containing Authorization, X-API-Key, Cookie, and X-Custom-* headers, which constrains the assessment to expected authorization paths. These controls help you show that testing remained bounded and did not rely on broad network probing.

What the scanner covers and does not cover

The scanner detects issues in 12 categories aligned to OWASP API Top 10, including authentication bypass, authorization flaws, input validation, data exposure, encryption misconfigurations, SSRF indicators, and LLM-specific adversarial probes. It surfaces findings relevant to regulatory evidence but does not fix, patch, or block issues, nor does it perform active SQL injection or command injection testing. Business logic vulnerabilities and blind SSRF are out of scope, and the tool does not replace a human pentester for high-stakes audits.

OpenAPI spec validation and runtime alignment

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, then cross-references spec definitions against runtime behavior. This highlights undefined security schemes, sensitive fields exposed in responses, deprecated operations, and missing pagination, giving you a defensible mapping between declared design and observed behavior. This alignment supports audit evidence without claiming certification or compliance guarantees.

Frequently Asked Questions

Can the scanner certify compliance with HIPAA or GDPR?
No. The scanner helps you prepare for audits by aligning findings with the security controls described in regulations, but it does not certify, guarantee, or ensure compliance with any specific regulation.
Does the scanner perform destructive testing such as SQL injection?
No. It uses only read-safe methods and does not perform active SQL injection or command injection, which are outside its scope.
How are sensitive scan results protected and deleted?
Customer scan data is deletable on demand and purged within 30 days of cancellation. Data is never sold and is not used for model training.
Can the scanner integrate into CI/CD for ongoing evidence collection?
Yes. The GitHub Action can gate CI/CD based on score thresholds, and the CLI supports scripted runs with JSON output for integration into audit workflows.