When SaaS security questionnaire

What middleBrick covers

  • Black-box API scanning with read-only methods, completing in under one minute
  • Risk scoring with prioritized findings mapped to frameworks
  • Detection of authentication, authorization, and data exposure issues
  • LLM security testing across multiple adversarial probe tiers
  • OpenAPI 3.x and Swagger 2.0 contract validation
  • Authenticated scan support with strict header allowlists

Assess third-party APIs without access to source code

When a vendor asks you to complete a security questionnaire, you need evidence, not assurances. This scanner performs black-box analysis against the public API surface using only read-only methods such as GET and HEAD, plus text-only POST requests for LLM probes. No agents, SDKs, or code access are required. The scan completes in under a minute and returns a risk score on an A–F scale with prioritized findings mapped to common security expectations.

Detection aligned to recognized frameworks

The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It detects authentication bypasses, JWT misconfigurations such as alg=none and expired tokens, security header issues, and OWASP API Top 10 categories including BOLA, BFLA, property-level authorization over-exposure, input validation, rate limiting, and data exposure. For other frameworks, the results help you prepare audit evidence and align with the security controls described in the relevant standards, without claiming certification or compliance guarantees.

LLM and AI security coverage

The scanner includes 18 adversarial probes executed across three scan tiers: Quick, Standard, and Deep. These probes target system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. Coverage supports safe evaluation of AI-enabled endpoints without performing destructive or intrusive actions.

OpenAPI contract validation

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution. It cross-references spec definitions against runtime behavior to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This contract-first approach highlights deviations between declared behavior and observed responses, enabling faster remediation discussions with vendors.

Authenticated scanning and safe operations

Authenticated scans support Bearer, API key, Basic auth, and cookies, gated by domain verification via DNS TXT record or HTTP well-known file. Only a curated allowlist of headers is forwarded, including Authorization, X-API-Key, Cookie, and X-Custom-* headers. The scanner enforces read-only methods, blocks private IPs and metadata endpoints, and ensures customer data is deletable on demand and never used for model training.
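As an added illustration of the two guards this section describes (example code, not middleBrick's own), the following Python forwards only the stated header allowlist and rejects scan targets that are IP literals or hostnames resolving to private, loopback, link-local (including 169.254.169.254) or other non-routable addresses. The metadata hostnames, the CGNAT range and the pluggable resolver are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Header allowlist from the page; X-Custom-* is matched by prefix.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_HEADER_PREFIXES = ("x-custom-",)
# Carrier-grade NAT space (100.64.0.0/10) is not covered by is_private.
EXTRA_BLOCKED_NETS = [ipaddress.ip_network("100.64.0.0/10")]
# Assumed metadata hostnames to block by name (illustrative, not from the page).
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata"}


def filter_headers(headers):
    """Forward only allowlisted headers; names compare case-insensitively."""
    return {n: v for n, v in headers.items()
            if n.lower() in ALLOWED_HEADERS
            or n.lower().startswith(ALLOWED_HEADER_PREFIXES)}


def is_blocked_ip(ip_text):
    """Block loopback, RFC 1918, link-local (this covers 169.254.169.254),
    multicast, unspecified, reserved and CGNAT addresses."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 must not slip past the check
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved
            or any(addr in net for net in EXTRA_BLOCKED_NETS))


def default_resolver(host):
    """Return every address a hostname resolves to; each one is checked."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def target_allowed(url, resolver=default_resolver):
    """True only for an http(s) URL whose host is neither a blocked metadata
    name nor resolves to any blocked address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in BLOCKED_HOSTNAMES:
        return False
    try:
        addresses = {str(ipaddress.ip_address(host))}  # IP literal in the URL
    except ValueError:
        addresses = resolver(host)  # hostname: resolve and check every answer
    return not any(is_blocked_ip(ip) for ip in addresses)
```

Resolving and checking every returned address, rather than trusting the hostname, is what keeps a DNS name that points at an internal range from bypassing the private-IP block.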

Frequently Asked Questions

Can this replace a human penetration test?
No. It detects configuration and implementation weaknesses at scale but does not find business logic flaws or perform intrusive testing. Use it as a complement to, not a replacement for, human-led audits.

How are credentials handled during authenticated scans?
Credentials are accepted only when domain ownership can be verified through DNS or HTTP well-known checks. The scanner forwards only the necessary authentication headers and respects strict allowlists.

What happens to scan data after cancelling?
Customer scan data is deletable on demand and fully purged within 30 days of cancellation. Data is never sold or used for model training.

Does the scanner perform active exploitation like SQL injection?
No. It does not send destructive payloads or perform active SQL injection or command injection testing, which require intrusive methods outside its scope.