Shift-left API security: audit, scan, and protect APIs from code to runtime
42Crunch is a London-based API security platform that embeds security testing directly into developer workflows via IDE plugins, CI/CD pipeline gates, and runtime protection. Used by 1.6 million developers through VS Code, IntelliJ, Eclipse, and PyCharm extensions, it runs 300+ automated checks against OpenAPI contracts to detect OWASP API Top 10 vulnerabilities before they reach production.
Headquarters: London, United Kingdom
Founded: 2018
EU Data Hosting: No
Employees: 11-50
Pricing: Free, Pay-as-you-go, Contact Sales
Billing: monthly, annual
The API security problem has a well-understood root cause: APIs are designed, built, and deployed by different people under different time pressures, and security is typically validated at the end, if it is validated at all. The result is that the OWASP API Security Top 10 reads like a checklist of architectural decisions that developers make every day without realising the consequences: broken object-level authorisation, missing rate limiting, excessive data exposure. These are not exotic vulnerabilities requiring sophisticated attackers. They are basic specification failures that anyone with an HTTP client can exploit.
42Crunch was founded in 2018 in London to solve this problem by making API security a developer concern rather than a security team concern. The central insight is that if an API has an OpenAPI contract (a machine-readable specification of every endpoint, parameter, response, and authentication mechanism) then most security vulnerabilities can be detected by automated analysis of that contract, before a single line of implementation code is ever executed. The OpenAPI spec is the ground truth; everything that deviates from it is, by definition, a security risk.
The platform implements this insight at three points in the API lifecycle. In the IDE, developers receive real-time security feedback as they write OpenAPI specifications. In CI/CD pipelines, Security Quality Gates block APIs from reaching production if they fail a configurable security score threshold. At runtime, a contract-driven micro-firewall validates each API request and response against the OpenAPI contract and rejects anything that does not conform. 42Crunch calls this "shift-left" security: finding and fixing vulnerabilities at the cheapest possible point in the development lifecycle, which is always as early as possible.
42Crunch distributes free plugins for VS Code, IntelliJ IDEA, Eclipse, and PyCharm. These plugins embed an OpenAPI editor with integrated security audit: as a developer writes or modifies an API specification, the plugin runs 300+ automated checks and surfaces issues with explanations and remediation guidance, without leaving the editor, without submitting the spec to a platform, and without requiring a security expert in the room.
This distribution model has resulted in 1.6 million developers using 42Crunch's free tooling, a scale of adoption that makes it one of the most widely distributed API security tools in existence. For enterprise buyers, this matters practically: developers in the organisation likely already know 42Crunch's feedback patterns, which dramatically reduces the behaviour change required when deploying the paid platform.
The paid platform adds Security Quality Gates: configurable pass/fail conditions enforced in CI/CD pipelines (GitHub Actions, GitLab CI, Azure DevOps, Jenkins). When a developer submits a pull request containing API changes, the quality gate automatically audits the updated OpenAPI specification and fails the build if the security score falls below a threshold set by the security team.
This is the most operationally important feature for enterprise DevSecOps programmes. It creates a hard enforcement boundary: no API can reach production without meeting the organisation's documented security standard. The alternative, manual security review of every API change, is neither scalable nor reliable. Quality Gates make security compliance automatic and auditable.
42Crunch's audit engine runs over 300 checks against OpenAPI contracts, covering the OWASP API Security Top 10 and a broader set of specification best practices. Checks include: missing authentication definitions, overly permissive parameter schemas, missing rate limiting declarations, excessive data exposure in response schemas, missing input validation constraints, and dozens more.
Each finding is scored by severity and comes with an explanation of the underlying risk and specific remediation guidance. The result is an actionable security score (not a binary pass/fail but a prioritised list of improvements) that gives developers and security teams a shared language for API security quality.
At runtime, 42Crunch deploys a lightweight micro-firewall that acts as a sidecar to the API. Every request and response is validated against the OpenAPI contract in real time. Requests with parameters not defined in the spec, payloads that exceed schema constraints, or authentication headers in the wrong format are rejected before they reach the API implementation.
This approach is fundamentally different from signature-based Web Application Firewalls (WAFs), which try to detect known attack patterns. 42Crunch's contract-driven approach blocks anything not explicitly allowed by the API specification, a positive security model that is effective against novel attacks, not just known ones.
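As an added illustration of the positive security model described above (example code written for this page, not 42Crunch's firewall), the validator below takes a constructed OpenAPI fragment and denies any request the contract does not explicitly allow: an undeclared query parameter, an out-of-range path parameter, an unknown HTTP method, or a missing bearer token. The contract, the endpoint and the token format are all assumptions made for the example.

```python
import re

# Constructed OpenAPI 3 fragment (not a 42Crunch artefact): bearer auth required, every parameter typed and bounded.
CONTRACT = {"/users/{id}": {"get": {
    "security": [{"bearerAuth": []}],
    "parameters": [
        {"name": "id", "in": "path", "required": True,
         "schema": {"type": "integer", "minimum": 1, "maximum": 999999}},
        {"name": "fields", "in": "query", "required": False,
         "schema": {"type": "string", "pattern": "^[a-z,]{1,32}$"}},
    ]}}}

BEARER = re.compile(r"^Bearer [A-Za-z0-9._-]{20,}$")  # assumed token format

def _path_params(template, path):
    # "/users/{id}" becomes a regex with one named group per path parameter
    m = re.match("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$", path)
    return m.groupdict() if m else None

def _conforms(raw, schema):
    # Deny by default: a value only passes if its declared type and bounds check out
    if schema.get("type") == "integer" and re.fullmatch(r"-?\d+", raw):
        v = int(raw)
        return schema.get("minimum", v) <= v <= schema.get("maximum", v)
    if schema.get("type") == "string":
        return re.fullmatch(schema.get("pattern", ".*"), raw) is not None
    return False

def validate(method, path, query, headers):
    """Return (allowed, reason); anything the contract does not allow is denied."""
    for template, ops in CONTRACT.items():
        path_params = _path_params(template, path)
        if path_params is None:
            continue
        op = ops.get(method.lower())
        if op is None:
            return False, "method not in contract"
        if op.get("security") and not BEARER.match(headers.get("Authorization", "")):
            return False, "missing or malformed bearer token"
        declared = {(p["in"], p["name"]): p for p in op.get("parameters", [])}
        for name in query:  # positive model: an undeclared parameter is rejected outright
            if ("query", name) not in declared:
                return False, f"undeclared query parameter: {name}"
        for (loc, name), p in declared.items():
            raw = path_params.get(name) if loc == "path" else query.get(name)
            if raw is None:
                if p.get("required"):
                    return False, f"missing required {loc} parameter: {name}"
            elif not _conforms(raw, p["schema"]):
                return False, f"{loc} parameter {name} violates schema"
        return True, "ok"
    return False, "path not in contract"
```

Because the check is "is this allowed by the contract" rather than "does this look like a known attack", a parameter the developer never declared is blocked without any signature for it.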
42Crunch offers a free tier and paid Teams and Enterprise plans. Enterprise pricing is negotiated based on the number of APIs, API calls, and required features. Teams pricing follows a sliding scale from a base entry price for 5 users up to 25 users. Contact 42Crunch for specific pricing figures.
42Crunch is a UK-founded company (London HQ) with offices in Cologne, Oslo, New York, San Francisco, and Palm Beach. UK GDPR applies to UK data processing; EU GDPR applies to EU customer data. The platform primarily processes API contract definitions (OpenAPI specifications) and security audit results, rather than personal data in the conventional sense.
For European enterprise customers, 42Crunch can discuss data residency requirements and provide Data Processing Agreements. Enterprise and private-cloud deployment options give additional control over where audit data is stored. The platform supports SOC 2 audit evidence collection for API security controls, helping security teams document their API security posture for compliance programmes.
42Crunch's security audit checks cover OWASP API Security Top 10 compliance, which aligns with regulatory expectations in financial services (PSD2 API security requirements), healthcare (HIPAA API access controls), and general enterprise security frameworks.
DevSecOps teams at medium-to-large technology companies building REST APIs at scale will find 42Crunch's CI/CD Security Quality Gates and IDE plugins the most operationally significant API security tool available. The combination of developer-friendly tooling with hard enforcement gates solves the adoption problem that plagues most security tools.
Security engineers responsible for API security programmes at enterprises will find 42Crunch provides the automation needed to scale security review across large development organisations. Rather than reviewing every API manually, they can set score thresholds, monitor the shared API inventory, and focus attention on the most critical findings.
Platform engineering teams managing API gateways on AWS, Azure, or Kong can deploy 42Crunch's runtime micro-firewall alongside existing infrastructure without replacing the gateway. The firewall adds contract-driven validation as a security layer on top of existing routing and rate limiting.
42Crunch is less suited for teams using primarily GraphQL, gRPC, or WebSocket APIs, since its coverage is focused on OpenAPI/REST. It is also less suited for organisations needing full API lifecycle management, developer portals, or API monetisation capabilities, which are handled by gateway platforms like Kong and Apigee rather than security-focused tools.
42Crunch has identified the right problem (API security failures happen because security feedback comes too late, after code is written and deployed) and built a technically coherent solution to it. The IDE plugins with 1.6 million users demonstrate developer trust at a scale that most security vendors never achieve. The CI/CD Quality Gates solve the enforcement problem that makes most security programmes aspirational rather than enforced. The runtime micro-firewall closes the gap between design-time and runtime security. The weaknesses are real: REST/OpenAPI focus limits applicability to modern API paradigms, and the Series A stage means enterprise support maturity and integration breadth lag more established platforms. But for teams whose primary challenge is consistently building secure REST APIs across large development organisations, 42Crunch is a credible, developer-friendly answer built in Europe.
42Crunch is a UK-founded company with offices in London, Cologne, Oslo, New York, San Francisco, and Palm Beach. Data handling for European customers is subject to UK GDPR (which mirrors EU GDPR) and, for EU customers, applicable GDPR obligations. The platform processes API contract definitions (OpenAPI specs) and security audit results, and does not process end-user personal data in the conventional sense. Enterprise customers can request data processing agreements and discuss EU data residency requirements directly with the 42Crunch team. For organisations in highly regulated industries, 42Crunch's enterprise and private-cloud deployment options provide additional control over where audit data is stored and processed.
Postman is primarily an API development and testing platform that excels at building, documenting, and functionally testing APIs. 42Crunch is purpose-built for API security: it focuses on identifying security vulnerabilities in OpenAPI contracts, blocking insecure APIs from reaching production via CI/CD gates, and protecting running APIs with a contract-driven runtime firewall. The two tools are complementary. Many teams use Postman for functional API development and add 42Crunch for security analysis and enforcement. Kong and Apigee are API gateway platforms that manage traffic routing, rate limiting, and developer portals, whereas 42Crunch specialises in the security layer that runs alongside or within those gateways.
API-first security means treating the OpenAPI contract (specification) as the security source of truth, rather than trying to discover and protect APIs reactively. 42Crunch implements this by validating every API against its OpenAPI contract at three stages: in the IDE (instant feedback as code is written), in CI/CD pipelines (blocking deployment if the API fails security checks), and at runtime (a micro-firewall that rejects any API request or response not conforming to the contract). This approach catches the majority of API vulnerabilities before they are deployed, dramatically reducing the cost and impact of API security incidents.
42Crunch provides plugins for VS Code, IntelliJ IDEA, Eclipse, and PyCharm, covering the most widely used polyglot, Java, and Python development environments. For CI/CD, 42Crunch publishes off-the-shelf pipeline integrations for GitHub Actions, GitLab CI, Azure DevOps, and Jenkins. These pipeline plugins automatically discover OpenAPI files in the repository, upload them to the 42Crunch platform, run a Security Audit, and pass or fail the pipeline based on configurable score thresholds. API gateway integrations are available for AWS API Gateway, Azure API Management, and Kong, enabling runtime protection in existing infrastructure without replacing the gateway.
42Crunch has 1.6 million developers using its free IDE extensions, making it one of the most widely distributed API security tools available. Enterprise customers include financial services firms, technology companies, and government organisations that need to enforce API security standards at scale across large development teams. The platform is particularly well-suited for DevSecOps teams that want to automate API security compliance without creating manual review bottlenecks. 42Crunch raised $17 million in Series A funding in 2021, led by Energy Impact Partners and Adara Ventures, to accelerate its developer-first go-to-market strategy.