API discovery is the process of finding, mapping, and cataloging every single API across your entire digital estate, including your public-facing cloud accounts and your on-premises data centers.
With the widespread adoption of microservices, the demand for seamless mobile experiences, the growth of interconnected partner ecosystems, and the rapid proliferation of IoT devices, APIs have become the backbone of digital communication. As a result, APIs now account for the majority of web traffic, making them a prime target for cyberattacks.
Amid this changing landscape, the core challenge remains: You can't secure what you can't see, and that visibility must extend from the code developers write to the cloud environments where it runs.
To slash risks and maintain development velocity, an API discovery program needs to go beyond cataloging well-documented interfaces. Its true value lies in pinpointing hidden risks across an organization's entire API footprint, with coverage for categories of APIs that often fall through the cracks:
Shadow APIs are undocumented and unmanaged endpoints that represent a blind spot. They’re often created as a quick fix for a front-end feature or a debugging endpoint but are never removed from a production build. Because they exist off the record, they bypass security controls.
Orphaned APIs are APIs that were once live and may have been documented but have become disconnected from their official source of truth or are no longer actively maintained. They can still be functional and are often discovered by attackers who exploit their outdated state.
Deprecated APIs are old versions of APIs that the provider intends to retire. They stay live for a grace period until clients migrate to the newer version. These deprecated endpoints don’t receive new features or security patches, which makes them attractive targets for attackers.
In this article, we’ll explore the ins and outs of API discovery, including the business impact of API security failures and effective strategies to make API discovery easy, continuous, and contextual.
Advanced API Security Best Practices [Cheat Sheet]
Download the Wiz API Security Best Practices Cheat Sheet and fortify your API infrastructure with proven, advanced techniques tailored for secure, high-performance API management.
API discovery methods
API discovery methods vary widely. Many organizations combine multiple methods to ensure complete coverage of their API estate. In this section, we’ll discuss the most commonly used methods.
Manual discovery
Manual discovery involves gathering information through developer interviews, reviewing internal documentation such as wikis, and analyzing design documents. Although it offers insight into intended API functionality and business context, it’s incomplete and unreliable because it often overlooks undocumented or forgotten APIs. Manual discovery also goes out of date quickly, leaving teams with security blind spots between reviews.
Specification-based discovery
Specification-based discovery refers to the process of scanning source‑code repositories, CI pipelines, or artifact stores for machine‑readable interface contracts such as OpenAPI (REST), WSDL (SOAP), and Protocol Buffers (gRPC). These specifications provide a clear representation of the API design and serve as a useful baseline for API discovery.
A major weakness of specification-based discovery is spec drift, where the actual deployed API drifts from its original, documented specification. Developers might add new parameters or temporarily disable authentication for testing and forget to update the documentation. In other words, relying only on specifications can miss real-world discrepancies.
Zombie APIs: A hidden security risk
Zombie APIs are API endpoints that remain operational despite lacking ongoing maintenance or official support.
En savoir plus
Discovery from network and traffic analysis
The most accurate insight into active APIs comes from examining actual network traffic, revealing which APIs are in use, by whom, and what data is exchanged. It’s the most dependable approach for discovering undocumented shadow APIs and deprecated endpoints and keeping an up-to-date inventory of active APIs.
You can collect network and traffic data through a range of tools and sources:
API gateways: Tools such as Apigee and Amazon API Gateway log all API requests and responses, providing detailed visibility at the gateway level.
Cloud provider flow logs: Cloud provider flow logs, such as AWS VPC Flow Logs, capture metadata about network traffic at the infrastructure layer, including inbound and outbound connections.
Service meshes: Platforms such as Istio and Linkerd offer telemetry on service-to-service communication within microservices environments, helping track internal API traffic.
eBPF sensors: Kernel-level tracing with eBPF captures API calls directly on host machines, enabling deep visibility without relying on traditional network taps.
Static code analysis
Static code analysis supports early API discovery by analyzing infrastructure definitions and application code before deployment. This aligns with the shift-left security model, enabling teams to catch potential risks early in development instead of finding them once APIs are already running in production.
Domain-based and OSINT discovery
Public data sources and open-source intelligence (OSINT) techniques help to identify exposed or forgotten APIs outside an organization's known inventory. Security teams can discover shadow APIs and legacy services by scanning DNS records, SSL certificates, and subdomainsTools like Shodan, Censys, and crt.sh help map external API exposure and identify endpoints unintentionally made public.
REST API security: Best practices, risks, and tools
REST API security is the combination of technologies and practices used to safeguard RESTful endpoints from attacks, such as unauthorized access, exploitation, and abuse.
En savoir plus
What effective API discovery should capture
A mature discovery program doesn't just produce a list of endpoints; it discovers metadata to help teams better manage and document their APIs. This metadata includes:
URL pattern/route: Normalizing URL patterns and routes into generalized templates, such as
/users/{id} or /orders/{orderId}/items, helps to group related endpoints and flag undocumented or risky paths.HTTP method: The risk profile varies according to whether the API call uses GET, POST, or DELETE.
Protocol: REST, SOAP, and gRPC have different security considerations.
Authentication scheme: Identifying which authentication scheme is in use (OAuth, an API key, mTLS, or no authentication), is the first step toward detecting broken authentication flaws.
Hosting resource: Accurately identifying the underlying infrastructure, whether it’s a Lambda function, a Kubernetes pod, or a virtual machine, enables precise containment actions, such as throttling, scaling, or isolating resources during an attack.
Exposure: Clarifying whether an API is internal, partner-facing, or public reduces uncertainty about the attack surface and ensures that access controls match its intended level of exposure.
Sensitive data: Detecting whether the API transmits PII, PCI, PHI, credentials, or secrets helps prioritize protective controls.
API discovery tools
Maintaining a strong security posture demands tools that automatically discover all APIs across your environment, extract security posture insights, and drive actionable measures. A good solution should:
Use multiple discovery methods for full coverage
Offer continuous instead of point-in-time discovery
Cover all common API styles and environments
Collect the right metadata for security and operations
Enable additional security use cases, like risk assessment
Drive action and verification
Wiz follows this playbook by combining continuous discovery with analysis of network flow logs, traffic signals, and control-plane data to maintain an up-to-date API inventory.
Broken API authentication: Cloud security risks explained
Broken API authentication is an API security risk that occurs when an API doesn’t properly check and confirm who’s making a certain request.
En savoir plusWiz: Continuous API discovery
Modern environments move fast, and APIs change even faster. In this article, we saw how point-in-time scans leave blind spots, how shadow and orphaned API endpoints widen the attack surface, and why a continuous, contextual view of every API is essential for a strong security posture. Wiz closes API gaps by automatically discovering APIs and assessing them for security risks. With Wiz, you can:
Discover every API in your environment via agentless cloud connectors or using the lightweight Wiz Runtime Sensor, which analyzes API traffic to discover APIs and their characteristics.
Record API characteristics, including the protocol, network exposure, data-sensitivity indicators, and authentication mechanism, giving you the context to understand API risk. Spot hidden risks on day one, from shadow APIs to documented APIs accidentally exposed or shipped with weak auth.
Stay current automatically as teams ship new features; Wiz updates the inventory in near real time, no manual rescans or scripts required.
Ready to eliminate API blind spots? A comprehensive API inventory is just the beginning. Wiz identifies exposed APIs and dynamically scans them for vulnerabilities and misconfigurations. The Wiz Security Graph helps you identify attack paths from APIs to sensitive data and other cloud resources, helping you prioritize the most urgent risks. Book a demo and see how Wiz can help you secure your APIs and entire cloud attack surface.
Agentless, contextual API discovery
Wiz helps teams quickly uncover every API in their cloud environment, known and unknown, and see their exposure with full execution context. This makes it simple to answer: What APIs do I have, and where are they running?
