API Attack Surface Discovery: Map Every Endpoint Before Attackers Do

Your API documentation says you have 47 endpoints. Your OpenAPI specification covers 52. But when an attacker runs a reconnaissance scan against your production infrastructure, they find 73. Those 21 undocumented endpoints—the ones missing from every spec, every security review, and every penetration test scope—are exactly where the breach will happen.

This is not a hypothetical scenario. The OWASP API Security Top 10 (2023) lists Unrestricted Resource Consumption and Broken Object Level Authorization as top risks, but the precondition for exploiting any API vulnerability is finding the endpoint in the first place. Attackers are exceptionally good at this. Defenders, typically, are not.

The fundamental problem is that API documentation is a point-in-time artifact maintained by humans who forget, skip, or never knew about endpoints created by other teams. The actual API surface—what is really running in production—drifts from documentation continuously. Shadow APIs accumulate. Debug endpoints linger. Legacy routes remain active. Internal service-to-service APIs sit exposed on public interfaces.

Discovering your real API attack surface requires analyzing what your applications actually do, not what they claim to do. That means examining live traffic.

Why Documentation-Based API Inventories Fail

API documentation is written with good intentions and maintained with declining discipline. The drift between documentation and reality follows a predictable pattern.

A developer adds a new endpoint for a feature sprint. The feature ships. The developer intends to update the OpenAPI spec later but gets pulled into the next sprint. Three months later, the endpoint is handling production traffic, has been discovered by automated scanners, and exists in zero security reviews.

Multiply this across every team, every microservice, and every deployment pipeline in your organization. The Postman 2023 State of APIs Report found that a significant percentage of organizations have incomplete or outdated API documentation. The security implications are severe: you cannot protect what you do not know exists.

The MITRE ATT&CK framework documents Active Scanning (T1595) as a fundamental reconnaissance technique. Attackers use tools like Burp Suite, ffuf, and custom wordlists to enumerate endpoints that are not in your documentation. They test for common patterns—/api/v1/admin, /internal/debug, /graphql, /actuator—and find endpoints your own security team does not know about.

Static analysis tools that parse source code for route definitions help, but they miss dynamically registered routes, middleware-generated endpoints, and third-party library routes. The only authoritative source of truth for what endpoints exist in production is production traffic itself.

How SecureNow's API Map Discovery Works

SecureNow takes a traffic-first approach to API discovery. Instead of relying on documentation, source code, or specification files, the platform analyzes actual OpenTelemetry trace data from your running applications to build a comprehensive, accurate map of every endpoint that receives traffic.

Gradual Discovery from Live Traces

API Map Discovery operates over configurable time windows: 30 minutes, 1 hour, 2 hours, 4 hours, 8 hours, 12 hours, and 24 hours. This gradual approach serves two purposes.

First, it captures endpoints that are accessed at different frequencies. High-traffic endpoints appear within minutes. Scheduled jobs, webhook handlers, and admin interfaces that receive infrequent traffic need longer observation windows. A 30-minute scan might find your core CRUD endpoints; a 24-hour scan reveals the nightly batch processing endpoint that accepts unvalidated input from an internal queue.

Second, gradual discovery prevents overwhelming the analysis with a massive initial dataset. The platform processes traces incrementally, building the endpoint map progressively and surfacing new discoveries as they appear. You can watch the map grow in real time, seeing each new endpoint as it is identified.

Apps-With-Traffic Detection

Before discovery begins, SecureNow identifies which of your instrumented applications are actively generating trace data. This "apps with traffic" detection ensures you are analyzing applications that are actually running and receiving requests, not stale deployments or inactive services.

The detection operates across your entire OpenTelemetry data estate, showing you at a glance which applications have recent traffic and are candidates for API surface discovery.

AI Enhancement of Discovered Endpoints

Raw endpoint discovery from traces produces a list of URL paths and HTTP methods. SecureNow goes further by applying AI analysis to the discovered endpoints, enriching each one with:

• Parameter pattern analysis — identifying path parameters (e.g., /users/{id}), query parameters, and their observed value patterns (numeric IDs, UUIDs, email formats)
• Endpoint classification — categorizing endpoints by function (authentication, CRUD operations, admin, health checks, webhooks)
• Dependency mapping — tracing which services call which endpoints, revealing internal API dependencies
• Security observations — flagging endpoints that lack authentication spans in their traces, accept unusual parameter types, or show error patterns suggesting input validation issues

This AI enhancement transforms a raw endpoint list into an actionable security assessment of your API surface.

Stuck Detection and Auto-Reset

Discovery processes that analyze large volumes of trace data can occasionally stall—perhaps due to a temporary ClickHouse performance issue or an unusually complex trace pattern. SecureNow includes stuck detection that monitors discovery progress and automatically resets stalled processes, ensuring that API mapping completes reliably without manual intervention.

<!-- CTA:trial -->

Visualizing Your API Attack Surface

Discovering endpoints is step one. Understanding the relationships between them—how they interact, what services depend on what, and where the critical paths lie—requires visualization. SecureNow provides three complementary visualization modes.

Circle-Pack Topology

The circle-pack chart displays your API surface as nested circles, where the outermost circles represent applications, inner circles represent service groups, and the innermost circles represent individual endpoints. The size of each circle reflects traffic volume, making it immediately apparent which endpoints are the most active.

This topology view excels at revealing the shape of your API surface at a glance. Clusters of endpoints with high traffic are obvious. Isolated endpoints with low traffic—often the shadow APIs and admin interfaces that pose the greatest risk—stand out as small circles on the periphery.

Dependency Graphs

The dependency graph shows directed connections between services and endpoints. When Service A calls an endpoint on Service B, the graph displays that relationship with request volume and error rates annotated on the edge.

For security analysis, dependency graphs reveal:

• Attack propagation paths — how a compromised endpoint could lead to lateral movement through service-to-service calls
• Trust boundaries — which services communicate directly and which are isolated, indicating where authentication and authorization should be enforced
• Single points of failure — endpoints that many services depend on, where a vulnerability would have cascading impact
• Unexpected connections — service-to-service calls that were not architecturally intended, potentially indicating misconfiguration or unauthorized access

Endpoint Tables with Parameter Patterns

The tabular view provides a detailed listing of every discovered endpoint with:

• HTTP method and path — the full route specification
• Request count — total observed requests in the discovery window
• Last discovered — when the endpoint was most recently seen in traffic
• Parameter patterns — observed path and query parameter formats
• Response code distribution — the proportion of 2xx, 3xx, 4xx, and 5xx responses
• Service chain — which services handle this endpoint

This view is designed for systematic security review. You can sort by any column, filter for specific patterns (e.g., all endpoints containing "admin"), and export the data for integration with your vulnerability management workflow.

The Shadow API Problem

Shadow APIs are the most dangerous consequence of API surface drift. They are endpoints that exist in production, handle real traffic, and are completely invisible to your security program.

The OWASP API Security Top 10 addresses this directly. APIs that are not in your inventory cannot be covered by your rate limiting policies, your authentication requirements, your input validation rules, or your monitoring alerts. They exist outside the security perimeter you have built around your documented APIs.

Common Shadow API Categories

Debug and diagnostic endpoints — routes like /debug/pprof, /actuator/env, or /internal/config that developers add during development and forget to remove before deployment. These often expose sensitive application internals including environment variables, database connection strings, and runtime configuration.

Legacy API versions — deprecated endpoints like /api/v1/users that were replaced by /api/v2/users but never decommissioned. The v1 endpoint might lack security improvements (rate limiting, input validation, authentication changes) that were added in v2.

Internal service endpoints — APIs designed for service-to-service communication that are accidentally exposed on public interfaces. These often use weaker authentication (or none) because they were designed to operate within a trusted network boundary.

Feature flag endpoints — routes that enable or disable features, reset caches, or trigger background jobs. These are typically protected by obscurity ("nobody knows the URL") rather than proper authentication.

Third-party integration callbacks — webhook endpoints registered with external services that accept inbound data with minimal validation. Attackers who discover these endpoints can forge webhook payloads to manipulate your application state.

Real-World Discovery: The Unprotected Admin Endpoint

Consider a practical scenario. Your engineering team built an admin panel for internal use. It lives at /internal/admin and is "protected" by the assumption that only internal users know about it. There is no authentication middleware—the team planned to add it later.

SecureNow's API Map Discovery analyzes your production traces and surfaces /internal/admin along with its sub-routes: /internal/admin/users, /internal/admin/config, and /internal/admin/export. The AI enhancement flags these endpoints because their traces contain no authentication spans. The endpoint table shows they have received requests from external IP addresses.

Without traffic-based discovery, this endpoint remains invisible to your security program. With it, you have identified a critical vulnerability before an attacker exploits it. This is the difference between a security finding and a security incident.

Discovery Statistics and Monitoring

SecureNow tracks key metrics throughout the discovery process:

• Endpoint count — total unique endpoints discovered, with a running comparison to your documented API specification
• Request count — total requests observed during the discovery window, showing the traffic volume that informed the analysis
• Last discovered — timestamp of the most recently found endpoint, indicating whether the discovery is still finding new routes
• Discovery progress — percentage completion of the current analysis window
• New since last scan — endpoints that appeared since the previous discovery run, highlighting API surface changes

These metrics enable continuous monitoring of your API surface. Running discovery daily and comparing results reveals endpoint drift over time—new endpoints appearing, old endpoints disappearing, and traffic patterns shifting.

Integrating API Discovery Into Your Security Program

API attack surface discovery is most valuable when it is not a one-time exercise but an ongoing practice integrated into your security operations.

Continuous Discovery

Schedule API Map Discovery to run daily against all applications with traffic. Compare each day's results to the previous discovery to identify:

• New endpoints — any endpoint that was not present yesterday requires immediate security review
• Missing endpoints — endpoints that disappeared may indicate decommissioning (good) or a service outage (investigate)
• Traffic pattern changes — significant shifts in request volume or error rates on existing endpoints may signal abuse

Security Review Workflow

When discovery surfaces a new or suspicious endpoint, the investigation workflow proceeds naturally:

1. Examine the endpoint in SecureNow's endpoint table to understand its parameters, response patterns, and service chain
2. Analyze traces using AI-powered trace analysis to examine the application behavior triggered by requests to that endpoint
3. Hunt for abuse using forensic queries to search for unusual access patterns, unauthorized sources, or injection attempts targeting the endpoint
4. Create alert rules that monitor the endpoint for suspicious activity going forward

Mapping to OWASP API Security Top 10

Each discovered endpoint should be evaluated against the OWASP API Security Top 10 (2023) categories:

• API1: Broken Object Level Authorization — does the endpoint validate that the authenticated user has permission to access the requested resource?
• API2: Broken Authentication — does the endpoint require authentication, and is the authentication mechanism robust?
• API3: Broken Object Property Level Authorization — does the endpoint expose more data properties than the client needs?
• API4: Unrestricted Resource Consumption — does the endpoint have rate limiting and resource quotas?
• API5: Broken Function Level Authorization — can non-admin users access admin endpoints?

Discovery makes these assessments possible by ensuring you know about every endpoint that needs to be evaluated.

<!-- CTA:demo -->

Beyond Endpoint Lists: Understanding API Behavior

Knowing that an endpoint exists is necessary but not sufficient for security. Understanding how it behaves under different conditions—what parameters it accepts, how it handles malformed input, what downstream services it calls—is what enables effective protection.

SecureNow's API Map Discovery provides the foundation for this deeper understanding. The discovered endpoint map feeds into the platform's broader security analysis capabilities:

• Trace analysis examines the span-level behavior of requests to discovered endpoints, detecting SQL injection, SSRF, and authentication bypass in the application's actual execution path
• Alert rules can be configured for specific discovered endpoints, monitoring for anomalous traffic patterns, error rate spikes, or parameter manipulation
• API abuse detection uses the endpoint map as a baseline for identifying abnormal access patterns—requests to endpoints that should not be externally accessible, unusual parameter values, or traffic from suspicious sources

The endpoint map is not the end of the security analysis—it is the beginning. Every discovered endpoint is a candidate for deeper investigation, and every unknown endpoint that becomes known is a reduction in your attack surface blind spot.

The Attacker's Advantage—and How to Eliminate It

Attackers have a structural advantage in API security: they only need to find one unprotected endpoint. Defenders need to protect all of them. When your API inventory is incomplete, this asymmetry is overwhelming. You are defending endpoints you know about while attackers probe endpoints you do not.

Traffic-based API discovery eliminates this advantage by giving defenders the same visibility that attackers achieve through reconnaissance. Your API map reflects reality—not documentation aspirations—because it is built from the same live traffic that attackers would observe.

The discovery runs continuously. The map updates automatically. New endpoints surface immediately. Shadow APIs cannot hide when every request that reaches your application generates a trace that SecureNow analyzes.

Your documentation might say 47 endpoints. Your production traffic tells a different story. The question is whether you discover those hidden endpoints through scheduled analysis or through an incident report. SecureNow ensures it is always the former.

Frequently Asked Questions

What is API attack surface discovery?

API attack surface discovery automatically identifies all API endpoints in your applications by analyzing live traffic patterns, revealing undocumented, shadow, and deprecated endpoints that could be exploited.

How does SecureNow discover API endpoints?

SecureNow analyzes OpenTelemetry trace data over configurable time windows (30 minutes to 24 hours) to discover endpoints, then uses AI to enhance the results with parameter patterns and dependency analysis.

What are shadow APIs and why are they dangerous?

Shadow APIs are undocumented endpoints that exist in production but aren't covered by your API specifications. They often lack proper authentication, rate limiting, and input validation — making them prime attack targets.

Can I visualize my API topology?

Yes, SecureNow provides circle-pack topology charts, dependency graphs, and endpoint tables with parameter patterns for comprehensive API surface visualization.