Shadow API Discovery
Most organizations find about 30% more attack surface the first time they run Escape, because every organization has APIs nobody remembered. Shadow APIs are the undocumented, forgotten, or rogue endpoints that sit outside your official inventory. Attackers find them; your own teams usually don't.
What Counts as a Shadow API
- Undocumented endpoints: routes live in production but aren't in the OpenAPI spec or the internal catalog.
- Forgotten subdomains: old marketing sites, internal tools pinned to legacy vhosts, proof-of-concept hosts still serving.
- Rogue deployments: staging environments deployed to production-like domains, personal test servers exposed by mistake.
- Drift: an endpoint that used to exist in the spec but got removed from docs while still serving traffic.
How Escape Finds Them
ASM runs three layers of discovery in parallel:
- DNS and certificate transparency: enumerate subdomains from passive sources and CT logs.
- Service fingerprinting: hit every discovered host on a configurable port list, identify the framework, and infer the likely shape of the API.
- Traffic inference: when a scan runs with authentication, Escape reconciles observed routes against the declared schema and flags the delta.
Every shadow endpoint becomes an Asset with the usual lifecycle: severity, owner, classification. From there it's treated like any other API: scanned by DAST, tested by AI Pentesting, routed to the owning team.
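The reconciliation step in the traffic inference layer can be pictured as a set difference between observed routes and the declared OpenAPI paths. The sketch below is an added example, not Escape's own code; the spec fragment, the observed routes, and the function names are constructed for illustration.

```python
import re

# Constructed sample: the "paths" object of a declared OpenAPI spec.
DECLARED_SPEC = {"paths": {
    "/users": {"get": {}, "post": {}},
    "/users/{id}": {"get": {}, "delete": {}},
    "/orders/{orderId}/items": {"get": {}},
}}

# Constructed sample: (method, path) pairs seen during an authenticated crawl.
OBSERVED = [
    ("GET", "/users"),
    ("GET", "/users/42"),
    ("PUT", "/users/42"),             # method missing from the spec
    ("GET", "/orders/9001/items/"),   # differs only by trailing slash
    ("GET", "/internal/debug/vars"),  # path missing from the spec
    ("GET", "/users/42?verbose=1"),   # query string must not cause a miss
]

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def compile_spec(spec):
    """Turn each templated path into (regex, set of declared methods)."""
    compiled = []
    for template, item in spec.get("paths", {}).items():
        # Split on {param} placeholders; each one matches a single path segment.
        parts = re.split(r"\{[^/{}]+\}", template.rstrip("/") or "/")
        pattern = "[^/]+".join(re.escape(p) for p in parts)
        # Path items also hold non-method keys (e.g. "parameters"); skip those.
        methods = {m.upper() for m in item if m.lower() in HTTP_METHODS}
        compiled.append((re.compile(f"^{pattern}$"), methods))
    return compiled

def normalize(path):
    # Drop query string / fragment and trailing slash before matching.
    return re.split(r"[?#]", path, maxsplit=1)[0].rstrip("/") or "/"

def shadow_delta(spec, observed):
    """Return sorted (method, path, reason) for routes the spec does not cover."""
    compiled = compile_spec(spec)
    findings = set()
    for method, raw in observed:
        path = normalize(raw)
        matches = [methods for rx, methods in compiled if rx.match(path)]
        if not matches:
            findings.add((method.upper(), path, "undeclared path"))
        elif not any(method.upper() in m for m in matches):
            findings.add((method.upper(), path, "undeclared method"))
    return sorted(findings)
```

Calling `shadow_delta(DECLARED_SPEC, OBSERVED)` returns the two routes that the spec does not account for; the trailing-slash and query-string variants are normalized away rather than reported as false positives.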
Feeding Back Into the Truth
When ASM finds an endpoint that should have been in the schema, the right fix is usually upstream: update the OpenAPI spec, fix the catalog, close the rogue deployment. Escape's goal is to keep the gap between what's documented and what's served as small as possible.
See Asset Management for how assets are tracked over time, and Scope for including or excluding a discovered asset from the next scan.