OutScope Team

API Discovery: Finding Shadow APIs with External Monitoring

Discover how external visibility monitoring can help you find forgotten, undocumented, and potentially risky APIs exposed to the internet.

api-security discovery appsec shadow-it

The Shadow API Problem

Shadow APIs are API endpoints that exist in production but are:

  • Not documented in your official API catalog
  • Unknown to security teams
  • Forgotten after migrations or refactors
  • Accidentally exposed during deployment

According to Gartner, by 2025, less than 50% of enterprise APIs will be managed - the rest are shadow APIs.

Why Shadow APIs Are Dangerous

1. No Security Oversight

If you don’t know an API exists, you can’t:

  • Apply security policies
  • Monitor for attacks
  • Patch vulnerabilities
  • Enforce authentication

2. Data Exposure Risk

Shadow APIs often expose:

  • Legacy endpoints with weak auth
  • Admin interfaces meant for internal use
  • Debug endpoints left enabled
  • Deprecated API versions with known vulns

3. Compliance Violations

Untracked APIs can leak PII, violating:

  • GDPR
  • HIPAA
  • PCI-DSS
  • SOC 2

How External Visibility Helps

OutScope discovers APIs by probing from the outside, just like an attacker would.

Automatic Detection

When checking a domain, OutScope:

  1. Analyzes HTTP responses
GET https://example.com/
# Response headers indicate API
Content-Type: application/json
  1. Checks common API paths
/api
/api/v1
/api/v2
/graphql
/swagger
/docs
  1. Detects documentation
{
  "api_doc_detected": true,
  "api_doc_type": "openapi",
  "api_doc_url": "/api/swagger.json"
}
  1. Classifies service type
{
  "kind": "api",
  "speaks_http": true,
  "analyzable": true
}

Real Case Study

A mid-size SaaS company used OutScope to scan their entire domain inventory:

Results:

  • 47 APIs discovered
  • 23 were in official catalog ✅
  • 24 were unknown shadow APIs ⚠️

Shadow APIs found:

  1. Old /admin-api from 2022 (no auth!)
  2. Debug endpoint /api/debug/users (PII exposure)
  3. Legacy /v1/ still responding (known CVE)
  4. Staging API on production subdomain
  5. Swagger UI on internal-api.company.com (public!)

Impact:

  • 3 critical vulnerabilities patched
  • 8 endpoints decommissioned
  • 13 added to WAF rules
  • API catalog updated

Time to discovery: 15 minutes

Step-by-Step: Discover Your Shadow APIs

1. Install OutScope SDK

pip install outscope-sdk

2. Scan Your Domains

from outscope_sdk import Client

client = Client(api_key="svc_your_key")

# Check all subdomains
domains = [
    "api.company.com",
    "app.company.com",
    "admin.company.com",
    "internal.company.com",
    "staging.company.com"
]

# Scan with API-focused paths
for domain in domains:
    client.checks.create(
        fqdn=domain,
        paths=[
            "/",
            "/api",
            "/api/v1",
            "/api/v2",
            "/graphql",
            "/swagger",
            "/docs",
            "/admin"
        ]
    )

3. Filter for APIs

import time
time.sleep(30)  # Wait for checks to complete

checks = client.checks.list_all()

apis = [
    c for c in checks
    if c['analysis']['kind'] == 'api'
    or c['analysis'].get('api_doc_detected')
]

for api in apis:
    print(f"\nFound API: {api['fqdn']}")
    print(f"  Type: {api['analysis']['kind']}")
    print(f"  Auth detected: {api['analysis']['auth_detected']}")
    
    if api['analysis'].get('api_doc_detected'):
        print(f"  Documentation: {api['analysis']['api_doc_url']}")

4. Investigate Unknowns

For each discovered API:

Is it in your API catalog?

  • If NO → Shadow API found

Is it supposed to be public?

  • If NO → Security incident

Does it require authentication?

  • If NO → Critical risk

Is it documented publicly?

  • If YES → Verify no sensitive data in docs

Common Shadow API Patterns

Pattern 1: Forgotten Staging

staging-api.company.com
dev-api.company.com
test.api.company.com

Often no auth, same data as production!

Pattern 2: Legacy Versions

/api/v1  (deprecated, still running)
/api-old
/legacy-api

May have known vulnerabilities.

Pattern 3: Debug Endpoints

/api/debug
/api/test
/api/healthcheck

Sometimes leak internal info.

Pattern 4: Internal Tools Exposed

internal-api.company.com  (public DNS!)
admin-api.company.com
ops.company.com/api

Meant for internal use, accidentally public.

Automate Discovery in CI/CD

Prevent shadow APIs from being deployed:

# .github/workflows/api-discovery.yml
name: API Discovery Check

on:
  push:
    branches: [main]

jobs:
  discover:
    runs-on: ubuntu-latest
    steps:
      - name: Check External APIs
        run: |
          python discover_apis.py
          
      - name: Compare with Catalog
        run: |
          diff discovered_apis.txt api_catalog.txt || exit 1

Fail the build if new APIs are found that aren’t in the catalog.

Best Practices

  1. Scan regularly - Weekly automated scans
  2. Maintain API catalog - Update as you deploy
  3. Monitor for changes - Alert on new discoveries
  4. Enforce policies - All APIs must be cataloged
  5. Decommission properly - Don’t just stop using, actually remove

Conclusion

Shadow APIs are a massive blind spot in most security programs.

External visibility monitoring helps you:

  • ✅ Discover unknown APIs
  • ✅ Find exposed documentation
  • ✅ Identify auth gaps
  • ✅ Prevent accidental exposure

Don’t wait for attackers to find them first.

Try It Now

  1. Start with OutScope (free tier)
  2. Scan your domains
  3. Check for shadow APIs
  4. Update your catalog

Found shadow APIs? Contact us for help securing them.

Back to Blog