WAAP Security Blog


API Sprawl and Discovery: Finding the APIs You Didn't Know You Had

Every security team has woken up to the same nightmare: an API they didn’t know existed was breached. API sprawl — the proliferation of undocumented, unmanaged, and unmonitored API endpoints — is arguably the single biggest security risk facing organizations in 2026. And it’s getting worse.

The Scale of the Problem

Recent surveys indicate that the average enterprise has 3.5x more API endpoints in production than their security team has documented. The gap is driven by several factors:

How API Discovery Works

Modern WAAP platforms include API discovery capabilities that automatically identify endpoints by analyzing traffic patterns. The process typically works in three phases:

Phase 1: Passive Discovery

The WAAP monitors all traffic flowing through it and catalogues every unique request path, HTTP method, and query parameter combination. Over a baseline period (typically 7-14 days), it builds a complete inventory of active API endpoints.

Phase 2: Classification

Each discovered endpoint is classified by risk factors:

Phase 3: Governance

Discovered APIs are flagged for the security team to review. The team can either:
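The three phases above, passive inventory, classification and governance triage, as an added worked example that is not code from the original post or from any WAAP vendor. It runs over a constructed set of access records (method, path with query string, whether an Authorization header was seen, and the client source as the proxy saw it), collapses per-resource identifiers so that repeated hits on one endpoint are counted together, and then compares the result against a constructed "documented" inventory. The risk factors in `classify` (undocumented, no authentication observed, internet-exposed, mutating method) are assumptions chosen to mirror the healthcare example later on this page, not a list the post itself gives.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of access records as a WAAP or reverse proxy would log them
# (not real traffic): method, path+query, Authorization header present?, client source.
SAMPLE_TRAFFIC = [
    ("GET", "/api/v1/patients/1042?fields=name,dob", True, "internet"),
    ("GET", "/api/v1/patients/2210?fields=name", True, "internet"),
    ("POST", "/api/v1/patients", True, "internet"),
    ("GET", "/api/v1/export/patients?format=csv", False, "internet"),
    ("GET", "/api/v1/export/patients?format=csv&since=2025-01-01", False, "internet"),
    ("GET", "/internal/metrics", False, "internal"),
    ("DELETE", "/api/v1/patients/77", True, "internet"),
]

# Constructed: what the security team believes is deployed (e.g. taken from an OpenAPI spec).
DOCUMENTED = {
    ("GET", "/api/v1/patients/{id}"),
    ("POST", "/api/v1/patients"),
}

# Path segments that look like resource identifiers (integers or UUIDs) are collapsed to {id}.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I
)


def normalize_path(path):
    """Turn /patients/1042 and /patients/2210 into the single template /patients/{id}."""
    segments = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in segments)


def query_param_names(path):
    """Return the set of query parameter names, ignoring their values."""
    if "?" not in path:
        return frozenset()
    query = path.split("?", 1)[1]
    return frozenset(p.split("=", 1)[0] for p in query.split("&") if p)


@dataclass
class EndpointRecord:
    hits: int = 0
    params: set = field(default_factory=set)
    authenticated_hits: int = 0
    sources: set = field(default_factory=set)


def discover(traffic):
    """Phase 1 (passive discovery): inventory keyed by (method, normalized path)."""
    inventory = defaultdict(EndpointRecord)
    for method, path, has_auth, source in traffic:
        rec = inventory[(method, normalize_path(path))]
        rec.hits += 1
        rec.params |= query_param_names(path)
        rec.authenticated_hits += int(has_auth)
        rec.sources.add(source)
    return inventory


def classify(key, rec, documented):
    """Phase 2 (classification): attach risk flags. The factors are this example's assumptions."""
    flags = []
    if key not in documented:
        flags.append("undocumented")
    if rec.authenticated_hits == 0:          # never saw an Authorization header
        flags.append("no-auth-observed")
    if "internet" in rec.sources:            # reachable from outside, per the proxy
        flags.append("internet-exposed")
    if key[0] in ("DELETE", "PUT", "PATCH"):  # state-changing verbs deserve closer review
        flags.append("mutating")
    return flags


def governance_report(traffic, documented):
    """Phase 3 (governance): only undocumented endpoints, highest number of risk flags first."""
    report = []
    for key, rec in discover(traffic).items():
        flags = classify(key, rec, documented)
        if "undocumented" in flags:
            report.append({
                "method": key[0], "path": key[1], "hits": rec.hits,
                "params": sorted(rec.params), "flags": flags,
            })
    report.sort(key=lambda r: (-len(r["flags"]), r["path"]))
    return report


if __name__ == "__main__":
    for row in governance_report(SAMPLE_TRAFFIC, DOCUMENTED):
        print(f'{row["method"]:6} {row["path"]:32} hits={row["hits"]} '
              f'params={row["params"]} flags={row["flags"]}')
```

On the constructed input the report surfaces three shadow endpoints, with the unauthenticated, internet-exposed export endpoint at the top, which is the shape of finding the post describes. In a real deployment the identifier-collapsing regex is the part that needs tuning: if it is too loose, distinct endpoints merge; if it is too strict, every patient ID becomes its own "endpoint" and the inventory balloons.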

Real-World Impact

A recent deployment at a healthcare technology company illustrates the impact. Their WAAP discovery feature identified 186 undocumented API endpoints in the first week — including a patient data export endpoint that had no authentication and was exposed to the public internet. That endpoint was processing an average of 400 requests per day from unknown clients.

Continuous Discovery Is Essential

API sprawl isn’t a one-time problem. New APIs are deployed daily. Continuous discovery — running in the background on all traffic — is the only way to maintain an accurate API inventory.

The Bottom Line

You cannot protect APIs you don’t know about. API discovery is not a nice-to-have feature — it’s the foundation of any effective WAAP deployment. If your WAAP platform doesn’t include continuous API discovery, that should be your top priority for the next procurement cycle.

For API microsegmentation strategies that limit blast radius when shadow APIs are compromised, visit microsegmentation.uk. And for AI-powered API governance automation, check out aisecurities.uk.
