Why Comprehensive API Discovery Requires Both Domain-Based and Runtime Techniques
The API attack surface is growing—and adversaries know it. Moving to the cloud, DevOps, and application modernization all lead to the proliferation of APIs. Resulting shadow APIs, deprecated endpoints, undocumented integrations, and increasing use of AI provide ideal entry points for attackers. Securing APIs starts with knowing what you have. Yet, most organizations still struggle with this foundational task. Decentralized API development and the speed with which new APIs appear, lack of security process, and inorganic business growth all contribute to this thorny problem.
For example, an organization may believe that all of its APIs (and in some cases even all of their endpoints) are managed by a specific API gateway. In reality, developers are often motivated to move as fast as possible, bypassing the known and approved API management process so they can get working or proof-of-concept code out quickly. Even when done with the best of intentions (a “temporary” measure to enable testing, validation, etc.), developers may forget to clean up properly once they are done and jump to the next critical project. This all-too-common behavior leaves the organization with shadow APIs that should have been decommissioned but continue to exist. Sometimes these APIs are even publicly accessible on the internet.
In this case, runtime discovery will not know about these shadow APIs, since their traffic never passes through the API gateway where runtime inspection takes place. Domain-based discovery, however, should uncover these exposed, unauthorized APIs. That’s why the most effective approach combines domain-based API discovery with runtime API discovery. Each brings unique strengths, and together, they deliver the comprehensive view security teams need. It’s a continuous, multi-dimensional process that requires visibility into both what’s deployed and what’s actively in use.
What Domain-Based API Discovery Sees
Domain-based API discovery uses DNS records to enumerate your known domains, subdomains, and infrastructure, then scans them for potential API hosts and endpoints. It can even find API documentation paths, public Swagger files, and well-known directories.
This method shines in its ability to uncover:
- Dormant or deprecated APIs still exposed to the internet
- Development and staging environments unintentionally left running and public
- Documented but unused endpoints that still accept traffic
- APIs not currently in use but still reachable and potentially exploitable
The strength of domain-based discovery lies in its breadth. It doesn’t need live traffic. It can find assets in the shadows – before attackers do. But it has limits. It can’t validate usage, business context, or the data these APIs handle. It’s a structural view of potential exposure, not a behavioral one.
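The following is an added example (not code from the article or from Cequence) of the structural sweep described above: take hostnames from your own DNS zone export, probe each one for well-known API documentation paths, and flag hostnames that look like non-production environments. The DNS records, hostnames and the set of “live” URLs are constructed for the example, and the HTTP fetch is injected as a callable so the block runs offline; in practice you would pass a real fetcher such as `lambda url: requests.get(url, timeout=5).status_code`.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample: records exported from the organisation's own DNS zone.
# Hostnames are hypothetical and not taken from the article.
DNS_RECORDS: List[Tuple[str, str, str]] = [
    ("api.example.com", "A", "203.0.113.10"),
    ("staging-api.example.com", "A", "203.0.113.11"),
    ("legacy.example.com", "CNAME", "old-lb.example.net"),
    ("www.example.com", "A", "203.0.113.1"),
]

# Well-known locations where API documentation is commonly published.
DOC_PATHS = [
    "/swagger.json",
    "/openapi.json",
    "/v2/api-docs",
    "/swagger-ui.html",
    "/.well-known/openid-configuration",
]

# Hostname fragments that suggest a non-production environment left reachable.
NON_PROD = re.compile(r"(^|[-.])(dev|staging|stage|test|uat|legacy|old)([-.]|$)")


@dataclass
class Finding:
    host: str
    docs: List[str] = field(default_factory=list)  # documentation paths that answered 200
    non_prod: bool = False                          # hostname looks like dev/staging/legacy


def candidate_hosts(records: List[Tuple[str, str, str]]) -> List[str]:
    """Collapse DNS records to the sorted set of hostnames worth probing."""
    return sorted({name for name, rtype, _ in records if rtype in ("A", "AAAA", "CNAME")})


def discover(records, fetch: Callable[[str], int]) -> Dict[str, Finding]:
    """Probe every candidate host for documentation paths.

    `fetch(url)` must return an HTTP status code. It is injected so the example
    runs without network access; a host is reported if any doc path answers 200
    or if its name matches the non-production pattern.
    """
    findings: Dict[str, Finding] = {}
    for host in candidate_hosts(records):
        f = Finding(host=host, non_prod=bool(NON_PROD.search(host)))
        for path in DOC_PATHS:
            if fetch(f"https://{host}{path}") == 200:
                f.docs.append(path)
        if f.docs or f.non_prod:
            findings[host] = f
    return findings


# Constructed stand-in for the network: the URLs that would answer 200.
_FAKE_LIVE = {
    "https://api.example.com/openapi.json",
    "https://staging-api.example.com/swagger.json",
    "https://staging-api.example.com/swagger-ui.html",
}


def fake_fetch(url: str) -> int:
    """Offline fetcher used in place of a real HTTP client."""
    return 200 if url in _FAKE_LIVE else 404


if __name__ == "__main__":
    for host, f in discover(DNS_RECORDS, fake_fetch).items():
        print(f"{host:28} docs={f.docs} {'NON-PROD' if f.non_prod else ''}")
```

Note what the result does and does not tell you: `legacy.example.com` is reported purely because of its name, with no documentation found, which is exactly the “structural view of potential exposure” the section describes; whether anything still answers meaningfully on that host is a question for runtime observation.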
What Runtime API Discovery Reveals
Runtime API discovery fills that gap by watching real-time traffic. It doesn’t rely on guesses or static inventories. Instead, it inspects what actually moves through your network—live requests, responses, traffic patterns, and payloads.
This method typically uses inline proxies, network taps, or integrations with existing traffic inspection points like API gateways or WAFs. It captures:
- Which APIs are actively in use
- How they’re being used (methods, parameters, data types)
- Who’s calling them and how often
- Abuse patterns like credential stuffing, scraping, or data exfiltration
Because it works at runtime, this approach offers dynamic, real-world insight. It spots undocumented APIs, internal-to-external exposures, and usage drift over time. However, it has one blind spot: if there’s no traffic to the API, it sees nothing. That means dormant but vulnerable APIs can fly under the radar.
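As an added example (not the article's or Cequence's code) of what a runtime inventory is built from, the block below parses constructed access-log lines of the kind a proxy or gateway emits, collapses numeric and UUID path segments into a `{id}` template so per-resource URLs fold into one endpoint, and records the methods, query parameters, callers, and status codes seen per endpoint. A final helper lists endpoints that carry traffic but are absent from a documented set, the “undocumented API” case the section mentions. The log lines, hosts and client addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample access-log lines (combined-log-like layout; hypothetical
# paths and client addresses, not taken from the article).
LOG_LINES = """\
198.51.100.7 - - [10/May/2024:10:00:01 +0000] "GET /api/v1/users/123?fields=email HTTP/1.1" 200 512
198.51.100.7 - - [10/May/2024:10:00:02 +0000] "GET /api/v1/users/456?fields=email,phone HTTP/1.1" 200 530
203.0.113.9 - - [10/May/2024:10:00:03 +0000] "POST /api/v1/orders HTTP/1.1" 201 88
203.0.113.9 - - [10/May/2024:10:00:04 +0000] "GET /api/v1/orders/7f3a9c1e-2b4d-4e8f-9a6b-1c2d3e4f5a6b HTTP/1.1" 200 940
198.51.100.7 - - [10/May/2024:10:00:05 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

Endpoint = Tuple[str, str]  # (method, path template)


def normalize_path(path: str) -> str:
    """Replace numeric and UUID segments with {id} so /users/123 and /users/456
    become the single endpoint /users/{id}."""
    return "/".join(
        "{id}" if (seg.isdigit() or UUID.match(seg)) else seg
        for seg in path.split("/")
    )


def build_inventory(lines: str) -> Dict[Endpoint, dict]:
    """Aggregate log lines into {(method, template): usage facts}."""
    inv = defaultdict(lambda: {"count": 0, "clients": set(), "params": set(), "statuses": set()})
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a request line we understand
        path, _, query = m["target"].partition("?")
        entry = inv[(m["method"], normalize_path(path))]
        entry["count"] += 1
        entry["clients"].add(m["client"])
        entry["statuses"].add(int(m["status"]))
        for kv in filter(None, query.split("&")):
            entry["params"].add(kv.split("=", 1)[0])  # record parameter names, not values
    return dict(inv)


def undocumented(inventory: Dict[Endpoint, dict], documented: Set[Endpoint]) -> List[Endpoint]:
    """Endpoints observed in traffic that no specification claims: shadow candidates."""
    return sorted(ep for ep in inventory if ep not in documented)


if __name__ == "__main__":
    inv = build_inventory(LOG_LINES)
    for (method, template), facts in sorted(inv.items()):
        print(method, template, facts["count"], sorted(facts["params"]), sorted(facts["clients"]))
    known = {("GET", "/api/v1/users/{id}"), ("POST", "/api/v1/orders"), ("GET", "/api/v1/orders/{id}")}
    print("undocumented:", undocumented(inv, known))
```

The `/internal/debug/config` hit is the kind of finding only traffic can produce: nothing in DNS or a specification points to it, yet a client is reading it. Conversely, an endpoint with no lines in the log never appears in this inventory at all, which is the blind spot the section describes.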
One Informs the Other
While runtime API discovery is comprehensive in its ability to identify endpoints in use and the risks/vulnerabilities that may lurk in those APIs, it requires prior knowledge of where these APIs are hosted (and possibly managed). If an organization is unaware of all its APIs to begin with, it may not know how or where to perform runtime API discovery.
Domain-based API discovery solves this problem by discovering the locations of these APIs without needing any prior knowledge of their existence and/or deployment. Information discovered in this way can help inform runtime discovery efforts.
Both Approaches Are Needed
Treating domain-based and runtime API discovery as separate, siloed activities creates blind spots – places where attackers thrive. Used together, these methods complement and reinforce each other:
- Domain-based API discovery shows you external API hosts and unauthorized hosting providers that could be in play, even if they’re not used today.
- Runtime API discovery shows you what’s actually happening in real time.
Security leaders need both dimensions to build a complete API inventory, monitor usage patterns, and prioritize risks. A point-in-time scan only gives you a snapshot. Runtime traffic alone can miss critical exposure that hasn’t yet been exploited.
Even more powerful is the synergy between the two approaches. When runtime insights influence domain scanning—such as prioritizing high-risk domains where unknown traffic is observed—you gain efficiency. And when domain discovery feeds runtime systems with a list of potential endpoints to monitor, you reduce your chances of missing new or unclassified APIs.
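The two-way feedback described in this section can be expressed as a reconciliation step over three host sets. The block below is an added example (not Cequence's code) that joins what domain-based discovery found reachable, what runtime discovery saw traffic on, and what is registered behind the sanctioned gateway, then classifies each host and derives the two lists the text calls for: hosts that runtime monitoring should be pointed at, and hosts whose unexpected traffic should raise their priority in the next domain scan. The three input sets and their hostnames are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed inputs (hypothetical hostnames, not from the article):
DOMAIN_FOUND: Set[str] = {"api.example.com", "staging-api.example.com", "legacy.example.com"}  # reachable per domain scan
RUNTIME_SEEN: Set[str] = {"api.example.com", "partner-hook.example.com"}                      # traffic observed
GATEWAY_MANAGED: Set[str] = {"api.example.com"}                                               # registered with the gateway


@dataclass(frozen=True)
class Classified:
    host: str
    category: str  # managed_active | shadow_active | dormant_exposed
    action: str


def reconcile(domain_found: Set[str], runtime_seen: Set[str], gateway_managed: Set[str]) -> List[Classified]:
    """Classify every host either discovery method knows about."""
    out: List[Classified] = []
    for host in sorted(domain_found | runtime_seen):
        active = host in runtime_seen
        managed = host in gateway_managed
        if active and managed:
            out.append(Classified(host, "managed_active", "keep monitoring"))
        elif active:
            # Traffic exists but the host bypasses the gateway: a shadow API.
            out.append(Classified(host, "shadow_active", "onboard to gateway; rescan its domain"))
        else:
            # Reachable per the domain scan but silent: runtime discovery alone never sees it.
            out.append(Classified(host, "dormant_exposed", "decommission or confirm ownership"))
    return out


def runtime_targets(results: List[Classified]) -> List[str]:
    """Domain-discovered hosts that runtime monitoring should now be pointed at."""
    return [r.host for r in results if r.category == "dormant_exposed"]


def rescan_priority(results: List[Classified]) -> List[str]:
    """Hosts with unexplained traffic that should move to the front of the next domain scan."""
    return [r.host for r in results if r.category == "shadow_active"]


if __name__ == "__main__":
    results = reconcile(DOMAIN_FOUND, RUNTIME_SEEN, GATEWAY_MANAGED)
    for r in results:
        print(f"{r.host:28} {r.category:16} {r.action}")
    print("monitor next:", runtime_targets(results))
    print("rescan first:", rescan_priority(results))
```

Run on its own, neither input set would have produced the full picture: the domain scan alone never hears of `partner-hook.example.com`, and the traffic view alone never lists `legacy.example.com` or `staging-api.example.com`.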
The Integrated Advantage
Most tools stop at offering either domain-based or runtime API discovery. Few offer both. Even fewer integrate the two. Cequence does. Our API Security offering not only supports both discovery methods but delivers their results as a unified experience.
With Cequence, your domain-based scans are informed by runtime behavior, and your runtime insights are enhanced by static structural intelligence. That’s more than visibility – it’s contextual awareness that helps you secure APIs before attackers can exploit them.
API security starts with discovery – but discovery must be continuous, contextual, and complete. You can’t protect what you can’t see. And you can’t see everything with just one method.
Use both. Secure more.
Get started today by taking advantage of Cequence’s free API security assessment to get an attacker’s view into your public-facing API resources.