Attack Surface Discovery
API Spyder
API Spyder is a SaaS-based discovery tool that provides an attacker’s view into an organization’s public-facing resources to identify external API hosts, unauthorized hosting providers, and API-specific security issues.
API Spyder is part of the Unified API Protection platform
The Cequence Unified API Protection platform unites discovery, compliance, and protection to defend an organization’s applications and APIs against attacks, business logic abuse, and fraud. Demonstrating value in minutes rather than days or weeks, Cequence offers a flexible deployment model that requires no app instrumentation or modification. Cequence solutions scale to meet the needs of the largest and most demanding private and public sector organizations, protecting billions of user accounts and billions more daily API interactions.
Get an attacker’s view of your infrastructure
The rapid expansion of API use in organizations has created unique visibility and risk management problems that are difficult to solve with traditional tools. Use cases addressed by API Spyder include:
External API and cloud hosting provider discovery
Identification of potential API security issues such as Log4j vulnerabilities and non-production servers
Reporting on external API risk exposure tailored to personas
At each organization, API Spyder discovers an average of:
API Hosts
0
Hosting Providers
0
Domains
0 +
API Spyder Key Features
Attack Surface Discovery
API Spyder crawls an organization’s domains to discover the complete API attack surface and classifies results for immediate action through user-customizable algorithms. An agentless solution that requires no installation, API Spyder even identifies APIs that aren’t transacting data. Discovery crawls can be on-demand or scheduled, enabling constant monitoring of the external API footprint. Spyder’s outside-in approach contributes to a comprehensive API discovery program, which also includes inside-out and third-party API discovery provided by Cequence Cequence API Security.
Actionable Insights with User Configurability
API Spyder provides rich insights into each finding including the ability to view and customize the detection algorithms as well as access API request and response data. Users can reproduce the issues detected and fine-tune the API discovery to ensure optimal effectiveness for their specific environment.
Persona-Centric Reporting
API Spyder provides graphical, PDF executive summary reports, and the raw data can be exported in Excel format. This raw data captures all the hosts discovered by API Spyder about each API host including IP address and security findings, enabling security teams to share and delegate to other stakeholders such as the application owners.
Customer Success Story
Top Multi-National Mobile Phone Carrier Discovers Thousands of Unmanaged and Insecure APIs
One of the nation’s largest mobile phone carriers with over 100 million wireless subscribers used API Spyder to understand their external API attack surface. API Spyder uncovered over 1000 API servers without adequate protection, publicly-available and unprotected non-production servers, and even applications with unpatched Log4j vulnerabilities despite a rigorous patching program. The customer now has completely visibility into their API footprint and dramatically reduced security blind spots.
Get an attackers view into your organization.
Try API Spyder today with no installation and no obligation. Nothing to deploy. All we need is your email.
API Spyder FAQ
What is API Spyder?
API Spyder is a SaaS-based attack surface discovery tool that provides an attacker’s view of your public-facing resources. It discovers API hosts, unauthorized hosting providers, and API-specific security issues.
How does API Spyder discover my API attack surface?
API Spyder uses a predictive crawling technique on your public domains to discover exposed resources. In order to discover your API attack surface, all you need to provide is a top-level domain (e.g. exampledomain.com), and API Spyder will discover API hosts and hosting providers for that domain.
What exactly is API Spyder going to show me?
API Spyder will show you your publicly-accessible API hosts and associated resources including:
- Public cloud hosted and non-production API servers (e.g. api.exampledomain.com)
- Hosting providers on which these API servers are hosted (e.g. CDN, IaaS, or WAF providers)
- REST and GraphQL endpoints
- Internal API endpoints like health/monitoring endpoints and Swagger/OpenAPI specifications that may be accidentally available to the internet
What do I need to install or deploy for this to work?
You do not need to install or deploy any software on your premises for API Spyder to work, nor do you need to make any network changes. You simply enter the top-level domain you wish to crawl and it will then discover the API hosts and endpoints under that domain.
What value does this provide?
API Spyder identifies your exposed publicly-accessible resources – effectively showing you what an attacker sees from outside your organization’s environment. This will help you discover and manage your attack surface, highlighting the API servers and hosting providers that you may know of as well as those you don’t. API Spyder can also uncover API-specific security issues such as Log4j and LoNg4j vulnerabilities.
How do I try out API Spyder?
Simply try a free API assessment here.
Can I run API Spyder against any domain, even if it’s not my company domain?
No. Your work email root domain is automatically configured as a crawl target. Cequence technical staff reviews all requests for other domains and approve only those that are associated with your work email root domain.
What impact will API Spyder have on my site when it crawls?
API Spyder typically generates a few hundred API requests per API server when crawling a domain. The crawling is benign and is of similar impact to a Google Bot crawl impact.
