API Spyder

API Attack Surface Discovery

An agentless discovery tool, requiring no software installation or traffic redirection, that gives you a view of your attacker-facing resources so you can quickly prioritize remediation efforts by severity.

API Spyder Product Features

Validate Critical Vulnerability Patching

Confirm public-facing servers throughout your digital supply chain are no longer vulnerable to exploits such as Log4j.

Identify All Public-facing API Domains

Predictive crawling technology discovers publicly exposed API domains to help you eliminate shadow APIs.

Confirm Your API Hosting Footprint

Get visibility into all your API hosting locations including public clouds, datacenter providers, CDNs and SaaS services.

Take Action on Findings

Generate executive summary reports and remediation notifications to reduce your public-facing attack surface area.

Continuous Attack Surface Monitoring

Schedule regular, no-impact API security assessments to track progress and ensure no new resources are exposed outside of your defined process or security policy.

“APIs are easy to expose, but difficult to defend. This creates a large and growing attack surface, leading to a growing number of publicized API attacks and breaches. Traditional network and web protection tools do not protect against all the security threats facing APIs. Many organizations lack visibility of their APIs, as many are used as part of web or mobile applications and not published directly. This means that a key requirement of API threat protection is API discovery.”

Source: Gartner® Hype Cycle™ for Application Security, 2022

Get an Attacker’s View into Your Organization

API Spyder FAQ

What is API Spyder?

API Spyder is an API Attack Surface Discovery Tool that gives you an outside-in view of your exposed resources – effectively showing you what an attacker may see. It uncovers the API servers and some of the most common API endpoints they host. What API Spyder discovers is really the “tip of the iceberg”: a starting point for security teams on where to begin the API security journey. It complements the inside-out view that API Sentinel gives you by collecting data from your API management infrastructure. The ideal solution is one that gives you both views.

How does API Spyder discover my API attack surface?

API Spyder uses a predictive crawling technique on your public domain to discover exposed resources, similar to what Google does when they update their search algorithms. In order to discover your API attack surface, all you need to provide is a top-level domain (e.g. exampledomain.com), and API Spyder will use that to uncover API servers under that domain.

What exactly is API Spyder going to show me?

API Spyder will show you your publicly visible API servers and associated resources including:
  • Public cloud hosted and non-production API servers (e.g. api.exampledomain.com)
  • Hosting providers on which these API servers are hosted (e.g. CDN, IaaS, or WAF providers)
  • REST and GraphQL type of endpoints
  • Internal API endpoints like health/monitoring endpoint and Swagger/OpenAPI specifications visible publicly
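The resource types listed above are what an outside-in scan hands to a security team; the work that follows is ranking them by severity, spotting hosts that are not in the approved inventory (shadow APIs), and checking each new scan against the previous one so that nothing appears outside the defined process. The following Python is an added example written for this page, not Cequence's code: the Finding record, the severity policy, the non-production hostname markers and the two sample scan results are all constructed for illustration and do not reflect API Spyder's data format or scoring.

```python
"""Prioritise outside-in API attack-surface findings and track change between scans.

Added example, not Cequence's code: the Finding record, the severity policy
and the sample scan results below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed severity scale used to order remediation work.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Hostname labels that usually mark a non-production system (assumed list).
NON_PROD_MARKERS = {"dev", "staging", "stage", "qa", "test", "uat", "sandbox"}


@dataclass(frozen=True)
class Finding:
    """One publicly reachable resource reported by an outside-in crawl."""
    host: str                       # API server, e.g. api.exampledomain.com
    provider: str                   # hosting/CDN/WAF provider it resolves to
    path: str                       # endpoint path on that server
    kind: str                       # "rest", "graphql", "health" or "openapi"
    log4j_vulnerable: bool = False  # result of the optional Log4j check


def is_non_production(host: str) -> bool:
    """True if any dot- or hyphen-separated part of the hostname is a non-prod marker."""
    parts = [p for label in host.lower().split(".") for p in label.split("-")]
    return any(p in NON_PROD_MARKERS for p in parts)


def severity(f: Finding, approved_hosts: Set[str]) -> str:
    """Assumed policy: an exploitable Log4j server is critical; a host missing from
    the approved inventory (a shadow API) is high; an approved host that exposes
    internal-only resources (health endpoints, OpenAPI specs) or is a non-production
    system is medium; everything else is low."""
    if f.log4j_vulnerable:
        return "critical"
    if f.host not in approved_hosts:
        return "high"
    if f.kind in {"health", "openapi"} or is_non_production(f.host):
        return "medium"
    return "low"


def prioritize(findings: List[Finding], approved_hosts: Set[str]) -> List[Finding]:
    """Order findings for remediation: highest severity first, then host and path."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[severity(f, approved_hosts)], f.host, f.path))


def diff_runs(previous: List[Finding], current: List[Finding]) -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    """Compare two scans by (host, path): returns (newly exposed, no longer exposed)."""
    before = {(f.host, f.path) for f in previous}
    after = {(f.host, f.path) for f in current}
    return after - before, before - after


def log4j_still_vulnerable(previous: List[Finding], current: List[Finding]) -> Set[str]:
    """Hosts flagged for Log4j in the earlier scan that the later scan still flags."""
    was = {f.host for f in previous if f.log4j_vulnerable}
    still = {f.host for f in current if f.log4j_vulnerable}
    return was & still


def executive_summary(findings: List[Finding], approved_hosts: Set[str]) -> Dict[str, object]:
    """Counts per severity, providers seen and shadow hosts, for a summary report."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for f in findings:
        counts[severity(f, approved_hosts)] += 1
    return {
        "by_severity": counts,
        "providers": sorted({f.provider for f in findings}),
        "shadow_hosts": sorted({f.host for f in findings} - approved_hosts),
    }


# Constructed sample data: the approved inventory and two successive scans.
APPROVED_HOSTS = {"api.exampledomain.com"}

PREVIOUS_RUN = [
    Finding("api.exampledomain.com", "cdn-provider-a", "/v1/orders", "rest"),
    Finding("api.exampledomain.com", "cdn-provider-a", "/swagger.json", "openapi"),
    Finding("legacy.exampledomain.com", "iaas-provider-b", "/api/search", "rest", log4j_vulnerable=True),
]

CURRENT_RUN = [
    Finding("api.exampledomain.com", "cdn-provider-a", "/v1/orders", "rest"),
    Finding("api.exampledomain.com", "cdn-provider-a", "/health", "health"),
    Finding("api-staging.exampledomain.com", "iaas-provider-b", "/graphql", "graphql"),
    Finding("legacy.exampledomain.com", "iaas-provider-b", "/api/search", "rest", log4j_vulnerable=False),
]

if __name__ == "__main__":
    for f in prioritize(CURRENT_RUN, APPROVED_HOSTS):
        print(f"{severity(f, APPROVED_HOSTS):8} {f.host}{f.path} via {f.provider}")
    new, gone = diff_runs(PREVIOUS_RUN, CURRENT_RUN)
    print("newly exposed:", sorted(new))
    print("no longer exposed:", sorted(gone))
    print("still Log4j-vulnerable:", sorted(log4j_still_vulnerable(PREVIOUS_RUN, CURRENT_RUN)))
    print(executive_summary(CURRENT_RUN, APPROVED_HOSTS))
```

Comparing scans by (host, path) is what turns a one-off discovery into monitoring: the legacy server that was Log4j-vulnerable in the first run drops out of the still-vulnerable set once the second run no longer flags it, while the staging host and the health endpoint show up as newly exposed resources that need to be either approved or taken down.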

What do I need to install or deploy for this to work?

You do not need to install or deploy any software on your premises for API Spyder to work, nor do you need to make any network changes. You simply enter the top-level domain you wish to crawl with API Spyder and it will then discover the API servers and endpoints under that domain.

What value does this provide?

API Spyder gives you an outside-in view of your exposed resources – effectively showing you what an attacker may see from outside your enterprise environment. This will help you discover and manage your attack surface, showing you the API servers and hosting providers that you may know of, and those that you don’t. API Spyder can also uncover Log4j and LoNg4j vulnerabilities in your API servers without requiring any code to be added to the servers.

How do I try out API Spyder?

You may request a limited time trial account for API Spyder. Open a browser window to the Cequence API Spyder Signup page and see Getting Started: First Steps. The free trial will enable you to discover the attack surface for up to 2 top-level domains, with API Spyder crawling those domains exactly once. You may request an upgrade to a paid subscription to discover your attack surface for additional domains and for continuous discovery, management and notifications of the discovered attack surface.

How does API Spyder crawl my domain?

API Spyder typically generates a few hundred API requests per API server when doing API server and endpoint crawling. The default crawling is benign and is similar to a Google Bot crawl impact. Each domain can be configured to be scanned for Log4j vulnerabilities. This is also not a high impact crawl but could trigger WAF responses if a WAF is configured to look for Log4j scans.

Can I run API Spyder against any domain, even if it’s not my company domain?

No. Your work email root domain is automatically configured as a crawl target. Cequence technical staff reviews all requests for other domains and approves only those that are associated with your work email root domain. Cequence will not permit a crawl by one corporate group or individual targeting another company’s online assets and domains.

What impact will API Spyder have on my site when it crawls?

API Spyder typically generates a few hundred API requests per API server when crawling a domain. The crawling is benign and is similar to a Google Bot crawl impact. Each domain can also be configured to be scanned for Log4j vulnerabilities. This is also not a high impact crawl but could trigger WAF responses if a WAF is configured to look for Log4j scans.

Get an attacker’s view of your API attack surface now. Free, no obligation API assessment.