API Spyder

Attack Surface Discovery

API Spyder is a SaaS-based discovery tool that provides an attacker's view of an organization's public-facing resources in order to identify external API hosts, unauthorized hosting providers, and API-specific security issues.
The rapid expansion of API use in organizations has created unique visibility and risk management problems that are difficult to solve with traditional tools. Use cases addressed by API Spyder include:

External API and hosting provider discovery

Identification of API-specific security issues such as publicly-exposed OpenAPI or GraphQL endpoints

Reporting on external API risk exposure tailored to personas

External Attack Surface Discovery 

API Spyder crawls an organization’s domains to discover the complete API attack surface and classifies results for immediate action through user-customizable algorithms. An agentless solution that requires no installation, API Spyder even identifies APIs that aren’t transacting data. Discovery crawls can be on-demand or scheduled, enabling constant monitoring of the external API footprint.

At each organization, API Spyder discovers an average of:

API Hosts
Hosting Providers

Actionable Insights with User Configurability 

API Spyder provides rich insights into each finding including the ability to view and customize the detection algorithms as well as access API request and response data. Users can reproduce the issues detected and fine-tune the API discovery to ensure optimal effectiveness for their specific environment. 

Persona-Centric Reporting 

API Spyder provides graphical PDF executive summary reports, and the raw data can be exported in Excel format. The export captures everything API Spyder discovered about each API host, including its IP address and security findings, so security teams can share results and delegate remediation to other stakeholders such as the application owners.

API Spyder is Part of the Cequence Unified API Protection Platform 

The Cequence Unified API Protection platform unites discovery, compliance, and protection across all internal and external APIs to defend against attacks, targeted abuse, and fraud. API Spyder crawls the external API attack surface, supplementing the discovery of active APIs in API Sentinel. Any issues discovered can be mitigated with API Spartan through native blocking or other mitigation methods. Cequence solutions scale to handle the most demanding government, Fortune and Global 500 organizations, securing more than 8 billion daily API calls and protecting more than 3 billion user accounts.
One of the nation's largest mobile phone carriers, with over 100 million wireless subscribers, used API Spyder to understand its external API attack surface. API Spyder uncovered over 1000 API servers without adequate protection, publicly-available and unprotected non-production servers, and even applications with unpatched Log4j vulnerabilities despite a rigorous patching program. The customer now has complete visibility into its API footprint and has dramatically reduced its security blind spots.

Get an attacker's view into your organization

Try API Spyder today with no installation and no obligation. 

API Spyder FAQ

What is API Spyder?

API Spyder is a SaaS-based attack surface discovery tool that gives you an outside-in view of your exposed resources – effectively showing you what the attacker may see. It uncovers API servers and some of the most common API endpoints they host.

How does API Spyder discover my API attack surface?

API Spyder uses a predictive crawling technique on your public domain to discover exposed resources. All you need to provide is a root domain (e.g. exampledomain.com), and API Spyder will discover API hosts and endpoints under that domain.

What exactly is API Spyder going to show me?

API Spyder will show you your publicly-accessible API servers and associated resources, including:
  • Public-cloud-hosted and non-production API servers (e.g. api.exampledomain.com)
  • Hosting providers on which these API servers are hosted (e.g. CDN, IaaS, or WAF providers)
  • REST and GraphQL endpoints
  • Internal endpoints that were unintentionally made public, such as health/monitoring endpoints and Swagger/OpenAPI specifications
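The outline above is enough to sketch the outside-in discovery loop yourself: take a root domain, enumerate candidate API hostnames, classify the hosting provider from the CNAME chain, and probe each live host for the exposures listed (public OpenAPI/Swagger specs, GraphQL introspection, health endpoints). The Python below is an added illustration written for this page, not Cequence's code, and it says nothing about how API Spyder's own crawler or detection algorithms work. The prefix wordlist and provider fingerprints are hypothetical, and DNS and HTTP are replaced by constructed in-memory fixtures so it runs offline; a real crawler would swap in resolver and HTTP calls.

```python
"""Added example: miniature outside-in API attack surface discovery (offline)."""
import json
import re
from dataclasses import dataclass

ROOT = "exampledomain.com"  # the FAQ's example root domain

# Hypothetical prefixes an outside-in crawler would try; the real wordlist is not public.
API_PREFIXES = ["api", "api-dev", "api-staging", "uat-api", "graphql", "developer"]
NONPROD_RE = re.compile(r"(^|[.-])(dev|staging|stg|uat|test|qa)([.-]|$)")

# CNAME-suffix -> hosting provider fingerprints. Illustrative subset only.
PROVIDER_SUFFIXES = {
    "cloudfront.net": "AWS CloudFront (CDN)",
    "elb.amazonaws.com": "AWS ELB (IaaS)",
    "cdn.cloudflare.net": "Cloudflare (CDN/WAF)",
    "azurewebsites.net": "Azure App Service",
}

# Probes: GET for spec/health paths, POST introspection query for GraphQL.
INTROSPECTION = json.dumps({"query": "{ __schema { queryType { name } } }"})
PROBES = [
    ("GET", "/swagger.json", None), ("GET", "/openapi.json", None), ("GET", "/v2/api-docs", None),
    ("GET", "/health", None), ("GET", "/actuator/health", None),
    ("POST", "/graphql", INTROSPECTION),
]

# Constructed fixtures standing in for DNS and HTTP (assumption: not real hosts).
DNS_FIXTURE = {  # hostname -> CNAME chain; absent hostname = NXDOMAIN
    "api.exampledomain.com": ["d111abc.cloudfront.net"],
    "api-staging.exampledomain.com": ["stg-lb-1.elb.amazonaws.com"],
    "graphql.exampledomain.com": [],  # A record only, no CNAME
}
HTTP_FIXTURE = {  # (host, method, path) -> (status, content-type, body)
    ("api.exampledomain.com", "GET", "/openapi.json"): (200, "application/json", '{"openapi":"3.0.1","paths":{"/users":{}}}'),
    ("api.exampledomain.com", "GET", "/health"): (401, "application/json", '{"error":"unauthorized"}'),
    ("api-staging.exampledomain.com", "GET", "/v2/api-docs"): (200, "application/json", '{"swagger":"2.0","paths":{}}'),
    ("api-staging.exampledomain.com", "GET", "/actuator/health"): (200, "application/json", '{"status":"UP"}'),
    ("graphql.exampledomain.com", "POST", "/graphql"): (200, "application/json", '{"data":{"__schema":{"queryType":{"name":"Query"}}}}'),
}


@dataclass(frozen=True)
class Finding:
    host: str
    provider: str
    nonprod: bool
    path: str
    issue: str


def candidate_hosts(root):
    return [f"{p}.{root}" for p in API_PREFIXES]


def resolve(host):
    """CNAME chain for host, or None if the name does not exist (fixture lookup)."""
    return DNS_FIXTURE.get(host)


def classify_provider(chain):
    for target in chain:
        for suffix, name in PROVIDER_SUFFIXES.items():
            if target.endswith(suffix):
                return name
    return "Unknown / self-hosted"


def fetch(host, method, path, body=None):
    """Stand-in for an HTTP request; unknown (host, method, path) returns 404."""
    return HTTP_FIXTURE.get((host, method, path), (404, "text/html", ""))


def classify_response(path, status, ctype, body):
    """Map a probe result to an exposure class, or None if nothing is exposed."""
    if status != 200 or "json" not in ctype:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    if "openapi" in doc or "swagger" in doc:
        return "public OpenAPI/Swagger specification"
    if path == "/graphql" and isinstance(doc.get("data"), dict) and "__schema" in doc["data"]:
        return "GraphQL introspection enabled"
    if path.endswith("health") and "status" in doc:
        return "public health/monitoring endpoint"
    return None


def discover(root):
    """Enumerate hosts under root, classify provider/non-prod, and probe each live host."""
    findings = []
    for host in candidate_hosts(root):
        chain = resolve(host)
        if chain is None:
            continue  # name does not resolve: nothing to probe
        provider = classify_provider(chain)
        nonprod = bool(NONPROD_RE.search(host.split(".")[0]))
        for method, path, body in PROBES:
            issue = classify_response(path, *fetch(host, method, path, body))
            if issue:
                findings.append(Finding(host, provider, nonprod, path, issue))
    return findings


if __name__ == "__main__":
    for f in discover(ROOT):
        print(f"{'NON-PROD ' if f.nonprod else ''}{f.host} [{f.provider}] {f.path}: {f.issue}")
```

Two details matter for a crawler like this: only a 200 with a JSON body that actually parses as a spec or introspection result counts, so a WAF serving a 200 HTML block page does not produce a false finding, and the 401 on /health is deliberately left out of the results, since an authenticated health endpoint is the intended state rather than an exposure.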

What do I need to install or deploy for this to work?

You do not need to install or deploy any software on your premises for API Spyder to work, nor do you need to make any network changes. You simply enter the root domain you wish to crawl, and API Spyder discovers the API servers and endpoints under that domain.

What value does this provide?

API Spyder gives you an outside-in view of your exposed resources – effectively showing you what an attacker sees from outside your organization’s environment. This will help you discover and manage your attack surface, showing you the API servers and hosting providers that you may know of, and those that you don’t. API Spyder can also uncover Log4j and LoNg4j vulnerabilities in your API servers without requiring any instrumentation.

How do I try out API Spyder?

Can I run API Spyder against any domain, even if it’s not my company domain?

No. Your work email root domain is automatically configured as a crawl target. Cequence technical staff review all requests for other domains and approve only those that are associated with your work email root domain.

What impact will API Spyder have on my site when it crawls?

API Spyder typically generates a few hundred API requests per API server when crawling a domain. The crawling is benign, with an impact comparable to a Googlebot crawl.