Attack Surface Discovery

API Spyder

API Spyder is a SaaS-based discovery tool that provides an attacker’s view into an organization’s public-facing resources to identify external API hosts, unauthorized hosting providers, and API-specific security issues.
Read the API Spyder Datasheet 
API Spyder - Attack Surface Discovery Dashboard
gradient lines

API Spyder is part of the Unified Application Protection Platform

A half-circle image depicting the Cequence Unified API Protection Platform with the words API Security & Bot Management and Discover, Comply, Protect.
The Cequence Unified Application Protection platform unites discovery, compliance, and protection to defend an organization’s applications and APIs against attacks, business logic abuse, and fraud. Demonstrating value in minutes rather than days or weeks, Cequence offers a flexible deployment model that requires no app instrumentation or modification. Cequence solutions scale to meet the needs of the largest and most demanding private and public sector organizations, protecting billions of user accounts and billions more daily API interactions.
Explore the Cequence Unified Application Platform >
API Security

API Security

API Security Posture Management, Compliance, Testing, and Remediation
Bot Management

Bot Management

Bot Detection, Mitigation, and Fraud Prevention
Gradient separator from dark to light blue

Get an attacker’s view of your infrastructure

The rapid expansion of API use in organizations has created unique visibility and risk management problems that are difficult to solve with traditional tools. Use cases addressed by API Spyder include:
External API and hosting provider discovery

External API and cloud hosting provider discovery

Identification of API-specific security issues such as publicly-exposed OpenAPI or GraphQL endpoints

Identification of potential API security issues such as Log4j vulnerabilities and non-production servers

Identify edge, infrastructure, & gateway providers

Reporting on external API risk exposure tailored to personas

At each organization, API Spyder discovers an average of:

API Hosts
0
Hosting Providers
0
Domains
0 +

API Spyder Key Features

API Spyder dashboards showing API Hosts and breakdown of Edge, Infrastructure and Application

Attack Surface Discovery

API Spyder crawls an organization’s domains to discover the complete API attack surface and classifies results for immediate action through user-customizable algorithms. An agentless solution that requires no installation, API Spyder even identifies APIs that aren’t transacting data. Discovery crawls can be on-demand or scheduled, enabling constant monitoring of the external API footprint. Spyder’s outside-in approach contributes to a comprehensive API discovery program, which also includes inside-out and third-party API discovery provided by Cequence Cequence API Security.
API Spyder dashboard showing insights with user configurability

Actionable Insights with User Configurability 

API Spyder provides rich insights into each finding including the ability to view and customize the detection algorithms as well as access API request and response data. Users can reproduce the issues detected and fine-tune the API discovery to ensure optimal effectiveness for their specific environment.
Three pages of an API Spyder report

Persona-Centric Reporting 

API Spyder provides graphical, PDF executive summary reports, and the raw data can be exported in Excel format. This raw data captures all the hosts discovered by API Spyder about each API host including IP address and security findings, enabling security teams to share and delegate to other stakeholders such as the application owners. 
Gradient separator from light blue to dark blue
A man on a cell phone representing reducing API Sprawl at a Global Telecom Provider 

Customer Success Story

Top Multi-National Mobile Phone Carrier Discovers Thousands of Unmanaged and Insecure APIs

One of the nation’s largest mobile phone carriers with over 100 million wireless subscribers used API Spyder to understand their external API attack surface. API Spyder uncovered over 1000 API servers without adequate protection, publicly-available and unprotected non-production servers, and even applications with unpatched Log4j vulnerabilities despite a rigorous patching program. The customer now has completely visibility into their API footprint and dramatically reduced security blind spots.
Read the Case Study

Get an attackers view into your organization.

Try API Spyder today with no installation and no obligation. Nothing to deploy. All we need is your email.
Free API Spyder Trial

API Spyder FAQ

What is API Spyder?

API Spyder is a SaaS-based attack surface discovery tool that provides an attacker’s view of your public-facing resources. It discovers API hosts, unauthorized hosting providers, and API-specific security issues.

API Spyder uses a predictive crawling technique on your public domains to discover exposed resources. In order to discover your API attack surface, all you need to provide is a top-level domain (e.g. exampledomain.com), and API Spyder will discover API hosts and hosting providers for that domain.
API Spyder will show you your publicly-accessible API hosts and associated resources including:
  • Public cloud hosted and non-production API servers (e.g. api.exampledomain.com)
  • Hosting providers on which these API servers are hosted (e.g. CDN, IaaS, or WAF providers)
  • REST and GraphQL endpoints
  • Internal API endpoints like health/monitoring endpoints and Swagger/OpenAPI specifications that may be accidentally available to the internet

You do not need to install or deploy any software on your premises for API Spyder to work, nor do you need to make any network changes. You simply enter the top-level domain you wish to crawl and it will then discover the API hosts and endpoints under that domain.

API Spyder identifies your exposed publicly-accessible resources – effectively showing you what an attacker sees from outside your organization’s environment. This will help you discover and manage your attack surface, highlighting the API servers and hosting providers that you may know of as well as those you don’t. API Spyder can also uncover API-specific security issues such as Log4j and LoNg4j vulnerabilities.
Simply try a free API assessment here.
No. Your work email root domain is automatically configured as a crawl target. Cequence technical staff reviews all requests for other domains and approve only those that are associated with your work email root domain.
API Spyder typically generates a few hundred API requests per API server when crawling a domain. The crawling is benign and is of similar impact to a Google Bot crawl impact.