From d7ed4d6b009ef96af5c21f635e821fd2865164a1 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Thu, 30 Apr 2026 16:10:07 -0600 Subject: [PATCH 01/26] Add AAP endpoint scanning docs --- config/_default/menus/main.en.yaml | 14 +++++- .../security/application_security/_index.md | 3 +- .../api-inventory/_index.md | 3 ++ .../api_security/_index.md | 21 +++++++++ .../api_security/endpoint-scanning.md | 44 +++++++++++++++++++ 5 files changed, 82 insertions(+), 3 deletions(-) create mode 100644 content/en/security/application_security/api_security/_index.md create mode 100644 content/en/security/application_security/api_security/endpoint-scanning.md diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index bce66139ced..dcd9a9e5144 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -7886,11 +7886,21 @@ menu: parent: application_security identifier: aws_waf_int weight: 8 + - name: API Security + url: security/application_security/api_security/ + parent: application_security + identifier: application_security_api_security + weight: 9 - name: API Security Inventory url: security/application_security/api-inventory/ - parent: application_security + parent: application_security_api_security identifier: asm_api_security - weight: 9 + weight: 1 + - name: Endpoint Scanning + url: security/application_security/api_security/endpoint-scanning/ + parent: application_security_api_security + identifier: application_security_endpoint_scanning + weight: 2 - name: Guides url: security/application_security/guide/ parent: application_security diff --git a/content/en/security/application_security/_index.md b/content/en/security/application_security/_index.md index 1a040bee1f6..5cf4bc3c947 100644 --- a/content/en/security/application_security/_index.md +++ b/content/en/security/application_security/_index.md @@ -61,6 +61,7 @@ Whether you're defending public-facing APIs, internal services, or user-facing a * Identify unprotected, undocumented, or overly permissive endpoints. * Get detailed, contextual findings tied to specific endpoints, misconfigurations, and observed behavior. * Evaluate API configurations against posture rules based on security best practices and compliance frameworks (e.g., OWASP API Top 10). +* Actively verify endpoint reachability and authentication posture with [Endpoint Scanning][17]. ### Runtime threat detection and protection @@ -133,4 +134,4 @@ For information on disabling AAP or its features, see the following: [14]: /security/application_security/exploit-prevention/ [15]: /security/application_security/waf-integration/ [16]: /security/application_security/setup/ - +[17]: /security/application_security/api_security/endpoint-scanning/ diff --git a/content/en/security/application_security/api-inventory/_index.md b/content/en/security/application_security/api-inventory/_index.md index e398d1210a0..da7a7ca8d27 100644 --- a/content/en/security/application_security/api-inventory/_index.md +++ b/content/en/security/application_security/api-inventory/_index.md @@ -81,6 +81,8 @@ API Endpoints gathers security metadata about API traffic by leveraging the Data API Endpoints uses [Remote Configuration][1] to manage and configure scanning rules that detect sensitive data and authentication. +To verify whether discovered endpoints are publicly accessible and require authentication, enable [Endpoint Scanning][19]. Endpoint Scanning actively probes eligible endpoints and enriches API Security Inventory with verified public accessibility, authentication status, HTTP response status, and last evaluation data. + The following risks are calculated for each endpoint. ### Data sources @@ -314,3 +316,4 @@ Click a finding to view its details and perform a workflow such as Validate > In [16]: /integrations/guide/source-code-integration/ [17]: /internal_developer_portal/software_catalog/set_up/create_entities/#through-the-datadog-ui [18]: /internal_developer_portal/software_catalog/entity_model/ +[19]: /security/application_security/api_security/endpoint-scanning/ diff --git a/content/en/security/application_security/api_security/_index.md b/content/en/security/application_security/api_security/_index.md new file mode 100644 index 00000000000..09d341d56d5 --- /dev/null +++ b/content/en/security/application_security/api_security/_index.md @@ -0,0 +1,21 @@ +--- +title: API Security +description: Explore API Security capabilities in App and API Protection. +--- + +API Security in Datadog App and API Protection (AAP) helps you discover API endpoints, understand endpoint risk, and verify endpoint behavior. + +Use this section to find documentation for API Security capabilities: + +- [API Security Inventory][1] provides a catalog of API endpoints, services, and findings across your environment. +- [Endpoint Scanning][2] enriches eligible endpoints with verified reachability and authentication data. + +## Capabilities + +{{< whatsnext desc="Explore API Security capabilities:" >}} + {{< nextlink href="/security/application_security/api-inventory/" >}}API Security Inventory: View and triage API endpoints, services, and API findings in one place.{{< /nextlink >}} + {{< nextlink href="/security/application_security/api_security/endpoint-scanning/" >}}Endpoint Scanning: Actively test discovered endpoints to verify public accessibility and authentication status.{{< /nextlink >}} +{{< /whatsnext >}} + +[1]: /security/application_security/api-inventory/ +[2]: /security/application_security/api_security/endpoint-scanning/ diff --git a/content/en/security/application_security/api_security/endpoint-scanning.md b/content/en/security/application_security/api_security/endpoint-scanning.md new file mode 100644 index 00000000000..70000c863d5 --- /dev/null +++ b/content/en/security/application_security/api_security/endpoint-scanning.md @@ -0,0 +1,44 @@ +--- +title: Endpoint Scanning +description: Verify whether discovered API endpoints are publicly accessible and require authentication. +aliases: + - /security/application_security/endpoint-scanning/ + - /security/application_security/api-inventory/endpoint-scanning/ +--- + +Endpoint Scanning is an opt-in App and API Protection (AAP) feature that actively tests discovered API endpoints and enriches the [API Security Inventory][1] with verified security posture data. + +Instead of relying only on observed traffic, Endpoint Scanning probes endpoints from outside your environment to verify how they respond. + +## What Endpoint Scanning verifies + +For each scanned endpoint, Datadog records: + +- **Authentication status**: Whether the endpoint requires authentication. +- **Public accessibility**: Whether the endpoint is reachable without credentials. +- **HTTP response status**: The status code returned by the endpoint. +- **Last evaluation timestamp**: When the endpoint was last scanned. + +Use this information to prioritize exposed endpoints, confirm whether important APIs enforce authentication, and investigate API findings with stronger evidence about the endpoint's current behavior. + +## Eligible endpoints + +Endpoint Scanning currently probes endpoints discovered through distributed tracing. + +Endpoints discovered only from static source code, Software Catalog API definitions, or Amazon API Gateway are not scanned. + +## How scans run + +Endpoint Scanning is off by default. After you enable it, Datadog scans eligible endpoints in the background on a recurring cadence. Scans run in batches, and endpoints are retested approximately every seven days. + +Scans use `GET` requests to verify reachability and authentication posture. + +## Enable Endpoint Scanning + +Endpoint Scanning is off by default. To enable it, go to [App and API Protection settings][2] and turn on **Endpoint Scanning** in **API Testing and Endpoint Scanning**. + +After you enable Endpoint Scanning, results appear in the [API Endpoints][3] explorer as Datadog scans eligible endpoints. + +[1]: /security/application_security/api-inventory/ +[2]: https://app.datadoghq.com/security/configuration/asm/api-security-testing +[3]: https://app.datadoghq.com/security/appsec/inventory/apis From c6f20c80f8d01e5d0083a1817ed2ddfc4024920b Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Thu, 30 Apr 2026 16:19:36 -0600 Subject: [PATCH 02/26] Move API inventory under API security --- config/_default/menus/main.en.yaml | 4 ++-- content/en/security/application_security/_index.md | 2 +- .../security/application_security/api_security/_index.md | 8 ++++---- .../_index.md => api_security/api_inventory.md} | 4 +++- .../{endpoint-scanning.md => endpoint_scanning.md} | 5 +---- content/en/security/guide/security-findings-migration.md | 2 +- .../app_and_api_protection/python/capabilities.html | 2 +- 7 files changed, 13 insertions(+), 14 deletions(-) rename content/en/security/application_security/{api-inventory/_index.md => api_security/api_inventory.md} (99%) rename content/en/security/application_security/api_security/{endpoint-scanning.md => endpoint_scanning.md} (91%) diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index dcd9a9e5144..14ad9d71e64 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -7892,12 +7892,12 @@ menu: identifier: application_security_api_security weight: 9 - name: API Security Inventory - url: security/application_security/api-inventory/ + url: security/application_security/api_security/api_inventory/ parent: application_security_api_security identifier: asm_api_security weight: 1 - name: Endpoint Scanning - url: security/application_security/api_security/endpoint-scanning/ + url: security/application_security/api_security/endpoint_scanning/ parent: application_security_api_security identifier: application_security_endpoint_scanning weight: 2 diff --git a/content/en/security/application_security/_index.md b/content/en/security/application_security/_index.md index 5cf4bc3c947..2f4a8c64172 100644 --- a/content/en/security/application_security/_index.md +++ b/content/en/security/application_security/_index.md @@ -134,4 +134,4 @@ For information on disabling AAP or its features, see the following: [14]: /security/application_security/exploit-prevention/ [15]: /security/application_security/waf-integration/ [16]: /security/application_security/setup/ -[17]: /security/application_security/api_security/endpoint-scanning/ +[17]: /security/application_security/api_security/endpoint_scanning/ diff --git a/content/en/security/application_security/api_security/_index.md b/content/en/security/application_security/api_security/_index.md index 09d341d56d5..5338d67e242 100644 --- a/content/en/security/application_security/api_security/_index.md +++ b/content/en/security/application_security/api_security/_index.md @@ -13,9 +13,9 @@ Use this section to find documentation for API Security capabilities: ## Capabilities {{< whatsnext desc="Explore API Security capabilities:" >}} - {{< nextlink href="/security/application_security/api-inventory/" >}}API Security Inventory: View and triage API endpoints, services, and API findings in one place.{{< /nextlink >}} - {{< nextlink href="/security/application_security/api_security/endpoint-scanning/" >}}Endpoint Scanning: Actively test discovered endpoints to verify public accessibility and authentication status.{{< /nextlink >}} + {{< nextlink href="/security/application_security/api_security/api_inventory/" >}}API Security Inventory: View and triage API endpoints, services, and API findings in one place.{{< /nextlink >}} + {{< nextlink href="/security/application_security/api_security/endpoint_scanning/" >}}Endpoint Scanning: Actively test discovered endpoints to verify public accessibility and authentication status.{{< /nextlink >}} {{< /whatsnext >}} -[1]: /security/application_security/api-inventory/ -[2]: /security/application_security/api_security/endpoint-scanning/ +[1]: /security/application_security/api_security/api_inventory/ +[2]: /security/application_security/api_security/endpoint_scanning/ diff --git a/content/en/security/application_security/api-inventory/_index.md b/content/en/security/application_security/api_security/api_inventory.md similarity index 99% rename from content/en/security/application_security/api-inventory/_index.md rename to content/en/security/application_security/api_security/api_inventory.md index da7a7ca8d27..bdf74e16086 100644 --- a/content/en/security/application_security/api-inventory/_index.md +++ b/content/en/security/application_security/api_security/api_inventory.md @@ -1,5 +1,7 @@ --- title: API Security Inventory +aliases: + - /security/application_security/api-inventory/ further_reading: - link: "https://www.datadoghq.com/blog/primary-risks-to-api-security/" tag: "Blog" @@ -316,4 +318,4 @@ Click a finding to view its details and perform a workflow such as Validate > In [16]: /integrations/guide/source-code-integration/ [17]: /internal_developer_portal/software_catalog/set_up/create_entities/#through-the-datadog-ui [18]: /internal_developer_portal/software_catalog/entity_model/ -[19]: /security/application_security/api_security/endpoint-scanning/ +[19]: /security/application_security/api_security/endpoint_scanning/ diff --git a/content/en/security/application_security/api_security/endpoint-scanning.md b/content/en/security/application_security/api_security/endpoint_scanning.md similarity index 91% rename from content/en/security/application_security/api_security/endpoint-scanning.md rename to content/en/security/application_security/api_security/endpoint_scanning.md index 70000c863d5..808a33c4e79 100644 --- a/content/en/security/application_security/api_security/endpoint-scanning.md +++ b/content/en/security/application_security/api_security/endpoint_scanning.md @@ -1,9 +1,6 @@ --- title: Endpoint Scanning description: Verify whether discovered API endpoints are publicly accessible and require authentication. -aliases: - - /security/application_security/endpoint-scanning/ - - /security/application_security/api-inventory/endpoint-scanning/ --- Endpoint Scanning is an opt-in App and API Protection (AAP) feature that actively tests discovered API endpoints and enriches the [API Security Inventory][1] with verified security posture data. @@ -39,6 +36,6 @@ Endpoint Scanning is off by default. To enable it, go to [App and API Protection After you enable Endpoint Scanning, results appear in the [API Endpoints][3] explorer as Datadog scans eligible endpoints. -[1]: /security/application_security/api-inventory/ +[1]: /security/application_security/api_security/api_inventory/ [2]: https://app.datadoghq.com/security/configuration/asm/api-security-testing [3]: https://app.datadoghq.com/security/appsec/inventory/apis diff --git a/content/en/security/guide/security-findings-migration.md b/content/en/security/guide/security-findings-migration.md index 9f2fbfff896..538018269ec 100644 --- a/content/en/security/guide/security-findings-migration.md +++ b/content/en/security/guide/security-findings-migration.md @@ -150,7 +150,7 @@ Security findings encompass misconfigurations, vulnerabilities, and security ris [10]: /security/cloud_security_management/identity_risks/ [11]: /security/security_inbox/?s=attack%20path#types-of-findings-in-security-inbox [12]: /security/code_security/iac_security/ -[13]: /security/application_security/api-inventory/#api-findings +[13]: /security/application_security/api_security/api_inventory/#api-findings [14]: /help [15]: /api/latest/security-monitoring/#list-findings [16]: /api/latest/security-monitoring/#get-a-finding diff --git a/layouts/partials/app_and_api_protection/python/capabilities.html b/layouts/partials/app_and_api_protection/python/capabilities.html index 1ebb859107b..103ff437030 100644 --- a/layouts/partials/app_and_api_protection/python/capabilities.html +++ b/layouts/partials/app_and_api_protection/python/capabilities.html @@ -23,7 +23,7 @@ 1.17.0 - API Security Inventory + API Security Inventory 2.6.0 From 8710814dcc421b26029ae0373986ecaafc86a74c Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Fri, 1 May 2026 10:47:45 -0600 Subject: [PATCH 03/26] Refine endpoint scanning and API security copy --- .../security/application_security/_index.md | 2 +- .../api_security/_index.md | 14 +++----- .../api_security/api_inventory.md | 3 +- .../api_security/endpoint_scanning.md | 33 ++++++++----------- 4 files changed, 20 insertions(+), 32 deletions(-) diff --git a/content/en/security/application_security/_index.md b/content/en/security/application_security/_index.md index 2f4a8c64172..6a348af53dd 100644 --- a/content/en/security/application_security/_index.md +++ b/content/en/security/application_security/_index.md @@ -61,7 +61,7 @@ Whether you're defending public-facing APIs, internal services, or user-facing a * Identify unprotected, undocumented, or overly permissive endpoints. * Get detailed, contextual findings tied to specific endpoints, misconfigurations, and observed behavior. * Evaluate API configurations against posture rules based on security best practices and compliance frameworks (e.g., OWASP API Top 10). -* Actively verify endpoint reachability and authentication posture with [Endpoint Scanning][17]. +* Actively verify endpoint reachability and authentication with [Endpoint Scanning][17]. ### Runtime threat detection and protection diff --git a/content/en/security/application_security/api_security/_index.md b/content/en/security/application_security/api_security/_index.md index 5338d67e242..a66b7ef437c 100644 --- a/content/en/security/application_security/api_security/_index.md +++ b/content/en/security/application_security/api_security/_index.md @@ -1,21 +1,15 @@ --- title: API Security -description: Explore API Security capabilities in App and API Protection. +description: Discover API endpoints, assess endpoint risk, and verify endpoint behavior with API Security in App and API Protection. --- -API Security in Datadog App and API Protection (AAP) helps you discover API endpoints, understand endpoint risk, and verify endpoint behavior. +API Security in Datadog [App and API Protection][1] (AAP) helps you discover API endpoints, understand the risk they expose, and verify how they behave. -Use this section to find documentation for API Security capabilities: - -- [API Security Inventory][1] provides a catalog of API endpoints, services, and findings across your environment. -- [Endpoint Scanning][2] enriches eligible endpoints with verified reachability and authentication data. - -## Capabilities +API Security Inventory provides the catalog and risk view: it lists the APIs in your environment, the services that own them, and the findings tied to each. Endpoint Scanning enriches the inventory by actively probing eligible endpoints to confirm whether they are publicly reachable and whether they require authentication. {{< whatsnext desc="Explore API Security capabilities:" >}} {{< nextlink href="/security/application_security/api_security/api_inventory/" >}}API Security Inventory: View and triage API endpoints, services, and API findings in one place.{{< /nextlink >}} {{< nextlink href="/security/application_security/api_security/endpoint_scanning/" >}}Endpoint Scanning: Actively test discovered endpoints to verify public accessibility and authentication status.{{< /nextlink >}} {{< /whatsnext >}} -[1]: /security/application_security/api_security/api_inventory/ -[2]: /security/application_security/api_security/endpoint_scanning/ +[1]: /security/application_security/ diff --git a/content/en/security/application_security/api_security/api_inventory.md b/content/en/security/application_security/api_security/api_inventory.md index bdf74e16086..77acd2b3fc5 100644 --- a/content/en/security/application_security/api_security/api_inventory.md +++ b/content/en/security/application_security/api_security/api_inventory.md @@ -1,5 +1,6 @@ --- title: API Security Inventory +description: Catalog API endpoints, services, and findings, and assess API security risk across your environment. aliases: - /security/application_security/api-inventory/ further_reading: @@ -83,7 +84,7 @@ API Endpoints gathers security metadata about API traffic by leveraging the Data API Endpoints uses [Remote Configuration][1] to manage and configure scanning rules that detect sensitive data and authentication. -To verify whether discovered endpoints are publicly accessible and require authentication, enable [Endpoint Scanning][19]. Endpoint Scanning actively probes eligible endpoints and enriches API Security Inventory with verified public accessibility, authentication status, HTTP response status, and last evaluation data. +To verify whether discovered endpoints are publicly accessible and require authentication, enable [Endpoint Scanning][19]. Endpoint Scanning actively scans eligible endpoints and enriches API Security Inventory with verified public accessibility, authentication status, HTTP response status, and last evaluation data. The following risks are calculated for each endpoint. diff --git a/content/en/security/application_security/api_security/endpoint_scanning.md b/content/en/security/application_security/api_security/endpoint_scanning.md index 808a33c4e79..8a6eff31ee3 100644 --- a/content/en/security/application_security/api_security/endpoint_scanning.md +++ b/content/en/security/application_security/api_security/endpoint_scanning.md @@ -3,9 +3,11 @@ title: Endpoint Scanning description: Verify whether discovered API endpoints are publicly accessible and require authentication. --- -Endpoint Scanning is an opt-in App and API Protection (AAP) feature that actively tests discovered API endpoints and enriches the [API Security Inventory][1] with verified security posture data. +Endpoint Scanning is an opt-in [App and API Protection][1] (AAP) feature. It tests discovered API endpoints and enriches the [API Security Inventory][2] with verified authentication and reachability data. -Instead of relying only on observed traffic, Endpoint Scanning probes endpoints from outside your environment to verify how they respond. +Instead of inferring endpoint behavior from observed traffic, Datadog sends requests to your endpoints from outside your environment and records how they respond. + +
Endpoint Scanning only scans endpoints AAP has discovered from APM traces.
## What Endpoint Scanning verifies @@ -16,26 +18,17 @@ For each scanned endpoint, Datadog records: - **HTTP response status**: The status code returned by the endpoint. - **Last evaluation timestamp**: When the endpoint was last scanned. -Use this information to prioritize exposed endpoints, confirm whether important APIs enforce authentication, and investigate API findings with stronger evidence about the endpoint's current behavior. - -## Eligible endpoints - -Endpoint Scanning currently probes endpoints discovered through distributed tracing. - -Endpoints discovered only from static source code, Software Catalog API definitions, or Amazon API Gateway are not scanned. - -## How scans run - -Endpoint Scanning is off by default. After you enable it, Datadog scans eligible endpoints in the background on a recurring cadence. Scans run in batches, and endpoints are retested approximately every seven days. - -Scans use `GET` requests to verify reachability and authentication posture. +Use this information to prioritize exposed endpoints, confirm whether important APIs enforce authentication, and investigate API findings with stronger evidence about how the endpoint behaves. ## Enable Endpoint Scanning -Endpoint Scanning is off by default. To enable it, go to [App and API Protection settings][2] and turn on **Endpoint Scanning** in **API Testing and Endpoint Scanning**. +Endpoint Scanning is off by default. To enable it: + +1. In App and API Protection settings, go to [API Security Testing][3]. +2. Toggle **Enable Endpoint Scanning** on. -After you enable Endpoint Scanning, results appear in the [API Endpoints][3] explorer as Datadog scans eligible endpoints. +After you enable it, Datadog scans eligible endpoints in the background in batches, using `GET` requests. Endpoints are retested approximately every seven days. -[1]: /security/application_security/api_security/api_inventory/ -[2]: https://app.datadoghq.com/security/configuration/asm/api-security-testing -[3]: https://app.datadoghq.com/security/appsec/inventory/apis +[1]: /security/application_security/ +[2]: /security/application_security/api_security/api_inventory/ +[3]: https://app.datadoghq.com/security/configuration/asm/api-security-testing From 8f6c462e975204d67ddd1c4292e4cdb4df2c26e2 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Fri, 1 May 2026 10:54:37 -0600 Subject: [PATCH 04/26] Minor edit --- content/en/security/application_security/api_security/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/application_security/api_security/_index.md b/content/en/security/application_security/api_security/_index.md index a66b7ef437c..7a888e8e8b8 100644 --- a/content/en/security/application_security/api_security/_index.md +++ b/content/en/security/application_security/api_security/_index.md @@ -5,7 +5,7 @@ description: Discover API endpoints, assess endpoint risk, and verify endpoint b API Security in Datadog [App and API Protection][1] (AAP) helps you discover API endpoints, understand the risk they expose, and verify how they behave. -API Security Inventory provides the catalog and risk view: it lists the APIs in your environment, the services that own them, and the findings tied to each. Endpoint Scanning enriches the inventory by actively probing eligible endpoints to confirm whether they are publicly reachable and whether they require authentication. +API Security Inventory provides the catalog and risk view: it lists the APIs in your environment, the services that own them, and the findings tied to each. Endpoint Scanning enriches the inventory by actively scanning eligible endpoints to confirm whether they are publicly reachable and whether they require authentication. {{< whatsnext desc="Explore API Security capabilities:" >}} {{< nextlink href="/security/application_security/api_security/api_inventory/" >}}API Security Inventory: View and triage API endpoints, services, and API findings in one place.{{< /nextlink >}} From 51b25c7a10f913ce8dba5d6559b3682f0e5e9ba4 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Fri, 1 May 2026 14:27:37 -0600 Subject: [PATCH 05/26] Tighten endpoint scanning intro and align terminology --- .../en/security/application_security/api_security/_index.md | 4 ++-- .../application_security/api_security/endpoint_scanning.md | 4 +--- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/content/en/security/application_security/api_security/_index.md b/content/en/security/application_security/api_security/_index.md index 7a888e8e8b8..fb0ed2880ce 100644 --- a/content/en/security/application_security/api_security/_index.md +++ b/content/en/security/application_security/api_security/_index.md @@ -5,11 +5,11 @@ description: Discover API endpoints, assess endpoint risk, and verify endpoint b API Security in Datadog [App and API Protection][1] (AAP) helps you discover API endpoints, understand the risk they expose, and verify how they behave. -API Security Inventory provides the catalog and risk view: it lists the APIs in your environment, the services that own them, and the findings tied to each. Endpoint Scanning enriches the inventory by actively scanning eligible endpoints to confirm whether they are publicly reachable and whether they require authentication. +API Security Inventory provides the catalog and risk view: it lists the APIs in your environment, the services that own them, and the findings tied to each. Endpoint Scanning enriches the inventory by actively scanning eligible endpoints to confirm whether they are publicly accessible and whether they require authentication. {{< whatsnext desc="Explore API Security capabilities:" >}} {{< nextlink href="/security/application_security/api_security/api_inventory/" >}}API Security Inventory: View and triage API endpoints, services, and API findings in one place.{{< /nextlink >}} - {{< nextlink href="/security/application_security/api_security/endpoint_scanning/" >}}Endpoint Scanning: Actively test discovered endpoints to verify public accessibility and authentication status.{{< /nextlink >}} + {{< nextlink href="/security/application_security/api_security/endpoint_scanning/" >}}Endpoint Scanning: Actively scan discovered endpoints to verify public accessibility and authentication status.{{< /nextlink >}} {{< /whatsnext >}} [1]: /security/application_security/ diff --git a/content/en/security/application_security/api_security/endpoint_scanning.md b/content/en/security/application_security/api_security/endpoint_scanning.md index 8a6eff31ee3..f363da50ebb 100644 --- a/content/en/security/application_security/api_security/endpoint_scanning.md +++ b/content/en/security/application_security/api_security/endpoint_scanning.md @@ -3,9 +3,7 @@ title: Endpoint Scanning description: Verify whether discovered API endpoints are publicly accessible and require authentication. --- -Endpoint Scanning is an opt-in [App and API Protection][1] (AAP) feature. It tests discovered API endpoints and enriches the [API Security Inventory][2] with verified authentication and reachability data. - -Instead of inferring endpoint behavior from observed traffic, Datadog sends requests to your endpoints from outside your environment and records how they respond. +Endpoint Scanning is an opt-in [App and API Protection][1] (AAP) feature. Instead of inferring endpoint behavior from observed traffic, Datadog scans your endpoints from outside your environment to verify how they respond. The results enrich the [API Security Inventory][2] with verified authentication and accessibility data.
Endpoint Scanning only scans endpoints AAP has discovered from APM traces.
From 9c6a81c3319cd78408bb7dd481ce7a7eaa68bcbc Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Mon, 4 May 2026 14:49:05 -0600 Subject: [PATCH 06/26] Surface GET-only behavior in endpoint scanning intro --- .../application_security/api_security/endpoint_scanning.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/en/security/application_security/api_security/endpoint_scanning.md b/content/en/security/application_security/api_security/endpoint_scanning.md index f363da50ebb..813100d2a0c 100644 --- a/content/en/security/application_security/api_security/endpoint_scanning.md +++ b/content/en/security/application_security/api_security/endpoint_scanning.md @@ -5,6 +5,8 @@ description: Verify whether discovered API endpoints are publicly accessible and Endpoint Scanning is an opt-in [App and API Protection][1] (AAP) feature. Instead of inferring endpoint behavior from observed traffic, Datadog scans your endpoints from outside your environment to verify how they respond. The results enrich the [API Security Inventory][2] with verified authentication and accessibility data. +Endpoint Scanning sends only `GET` requests. It does not call POST, PUT, PATCH, or DELETE endpoints, and never modifies data on your endpoints. +
Endpoint Scanning only scans endpoints AAP has discovered from APM traces.
## What Endpoint Scanning verifies @@ -25,7 +27,7 @@ Endpoint Scanning is off by default. To enable it: 1. In App and API Protection settings, go to [API Security Testing][3]. 2. Toggle **Enable Endpoint Scanning** on. -After you enable it, Datadog scans eligible endpoints in the background in batches, using `GET` requests. Endpoints are retested approximately every seven days. +After you enable it, Datadog scans eligible endpoints in the background in batches. Endpoints are retested approximately every seven days. [1]: /security/application_security/ [2]: /security/application_security/api_security/api_inventory/ From 8f1d3f852c6680129ec9b9196dc62412ebb14119 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Wed, 6 May 2026 09:22:07 -0600 Subject: [PATCH 07/26] Change accessibility to visibility --- .../application_security/api_security/endpoint_scanning.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/security/application_security/api_security/endpoint_scanning.md b/content/en/security/application_security/api_security/endpoint_scanning.md index 813100d2a0c..76751bdaf2a 100644 --- a/content/en/security/application_security/api_security/endpoint_scanning.md +++ b/content/en/security/application_security/api_security/endpoint_scanning.md @@ -3,7 +3,7 @@ title: Endpoint Scanning description: Verify whether discovered API endpoints are publicly accessible and require authentication. --- -Endpoint Scanning is an opt-in [App and API Protection][1] (AAP) feature. Instead of inferring endpoint behavior from observed traffic, Datadog scans your endpoints from outside your environment to verify how they respond. The results enrich the [API Security Inventory][2] with verified authentication and accessibility data. +Endpoint Scanning is an opt-in [App and API Protection][1] (AAP) feature. Instead of inferring endpoint behavior from observed traffic, Datadog scans your endpoints from outside your environment to verify how they respond. The results enrich the [API Security Inventory][2] with verified authentication and visibility data. Endpoint Scanning sends only `GET` requests. It does not call POST, PUT, PATCH, or DELETE endpoints, and never modifies data on your endpoints. @@ -14,7 +14,7 @@ Endpoint Scanning sends only `GET` requests. It does not call POST, PUT, PATCH, For each scanned endpoint, Datadog records: - **Authentication status**: Whether the endpoint requires authentication. -- **Public accessibility**: Whether the endpoint is reachable without credentials. +- **Public visibility**: Whether the endpoint is reachable without credentials. - **HTTP response status**: The status code returned by the endpoint. - **Last evaluation timestamp**: When the endpoint was last scanned. From 4ec827a8ad4b26be2c8886236b468cd1fcce4a69 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Tue, 12 May 2026 12:39:32 -0600 Subject: [PATCH 08/26] Rename API Security to API Posture --- config/_default/menus/main.en.yaml | 10 +++++----- .../en/security/application_security/_index.md | 2 +- .../application_security/api_posture/_index.md | 15 +++++++++++++++ .../api_inventory.md | 10 +++++----- .../endpoint_scanning.md | 4 ++-- .../application_security/api_security/_index.md | 15 --------------- .../security/guide/security-findings-migration.md | 2 +- .../python/capabilities.html | 2 +- 8 files changed, 30 insertions(+), 30 deletions(-) create mode 100644 content/en/security/application_security/api_posture/_index.md rename content/en/security/application_security/{api_security => api_posture}/api_inventory.md (97%) rename content/en/security/application_security/{api_security => api_posture}/endpoint_scanning.md (89%) delete mode 100644 content/en/security/application_security/api_security/_index.md diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 14ad9d71e64..66f26b9de92 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -7886,18 +7886,18 @@ menu: parent: application_security identifier: aws_waf_int weight: 8 - - name: API Security - url: security/application_security/api_security/ + - name: API Posture + url: security/application_security/api_posture/ parent: application_security identifier: application_security_api_security weight: 9 - - name: API Security Inventory - url: security/application_security/api_security/api_inventory/ + - name: API Posture Inventory + url: security/application_security/api_posture/api_inventory/ parent: application_security_api_security identifier: asm_api_security weight: 1 - name: Endpoint Scanning - url: security/application_security/api_security/endpoint_scanning/ + url: security/application_security/api_posture/endpoint_scanning/ parent: application_security_api_security identifier: application_security_endpoint_scanning weight: 2 diff --git a/content/en/security/application_security/_index.md b/content/en/security/application_security/_index.md index 6a348af53dd..ee01dff0860 100644 --- a/content/en/security/application_security/_index.md +++ b/content/en/security/application_security/_index.md @@ -134,4 +134,4 @@ For information on disabling AAP or its features, see the following: [14]: /security/application_security/exploit-prevention/ [15]: /security/application_security/waf-integration/ [16]: /security/application_security/setup/ -[17]: /security/application_security/api_security/endpoint_scanning/ +[17]: /security/application_security/api_posture/endpoint_scanning/ diff --git a/content/en/security/application_security/api_posture/_index.md b/content/en/security/application_security/api_posture/_index.md new file mode 100644 index 00000000000..04b2666c65b --- /dev/null +++ b/content/en/security/application_security/api_posture/_index.md @@ -0,0 +1,15 @@ +--- +title: API Posture +description: Discover API endpoints, assess endpoint risk, and verify endpoint behavior with API Posture in App and API Protection. +--- + +API Posture in Datadog [App and API Protection][1] (AAP) helps you discover API endpoints, understand the risk they expose, and verify how they behave. + +API Posture Inventory provides the catalog and risk view: it lists the APIs in your environment, the services that own them, and the findings tied to each. Endpoint Scanning enriches the inventory by actively scanning eligible endpoints to confirm whether they are publicly accessible and whether they require authentication. + +{{< whatsnext desc="Explore API Posture capabilities:" >}} + {{< nextlink href="/security/application_security/api_posture/api_inventory/" >}}API Posture Inventory: View and triage API endpoints, services, and API findings in one place.{{< /nextlink >}} + {{< nextlink href="/security/application_security/api_posture/endpoint_scanning/" >}}Endpoint Scanning: Actively scan discovered endpoints to verify public accessibility and authentication status.{{< /nextlink >}} +{{< /whatsnext >}} + +[1]: /security/application_security/ diff --git a/content/en/security/application_security/api_security/api_inventory.md b/content/en/security/application_security/api_posture/api_inventory.md similarity index 97% rename from content/en/security/application_security/api_security/api_inventory.md rename to content/en/security/application_security/api_posture/api_inventory.md index 77acd2b3fc5..d639bff120f 100644 --- a/content/en/security/application_security/api_security/api_inventory.md +++ b/content/en/security/application_security/api_posture/api_inventory.md @@ -1,5 +1,5 @@ --- -title: API Security Inventory +title: API Posture Inventory description: Catalog API endpoints, services, and findings, and assess API security risk across your environment. aliases: - /security/application_security/api-inventory/ @@ -11,7 +11,7 @@ further_reading: API security relies on visibility. The biggest failure mode in most applications isn't missed vulnerabilities, it's missed APIs. -[API Security Inventory][7] provides a comprehensive, up-to-date catalog and risk assessment of all API endpoints and services in your environment. +[API Posture Inventory][7] provides a comprehensive, up-to-date catalog and risk assessment of all API endpoints and services in your environment. **Inventory** is comprised of explorers that correspond to distinct layers in the API security lifecycle: @@ -63,7 +63,7 @@ For Amazon Web Services (AWS) API Gateway integration, you must set up the follo API Endpoints are discovered from the Datadog Software Catalog and specifically from API definitions [uploaded to Datadog][13]. For instructions on uploading API definitions, see [Create Entities][17]. -For information on what library versions are compatible with API Security Inventory, see [Enabling App and API Protection][11]. [Remote Configuration][1] is required. +For information on what library versions are compatible with API Posture Inventory, see [Enabling App and API Protection][11]. [Remote Configuration][1] is required. |Technology|Minimum tracer version| Support for sensitive data scanning | |----------|----------|----------| @@ -84,7 +84,7 @@ API Endpoints gathers security metadata about API traffic by leveraging the Data API Endpoints uses [Remote Configuration][1] to manage and configure scanning rules that detect sensitive data and authentication. -To verify whether discovered endpoints are publicly accessible and require authentication, enable [Endpoint Scanning][19]. Endpoint Scanning actively scans eligible endpoints and enriches API Security Inventory with verified public accessibility, authentication status, HTTP response status, and last evaluation data. +To verify whether discovered endpoints are publicly accessible and require authentication, enable [Endpoint Scanning][19]. Endpoint Scanning actively scans eligible endpoints and enriches API Posture Inventory with verified public accessibility, authentication status, HTTP response status, and last evaluation data. The following risks are calculated for each endpoint. @@ -319,4 +319,4 @@ Click a finding to view its details and perform a workflow such as Validate > In [16]: /integrations/guide/source-code-integration/ [17]: /internal_developer_portal/software_catalog/set_up/create_entities/#through-the-datadog-ui [18]: /internal_developer_portal/software_catalog/entity_model/ -[19]: /security/application_security/api_security/endpoint_scanning/ +[19]: /security/application_security/api_posture/endpoint_scanning/ diff --git a/content/en/security/application_security/api_security/endpoint_scanning.md b/content/en/security/application_security/api_posture/endpoint_scanning.md similarity index 89% rename from content/en/security/application_security/api_security/endpoint_scanning.md rename to content/en/security/application_security/api_posture/endpoint_scanning.md index 76751bdaf2a..7e1edf751b8 100644 --- a/content/en/security/application_security/api_security/endpoint_scanning.md +++ b/content/en/security/application_security/api_posture/endpoint_scanning.md @@ -3,7 +3,7 @@ title: Endpoint Scanning description: Verify whether discovered API endpoints are publicly accessible and require authentication. --- -Endpoint Scanning is an opt-in [App and API Protection][1] (AAP) feature. Instead of inferring endpoint behavior from observed traffic, Datadog scans your endpoints from outside your environment to verify how they respond. The results enrich the [API Security Inventory][2] with verified authentication and visibility data. +Endpoint Scanning is an opt-in [App and API Protection][1] (AAP) feature. Instead of inferring endpoint behavior from observed traffic, Datadog scans your endpoints from outside your environment to verify how they respond. The results enrich the [API Posture Inventory][2] with verified authentication and visibility data. Endpoint Scanning sends only `GET` requests. It does not call POST, PUT, PATCH, or DELETE endpoints, and never modifies data on your endpoints. @@ -30,5 +30,5 @@ Endpoint Scanning is off by default. To enable it: After you enable it, Datadog scans eligible endpoints in the background in batches. Endpoints are retested approximately every seven days. [1]: /security/application_security/ -[2]: /security/application_security/api_security/api_inventory/ +[2]: /security/application_security/api_posture/api_inventory/ [3]: https://app.datadoghq.com/security/configuration/asm/api-security-testing diff --git a/content/en/security/application_security/api_security/_index.md b/content/en/security/application_security/api_security/_index.md deleted file mode 100644 index fb0ed2880ce..00000000000 --- a/content/en/security/application_security/api_security/_index.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: API Security -description: Discover API endpoints, assess endpoint risk, and verify endpoint behavior with API Security in App and API Protection. ---- - -API Security in Datadog [App and API Protection][1] (AAP) helps you discover API endpoints, understand the risk they expose, and verify how they behave. - -API Security Inventory provides the catalog and risk view: it lists the APIs in your environment, the services that own them, and the findings tied to each. Endpoint Scanning enriches the inventory by actively scanning eligible endpoints to confirm whether they are publicly accessible and whether they require authentication. - -{{< whatsnext desc="Explore API Security capabilities:" >}} - {{< nextlink href="/security/application_security/api_security/api_inventory/" >}}API Security Inventory: View and triage API endpoints, services, and API findings in one place.{{< /nextlink >}} - {{< nextlink href="/security/application_security/api_security/endpoint_scanning/" >}}Endpoint Scanning: Actively scan discovered endpoints to verify public accessibility and authentication status.{{< /nextlink >}} -{{< /whatsnext >}} - -[1]: /security/application_security/ diff --git a/content/en/security/guide/security-findings-migration.md b/content/en/security/guide/security-findings-migration.md index 538018269ec..5130e224490 100644 --- a/content/en/security/guide/security-findings-migration.md +++ b/content/en/security/guide/security-findings-migration.md @@ -150,7 +150,7 @@ Security findings encompass misconfigurations, vulnerabilities, and security ris [10]: /security/cloud_security_management/identity_risks/ [11]: /security/security_inbox/?s=attack%20path#types-of-findings-in-security-inbox [12]: /security/code_security/iac_security/ -[13]: /security/application_security/api_security/api_inventory/#api-findings +[13]: /security/application_security/api_posture/api_inventory/#api-findings [14]: /help [15]: /api/latest/security-monitoring/#list-findings [16]: /api/latest/security-monitoring/#get-a-finding diff --git a/layouts/partials/app_and_api_protection/python/capabilities.html b/layouts/partials/app_and_api_protection/python/capabilities.html index 103ff437030..9d4457eeb18 100644 --- a/layouts/partials/app_and_api_protection/python/capabilities.html +++ b/layouts/partials/app_and_api_protection/python/capabilities.html @@ -23,7 +23,7 @@ 1.17.0 - API Security Inventory + API Posture Inventory 2.6.0 From d1652eddcc472024711780b046b90844fbb73d69 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Fri, 15 May 2026 16:12:58 -0600 Subject: [PATCH 09/26] Rename API Posture Inventory to API Inventory --- .../security/application_security/api_posture/_index.md | 4 ++-- .../application_security/api_posture/api_inventory.md | 8 ++++---- .../application_security/api_posture/endpoint_scanning.md | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/content/en/security/application_security/api_posture/_index.md b/content/en/security/application_security/api_posture/_index.md index 04b2666c65b..eb18ca2902f 100644 --- a/content/en/security/application_security/api_posture/_index.md +++ b/content/en/security/application_security/api_posture/_index.md @@ -5,10 +5,10 @@ description: Discover API endpoints, assess endpoint risk, and verify endpoint b API Posture in Datadog [App and API Protection][1] (AAP) helps you discover API endpoints, understand the risk they expose, and verify how they behave. -API Posture Inventory provides the catalog and risk view: it lists the APIs in your environment, the services that own them, and the findings tied to each. Endpoint Scanning enriches the inventory by actively scanning eligible endpoints to confirm whether they are publicly accessible and whether they require authentication. +API Inventory provides the catalog and risk view: it lists the APIs in your environment, the services that own them, and the findings tied to each. Endpoint Scanning enriches the inventory by actively scanning eligible endpoints to confirm whether they are publicly accessible and whether they require authentication. {{< whatsnext desc="Explore API Posture capabilities:" >}} - {{< nextlink href="/security/application_security/api_posture/api_inventory/" >}}API Posture Inventory: View and triage API endpoints, services, and API findings in one place.{{< /nextlink >}} + {{< nextlink href="/security/application_security/api_posture/api_inventory/" >}}API Inventory: View and triage API endpoints, services, and API findings in one place.{{< /nextlink >}} {{< nextlink href="/security/application_security/api_posture/endpoint_scanning/" >}}Endpoint Scanning: Actively scan discovered endpoints to verify public accessibility and authentication status.{{< /nextlink >}} {{< /whatsnext >}} diff --git a/content/en/security/application_security/api_posture/api_inventory.md b/content/en/security/application_security/api_posture/api_inventory.md index d639bff120f..e51b034edeb 100644 --- a/content/en/security/application_security/api_posture/api_inventory.md +++ b/content/en/security/application_security/api_posture/api_inventory.md @@ -1,5 +1,5 @@ --- -title: API Posture Inventory +title: API Inventory description: Catalog API endpoints, services, and findings, and assess API security risk across your environment. aliases: - /security/application_security/api-inventory/ @@ -11,7 +11,7 @@ further_reading: API security relies on visibility. The biggest failure mode in most applications isn't missed vulnerabilities, it's missed APIs. -[API Posture Inventory][7] provides a comprehensive, up-to-date catalog and risk assessment of all API endpoints and services in your environment. +[API Inventory][7] provides a comprehensive, up-to-date catalog and risk assessment of all API endpoints and services in your environment. **Inventory** is comprised of explorers that correspond to distinct layers in the API security lifecycle: @@ -63,7 +63,7 @@ For Amazon Web Services (AWS) API Gateway integration, you must set up the follo API Endpoints are discovered from the Datadog Software Catalog and specifically from API definitions [uploaded to Datadog][13]. For instructions on uploading API definitions, see [Create Entities][17]. -For information on what library versions are compatible with API Posture Inventory, see [Enabling App and API Protection][11]. [Remote Configuration][1] is required. +For information on what library versions are compatible with API Inventory, see [Enabling App and API Protection][11]. [Remote Configuration][1] is required. |Technology|Minimum tracer version| Support for sensitive data scanning | |----------|----------|----------| @@ -84,7 +84,7 @@ API Endpoints gathers security metadata about API traffic by leveraging the Data API Endpoints uses [Remote Configuration][1] to manage and configure scanning rules that detect sensitive data and authentication. -To verify whether discovered endpoints are publicly accessible and require authentication, enable [Endpoint Scanning][19]. Endpoint Scanning actively scans eligible endpoints and enriches API Posture Inventory with verified public accessibility, authentication status, HTTP response status, and last evaluation data. +To verify whether discovered endpoints are publicly accessible and require authentication, enable [Endpoint Scanning][19]. Endpoint Scanning actively scans eligible endpoints and enriches API Inventory with verified public accessibility, authentication status, HTTP response status, and last evaluation data. The following risks are calculated for each endpoint. diff --git a/content/en/security/application_security/api_posture/endpoint_scanning.md b/content/en/security/application_security/api_posture/endpoint_scanning.md index 7e1edf751b8..21946ac6986 100644 --- a/content/en/security/application_security/api_posture/endpoint_scanning.md +++ b/content/en/security/application_security/api_posture/endpoint_scanning.md @@ -3,7 +3,7 @@ title: Endpoint Scanning description: Verify whether discovered API endpoints are publicly accessible and require authentication. --- -Endpoint Scanning is an opt-in [App and API Protection][1] (AAP) feature. Instead of inferring endpoint behavior from observed traffic, Datadog scans your endpoints from outside your environment to verify how they respond. The results enrich the [API Posture Inventory][2] with verified authentication and visibility data. +Endpoint Scanning is an opt-in [App and API Protection][1] (AAP) feature. Instead of inferring endpoint behavior from observed traffic, Datadog scans your endpoints from outside your environment to verify how they respond. The results enrich the [API Inventory][2] with verified authentication and visibility data. Endpoint Scanning sends only `GET` requests. It does not call POST, PUT, PATCH, or DELETE endpoints, and never modifies data on your endpoints. From efb2e49fe750776ec5015e289a4650df2676d84c Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Fri, 15 May 2026 16:14:31 -0600 Subject: [PATCH 10/26] Rename API Posture Inventory to API Inventory in side nav and Python capabilities --- config/_default/menus/main.en.yaml | 2 +- .../partials/app_and_api_protection/python/capabilities.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 66f26b9de92..b5219817212 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -7891,7 +7891,7 @@ menu: parent: application_security identifier: application_security_api_security weight: 9 - - name: API Posture Inventory + - name: API Inventory url: security/application_security/api_posture/api_inventory/ parent: application_security_api_security identifier: asm_api_security diff --git a/layouts/partials/app_and_api_protection/python/capabilities.html b/layouts/partials/app_and_api_protection/python/capabilities.html index 9d4457eeb18..b48a69a2755 100644 --- a/layouts/partials/app_and_api_protection/python/capabilities.html +++ b/layouts/partials/app_and_api_protection/python/capabilities.html @@ -23,7 +23,7 @@ 1.17.0 - API Posture Inventory + API Inventory 2.6.0 From 5a47454cca9ac8e9f373491aed913bd4f2376987 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Wed, 20 May 2026 16:40:16 -0600 Subject: [PATCH 11/26] Add Preview banner and reframe API Posture landing page --- .../security/application_security/api_posture/_index.md | 8 ++++++-- .../application_security/api_posture/endpoint_scanning.md | 3 +++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/content/en/security/application_security/api_posture/_index.md b/content/en/security/application_security/api_posture/_index.md index eb18ca2902f..dffb26c6d56 100644 --- a/content/en/security/application_security/api_posture/_index.md +++ b/content/en/security/application_security/api_posture/_index.md @@ -5,10 +5,14 @@ description: Discover API endpoints, assess endpoint risk, and verify endpoint b API Posture in Datadog [App and API Protection][1] (AAP) helps you discover API endpoints, understand the risk they expose, and verify how they behave. -API Inventory provides the catalog and risk view: it lists the APIs in your environment, the services that own them, and the findings tied to each. Endpoint Scanning enriches the inventory by actively scanning eligible endpoints to confirm whether they are publicly accessible and whether they require authentication. +API Posture includes: + +- **API Inventory**: A catalog of the API endpoints and services in your environment. +- **API Findings**: Security findings, weaknesses, and misconfigurations tied to your API endpoints. +- **Endpoint Scanning**: Active scanning that verifies whether discovered endpoints are publicly accessible and require authentication. {{< whatsnext desc="Explore API Posture capabilities:" >}} - {{< nextlink href="/security/application_security/api_posture/api_inventory/" >}}API Inventory: View and triage API endpoints, services, and API findings in one place.{{< /nextlink >}} + {{< nextlink href="/security/application_security/api_posture/api_inventory/" >}}API Inventory: View and triage API endpoints and services.{{< /nextlink >}} {{< nextlink href="/security/application_security/api_posture/endpoint_scanning/" >}}Endpoint Scanning: Actively scan discovered endpoints to verify public accessibility and authentication status.{{< /nextlink >}} {{< /whatsnext >}} diff --git a/content/en/security/application_security/api_posture/endpoint_scanning.md b/content/en/security/application_security/api_posture/endpoint_scanning.md index 21946ac6986..71f1df4f077 100644 --- a/content/en/security/application_security/api_posture/endpoint_scanning.md +++ b/content/en/security/application_security/api_posture/endpoint_scanning.md @@ -3,6 +3,9 @@ title: Endpoint Scanning description: Verify whether discovered API endpoints are publicly accessible and require authentication. --- +{{< callout url="#" btn_hidden="true" header="Endpoint Scanning is in Preview" >}} +{{< /callout >}} + Endpoint Scanning is an opt-in [App and API Protection][1] (AAP) feature. Instead of inferring endpoint behavior from observed traffic, Datadog scans your endpoints from outside your environment to verify how they respond. The results enrich the [API Inventory][2] with verified authentication and visibility data. Endpoint Scanning sends only `GET` requests. It does not call POST, PUT, PATCH, or DELETE endpoints, and never modifies data on your endpoints. From 1d632935c8a9c2fa2d6d0280862fa39705904633 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Wed, 20 May 2026 17:19:44 -0600 Subject: [PATCH 12/26] Tighten Endpoint Scanning intro --- .../application_security/api_posture/endpoint_scanning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/application_security/api_posture/endpoint_scanning.md b/content/en/security/application_security/api_posture/endpoint_scanning.md index 71f1df4f077..a9e0851bc25 100644 --- a/content/en/security/application_security/api_posture/endpoint_scanning.md +++ b/content/en/security/application_security/api_posture/endpoint_scanning.md @@ -6,7 +6,7 @@ description: Verify whether discovered API endpoints are publicly accessible and {{< callout url="#" btn_hidden="true" header="Endpoint Scanning is in Preview" >}} {{< /callout >}} -Endpoint Scanning is an opt-in [App and API Protection][1] (AAP) feature. Instead of inferring endpoint behavior from observed traffic, Datadog scans your endpoints from outside your environment to verify how they respond. The results enrich the [API Inventory][2] with verified authentication and visibility data. +Endpoint Scanning verifies how your API endpoints actually respond by scanning them from outside your environment, rather than inferring their behavior from observed traffic. The results enrich the [API Inventory][2] with verified authentication and visibility data. Endpoint Scanning sends only `GET` requests. It does not call POST, PUT, PATCH, or DELETE endpoints, and never modifies data on your endpoints. From 1785949204147be2ecc5bcdaffe612005302583f Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Thu, 21 May 2026 08:23:48 -0600 Subject: [PATCH 13/26] Use absLangURL for capability links --- .../partials/app_and_api_protection/python/capabilities.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/layouts/partials/app_and_api_protection/python/capabilities.html b/layouts/partials/app_and_api_protection/python/capabilities.html index b48a69a2755..ff4180126b6 100644 --- a/layouts/partials/app_and_api_protection/python/capabilities.html +++ b/layouts/partials/app_and_api_protection/python/capabilities.html @@ -19,11 +19,11 @@ 1.19.0 - Automatic user activity event tracking + Automatic user activity event tracking 1.17.0 - API Inventory + API Inventory 2.6.0 From a5efa5b74cfa60acde35e48501067cf8a5e535ab Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Thu, 21 May 2026 09:29:53 -0600 Subject: [PATCH 14/26] Use alert-warning for Endpoint Scanning Preview note --- .../application_security/api_posture/endpoint_scanning.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/en/security/application_security/api_posture/endpoint_scanning.md b/content/en/security/application_security/api_posture/endpoint_scanning.md index a9e0851bc25..f1310dd8a55 100644 --- a/content/en/security/application_security/api_posture/endpoint_scanning.md +++ b/content/en/security/application_security/api_posture/endpoint_scanning.md @@ -3,8 +3,7 @@ title: Endpoint Scanning description: Verify whether discovered API endpoints are publicly accessible and require authentication. --- -{{< callout url="#" btn_hidden="true" header="Endpoint Scanning is in Preview" >}} -{{< /callout >}} +
Endpoint Scanning is in Preview and is subject to change.
Endpoint Scanning verifies how your API endpoints actually respond by scanning them from outside your environment, rather than inferring their behavior from observed traffic. The results enrich the [API Inventory][2] with verified authentication and visibility data. From fade8fc79e4b19c3c2064d9c7f0b5386c6da5e03 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Thu, 21 May 2026 09:30:59 -0600 Subject: [PATCH 15/26] Update note text --- content/.gitignore | 2 ++ .../application_security/api_posture/endpoint_scanning.md | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/content/.gitignore b/content/.gitignore index aec3399366f..2f2acf64835 100644 --- a/content/.gitignore +++ b/content/.gitignore @@ -102,3 +102,5 @@ /en/agent/tooltip_test.md /en/experiments/guide/connecting_a_data_warehouse.md /en/profiler/enabling/_index.md +/es/real_user_monitoring/application_monitoring/browser/setup/client.md +/fr/real_user_monitoring/application_monitoring/browser/setup/client.md diff --git a/content/en/security/application_security/api_posture/endpoint_scanning.md b/content/en/security/application_security/api_posture/endpoint_scanning.md index f1310dd8a55..786d1c522c4 100644 --- a/content/en/security/application_security/api_posture/endpoint_scanning.md +++ b/content/en/security/application_security/api_posture/endpoint_scanning.md @@ -9,7 +9,7 @@ Endpoint Scanning verifies how your API endpoints actually respond by scanning t Endpoint Scanning sends only `GET` requests. It does not call POST, PUT, PATCH, or DELETE endpoints, and never modifies data on your endpoints. -
Endpoint Scanning only scans endpoints AAP has discovered from APM traces.
+
At this time, Endpoint Scanning only scans endpoints AAP has discovered from APM traces.
## What Endpoint Scanning verifies From ae889f7ea0acfd1acf278c724c893649de8a7c7c Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Thu, 21 May 2026 09:49:04 -0600 Subject: [PATCH 16/26] Drop unrelated content/.gitignore changes --- content/.gitignore | 2 -- 1 file changed, 2 deletions(-) diff --git a/content/.gitignore b/content/.gitignore index 2f2acf64835..aec3399366f 100644 --- a/content/.gitignore +++ b/content/.gitignore @@ -102,5 +102,3 @@ /en/agent/tooltip_test.md /en/experiments/guide/connecting_a_data_warehouse.md /en/profiler/enabling/_index.md -/es/real_user_monitoring/application_monitoring/browser/setup/client.md -/fr/real_user_monitoring/application_monitoring/browser/setup/client.md From f265e7a15828efd4f345179dd5a73d5608465f07 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Thu, 21 May 2026 09:54:57 -0600 Subject: [PATCH 17/26] Sharpen intro, backtick HTTP methods, present tense --- .../application_security/api_posture/endpoint_scanning.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/en/security/application_security/api_posture/endpoint_scanning.md b/content/en/security/application_security/api_posture/endpoint_scanning.md index 786d1c522c4..48a9565fc20 100644 --- a/content/en/security/application_security/api_posture/endpoint_scanning.md +++ b/content/en/security/application_security/api_posture/endpoint_scanning.md @@ -5,11 +5,11 @@ description: Verify whether discovered API endpoints are publicly accessible and
Endpoint Scanning is in Preview and is subject to change.
-Endpoint Scanning verifies how your API endpoints actually respond by scanning them from outside your environment, rather than inferring their behavior from observed traffic. The results enrich the [API Inventory][2] with verified authentication and visibility data. +Endpoint Scanning probes your API endpoints from outside your environment and records their HTTP responses, rather than inferring behavior from observed traffic. The results enrich the [API Inventory][2] with verified authentication and visibility data. -Endpoint Scanning sends only `GET` requests. It does not call POST, PUT, PATCH, or DELETE endpoints, and never modifies data on your endpoints. +Endpoint Scanning sends only `GET` requests. It does not call `POST`, `PUT`, `PATCH`, or `DELETE` endpoints, and never modifies data on your endpoints. -
At this time, Endpoint Scanning only scans endpoints AAP has discovered from APM traces.
+
At this time, Endpoint Scanning only scans endpoints that AAP discovers from APM traces.
## What Endpoint Scanning verifies From 33781b6c90741267f6285960226845a0c8d677ce Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Thu, 21 May 2026 09:59:09 -0600 Subject: [PATCH 18/26] Combine scope and safety notes into one bulleted alert --- .../api_posture/endpoint_scanning.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/content/en/security/application_security/api_posture/endpoint_scanning.md b/content/en/security/application_security/api_posture/endpoint_scanning.md index 48a9565fc20..31886ff9336 100644 --- a/content/en/security/application_security/api_posture/endpoint_scanning.md +++ b/content/en/security/application_security/api_posture/endpoint_scanning.md @@ -7,9 +7,13 @@ description: Verify whether discovered API endpoints are publicly accessible and Endpoint Scanning probes your API endpoints from outside your environment and records their HTTP responses, rather than inferring behavior from observed traffic. The results enrich the [API Inventory][2] with verified authentication and visibility data. -Endpoint Scanning sends only `GET` requests. It does not call `POST`, `PUT`, `PATCH`, or `DELETE` endpoints, and never modifies data on your endpoints. - -
At this time, Endpoint Scanning only scans endpoints that AAP discovers from APM traces.
+
+Note: +
    +
  • Endpoint Scanning sends only GET requests. It does not call POST, PUT, PATCH, or DELETE endpoints, and never modifies data on your endpoints.
    • +
  • At this time, Endpoint Scanning only scans endpoints that AAP discovers from APM traces.
    • +
+
## What Endpoint Scanning verifies From 087b4efeb7814b6e932f272320435b6c5088efd0 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Thu, 21 May 2026 10:00:36 -0600 Subject: [PATCH 19/26] Split scope and safety notes back into two --- .../api_posture/endpoint_scanning.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/content/en/security/application_security/api_posture/endpoint_scanning.md b/content/en/security/application_security/api_posture/endpoint_scanning.md index 31886ff9336..48a9565fc20 100644 --- a/content/en/security/application_security/api_posture/endpoint_scanning.md +++ b/content/en/security/application_security/api_posture/endpoint_scanning.md @@ -7,13 +7,9 @@ description: Verify whether discovered API endpoints are publicly accessible and Endpoint Scanning probes your API endpoints from outside your environment and records their HTTP responses, rather than inferring behavior from observed traffic. The results enrich the [API Inventory][2] with verified authentication and visibility data. -
-Note: -
    -
  • Endpoint Scanning sends only GET requests. It does not call POST, PUT, PATCH, or DELETE endpoints, and never modifies data on your endpoints.
    • -
  • At this time, Endpoint Scanning only scans endpoints that AAP discovers from APM traces.
    • -
-
+Endpoint Scanning sends only `GET` requests. It does not call `POST`, `PUT`, `PATCH`, or `DELETE` endpoints, and never modifies data on your endpoints. + +
At this time, Endpoint Scanning only scans endpoints that AAP discovers from APM traces.
## What Endpoint Scanning verifies From 47bf61be3bc89327b0be410bd4b5366bd86486fe Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Wed, 27 May 2026 17:04:47 -0600 Subject: [PATCH 20/26] Move api_inventory.md into api_inventory/_index.md to establish a section --- .../api_posture/{api_inventory.md => api_inventory/_index.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename content/en/security/application_security/api_posture/{api_inventory.md => api_inventory/_index.md} (100%) diff --git a/content/en/security/application_security/api_posture/api_inventory.md b/content/en/security/application_security/api_posture/api_inventory/_index.md similarity index 100% rename from content/en/security/application_security/api_posture/api_inventory.md rename to content/en/security/application_security/api_posture/api_inventory/_index.md From 9d686402936fbfcaf967802bae60eb90d09d9b27 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Wed, 27 May 2026 17:06:19 -0600 Subject: [PATCH 21/26] Extract Services into its own page --- config/_default/menus/main.en.yaml | 9 +++-- .../api_posture/api_inventory/_index.md | 31 ----------------- .../api_posture/api_inventory/services.md | 33 +++++++++++++++++++ 3 files changed, 40 insertions(+), 33 deletions(-) create mode 100644 content/en/security/application_security/api_posture/api_inventory/services.md diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 6e727b97bd8..42ed09a5fbe 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -2092,7 +2092,7 @@ menu: parent: platform_heading identifier: internal_developer_portal weight: 110000 - - name: Catalog + - name: Catalog url: internal_developer_portal/catalog/ parent: internal_developer_portal identifier: catalog @@ -4540,7 +4540,7 @@ menu: parent: tracing identifier: tracing_services weight: 9 - - name: Catalog + - name: Catalog url: /internal_developer_portal/catalog/ parent: tracing_services identifier: tracing_software_catalog @@ -8113,6 +8113,11 @@ menu: parent: application_security_api_security identifier: asm_api_security weight: 1 + - name: Services + url: security/application_security/api_posture/api_inventory/services/ + parent: asm_api_security + identifier: asm_api_security_services + weight: 10001 - name: Endpoint Scanning url: security/application_security/api_posture/endpoint_scanning/ parent: application_security_api_security diff --git a/content/en/security/application_security/api_posture/api_inventory/_index.md b/content/en/security/application_security/api_posture/api_inventory/_index.md index 17d37ccc3f0..53d0558c6a1 100644 --- a/content/en/security/application_security/api_posture/api_inventory/_index.md +++ b/content/en/security/application_security/api_posture/api_inventory/_index.md @@ -239,37 +239,6 @@ Custom authentication detection is possible by configuring [Endpoint Tagging Rul |PHP | v1.15.0 | |Golang | v2.4.0 | -## Services - -The **Services** explorer shows where findings from API Endpoints, vulnerabilities, and runtime signals converge by service. Consider it the operational risk view of your applications. - -Review your services for the following: - -- **Vulnerability risk:** The **Vulnerability Risk** column shows aggregated SCA and IAST results for each service. Vulnerable services have components needing patching or upgrading. -- **Signals and attacks:** Click a service to see charts showing ongoing detections for active exploit attempts or recurring attack patterns. -- **Sensitive data exposure:** Services processing PII (such as SSNs or emails) demand stricter controls and monitoring. -- **Coverage and mode:** Use the **App & API Protection In Monitoring Mode**, **App & API Protection In Blocking Mode**, and the **Inactive** facet to identify where App and API Protection is enabled and enforcing runtime protection. -- **Trend graphs:** The **Trend** column indicates activity and attack frequency over time. - -### Coverage - -The **Coverage** column shows the active protection and analysis capabilities for each service. Use **Coverage** to measure the completeness of your protection stack. - -For example, here are some use cases for **Coverage**: - -- **Runtime protection coverage with App and API Protection**: - - Identify the services in **Monitoring** or **Blocking** mode. - - Move ready-to-block services into blocking mode to actively stop attacks. - - Investigate inactive services to see if instrumentation or configuration gaps are leaving APIs exposed. -- **Software Composition Analysis (SCA) coverage**: - - Track the services with analyzed open source dependencies. - - Enable SCA for unscanned services to detect vulnerable libraries early. - - Prioritize patching inactive services with high dependency risk. -- **Runtime Code Analysis (IAST) coverage**: - - Pinpoint where code-level vulnerability detection is missing. - - Enable IAST for production or high-risk apps to uncover exploitable issues in live traffic. - - Use results to confirm whether library vulnerabilities are actually reachable in code. - ## API Findings **API Findings** provides a central triage view of all detected API risks across definitions, gateways, and live traffic. It provides a set of default rules to detect common vulnerabilities and misconfigurations. You can also set up [custom rules][12] to adapt to specific use cases. diff --git a/content/en/security/application_security/api_posture/api_inventory/services.md b/content/en/security/application_security/api_posture/api_inventory/services.md new file mode 100644 index 00000000000..4394e5414aa --- /dev/null +++ b/content/en/security/application_security/api_posture/api_inventory/services.md @@ -0,0 +1,33 @@ +--- +title: Services +description: View where API findings, vulnerabilities, and runtime signals converge by service. +--- + +The **Services** explorer shows where findings from API Endpoints, vulnerabilities, and runtime signals converge by service. Consider it the operational risk view of your applications. + +Review your services for the following: + +- **Vulnerability risk:** The **Vulnerability Risk** column shows aggregated SCA and IAST results for each service. Vulnerable services have components needing patching or upgrading. +- **Signals and attacks:** Click a service to see charts showing ongoing detections for active exploit attempts or recurring attack patterns. +- **Sensitive data exposure:** Services processing PII (such as SSNs or emails) demand stricter controls and monitoring. +- **Coverage and mode:** Use the **App & API Protection In Monitoring Mode**, **App & API Protection In Blocking Mode**, and the **Inactive** facet to identify where App and API Protection is enabled and enforcing runtime protection. +- **Trend graphs:** The **Trend** column indicates activity and attack frequency over time. + +## Coverage + +The **Coverage** column shows the active protection and analysis capabilities for each service. Use **Coverage** to measure the completeness of your protection stack. + +For example, here are some use cases for **Coverage**: + +- **Runtime protection coverage with App and API Protection**: + - Identify the services in **Monitoring** or **Blocking** mode. + - Move ready-to-block services into blocking mode to actively stop attacks. + - Investigate inactive services to see if instrumentation or configuration gaps are leaving APIs exposed. +- **Software Composition Analysis (SCA) coverage**: + - Track the services with analyzed open source dependencies. + - Enable SCA for unscanned services to detect vulnerable libraries early. + - Prioritize patching inactive services with high dependency risk. +- **Runtime Code Analysis (IAST) coverage**: + - Pinpoint where code-level vulnerability detection is missing. + - Enable IAST for production or high-risk apps to uncover exploitable issues in live traffic. + - Use results to confirm whether library vulnerabilities are actually reachable in code. From 82154b8f50995296d5c2983bc8197994402a1854 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Wed, 27 May 2026 17:08:47 -0600 Subject: [PATCH 22/26] Extract API Findings into its own page as a peer of API Inventory --- config/_default/menus/main.en.yaml | 7 +++- .../api_posture/api_findings.md | 33 +++++++++++++++++++ .../api_posture/api_inventory/_index.md | 30 ----------------- .../guide/security-findings-migration.md | 2 +- 4 files changed, 40 insertions(+), 32 deletions(-) create mode 100644 content/en/security/application_security/api_posture/api_findings.md diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 42ed09a5fbe..5d7bba0848e 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -8118,11 +8118,16 @@ menu: parent: asm_api_security identifier: asm_api_security_services weight: 10001 + - name: API Findings + url: security/application_security/api_posture/api_findings/ + parent: application_security_api_security + identifier: application_security_api_findings + weight: 2 - name: Endpoint Scanning url: security/application_security/api_posture/endpoint_scanning/ parent: application_security_api_security identifier: application_security_endpoint_scanning - weight: 2 + weight: 3 - name: Guides url: security/application_security/guide/ parent: application_security diff --git a/content/en/security/application_security/api_posture/api_findings.md b/content/en/security/application_security/api_posture/api_findings.md new file mode 100644 index 00000000000..5a4513b5b40 --- /dev/null +++ b/content/en/security/application_security/api_posture/api_findings.md @@ -0,0 +1,33 @@ +--- +title: API Findings +description: Triage detected API risks across definitions, gateways, and live traffic. +--- + +**API Findings** provides a central triage view of all detected API risks across definitions, gateways, and live traffic. It provides a set of default rules to detect common vulnerabilities and misconfigurations. You can also set up [custom rules][1] to adapt to specific use cases. + +**API Findings** columns: + +- **Severity:** Each issue is ranked by risk. +- **Endpoints:** Shows how many endpoints are affected and their services. +- **Status and Ticketing:** `Open` or `In Progress` tracks remediation progress and workflow integration. + +Use the **Service** facet to see each service's endpoints to identify ownership and prioritize by business impact. + +## Common operations + +Click a finding to view its details and perform a workflow such as Validate > Investigate > Fix > Track: + +1. Validate: + - Review **What Happened** and **Detected In** to ensure the detection is accurate (service, endpoint, method). + - In **Next Steps**, choose whether to **Mute**, **Create Ticket**, or **Run Workflow** depending on ownership and impact. +2. Investigate: + - Use the **Context** tab to examine the endpoint snapshot and attributes (method, path, authentication flags, tags). + - **Detected In** provides information for routing ownership and remediation. + - In **Detection Rule Query**, you can edit an API finding rule by clicking **See Detection Rule**. +3. Fix: + - Follow the guidance under **Remediation**. +4. Track: + - Use **Create Ticket** to link the issue to your tracking system. + - Use **Reference Links** for developer education or code review. + +[1]: /security/application_security/policies/custom_rules/ diff --git a/content/en/security/application_security/api_posture/api_inventory/_index.md b/content/en/security/application_security/api_posture/api_inventory/_index.md index 53d0558c6a1..56c40d3e58c 100644 --- a/content/en/security/application_security/api_posture/api_inventory/_index.md +++ b/content/en/security/application_security/api_posture/api_inventory/_index.md @@ -239,35 +239,6 @@ Custom authentication detection is possible by configuring [Endpoint Tagging Rul |PHP | v1.15.0 | |Golang | v2.4.0 | -## API Findings - -**API Findings** provides a central triage view of all detected API risks across definitions, gateways, and live traffic. It provides a set of default rules to detect common vulnerabilities and misconfigurations. You can also set up [custom rules][12] to adapt to specific use cases. - -**API Findings** columns: - -- **Severity:** Each issue is ranked by risk. -- **Endpoints:** Shows how many endpoints are affected and their services. -- **Status and Ticketing:** `Open` or `In Progress` tracks remediation progress and workflow integration. - -Use the **Service** facet to see each service's endpoints to identify ownership and prioritize by business impact. - -### Common operations - -Click a finding to view its details and perform a workflow such as Validate > Investigate > Fix > Track: - -1. Validate: - - Review **What Happened** and **Detected In** to ensure the detection is accurate (service, endpoint, method). - - In **Next Steps**, choose whether to **Mute**, **Create Ticket**, or **Run Workflow** depending on ownership and impact. -2. Investigate: - - Use the **Context** tab to examine the endpoint snapshot and attributes (method, path, authentication flags, tags). - - **Dectected In** provides information for routing ownership and remediation. - - In **Detection Rule Query**, you can edit an API finding rule by clicking **See Detection Rule**. -3. Fix: - - Follow the guidance under **Remediation**. -4. Track: - - Use **Create Ticket** to link the issue to your tracking system. - - Use **Reference Links** for developer education or code review. - ## Further reading {{< partial name="whats-next/whats-next.html" >}} @@ -281,7 +252,6 @@ Click a finding to view its details and perform a workflow such as Validate > In [9]: /integrations/amazon-web-services [10]: /integrations/amazon-api-gateway [11]: /security/application_security/setup/ -[12]: /security/application_security/policies/custom_rules/ [13]: /internal_developer_portal/catalog/entity_model/native_entities/?tab=api#native-entity-types [14]: https://app.datadoghq.com/security/appsec/policies/scanners [15]: https://app.datadoghq.com/security/configuration/asm/trace-tagging diff --git a/content/en/security/guide/security-findings-migration.md b/content/en/security/guide/security-findings-migration.md index 5130e224490..8b628af3369 100644 --- a/content/en/security/guide/security-findings-migration.md +++ b/content/en/security/guide/security-findings-migration.md @@ -150,7 +150,7 @@ Security findings encompass misconfigurations, vulnerabilities, and security ris [10]: /security/cloud_security_management/identity_risks/ [11]: /security/security_inbox/?s=attack%20path#types-of-findings-in-security-inbox [12]: /security/code_security/iac_security/ -[13]: /security/application_security/api_posture/api_inventory/#api-findings +[13]: /security/application_security/api_posture/api_findings/ [14]: /help [15]: /api/latest/security-monitoring/#list-findings [16]: /api/latest/security-monitoring/#get-a-finding From c5ae1082f241070932611e6f8f106666a052ce37 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Wed, 27 May 2026 17:11:51 -0600 Subject: [PATCH 23/26] Add asm_api_security to left-nav allowlist so Inventory children render --- layouts/partials/nav/left-nav.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/layouts/partials/nav/left-nav.html b/layouts/partials/nav/left-nav.html index a8b8208f373..1b3cac90664 100644 --- a/layouts/partials/nav/left-nav.html +++ b/layouts/partials/nav/left-nav.html @@ -69,7 +69,7 @@
    + "catalog_set_up" "catalog_entity_model" "asm_serverless" "otel-setup-ddot" "otel-setup-other" "cloud_siem_custom_detection_rules" "llm_obs_managed_evaluations" "llm_obs_external_evaluations" "cnm_analytics" "cloud_siem_open_cybersecurity_schema_framework" "infrastructure_livecontainers_explorer" "otel-dd-sdk-parent" "llm_obs_custom_llm_as_a_judge_evaluations" "ndm_profiles" "synthetics_notifications_template_variables" "dev_tool_int_mcp_server" "serverless_aws_lambda" "serverless_step_functions" "serverless_aws_fargate" "serverless_app_services" "serverless_container_apps" "serverless_azure_functions" "serverless_logic_apps" "serverless_gcr" "asm_api_security") .Identifier) }}d-none{{ end }}"> {{/* LEVEL 4 */}} {{ range .Children }} From ff575a64fae420ec69ca2e84fd12908fd5e86259 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Wed, 27 May 2026 17:16:21 -0600 Subject: [PATCH 24/26] Extract API Endpoints into its own page; fix typos in moved content --- config/_default/menus/main.en.yaml | 5 + .../api_posture/api_inventory/_index.md | 226 +----------------- .../api_inventory/api_endpoints.md | 226 ++++++++++++++++++ 3 files changed, 233 insertions(+), 224 deletions(-) create mode 100644 content/en/security/application_security/api_posture/api_inventory/api_endpoints.md diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 5d7bba0848e..5fb4a579ef6 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -8113,6 +8113,11 @@ menu: parent: application_security_api_security identifier: asm_api_security weight: 1 + - name: API Endpoints + url: security/application_security/api_posture/api_inventory/api_endpoints/ + parent: asm_api_security + identifier: asm_api_security_api_endpoints + weight: 10000 - name: Services url: security/application_security/api_posture/api_inventory/services/ parent: asm_api_security diff --git a/content/en/security/application_security/api_posture/api_inventory/_index.md b/content/en/security/application_security/api_posture/api_inventory/_index.md index 56c40d3e58c..795170aa55f 100644 --- a/content/en/security/application_security/api_posture/api_inventory/_index.md +++ b/content/en/security/application_security/api_posture/api_inventory/_index.md @@ -11,7 +11,7 @@ further_reading: API security relies on visibility. The biggest failure mode in most applications isn't missed vulnerabilities, it's missed APIs. -[API Inventory][7] provides a comprehensive, up-to-date catalog and risk assessment of all API endpoints and services in your environment. +[API Inventory][1] provides a comprehensive, up-to-date catalog and risk assessment of all API endpoints and services in your environment. **Inventory** is comprised of explorers that correspond to distinct layers in the API security lifecycle: @@ -32,230 +32,8 @@ These explorers correspond to the common API security operational flow: 2. **Contextualize:** Identify ownership and dependencies using **Services**. 3. **Detect and respond:** See where misconfigurations are, and where attacks could occur, using **API Findings**. -## API Endpoints - -[API Endpoints][7] monitors your API traffic to provide visibility into the security posture of your APIs, including: - -- **Authentication**: Whether the API enforces authentication. -- **Authentication Method**: Type of authentication used, such as Basic Auth and API key. -- **Public Exposure**: Whether the API is processing traffic from the internet. -- **Sensitive data flows**: Sensitive data handled by the API and flows between APIs. -- **Attack Exposure**: If the endpoint is targeted by attacks. -- **Business Logic**: Business logic and associated business logic suggestions for this API. -- **Vulnerabilities**: If the endpoint contains a vulnerability (powered by [Code Security][8] and [Software Composition Analysis][3]). -- **Findings**: Security findings identified on this API. -- **Dependencies**: APIs and Databases the API depends on. - -Using API Endpoints you can: - -- See which endpoints process sensitive data, are authenticated, have vulnerabilities or findings, or are publicly available. -- See which endpoints are at risk, and pivot directly into the [Threat Monitoring and Protection][2] service for further investigation or response. -- See which endpoints are associated to your business's logic, and find business logic suggestions based on your endpoint's traffic history. - -### Configuration - -To view API Endpoints on your services, **you must have App and API Protection Threats Protection enabled**. - -For Amazon Web Services (AWS) API Gateway integration, you must set up the following: - -- [Amazon Web Services][9] -- [Amazon API Gateway Integration][10] - -API Endpoints are discovered from the Datadog Catalog and specifically from API definitions [uploaded to Datadog][13]. For instructions on uploading API definitions, see [Create Entities][17]. - -For information on what library versions are compatible with API Inventory, see [Enabling App and API Protection][11]. [Remote Configuration][1] is required. - -|Technology|Minimum tracer version| Support for sensitive data scanning | -|----------|----------|----------| -|Python | v2.1.6 | Requests and responses | -|Java | v1.31.0 | Requests only | -|PHP | v0.98.0 | Requests and responses | -|.NET Core | v2.42.0 | Requests and responses | -|.NET Fx | v2.47.0 | Requests and responses | -|Ruby | v1.15.0 | Requests only | -|Golang | v1.59.0 | Requests only | -|Node.js | v3.51.0, v4.30.0 or v5.6.0 | Requests and responses | - -**Note**: On .NET Core and .NET Fx tracers, you need to set the environment variable `DD_API_SECURITY_ENABLED=true` for API Security features to work properly. - -### How it works - -API Endpoints gathers security metadata about API traffic by leveraging the Datadog SDK with App and API Protection enabled, alongside configurations from Amazon API Gateway and uploaded API Definitions. This data includes the discovered API schema, the types of sensitive data (PII) processed, and the authentication scheme in use. The API information is continuously evaluated, ensuring a comprehensive and up-to-date view of your entire API attack surface. - -API Endpoints uses [Remote Configuration][1] to manage and configure scanning rules that detect sensitive data and authentication. - -To verify whether discovered endpoints are publicly accessible and require authentication, enable [Endpoint Scanning][19]. Endpoint Scanning actively scans eligible endpoints and enriches API Inventory with verified public accessibility, authentication status, HTTP response status, and last evaluation data. - -The following risks are calculated for each endpoint. - -### Data sources - -In the [API Endpoints][7] explorer, the **Data Sources** show where visibility originates. - -The following data sources are explored. - -#### Amazon API Gateway - -The Amazon API Gateway service formally defines your API structure. Datadog AWS integration reads this pre-defined configuration from the Amazon API Gateway, and then Datadog uses this configuration to create API endpoint entries in **Inventory**. - -Use **AWS API Gateway** in **Data Source** to gain visibility into these exposed endpoints. You can also use the query `datasource:aws_apigateway`. - -#### Catalog - -The **Catalog** data source shows API endpoints that Datadog learned about from the formal specification uploaded to Datadog. The API specification is attached to, or registered as, a dedicated API component within the IDP service entity. - -This source ensures that your API inventory is complete by including all planned and formally documented endpoints. - -#### APM traces - -The **Spans** data source shows real traffic and data exposure. Remediation should be performed in code, config, or access controls immediately. - -What actions you take depend on each of the attack surfaces: - -- **Vulnerabilities:** Patch any vulnerable libraries surfaced by SCA or Runtime Code Analysis, then redeploy the service. -- **API findings discovered:** Review each issue in context of the traced service, fix any code or configurations, and then validate using new traces. -- **Processing sensitive data:** Confirm data handling complies with policy, sanitize or encrypt PII, and limit access to necessary services. -- **Unauthenticated endpoint:** If the endpoint is not intentionally public, enforce authentication and update service configurations. - -#### Static Endpoint Discovery - -
    Static Endpoint Discovery is in Preview.
    - -{{< site-region region="gov,gov2" >}} -
    Static Endpoint Discovery is not available for the {{< region-param key="dd_site_name" >}} site.
    -{{< /site-region >}} - -The **Source Code** data source shows API endpoints discovered directly from your source code. This complements runtime-based discovery by surfacing endpoints earlier in the development life cycle, including endpoints that may not receive live traffic. - -To use this data source, configure the [Source Code Integration][16] with GitHub, GitLab, or Azure DevOps. The following languages and frameworks are supported: - -| Language | Framework | -|----------|-----------| -| Python | FastAPI, Flask, Tornado | -| Java | Spring | -| Go | Beego, Chi, Echo, Fiber, Gin, Gorilla Mux, fasthttp, go-zero | -| C# | ASP.NET Core MVC | -| Node.js | Express, Fastify | - -To filter for source code endpoints, use **Source Code** in the **Data Source** facet or the query `datasource:source_code`. Scans run when code is pushed to the default branch and on an 8-hour recurring schedule. Discovered endpoints are removed after 12 hours if they are not re-discovered by a subsequent scan. - -##### Map source code endpoints to services - -Static Endpoint Discovery uses heuristics to infer which service an endpoint belongs to. For more accurate mapping, explicitly define service-to-code relationships using the `codeLocations` field in your [Catalog service definition (v3 schema)][18]: - -```yaml -apiVersion: v3 -kind: service -metadata: - name: my-service - owner: my-team -datadog: - codeLocations: - - repositoryURL: https://github.com/org/myrepo.git - paths: - - path/to/service/code/** -``` - -Without explicit `codeLocations`, endpoints may not merge correctly with data from other sources. - -### Processing sensitive data - -[App and API Protection][2] matches known patterns for sensitive data in API requests and responses. If it finds a match, the endpoint is tagged with the category and type of sensitive data processed. - -The matching occurs within your application, and none of the sensitive data is sent to Datadog. - -#### Supported data types - -To see the supported data types (for example, `payment:card`), use the **Schema Sensitive Data** facet. You can also see the data type used in the **Sensitive Data** column. - -#### Create API data scanners - -By default, Datadog App and API Protection scans for PII, credentials, and payment types. Sensitive Data Detection provides API data scanners to define custom scanner data patterns beyond the defaults and improve visibilty into the sensitive data of your API traffic. - -In an API data scanner, you define a scanner category and type to classify API endpoints processing sensitive data (for example, `health_info:patient_id`). Next, you define the JSON key or value conditions that trigger the scanner. - -When the scanner detects sensitive data, it tags the API endpoint with the category and type and displays it in [API Endpoints][7]. - -To create an API data scanner and view its results, do the following: - -1. In App and API Protection **Policies**, go to [Sensitive Data Detection][14]. -2. Click **New Scanner**. -3. In **Select your scanner tags**, define the category and type to classify the senstive data. The scanner tags API endpoints with the format `category:type`. -4. In **Define conditions on JSON keys and values**, define the JSON key or value conditions to trigger the scanner. -5. Click **Save Scanner**. The scanner is enabled by default. -6. To view the results of the scanner, go to App and API Protection [API Endpoints][7]. -7. In the **Schema Sensitive Data** facet, the category and type of your custom scanner is listed in the format `category:type`. Customer scanner `category:type` tags are also visible in the **Sensitive Data** column of the explorer. - - -### Business logic - -These tags (`(users.login.success`, `users.login.failure`, etc.) are determined by the presence of business logic traces associated with the endpoint. - -
    Datadog can suggest a business logic tag for your endpoint based on its HTTP method, response status codes, and URL.
    - -### Publicly accessible - -Datadog marks an endpoint as public if the client IP address is outside these ranges: - -- 10.0.0.0/8 -- 172.16.0.0/12 -- 192.168.0.0/16 -- 169.254.1.0/16 - -See [Configuring a client IP header][6] for more information on the required library configuration. - -### Endpoint authentication - -Authentication is determined by: - -- The presence of `Authorization`, `Token` or `X-Api-Key` headers. -- The presence of a user ID within the trace (for example, the `@usr.id` APM attribute). -- The request has responded with a 401 or 403 status code. -- Custom [Endpoint Tagging][15] rules that you configured - - -When the type of authentication is available, Datadog reports it in a header through the **Authentication Method** facet. - -#### Supported authentication methods - -| Category | Category facet | -|---------------------------------------------------|------------------| -| JSON Web Token (JWT) | `json_web_token` | -| Bearer tokens (found in `Authorization` headers) | `bearer_token` | -| Basic Authentication | `basic_auth` | -| Digest access authentication | `digest_auth` | - -#### Custom Authentication support - -Custom authentication detection is possible by configuring [Endpoint Tagging Rules][15]. These rules require the following minimum tracer versions: - -|Technology| Minimum tracer version | -|----------|------------------------| -|Java | v1.55.0 | -|.NET | Coming Soon | -|Node.js | v5.76.0 | -|Python | v3.17.0 | -|Ruby | v2.23.0 | -|PHP | v1.15.0 | -|Golang | v2.4.0 | - ## Further reading {{< partial name="whats-next/whats-next.html" >}} -[1]: /tracing/guide/remote_config/ -[2]: /security/application_security/ -[3]: /security/code_security/software_composition_analysis/ -[6]: /security/application_security/policies/library_configuration/#configuring-a-client-ip-header -[7]: https://app.datadoghq.com/security/appsec/inventory/apis -[8]: /security/code_security/iast/ -[9]: /integrations/amazon-web-services -[10]: /integrations/amazon-api-gateway -[11]: /security/application_security/setup/ -[13]: /internal_developer_portal/catalog/entity_model/native_entities/?tab=api#native-entity-types -[14]: https://app.datadoghq.com/security/appsec/policies/scanners -[15]: https://app.datadoghq.com/security/configuration/asm/trace-tagging -[16]: /integrations/guide/source-code-integration/ -[17]: /internal_developer_portal/catalog/set_up/create_entities/#through-the-datadog-ui -[18]: /internal_developer_portal/catalog/entity_model/ -[19]: /security/application_security/api_posture/endpoint_scanning/ \ No newline at end of file +[1]: https://app.datadoghq.com/security/appsec/inventory/apis diff --git a/content/en/security/application_security/api_posture/api_inventory/api_endpoints.md b/content/en/security/application_security/api_posture/api_inventory/api_endpoints.md new file mode 100644 index 00000000000..72dce5d7643 --- /dev/null +++ b/content/en/security/application_security/api_posture/api_inventory/api_endpoints.md @@ -0,0 +1,226 @@ +--- +title: API Endpoints +description: Monitor API traffic to assess endpoint risk, authentication, sensitive data flows, and exposure. +--- + +[API Endpoints][1] monitors your API traffic to provide visibility into the security posture of your APIs, including: + +- **Authentication**: Whether the API enforces authentication. +- **Authentication Method**: Type of authentication used, such as Basic Auth and API key. +- **Public Exposure**: Whether the API is processing traffic from the internet. +- **Sensitive data flows**: Sensitive data handled by the API and flows between APIs. +- **Attack Exposure**: If the endpoint is targeted by attacks. +- **Business Logic**: Business logic and associated business logic suggestions for this API. +- **Vulnerabilities**: If the endpoint contains a vulnerability (powered by [Code Security][2] and [Software Composition Analysis][3]). +- **Findings**: Security findings identified on this API. +- **Dependencies**: APIs and Databases the API depends on. + +Using API Endpoints you can: + +- See which endpoints process sensitive data, are authenticated, have vulnerabilities or findings, or are publicly available. +- See which endpoints are at risk, and pivot directly into the [Threat Monitoring and Protection][4] service for further investigation or response. +- See which endpoints are associated to your business's logic, and find business logic suggestions based on your endpoint's traffic history. + +## Configuration + +To view API Endpoints on your services, **you must have App and API Protection Threats Protection enabled**. + +For Amazon Web Services (AWS) API Gateway integration, you must set up the following: + +- [Amazon Web Services][5] +- [Amazon API Gateway Integration][6] + +API Endpoints are discovered from the Datadog Catalog and specifically from API definitions [uploaded to Datadog][7]. For instructions on uploading API definitions, see [Create Entities][8]. + +For information on what library versions are compatible with API Inventory, see [Enabling App and API Protection][9]. [Remote Configuration][10] is required. + +|Technology|Minimum tracer version| Support for sensitive data scanning | +|----------|----------|----------| +|Python | v2.1.6 | Requests and responses | +|Java | v1.31.0 | Requests only | +|PHP | v0.98.0 | Requests and responses | +|.NET Core | v2.42.0 | Requests and responses | +|.NET Fx | v2.47.0 | Requests and responses | +|Ruby | v1.15.0 | Requests only | +|Golang | v1.59.0 | Requests only | +|Node.js | v3.51.0, v4.30.0 or v5.6.0 | Requests and responses | + +**Note**: On .NET Core and .NET Fx tracers, you need to set the environment variable `DD_API_SECURITY_ENABLED=true` for API Security features to work properly. + +## How it works + +API Endpoints gathers security metadata about API traffic by leveraging the Datadog SDK with App and API Protection enabled, alongside configurations from Amazon API Gateway and uploaded API Definitions. This data includes the discovered API schema, the types of sensitive data (PII) processed, and the authentication scheme in use. The API information is continuously evaluated, ensuring a comprehensive and up-to-date view of your entire API attack surface. + +API Endpoints uses [Remote Configuration][10] to manage and configure scanning rules that detect sensitive data and authentication. + +To verify whether discovered endpoints are publicly accessible and require authentication, enable [Endpoint Scanning][11]. Endpoint Scanning actively scans eligible endpoints and enriches API Inventory with verified public accessibility, authentication status, HTTP response status, and last evaluation data. + +The following risks are calculated for each endpoint. + +## Data sources + +In the [API Endpoints][1] explorer, the **Data Sources** show where visibility originates. + +The following data sources are explored. + +### Amazon API Gateway + +The Amazon API Gateway service formally defines your API structure. Datadog AWS integration reads this pre-defined configuration from the Amazon API Gateway, and then Datadog uses this configuration to create API endpoint entries in **Inventory**. + +Use **AWS API Gateway** in **Data Source** to gain visibility into these exposed endpoints. You can also use the query `datasource:aws_apigateway`. + +### Catalog + +The **Catalog** data source shows API endpoints that Datadog learned about from the formal specification uploaded to Datadog. The API specification is attached to, or registered as, a dedicated API component within the IDP service entity. + +This source ensures that your API inventory is complete by including all planned and formally documented endpoints. + +### APM traces + +The **Spans** data source shows real traffic and data exposure. Remediation should be performed in code, config, or access controls immediately. + +What actions you take depend on each of the attack surfaces: + +- **Vulnerabilities:** Patch any vulnerable libraries surfaced by SCA or Runtime Code Analysis, then redeploy the service. +- **API findings discovered:** Review each issue in context of the traced service, fix any code or configurations, and then validate using new traces. +- **Processing sensitive data:** Confirm data handling complies with policy, sanitize or encrypt PII, and limit access to necessary services. +- **Unauthenticated endpoint:** If the endpoint is not intentionally public, enforce authentication and update service configurations. + +### Static Endpoint Discovery + +
    Static Endpoint Discovery is in Preview.
    + +{{< site-region region="gov,gov2" >}} +
    Static Endpoint Discovery is not available for the {{< region-param key="dd_site_name" >}} site.
    +{{< /site-region >}} + +The **Source Code** data source shows API endpoints discovered directly from your source code. This complements runtime-based discovery by surfacing endpoints earlier in the development life cycle, including endpoints that may not receive live traffic. + +To use this data source, configure the [Source Code Integration][12] with GitHub, GitLab, or Azure DevOps. The following languages and frameworks are supported: + +| Language | Framework | +|----------|-----------| +| Python | FastAPI, Flask, Tornado | +| Java | Spring | +| Go | Beego, Chi, Echo, Fiber, Gin, Gorilla Mux, fasthttp, go-zero | +| C# | ASP.NET Core MVC | +| Node.js | Express, Fastify | + +To filter for source code endpoints, use **Source Code** in the **Data Source** facet or the query `datasource:source_code`. Scans run when code is pushed to the default branch and on an 8-hour recurring schedule. Discovered endpoints are removed after 12 hours if they are not re-discovered by a subsequent scan. + +#### Map source code endpoints to services + +Static Endpoint Discovery uses heuristics to infer which service an endpoint belongs to. For more accurate mapping, explicitly define service-to-code relationships using the `codeLocations` field in your [Catalog service definition (v3 schema)][13]: + +```yaml +apiVersion: v3 +kind: service +metadata: + name: my-service + owner: my-team +datadog: + codeLocations: + - repositoryURL: https://github.com/org/myrepo.git + paths: + - path/to/service/code/** +``` + +Without explicit `codeLocations`, endpoints may not merge correctly with data from other sources. + +## Processing sensitive data + +[App and API Protection][4] matches known patterns for sensitive data in API requests and responses. If it finds a match, the endpoint is tagged with the category and type of sensitive data processed. + +The matching occurs within your application, and none of the sensitive data is sent to Datadog. + +### Supported data types + +To see the supported data types (for example, `payment:card`), use the **Schema Sensitive Data** facet. You can also see the data type used in the **Sensitive Data** column. + +### Create API data scanners + +By default, Datadog App and API Protection scans for PII, credentials, and payment types. Sensitive Data Detection provides API data scanners to define custom scanner data patterns beyond the defaults and improve visibility into the sensitive data of your API traffic. + +In an API data scanner, you define a scanner category and type to classify API endpoints processing sensitive data (for example, `health_info:patient_id`). Next, you define the JSON key or value conditions that trigger the scanner. + +When the scanner detects sensitive data, it tags the API endpoint with the category and type and displays it in [API Endpoints][1]. + +To create an API data scanner and view its results, do the following: + +1. In App and API Protection **Policies**, go to [Sensitive Data Detection][14]. +2. Click **New Scanner**. +3. In **Select your scanner tags**, define the category and type to classify the sensitive data. The scanner tags API endpoints with the format `category:type`. +4. In **Define conditions on JSON keys and values**, define the JSON key or value conditions to trigger the scanner. +5. Click **Save Scanner**. The scanner is enabled by default. +6. To view the results of the scanner, go to App and API Protection [API Endpoints][1]. +7. In the **Schema Sensitive Data** facet, the category and type of your custom scanner is listed in the format `category:type`. Custom scanner `category:type` tags are also visible in the **Sensitive Data** column of the explorer. + + +## Business logic + +These tags (`(users.login.success`, `users.login.failure`, etc.) are determined by the presence of business logic traces associated with the endpoint. + +
    Datadog can suggest a business logic tag for your endpoint based on its HTTP method, response status codes, and URL.
    + +## Publicly accessible + +Datadog marks an endpoint as public if the client IP address is outside these ranges: + +- 10.0.0.0/8 +- 172.16.0.0/12 +- 192.168.0.0/16 +- 169.254.1.0/16 + +See [Configuring a client IP header][15] for more information on the required library configuration. + +## Endpoint authentication + +Authentication is determined by: + +- The presence of `Authorization`, `Token` or `X-Api-Key` headers. +- The presence of a user ID within the trace (for example, the `@usr.id` APM attribute). +- The request has responded with a 401 or 403 status code. +- Custom [Endpoint Tagging][16] rules that you configured + + +When the type of authentication is available, Datadog reports it in a header through the **Authentication Method** facet. + +### Supported authentication methods + +| Category | Category facet | +|---------------------------------------------------|------------------| +| JSON Web Token (JWT) | `json_web_token` | +| Bearer tokens (found in `Authorization` headers) | `bearer_token` | +| Basic Authentication | `basic_auth` | +| Digest access authentication | `digest_auth` | + +### Custom Authentication support + +Custom authentication detection is possible by configuring [Endpoint Tagging Rules][16]. These rules require the following minimum tracer versions: + +|Technology| Minimum tracer version | +|----------|------------------------| +|Java | v1.55.0 | +|.NET | Coming Soon | +|Node.js | v5.76.0 | +|Python | v3.17.0 | +|Ruby | v2.23.0 | +|PHP | v1.15.0 | +|Golang | v2.4.0 | + +[1]: https://app.datadoghq.com/security/appsec/inventory/apis +[2]: /security/code_security/iast/ +[3]: /security/code_security/software_composition_analysis/ +[4]: /security/application_security/ +[5]: /integrations/amazon-web-services +[6]: /integrations/amazon-api-gateway +[7]: /internal_developer_portal/catalog/entity_model/native_entities/?tab=api#native-entity-types +[8]: /internal_developer_portal/catalog/set_up/create_entities/#through-the-datadog-ui +[9]: /security/application_security/setup/ +[10]: /tracing/guide/remote_config/ +[11]: /security/application_security/api_posture/endpoint_scanning/ +[12]: /integrations/guide/source-code-integration/ +[13]: /internal_developer_portal/catalog/entity_model/ +[14]: https://app.datadoghq.com/security/appsec/policies/scanners +[15]: /security/application_security/policies/library_configuration/#configuring-a-client-ip-header +[16]: https://app.datadoghq.com/security/configuration/asm/trace-tagging From 08bb5df97c384cc8652dc3a0156414b2773fd769 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Wed, 27 May 2026 17:48:16 -0600 Subject: [PATCH 25/26] Reframe API Inventory overview: drop Findings as an inventory explorer, add bridge to API Findings --- .../api_posture/api_inventory/_index.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/content/en/security/application_security/api_posture/api_inventory/_index.md b/content/en/security/application_security/api_posture/api_inventory/_index.md index 795170aa55f..14c8f2dc922 100644 --- a/content/en/security/application_security/api_posture/api_inventory/_index.md +++ b/content/en/security/application_security/api_posture/api_inventory/_index.md @@ -1,6 +1,6 @@ --- title: API Inventory -description: Catalog API endpoints, services, and findings, and assess API security risk across your environment. +description: Catalog API endpoints and services, and assess API security risk across your environment. aliases: - /security/application_security/api-inventory/ further_reading: @@ -22,18 +22,17 @@ API security relies on visibility. The biggest failure mode in most applications 2. **Services:** *Where do risky APIs live, who owns them, and how severe is their collective risk?* A service groups multiple endpoints into a logical or deployed component (typically aligned with a microservice, app, or backend system). -3. **API Findings:** *Which API weaknesses, attacks, or misconfigurations require investigation or remediation?* - - API Findings are security detections and policy evaluation results tied to endpoints. These represent known or inferred weaknesses or threats in API behavior or configuration. -These explorers correspond to the common API security operational flow: +These explorers correspond to the common API security operational flow: 1. **Discover:** Identify what endpoints exist using **API Endpoints**. 2. **Contextualize:** Identify ownership and dependencies using **Services**. -3. **Detect and respond:** See where misconfigurations are, and where attacks could occur, using **API Findings**. + +Findings detected against endpoints in your inventory appear in [API Findings][2]. Each endpoint row in the API Endpoints explorer displays a findings chip; selecting it opens the finding in API Findings. ## Further reading {{< partial name="whats-next/whats-next.html" >}} [1]: https://app.datadoghq.com/security/appsec/inventory/apis +[2]: /security/application_security/api_posture/api_findings/ From d4fcf648eceb278cbe54c8d742207b9ee925dd9c Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Wed, 27 May 2026 17:50:54 -0600 Subject: [PATCH 26/26] Restore detect/respond step in the operational flow on the API Inventory page --- .../application_security/api_posture/api_inventory/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/security/application_security/api_posture/api_inventory/_index.md b/content/en/security/application_security/api_posture/api_inventory/_index.md index 14c8f2dc922..c7f2508f967 100644 --- a/content/en/security/application_security/api_posture/api_inventory/_index.md +++ b/content/en/security/application_security/api_posture/api_inventory/_index.md @@ -23,12 +23,12 @@ API security relies on visibility. The biggest failure mode in most applications A service groups multiple endpoints into a logical or deployed component (typically aligned with a microservice, app, or backend system). -These explorers correspond to the common API security operational flow: +The Inventory explorers cover the discovery and context steps of the API security operational flow: 1. **Discover:** Identify what endpoints exist using **API Endpoints**. 2. **Contextualize:** Identify ownership and dependencies using **Services**. -Findings detected against endpoints in your inventory appear in [API Findings][2]. Each endpoint row in the API Endpoints explorer displays a findings chip; selecting it opens the finding in API Findings. +To detect and respond to specific weaknesses, attacks, or misconfigurations, use **[API Findings][2]**. Each endpoint row in the API Endpoints explorer displays a findings chip; selecting it opens the finding in API Findings. ## Further reading