DataDog · drichards-87 · Apr 30, 2026 · Apr 30, 2026 · May 1, 2026 · May 1, 2026
@@ -2092,7 +2092,7 @@ menu:
       parent: platform_heading
       identifier: internal_developer_portal
       weight: 110000
-    - name: Catalog
+    - name: Catalog
       url: internal_developer_portal/catalog/
       parent: internal_developer_portal
       identifier: catalog
@@ -4540,7 +4540,7 @@ menu:
       parent: tracing
       identifier: tracing_services
       weight: 9
-    - name: Catalog
+    - name: Catalog
       url: /internal_developer_portal/catalog/
       parent: tracing_services
       identifier: tracing_software_catalog
@@ -8103,11 +8103,36 @@ menu:
       parent: application_security
       identifier: aws_waf_int
       weight: 8
-    - name: API Security Inventory
-      url: security/application_security/api-inventory/
+    - name: API Posture
+      url: security/application_security/api_posture/
       parent: application_security
-      identifier: asm_api_security
+      identifier: application_security_api_security
       weight: 9
+    - name: API Inventory
+      url: security/application_security/api_posture/api_inventory/
+      parent: application_security_api_security
+      identifier: asm_api_security
+      weight: 1
+    - name: API Endpoints
+      url: security/application_security/api_posture/api_inventory/api_endpoints/
+      parent: asm_api_security
+      identifier: asm_api_security_api_endpoints
+      weight: 10000
+    - name: Services
+      url: security/application_security/api_posture/api_inventory/services/
+      parent: asm_api_security
+      identifier: asm_api_security_services
+      weight: 10001
+    - name: API Findings
+      url: security/application_security/api_posture/api_findings/
+      parent: application_security_api_security
+      identifier: application_security_api_findings
+      weight: 2
+    - name: Endpoint Scanning
+      url: security/application_security/api_posture/endpoint_scanning/
+      parent: application_security_api_security
+      identifier: application_security_endpoint_scanning
+      weight: 3
     - name: Guides
       url: security/application_security/guide/
       parent: application_security

@@ -65,6 +65,7 @@ Whether you're defending public-facing APIs, internal services, or user-facing a
 * Identify unprotected, undocumented, or overly permissive endpoints.  
 * Get detailed, contextual findings tied to specific endpoints, misconfigurations, and observed behavior.  
 * Evaluate API configurations against posture rules based on security best practices and compliance frameworks (e.g., OWASP API Top 10).
+* Actively verify endpoint reachability and authentication with [Endpoint Scanning][17].
 
 ### Runtime threat detection and protection
 
@@ -137,4 +138,4 @@ For information on disabling AAP or its features, see the following:
 [14]: /security/application_security/exploit-prevention/
 [15]: /security/application_security/waf-integration/
 [16]: /security/application_security/setup/
-
+[17]: /security/application_security/api_posture/endpoint_scanning/
@@ -0,0 +1,19 @@
+---
+title: API Posture
+description: Discover API endpoints, assess endpoint risk, and verify endpoint behavior with API Posture in App and API Protection.
+---
+
+API Posture in Datadog [App and API Protection][1] (AAP) helps you discover API endpoints, understand the risk they expose, and verify how they behave.
+
+API Posture includes:
+
+- **API Inventory**: A catalog of the API endpoints and services in your environment.
+- **API Findings**: Security findings, weaknesses, and misconfigurations tied to your API endpoints.
+- **Endpoint Scanning**: Active scanning that verifies whether discovered endpoints are publicly accessible and require authentication.
+
+{{< whatsnext desc="Explore API Posture capabilities:" >}}
+    {{< nextlink href="/security/application_security/api_posture/api_inventory/" >}}API Inventory: View and triage API endpoints and services.{{< /nextlink >}}
+    {{< nextlink href="/security/application_security/api_posture/endpoint_scanning/" >}}Endpoint Scanning: Actively scan discovered endpoints to verify public accessibility and authentication status.{{< /nextlink >}}
+{{< /whatsnext >}}
+
+[1]: /security/application_security/
@@ -0,0 +1,33 @@
+---
+title: API Findings
+description: Triage detected API risks across definitions, gateways, and live traffic.
+---
+
+**API Findings** provides a central triage view of all detected API risks across definitions, gateways, and live traffic. It provides a set of default rules to detect common vulnerabilities and misconfigurations. You can also set up [custom rules][1] to adapt to specific use cases.
+
+**API Findings** columns:
+
+- **Severity:** Each issue is ranked by risk.
+- **Endpoints:** Shows how many endpoints are affected and their services.
+- **Status and Ticketing:** `Open` or `In Progress` tracks remediation progress and workflow integration.
+
+Use the **Service** facet to see each service's endpoints to identify ownership and prioritize by business impact.
+
+## Common operations
+
+Click a finding to view its details and perform a workflow such as Validate > Investigate > Fix > Track:
+
+1. Validate:
+   - Review **What Happened** and **Detected In** to ensure the detection is accurate (service, endpoint, method).
+   - In **Next Steps**, choose whether to **Mute**, **Create Ticket**, or **Run Workflow** depending on ownership and impact.
+2. Investigate:
+   - Use the **Context** tab to examine the endpoint snapshot and attributes (method, path, authentication flags, tags).
+   - **Detected In** provides information for routing ownership and remediation.
+   - In **Detection Rule Query**, you can edit an API finding rule by clicking **See Detection Rule**.
+3. Fix: 
+   - Follow the guidance under **Remediation**.
+4. Track:
+   - Use **Create Ticket** to link the issue to your tracking system.
+   - Use **Reference Links** for developer education or code review.
+
+[1]: /security/application_security/policies/custom_rules/
@@ -0,0 +1,38 @@
+---
+title: API Inventory
+description: Catalog API endpoints and services, and assess API security risk across your environment.
+aliases:
+  - /security/application_security/api-inventory/
+further_reading:
+- link: "https://www.datadoghq.com/blog/primary-risks-to-api-security/"
+  tag: "Blog"
+  text: "Mitigate the primary risks to API security"
+---
+
+API security relies on visibility. The biggest failure mode in most applications isn't missed vulnerabilities, it's missed APIs.
+
+[API Inventory][1] provides a comprehensive, up-to-date catalog and risk assessment of all API endpoints and services in your environment.
+
+**Inventory** is comprised of explorers that correspond to distinct layers in the API security lifecycle:
+
+1. **API Endpoints:** *What APIs exist, and what risk do they expose?*
+
+    Each API endpoint is a unique entry point where data or functionality can be accessed. The API Endpoints explorer enables shadow API (undocumented endpoints with no API definition and not detected from Amazon API Gateway) and orphan API (documented endpoints without traffic) detection, asset management, and risk prioritization at the granularity attackers exploit.
+
+2. **Services:** *Where do risky APIs live, who owns them, and how severe is their collective risk?*
+
+    A service groups multiple endpoints into a logical or deployed component (typically aligned with a microservice, app, or backend system).
+
+The Inventory explorers cover the discovery and context steps of the API security operational flow:
+
+1. **Discover:** Identify what endpoints exist using **API Endpoints**.
+2. **Contextualize:** Identify ownership and dependencies using **Services**.
+
+To detect and respond to specific weaknesses, attacks, or misconfigurations, use **[API Findings][2]**. Each endpoint row in the API Endpoints explorer displays a findings chip; selecting it opens the finding in API Findings.
+
+## Further reading
+
+{{< partial name="whats-next/whats-next.html" >}}
+
+[1]: https://app.datadoghq.com/security/appsec/inventory/apis
+[2]: /security/application_security/api_posture/api_findings/