Hamburger Icon

Redefining API Discovery:
How We Designed API
Discovery, Powered by HawkAI


Scott Gerlach|April 30, 2024

StackHawk's CSO and Co-Founder shares our approach to redefining API discovery using AI and source code insights, as well as the mindful guidelines we have implemented.

At StackHawk, we've helped countless customers find tremendous value in our API security testing capabilities. We are repeatedly chosen for our ability to comprehensively test APIs and seamlessly automate testing within their CI/CD pipelines.

However, a recurring theme has emerged: customers are only uncovering a fraction of their total attack surface.

Our internal analysis of code repositories reveals that many security teams are not testing and are potentially unaware of a significant portion of their APIs. The fast pace of software development makes it difficult for security to keep up, creating this as a natural result. That's why we created API Discovery Powered by HawkAI, to help security teams keep up with software development and own their attack surface.

Discovery – Understanding Your Attack Surface

Modern software development is inherently complex, making it challenging for security teams to pinpoint all the "things" they need to test. At StackHawk, we believe that Source Code is the Source of Truth and HawkAI takes an inside-out approach, empowering developers and AppSec teams to achieve both security and speed. Here's how it works:

  • Effortless Integration: Simply connect your code repositories to StackHawk.

  • AI-Powered Identification: HawkAI utilizes intelligent algorithms to identify repositories containing running applications and APIs.

  • Attack Surface Defined: Uncover previously unknown APIs and gain a comprehensive view of your attack surface.

  • Progress Tracking: Monitor your progress toward achieving complete API coverage.

Attack Surface page image

Observability – Keeping Pace with Change

Once you have a handle on your assets, how do you ensure your security processes keep up with the constant stream of code changes?

  • Continuous Monitoring: HawkAI tracks how often code is deployed to your assets and compares it to your testing frequency.

  • Policy Alignment: Identify discrepancies between your security policies and actual testing coverage.

  • Success Support: We're here to help your security team refine their program and maximize its effectiveness.

Attack Surface page - continuously monitoring coverage image

Understanding AI Concerns

We understand concerns regarding AI and have applied thoughtful guidelines throughout our development process:

  • Code Repository Access: HawkAI maintains read-only access to your repositories and does not have the ability to write or change code on your behalf.

  • Security: Your code and data are protected and will never be sent to third parties.

  • Transparency: HawkAI clearly indicates when AI is involved through the use of icons.

Leveraging Insights

HawkAI goes beyond just discovery. It provides valuable insights to collaborate with your development team. When you discover a previously untested asset, HawkAI identifies the last developer who committed code, allowing you to easily reach out and gain a deeper understanding of the asset's purpose. This fosters communication and streamlines the process of bringing the asset under security testing.

At StackHawk, we believe AI is a powerful tool to help security and developer teams prioritize security efforts and work more efficiently by focusing on what will move the needle toward delivering secure, high-quality software. HawkAI embodies this philosophy by offering a comprehensive approach to API discovery, ensuring your security efforts keep pace with software development.

Ready to own your attack surface coverage? Sign up to get access to the beta

Scott Gerlach  |  April 30, 2024

Read More

What is API Discovery? Everything You Need to Know

What is API Discovery?Everything You Need to Know

5 Best API Security Solutions of 2023

5 Best APISecurity Solutionsof 2023

API Security Testing Overview and Tooling Guide

API Security TestingTools Overview & Guide