StackHawk

Announcing Sensitive Data Identification: Secure the APIs That Matter Most

Aaron White   |   Jun 12, 2025


Here’s what we’re seeing: In late 2024, development teams were shipping 5-8 new applications weekly. This year, that pace has accelerated to 8-12 applications per week. With each application powered by 26-50 APIs on average, enterprises now find themselves managing hundreds to thousands of APIs—an explosion fueled by AI coding assistants like GitHub Copilot, Cursor, and Claude Code that enable developers to write code faster than ever.

The problem? Security teams are only aware of 10% of their rapidly expanding API attack surface, leaving most APIs undiscovered and untested—and once they gain visibility into the full scope, they lack data-driven insights to prioritize which APIs pose the greatest risk.

That’s why we’re excited to announce Sensitive Data Identification, a powerful new capability now available in StackHawk’s API Discovery. This release changes how security teams understand risk across their attack surface. By analyzing your source code directly, Sensitive Data Identification surfaces APIs that reference regulated data types like PII, PCI, and PHI, giving you a prioritized roadmap for testing based on real data exposure, not assumptions or runtime guesswork.

Our Approach: Start With Your Source Code

For too long, security teams have had to make do with incomplete tools or delayed visibility. Legacy approaches depend on production traffic, post-deployment scanning, manual tagging, or attacks. These methods introduce risk, require constant tuning, and delay action.

StackHawk takes a different approach: we analyze your code repositories before anything ships. No agents. No runtime dependencies. Just fast, reliable insights into where sensitive data lives — and what to test and fix first. Combined with our existing code commit activity analysis that shows how often your APIs are changing, this gives you a complete risk picture to make informed decisions about testing priorities.

This makes it possible to:

Identify high-risk APIs early. Sensitive Data Identification scans source code directly to find references to personal, financial, or health-related data. Instead of waiting until APIs are exposed in production, teams get an early signal during development.

Prioritize testing and fixing based on regulated data exposure. Not all APIs are created equal. Some just return status pings, while others transmit Social Security numbers or cardholder data. StackHawk highlights the APIs that handle the most critical information so security teams know exactly where to start.

Eliminate tribal knowledge, spreadsheets, and Slack threads asking “What does this API even do?” Security shouldn’t depend on who remembers what. By providing source-level context, including frameworks, commit metadata, and repository ownership, this feature replaces guesswork with actionable intelligence.

How Sensitive Data Identification Works

The feature integrates directly with API Discovery and the Attack Surface view. Once enabled, it:

Scans your entire codebase for complete API visibility. First, we scan your repositories to discover all APIs – shadow APIs, zombie APIs that are no longer under active development, and ghost APIs that bypass traditional gateways – not just the ones generating current traffic or going through monitored channels.

Automatically identifies high-risk APIs handling sensitive data. The system detects APIs that reference regulated data types like email addresses, card numbers, health records, and identifiers across your entire codebase to create a prioritized list—saving teams from sorting through hundreds of services manually.

Maps this information into a centralized interface for instant triage. All sensitive data references are visualized in the Attack Surface view, making it simple to understand what data is transmitted where and what needs testing next.

Surfaces actionable context for better decision-making. StackHawk includes language, framework, and repo ownership data so AppSec and Dev teams can collaborate efficiently on prioritizing the most critical attack surface for testing and remediation efforts once vulnerabilities are identified.
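As an added illustration of the source-level approach described above (this is example code written for this page, not StackHawk's implementation; the keyword lists, the Flask-style route pattern and the sample repository are all assumptions constructed here), the scanner below ties each route definition to the regulated data identifiers its handler references and ranks the endpoints so the ones touching the most categories come first:

```python
import re

# Illustrative identifier keywords per regulated category (assumed, not exhaustive).
SENSITIVE_PATTERNS = {
    "PII": re.compile(r"\b(email|ssn|social_security|date_of_birth|dob|phone)\b", re.I),
    "PCI": re.compile(r"\b(card_number|pan|cvv|expiry|cardholder)\b", re.I),
    "PHI": re.compile(r"\b(diagnosis|medical_record|prescription|patient_id)\b", re.I),
}

# Flask-style route decorators, e.g. @app.get("/path") or @app.route("/path").
ROUTE_RE = re.compile(r'@\w+\.(?:route|get|post|put|delete)\(\s*["\']([^"\']+)["\']')

def split_handlers(source):
    """Yield (route, handler_text). Handler text runs from one route decorator
    to the next, which is sufficient for a keyword scan of the handler body."""
    matches = list(ROUTE_RE.finditer(source))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(source)
        yield m.group(1), source[m.end():end]

def classify_apis(repo):
    """repo: {filename: source}. Returns findings sorted by number of
    regulated categories referenced (descending), then by route."""
    findings = []
    for filename, source in repo.items():
        for route, body in split_handlers(source):
            hits = {cat: sorted({x.lower() for x in pat.findall(body)})
                    for cat, pat in SENSITIVE_PATTERNS.items()}
            hits = {cat: ids for cat, ids in hits.items() if ids}
            findings.append({"file": filename, "route": route,
                             "categories": sorted(hits), "fields": hits})
    return sorted(findings, key=lambda f: (-len(f["categories"]), f["route"]))

# Constructed sample repository (not real customer code).
SAMPLE_REPO = {
    "patients.py": '''
@app.get("/health")
def health():
    return {"status": "ok"}

@app.post("/patients")
def create_patient():
    body = request.json
    store(body["email"], body["date_of_birth"], body["diagnosis"])
''',
    "billing.py": '''
@app.post("/checkout")
def checkout():
    charge(request.json["card_number"], request.json["cvv"])
''',
}

if __name__ == "__main__":
    for f in classify_apis(SAMPLE_REPO):
        print(f["route"], f["categories"], f["fields"])
```

Running the block lists /patients (PHI and PII) first, /checkout (PCI) second and the data-free /health endpoint last, which is the prioritized order a testing roadmap would follow.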

What You Can Do with It

This release enables AppSec teams to:

Focus security testing on APIs that transmit sensitive data. Get rid of one-size-fits-all scanning and focus on what matters most. By understanding which APIs are handling PII, PCI, or HIPAA-regulated data, teams can prioritize security testing based on actual business risk.

Improve security coverage efficiently. Our customers report an average 55% increase in API coverage after enabling API Discovery—now you can ensure that coverage includes your highest-risk endpoints.

Streamline compliance processes. When you need to demonstrate which APIs handle regulated data, whether it’s an audit, board meeting, or internal policy alignment, you’ll have source-backed evidence to prove which APIs process sensitive data and show they’re under test.

Align security strategy with business risk. Turn your API security strategy into a data-driven process based on data exposure rather than assumptions.

“With visibility into high-risk vulnerabilities and the APIs that handle sensitive data, I can prioritize what matters most. When I see PHI at risk in a critical feature, I know it’s time to get my team on it immediately.” – Brian, Technical Manager at Unlimited Systems

Built for the Reality of Modern Development

Organizations are moving fast—using AI coding tools, deploying continuously, and managing complex distributed systems. Sensitive Data Identification works with this reality by providing clear, actionable insights without requiring production agents or runtime dependencies.

Whether you’re advancing shift-left practices or improving your existing security program, this release helps answer a fundamental question in modern AppSec:

“Are we testing the right things?”

Now, you’ll know.

Sensitive Data Identification is now generally available to all Enterprise StackHawk customers using API Discovery. No extra configuration required.

