Discover what matters most, before you test.

Where do you start security testing when your company has hundreds of services and thousands of APIs? That’s the question we kept hearing from teams using StackHawk—and it’s big. In modern environments, it’s not just about discovering APIs. It’s about understanding which APIs matter most.

And that’s why we built Sensitive Data Identification — currently in beta and available in API Discovery.

This new capability helps you identify where sensitive data is being handled (such as PII, PCI, or HIPAA-related information) across your repositories before scanning, allowing you to focus on the APIs that truly matter to your business and customers.

Why We Built It

Let’s be honest: most teams are guessing.

When it comes to prioritizing what to test, many rely on tribal knowledge, spreadsheets, or what’s top-of-mind, not actual data. That might get you part of the way there, but it leaves big gaps when it comes to understanding which APIs carry the most risk.

And while some teams try to patch those gaps with static analysis or runtime monitoring tools, those solutions:

• Often requires heavy tuning
• Don’t provide source-level context
• Only work after an API is deployed

We wanted to change that.

What It Does

API Discovery, now with Sensitive Data Identification, analyzes your codebase for references to sensitive data types, including PII fields, cardholder data, and health information. Then, it brings that context right into your Attack Surface view inside API Discovery. Now, instead of sifting through hundreds of repositories to wonder where to start, you get a prioritized view of what to test, based on what’s most sensitive and most important.

No manual tagging. No guesswork. Just clear, actionable insights.

What This Unlocks

With this new capability, you can:

• Focus on what matters – prioritize APIs based on actual data sensitivity
• Reduce manual effort – let StackHawk surface key targets automatically
• Accelerate security onboarding – get new services under test faster
• Support compliance efforts – with clear visibility into regulated data coverage

Early adopters are already seeing the benefits — including up to 55% more applications under test after enabling API Discovery.

Built for Modern Teams

Security is shifting left — but not everyone’s moving at the same pace. Our goal with Sensitive Data Identification is to provide teams with a clearer map, not just more tools. Whether you’re in AppSec, platform engineering, or just trying to wrangle API sprawl across your org, this release helps answer a critical question:

“Are we testing the right things?”

Now you’ll know.

Try It Today

Sensitive Data Identification is live for all StackHawk customers using API Discovery.

Log in to your StackHawk account and start prioritizing what matters

– KaaKaww