---
title: API Posture
description: >-
  Discover API endpoints, assess endpoint risk, and verify endpoint behavior
  with API Posture in App and API Protection.
---

# API Posture

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md) ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

Use API Posture in [App and API Protection](https://docs.datadoghq.com/security/application_security.md) (AAP) to discover your APIs, assess the risks they expose, and track your security posture.

To get started, [set up AAP](https://docs.datadoghq.com/security/application_security/setup.md) on your services to discover endpoints from your live traffic. Other data sources, such as Amazon API Gateway and source code, require additional setup; see [API Endpoints](https://docs.datadoghq.com/security/application_security/api_posture/api_inventory/api_endpoints.md) for details.

## How API Posture works{% #how-api-posture-works %}

API Posture brings together several capabilities, all built on the same live API data. With them, you can:

- Discover which APIs exist with [API Inventory](https://docs.datadoghq.com/security/application_security/api_posture/api_inventory.md). Inventory is a continuously updated catalog of the endpoints and services discovered across your environment, including those that are undocumented or no longer in use.
- Assess what each API exposes with [API Findings](https://docs.datadoghq.com/security/application_security/api_posture/api_findings.md) and [Sensitive Data](https://docs.datadoghq.com/security/application_security/api_posture/sensitive_data.md). Findings aggregate the vulnerabilities and misconfigurations tied to your endpoints, and sensitive data tagging shows which endpoints process PII, credentials, or payment data.
- Verify which endpoints are publicly accessible, and which require authentication, using [Endpoint Scanning](https://docs.datadoghq.com/security/application_security/api_posture/endpoint_scanning.md). Endpoint Scanning probes your endpoints from outside your environment, rather than inferring behavior from observed traffic.
- Measure your organization-wide posture in the API Posture section of the [Overview page](https://app.datadoghq.com/security/appsec/overview/summary). It shows how your endpoints are discovered, which ones are exposed to attacks or process sensitive data, and your open findings by severity.

## Further reading{% #further-reading %}

- [From discovery to defense: Securing APIs with Datadog App and API Protection](https://www.datadoghq.com/blog/secure-api-with-datadog)
