Endpoint Scanning is in Preview and is subject to change.

Endpoint Scanning probes your API endpoints from outside your environment and records their HTTP responses, rather than inferring behavior from observed traffic. The results enrich the API Inventory with verified authentication and visibility data.

Endpoint Scanning sends only GET requests. It does not call POST, PUT, PATCH, or DELETE endpoints, and never modifies data on your endpoints.

Endpoint Scanning only scans endpoints that App and API Protection (AAP) discovers from APM traces.

What Endpoint Scanning verifies

For each scanned endpoint, Datadog records:

  • Authentication status: Whether the endpoint requires authentication.
  • Public visibility: Whether the endpoint is reachable without credentials.
  • HTTP response status: The status code returned by the endpoint.
  • Last evaluation timestamp: When the endpoint was last scanned.

Use this information to prioritize exposed endpoints, confirm whether important APIs enforce authentication, and investigate API findings with stronger evidence about how the endpoint behaves.

Enable Endpoint Scanning

Endpoint Scanning is off by default. To enable it:

  1. In App and API Protection settings, go to API Security Testing.
  2. Toggle Enable Endpoint Scanning on.

After you enable it, Datadog scans eligible endpoints in the background in batches. Endpoints are retested approximately every seven days.