---
title: Zombie endpoint receives traffic
description: Datadog, the leading service for cloud-scale monitoring.
---

# Zombie endpoint receives traffic
 
## Description{% #description %}

A zombie API endpoint is absent from the latest deployed version of a service yet is still receiving traffic due to deployment drift — for example, a forgotten container, a failed rollout, or a legacy environment still running an outdated version. These endpoints are typically unmaintained and unpatched, making them a high-risk attack surface.

## Rationale{% #rationale %}

This finding works by identifying an API endpoint that:

- received traffic since the latest deployment (with a 24h grace period after deploy)
- has a `version` tag that does not appear in the set of latest deployed versions

[Deployment Tracking](https://docs.datadoghq.com/tracing/services/deployment_tracking.md) is a prerequisite for detecting zombie API endpoints.
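
The two conditions above expressed as code. This is an added example, not Datadog's implementation: the record shapes, the field names (`deployed_at`, `versions`, `seen_at`), the sample services, and the reading that traffic inside the 24h window is ignored are all assumptions.

```python
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=24)  # grace period after deploy, as stated in the rule


def find_zombie_endpoints(deployments, traffic):
    """Return sorted (service, endpoint, version) tuples that meet both conditions.

    deployments: {service: {"deployed_at": datetime, "versions": set[str]}}
    traffic: iterable of dicts with service, endpoint, version, seen_at
    (both shapes are hypothetical, chosen for this example)
    """
    zombies = set()
    for hit in traffic:
        dep = deployments.get(hit["service"])
        if dep is None or not hit.get("version"):
            # No deployment tracking data or no version tag: cannot be evaluated.
            continue
        # Condition 1: traffic received after the latest deployment plus the
        # grace period (assumed reading: hits inside the window are ignored).
        if hit["seen_at"] < dep["deployed_at"] + GRACE:
            continue
        # Condition 2: version tag is not in the set of latest deployed versions.
        if hit["version"] in dep["versions"]:
            continue
        zombies.add((hit["service"], hit["endpoint"], hit["version"]))
    return sorted(zombies)


# Constructed sample data, not taken from any real environment.
DEPLOYED = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
DEPLOYMENTS = {"checkout": {"deployed_at": DEPLOYED, "versions": {"2.4.0"}}}
TRAFFIC = [
    # Current version: never a zombie.
    {"service": "checkout", "endpoint": "GET /v1/cart", "version": "2.4.0",
     "seen_at": DEPLOYED + timedelta(hours=30)},
    # Old version, but still inside the 24h grace period.
    {"service": "checkout", "endpoint": "POST /v1/legacy-pay", "version": "2.1.3",
     "seen_at": DEPLOYED + timedelta(hours=3)},
    # Old version, past the grace period: flagged.
    {"service": "checkout", "endpoint": "POST /v1/legacy-pay", "version": "2.1.3",
     "seen_at": DEPLOYED + timedelta(hours=40)},
    # Service without deployment tracking: skipped.
    {"service": "search", "endpoint": "GET /v1/query", "version": "0.9.0",
     "seen_at": DEPLOYED + timedelta(hours=40)},
]

if __name__ == "__main__":
    for service, endpoint, version in find_zombie_endpoints(DEPLOYMENTS, TRAFFIC):
        print(f"zombie: {service} {endpoint} (version {version})")
```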

## Remediation{% #remediation %}

Identify and decommission the legacy deployment still serving this endpoint (e.g. a forgotten container, a stuck rollout, or an outdated staging environment). Ensure all environments are running the latest version of the service so that removed endpoints can no longer receive traffic.
