When a new endpoint is detected
What middleBrick covers
- Read-only GET and HEAD coverage under one minute
- OpenAPI 3.0, 3.1, and Swagger 2.0 spec parsing
- Detection of undocumented and unversioned paths
- Prioritized findings mapped to OWASP API Top 10
- Continuous monitoring and diff alerts
- CI/CD integration via GitHub Action
What this finding means
When a new endpoint is detected during a scan, the system flags an endpoint that was not previously documented in your API inventory. This indicates a surface change that may affect security posture, contract stability, and operational risk. Treat the finding as a prompt to verify authorization, versioning, and expected behavior rather than as an immediate vulnerability.
How the detection works
The scanner identifies new endpoints through a combination of spec parsing and runtime probing. OpenAPI 3.0, 3.1, and Swagger 2.0 documents are parsed with recursive $ref resolution, and each declared path is compared against observed responses. Paths returned by the server that do not appear in the spec, or that differ in method or response code from the spec, are surfaced as new endpoints. This approach supports read-only methods (GET and HEAD) and text-only POST for LLM probes, completing in under a minute.
Immediate investigation steps
Confirm ownership and authorization before taking action. Use the dashboard to review the endpoint path, HTTP method, response codes, and response body samples. Cross-check with your source of truth for API design, such as the canonical OpenAPI definition or version control history. If the endpoint is unexpected, check for shadow APIs, deprecated routes, or changes introduced by a dependent service.
- Compare the discovered path against your repository and CI artifacts.
- Verify whether the method and parameters align with intended behavior.
- Inspect response headers and body for data exposure or error leakage.
- Map the endpoint to applicable security schemes and authentication requirements.
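The detection described above (spec parsing with recursive $ref resolution, then comparing declared operations against what the server actually answers) and the last two investigation steps (method alignment and mapping to security schemes) can be exercised end to end with a small script. The following is an added example, not middleBrick's own code; the OpenAPI document and the probe results are constructed inline, and it handles only local `#/...` pointers, reporting a cycle instead of recursing forever:

```python
"""Added example, not middleBrick's own code: resolve local $ref pointers in a
small OpenAPI 3.x document, compare the declared operations against probe
results, and report undocumented endpoints, undeclared response codes, and
operations with no security scheme applied. Spec and probe data are constructed."""
from __future__ import annotations

from typing import Any

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample spec: one global bearer scheme, one unauthenticated route,
# and $ref pointers that must be followed to read parameters and responses.
SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "parameters": {"Limit": {"name": "limit", "in": "query", "schema": {"type": "integer"}}},
        "responses": {"OK": {"description": "ok"}},
    },
    "paths": {
        "/users": {
            "get": {
                "parameters": [{"$ref": "#/components/parameters/Limit"}],
                "responses": {"200": {"$ref": "#/components/responses/OK"}},
            }
        },
        "/health": {"get": {"security": [], "responses": {"200": {"$ref": "#/components/responses/OK"}}}},
    },
}

# Constructed probe results as (METHOD, path, status) observed from the server.
OBSERVED = [
    ("GET", "/users", 200),
    ("HEAD", "/users", 200),          # method not declared for /users
    ("GET", "/internal/debug", 200),  # path absent from the spec
    ("GET", "/users", 500),           # response code not declared
    ("GET", "/health", 200),
    ("GET", "/retired", 404),         # not served; nothing to reconcile
]


def resolve_refs(node: Any, root: dict, seen: tuple[str, ...] = ()) -> Any:
    """Recursively replace local {"$ref": "#/..."} objects with their targets (RFC 6901 pointers)."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in seen:  # a cycle would otherwise recurse forever
                raise ValueError(f"circular $ref: {ref}")
            target: Any = root
            for part in ref[2:].split("/"):
                target = target[part.replace("~1", "/").replace("~0", "~")]
            return resolve_refs(target, root, seen + (ref,))
        return {k: resolve_refs(v, root, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, root, seen) for v in node]
    return node


def declared_operations(spec: dict) -> dict[tuple[str, str], dict]:
    """Map (METHOD, path) -> declared status codes and whether any security scheme applies."""
    resolved = resolve_refs(spec, spec)
    global_security = resolved.get("security", [])
    ops: dict[tuple[str, str], dict] = {}
    for path, item in resolved.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            # An operation-level "security" overrides the global list; [] or [{}] means open access.
            security = op.get("security", global_security)
            ops[(method.upper(), path)] = {
                "statuses": set(op.get("responses", {})),
                "secured": any(security),
            }
    return ops


def diff_observed(spec: dict, observed: list[tuple[str, str, int]]) -> list[tuple]:
    """Return findings as (kind, METHOD, path, status) tuples."""
    ops = declared_operations(spec)
    findings: list[tuple] = []
    for method, path, status in observed:
        if status == 404:
            continue
        key = (method, path)
        if key not in ops:
            findings.append(("undocumented", method, path, status))
        elif str(status) not in ops[key]["statuses"] and "default" not in ops[key]["statuses"]:
            findings.append(("undeclared-status", method, path, status))
    for (method, path), info in ops.items():
        if not info["secured"]:
            findings.append(("no-security-scheme", method, path, None))
    return findings


if __name__ == "__main__":
    for finding in diff_observed(SPEC, OBSERVED):
        print(*finding)
```

Run as a script it lists four findings: an undeclared HEAD on /users, an undocumented /internal/debug, a 500 on /users that the spec never declares, and /health declared with an empty security list. The first three are the "new endpoint" class of finding; the last is the security-scheme mapping step, which is worth running over the whole inventory rather than only the new path, since an open operation is just as much a documentation-drift signal as an undocumented one.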
Mapping to compliance frameworks
Findings align with controls described in OWASP API Top 10 (2023), supporting audit evidence for SOC 2 Type II and PCI-DSS 4.0. A new endpoint that lacks defined authentication or exposes sensitive data can indicate missing access controls or documentation drift. Use these findings to validate that security schemes are present, correctly applied, and consistent across versions. For regulated workflows, treat the scan output as input for your audit preparation process rather than a compliance determination.
Remediation and monitoring
Remediation depends on whether the endpoint is intentional. If the endpoint is expected, update your inventory and specification, and ensure appropriate authentication and authorization are enforced. If the endpoint is unexpected, disable or secure it at the boundary, and investigate the change source. With Pro tier, enable continuous monitoring to receive diffs across scans, including new findings and score drift. Configure email alerts and HMAC-SHA256 signed webhooks to automate notification when new endpoints appear.
middlebrick scan https://api.example.com --output json
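The HMAC-SHA256 signed webhooks mentioned above only protect an alerting pipeline if the receiver actually verifies the signature over the raw request bytes before parsing or acting on the payload. The following receiver-side check is an added example, not middleBrick's own code; the `X-Signature` header name, the hex encoding of the MAC, and the event layout are assumptions, and the shared secret and payload are constructed:

```python
"""Added example, not middleBrick's own code: verify an HMAC-SHA256 signed
webhook before acting on its findings. The header name, hex encoding, and the
event layout are assumptions; the shared secret and payload are constructed."""
from __future__ import annotations

import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Signature"  # assumed header name, not from the product docs

# Constructed values; in practice the secret comes from the webhook configuration.
SECRET = b"constructed-shared-secret"
EVENT = {
    "scan_id": "constructed-scan-id",
    "findings": [
        {"type": "new_endpoint", "method": "GET", "path": "/internal/debug"},
        {"type": "score_drift", "delta": -3},
    ],
}
BODY = json.dumps(EVENT, separators=(",", ":")).encode()


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the exact request bytes."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict[str, str], body: bytes) -> dict | None:
    """Receiver side: return the parsed event only if the signature matches the raw body."""
    # Match the header case-insensitively; frameworks differ in how they normalise names.
    received = next((v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()), "")
    expected = sign(secret, body)
    # compare_digest runs in constant time so the position of a mismatch is not leaked via timing.
    if not hmac.compare_digest(received.lower(), expected):
        return None
    # Parse only after verification: unauthenticated input should never reach the parser.
    return json.loads(body)


def new_endpoints(event: dict) -> list[tuple[str, str]]:
    """Pull (METHOD, path) pairs for new-endpoint findings out of a verified event."""
    return [(f["method"], f["path"]) for f in event.get("findings", []) if f.get("type") == "new_endpoint"]


if __name__ == "__main__":
    headers = {SIGNATURE_HEADER: sign(SECRET, BODY)}
    print("valid:", new_endpoints(verify_webhook(SECRET, headers, BODY) or {}))
    print("tampered:", verify_webhook(SECRET, headers, BODY.replace(b"/internal/debug", b"/health")))
```

Two details matter in practice: the MAC is computed over the bytes as received, never over a re-serialised JSON object (key order or whitespace changes would break it), and the comparison uses `hmac.compare_digest` rather than `==`. A tampered body, a wrong secret, or a missing header all yield `None`, so downstream automation such as ticket creation or inventory updates only ever sees verified events.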