Astra launches platform to combat API threats & shadow APIs
Astra Security has launched an API Security Platform designed to identify and secure undocumented, zombie, and shadow APIs across distributed infrastructures.
The new platform combines real-time traffic monitoring with automated penetration testing, offering organisations continuous visibility into every API in use, including those that may not be catalogued or properly managed. This is aimed at addressing the growing risk posed by unnoticed APIs that can expose sensitive data to exploits.
API security is of increasing concern, as APIs underpin key digital operations such as user authentication, transactions, and access to sensitive records. The unchecked proliferation of these interfaces, often termed API sprawl, has created significant security vulnerabilities. Abandoned or outdated zombie APIs can persist within systems, providing attackers with an unguarded route to systems or data. Similarly, shadow APIs - created outside of official development or governance processes - can bypass standard controls and protocols, increasing the risk to corporate data.
Astra's platform confronts this challenge by autonomously discovering all active, dormant, and unauthorised APIs across a business's cloud and network infrastructure. It conducts live traffic analysis and applies more than 15,000 Dynamic Application Security Testing (DAST) scenarios to detect vulnerabilities in real time. The platform also integrates with widely used cloud environments, including AWS, GCP, and Azure, as well as services such as NGINX, Istio, Apigee, Kong, and Postman, keeping an up-to-date inventory of all APIs.
API-centric attacks are increasing, with a reported 90% year-over-year rise in demand for API penetration testing. Emerging technologies, including AI agent APIs and MCP servers, are introducing new risks. According to Astra's research, 23% of IT professionals have observed AI agents leaking credentials, while 80% report bots taking unauthorised actions, such as accessing systems without proper clearance.
"APIs continue to be the unguarded backdoor to corporate data," said Shikhil Sharma, co-founder and CEO of Astra Security. "Automated security tools tend to focus on web applications, overlooking APIs. All the innovation happening in the AI world, with AI Agents to MCP servers, has APIs as its backbone. With the release of the Astra API security platform, we can now discover, scan, and secure APIs in real time, closing the gaps before hackers can exploit them."
The Astra API Security Platform uses a hybrid approach, supplementing automated scans with manual penetration tests performed by cybersecurity professionals holding OSCP, CEH, and eWPTXv2 certifications. This dual strategy is aimed at ensuring thorough coverage by detecting misconfigurations, authentication shortcomings, and improper authorisation controls that automated tools alone might overlook.
"It's essential to identify weaknesses before they lead to compromised data," said Ananda Krishna, co-founder & CTO of Astra Security. "By applying a hybrid strategy, our API Security Platform identifies security issues others miss, from misconfigurations and broken authentications to authorization flaws."
Last year, Astra Security reported finding over 2.8 million vulnerabilities, a reflection of the broad attack surface present in contemporary API-driven environments. The company's solutions are used globally, with its penetration testing platform bringing together automated DAST scenarios and manual testing performed by CREST-accredited ethical hackers. Astra Security's certifications include CREST accreditation, ISO 27001, CERT-In empanelment, and PCI DSS Approved Scanning Vendor status.
The platform is positioned to help companies shift from a traditional DevOps approach to DevSecOps, integrating security testing throughout the application lifecycle by means of CI/CD compatibility. The company's AI-powered scanning engine, Attack AI, is designed to emulate attacker techniques, running more than 15,000 security tests per application.
Security professionals and technology decision-makers are increasingly seeking automated, continuous solutions that keep pace with the rapid expansion of APIs and the associated growth in threats. Astra Security's latest release is intended to provide organisations with ongoing, proactive monitoring, directly addressing the challenge of uncontrolled API exposure in a rapidly evolving digital ecosystem.