Shadow and zombie APIs: detection and cleanup

Find undocumented endpoints, deprecate safely, and keep your inventory tight.

Published: February 3, 2026 • Author: APISAST

Why they appear

Shadow APIs are endpoints that are reachable but absent from the inventory: built by teams outside the normal review process, or left over from prototypes nobody registered. Zombie APIs are endpoints that were supposed to be retired (an old version, a pre-migration route) but still answer requests. Both widen the attack surface, and because nobody owns them they usually lack the authentication, authorization, logging and monitoring the documented API gets.

Discovery tactics

  • Compare ingress logs against the official OpenAPI inventory: any method and path seen in traffic with no spec match is undocumented, and any documented route with no traffic is a removal candidate.
  • Scan source repos for router definitions (route decorators, handler registrations) that have no corresponding spec entry.
  • Use eBPF or service mesh telemetry to spot services that receive traffic but are not in the service catalogue.
  • Run external scanners against your public hostnames and address ranges, and correlate what they find with the spec; anything reachable but undocumented is a shadow or zombie candidate.
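The log-versus-spec comparison from the first tactic, as an added example that is not part of the original post: it reconciles a constructed OpenAPI paths object against a constructed ingress log excerpt, treating path templates such as /v2/users/{id} as patterns, and reports undocumented traffic (split into shadow and zombie by a version-prefix heuristic that is an assumption of this example) plus documented routes that saw no traffic.

```python
import re
from collections import Counter

# Constructed OpenAPI paths object (assumption: path template -> documented methods).
OPENAPI_PATHS = {
    "/v2/users": ["get", "post"],
    "/v2/users/{id}": ["get", "delete"],
    "/v2/orders/{orderId}/items": ["get"],
    "/v1/reports": ["get"],  # documented, but receives no traffic in the log below
}

# Constructed ingress access-log excerpt (combined-log style, simplified).
ACCESS_LOG = """\
10.0.0.4 - - [03/Feb/2026:10:01:02 +0000] "GET /v2/users/42 HTTP/1.1" 200 512
10.0.0.4 - - [03/Feb/2026:10:01:03 +0000] "POST /v2/users HTTP/1.1" 201 98
10.0.0.9 - - [03/Feb/2026:10:02:10 +0000] "GET /v1/users/42/export HTTP/1.1" 200 9812
10.0.0.9 - - [03/Feb/2026:10:02:11 +0000] "GET /internal/debug/heap HTTP/1.1" 200 120003
10.0.0.7 - - [03/Feb/2026:10:03:00 +0000] "GET /v2/orders/7/items?page=2 HTTP/1.1" 200 771
10.0.0.7 - - [03/Feb/2026:10:03:01 +0000] "DELETE /v2/users/42 HTTP/1.1" 204 0
10.0.0.7 - - [03/Feb/2026:10:03:05 +0000] "PUT /v2/users/42 HTTP/1.1" 200 40
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
VERSION_RE = re.compile(r"^/v(\d+)/")

def template_to_regex(template):
    # /v2/users/{id} -> ^/v2/users/[^/]+$ ; literal segments are escaped.
    parts = re.split(r"(\{[^}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")

def compile_spec(paths):
    return [(tmpl, template_to_regex(tmpl), {m.upper() for m in methods})
            for tmpl, methods in paths.items()]

def documented_versions(paths):
    versions = set()
    for p in paths:
        m = VERSION_RE.match(p)
        if m:
            versions.add(int(m.group(1)))
    return versions

def classify(path, versions):
    # Heuristic (assumption of this example): undocumented traffic under an API
    # version older than the newest documented one is most likely a zombie left
    # behind by a migration; everything else is treated as shadow.
    m = VERSION_RE.match(path)
    if m and versions and int(m.group(1)) < max(versions):
        return "zombie"
    return "shadow"

def reconcile(paths, log_text):
    """Return (unmatched, unused). unmatched maps (method, path-or-template) to
    (hit count, 'shadow'|'zombie'); unused lists documented templates that got
    no traffic in the log window."""
    compiled = compile_spec(paths)
    versions = documented_versions(paths)
    hits, kind, seen = Counter(), {}, set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line; skip rather than guess
        method = m.group("method")
        path = m.group("target").split("?", 1)[0]  # drop the query string
        for tmpl, rx, methods in compiled:
            if rx.match(path):
                if method in methods:
                    seen.add(tmpl)
                else:
                    # documented path, undocumented method: still a gap in the spec
                    hits[(method, tmpl)] += 1
                    kind[(method, tmpl)] = "shadow"
                break
        else:
            hits[(method, path)] += 1
            kind[(method, path)] = classify(path, versions)
    unmatched = {k: (hits[k], kind[k]) for k in hits}
    unused = sorted(set(paths) - seen)
    return unmatched, unused

if __name__ == "__main__":
    unmatched, unused = reconcile(OPENAPI_PATHS, ACCESS_LOG)
    for (method, path), (n, k) in sorted(unmatched.items()):
        print(f"{k:6} {method:6} {path} ({n} hits)")
    for tmpl in unused:
        print(f"unused documented route: {tmpl}")
```

Run on real data, the log window matters: a route that is only called by a monthly batch job looks unused in a one-week window, so treat the unused list as a prompt to ask the owner, not as a delete list.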

Mitigation

  • Deprecate on a published timeline, and once a route is retired answer with a clear RFC 7807 (now RFC 9457) problem-details error rather than silently routing to the old handler.
  • Put legacy endpoints behind the same authentication and authorization as the rest of the API immediately; then disable them, or rate-limit them while remaining consumers migrate.
  • Automate weekly inventory checks in CI with SAST testing for APIs, failing the build when a router definition has no spec entry.
  • Assign an owner for every service and every spec, so a finding always has someone who can answer for it.
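The deprecate-then-retire flow from the first two mitigation items, as an added example that is not part of the original post: a framework-agnostic dispatcher that consults a constructed lifecycle table before the normal router. Before the sunset instant the old route still works but every response carries a Sunset header (RFC 8594) and a Link to the deprecation notice; after it, the dispatcher answers 410 Gone with an application/problem+json body and never invokes the old handler. The route, successor and notice URL are hypothetical.

```python
import json
from datetime import datetime, timezone
from email.utils import format_datetime

# Constructed lifecycle table (assumption): route -> when it stops working and
# where clients should go instead. Before the sunset instant the route still
# works but advertises its end of life; afterwards it is retired.
LIFECYCLE = {
    "/v1/users/export": {
        "sunset": datetime(2026, 3, 31, tzinfo=timezone.utc),
        "successor": "/v2/users/{id}/export",
        "notice": "https://api.example.com/docs/deprecations#v1-export",  # hypothetical URL
    },
}

# Two instants on either side of the sunset above, used by the demo at the bottom.
BEFORE_SUNSET = datetime(2026, 2, 3, tzinfo=timezone.utc)
AFTER_SUNSET = datetime(2026, 4, 1, tzinfo=timezone.utc)

def problem(status, title, detail, instance, **extensions):
    """Build an RFC 7807 / RFC 9457 problem-details response triple."""
    body = {"type": "about:blank", "title": title, "status": status,
            "detail": detail, "instance": instance, **extensions}
    return status, {"Content-Type": "application/problem+json"}, json.dumps(body).encode()

def decode(body):
    return json.loads(body)

def lifecycle_headers(entry):
    # Sunset (RFC 8594) carries the retirement instant as an HTTP-date; the
    # "sunset" link relation points at the human-readable deprecation notice.
    return {"Sunset": format_datetime(entry["sunset"], usegmt=True),
            "Link": f'<{entry["notice"]}>; rel="sunset"'}

def dispatch(method, path, handlers, now=None):
    """Route one request. handlers maps path -> callable(method) -> (status, headers, body)."""
    now = now or datetime.now(timezone.utc)
    entry = LIFECYCLE.get(path)
    if entry is None:
        handler = handlers.get(path)
        if handler is None:
            return problem(404, "Not Found", f"{path} is not a documented route", path)
        return handler(method)
    extra = lifecycle_headers(entry)
    if now < entry["sunset"]:
        # Deprecation phase: serve the request, but every response says when it ends.
        status, headers, body = handlers[path](method)
        return status, {**headers, **extra}, body
    # Retired: answer here and never invoke the old handler, so the handler can
    # be deleted without any further change in client-visible behaviour.
    status, headers, body = problem(
        410, "Gone",
        f"{path} was retired on {extra['Sunset']}; use {entry['successor']}",
        path, successor=entry["successor"])
    return status, {**headers, **extra}, body

# Constructed handler table standing in for the real router.
def legacy_export(method):
    return 200, {"Content-Type": "text/csv"}, b"id,name\n42,ada\n"

HANDLERS = {"/v1/users/export": legacy_export}

if __name__ == "__main__":
    for when in (BEFORE_SUNSET, AFTER_SUNSET):
        status, headers, body = dispatch("GET", "/v1/users/export", HANDLERS, now=when)
        print(when.date(), status, headers, body.decode())
```

Keeping the lifecycle table in front of the router is the point: once a route is past sunset the old handler is unreachable even if someone forgets to delete it, and the 410 body tells both humans and client libraries where to go instead.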