70–90% of REST APIs are undocumented. API eNVy™ — NightVision's API discovery engine — reads your source code and emits a complete OpenAPI/Swagger spec covering every endpoint: documented, undocumented, and shadow. No running app. No traffic capture. No code changes.
Every API security program starts with inventory — and inventory is where most programs silently fail.
Traffic-based tools watch production requests — so endpoints are only "discovered" after they're deployed and exposed, sometimes by the attacker who found them first. Spec-driven scanners test exactly what your OpenAPI file says exists, which means the endpoint your team shipped last sprint without updating Swagger gets zero coverage. Both approaches share the same blind spot: the APIs nobody wrote down.
API eNVy™ reads the source of truth — your source code. Every route, parameter, and response shape in the codebase becomes part of a complete OpenAPI spec, generated in under 20 seconds, before the code ships. Shadow endpoints, legacy routes, framework-implicit APIs: if it's in the code, it's in the spec — and everything in the spec gets dynamically tested.
Connect a repo or run the CLI against your source tree. No running application, no agents, no instrumentation, no code changes.
API eNVy™ statically analyzes routes, parameters, auth patterns, and response shapes, then writes a complete OpenAPI/Swagger specification, with each endpoint flagged as documented or undocumented.
The spec feeds NightVision's DAST engine directly: every discovered endpoint is dynamically tested in 3–10 minutes, with validated findings tied to the exact file and line.
Find the endpoints running in your environment that no spec, gateway config, or security tool knows about — before an attacker enumerates them.
Generate accurate, current OpenAPI/Swagger documentation for legacy services and fast-moving codebases where specs never keep up.
Feed the generated spec into DAST on every pull request so new endpoints are tested the moment they're written — not after they're deployed.
Export the OpenAPI spec into gateways, runtime protection platforms, and spec-driven scanners that are blind without it.
"NightVision discovered 200%+ more API endpoints than the documentation said existed — including the ones that mattered most."
NightVision customer benchmark · see it on your own repo with a free trial
The process of finding and inventorying every API endpoint in your applications — including undocumented, shadow, and zombie endpoints missing from your OpenAPI specs. With 70–90% of REST APIs undocumented, discovery is the prerequisite for any API security program.
API eNVy™ statically analyzes your source to identify every route, parameter, and response shape, then emits a complete OpenAPI (Swagger) spec — in under 20 seconds, with no running app, no traffic capture, and no code changes.
An endpoint running in your environment that your security and documentation tooling doesn't know about — shipped without spec updates, left over from previous versions, or created implicitly by frameworks. Untested, unmonitored, and a primary attack vector.
Traffic-based tools find APIs by watching production traffic — after deployment, after exposure. Source-code discovery finds every endpoint before it ships, including ones that haven't received a single request yet.
The major web frameworks across common backend languages — see docs.nightvision.net for the current matrix, or run it free against your repo.
Yes — the generated spec feeds NightVision's DAST engine directly, dynamically testing every endpoint in 3–10 minutes with findings pinpointed to file and line.
Run API eNVy™ against one of your repos — free, no credit card — and count the endpoints you didn't know you had.