
APIs Are the New Attack Surface — StackHawk’s Joni Klippert on Redefining Security in an AI-Driven World


The exponential growth of APIs in modern applications has created a critical security blind spot for organizations worldwide. As applications increasingly rely on API-driven architectures—especially those powered by artificial intelligence (AI)—security teams are struggling to maintain visibility and control over their expanding attack surfaces.

In a recent TFiR interview, Joni Klippert, CEO and Co-Founder of StackHawk, outlined how traditional security approaches are failing to keep pace with modern development practices. “Folks were waiting way too long to test their applications for security vulnerabilities,” Klippert explained. “They had to be deployed to production, and then the security team was trying to find vulnerabilities before the engineering team was.”

The API Discovery Challenge

The core problem facing security teams isn’t just the volume of APIs—it’s the lack of visibility into where these APIs exist. Traditional security approaches rely on gateway monitoring, which only captures APIs that are actively deployed and receiving traffic through registered routes. This leaves internal APIs, integration endpoints, and improperly configured services completely invisible to security teams.

StackHawk’s solution takes a fundamentally different approach. “Your source code is your source of truth. That’s where your APIs are,” Klippert emphasized. By ingesting repositories directly from source code management systems and using AI to identify applications and APIs that require security testing, the platform provides comprehensive visibility that traditional gateway-based monitoring cannot match.

The scope of hidden APIs often surprises organizations. According to Klippert, out of 1,000 repositories, approximately 350 typically contain APIs that need security testing—far more than what security teams initially expect to find through conventional monitoring methods.

Prioritizing Risk with Sensitive Data Detection

With such extensive API discovery capabilities, prioritization becomes crucial. StackHawk’s newly announced sensitive data identification feature addresses this challenge by helping security teams focus on the most critical vulnerabilities first. The platform analyzes codebases to identify APIs that handle personally identifiable information (PII), payment card industry (PCI) data, and healthcare information subject to HIPAA regulations.

“When you think about uptime, or the different things that can happen to an organization and their software, if your software goes down, that’s a bummer,” Klippert noted. “But if one day you log into your banking account and it has way less money in it, or even way more money in it than it should have, you lose trust in the banking system in general.”

The platform considers two key vectors for risk prioritization: the frequency of API changes (since each code change represents a potential new vulnerability) and the presence of sensitive data. This dual approach ensures that security teams can allocate their resources most effectively.
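The code-first discovery and two-vector prioritization described above, as an added illustration that is not StackHawk’s own code: it walks constructed repository metadata, detects route definitions, matches field identifiers against constructed PCI/PII/HIPAA name lists, and ranks findings by change frequency plus sensitive-data presence. Only paths, route strings and field names are recorded, never field values. The repository contents, route patterns and scoring weights are all assumptions.

```python
import re

# Constructed sample repositories: (file path, source excerpt, commits in the last 30 days).
SAMPLE_REPOS = {
    "payments-svc": [
        ("src/routes/cards.py",
         '@app.post("/v1/cards")\ndef add_card(card_number, cvv, expiry_date):\n    ...',
         14),
    ],
    "marketing-site": [
        ("src/pages/index.js", "export default function Home() { return null; }", 2),
    ],
    "patient-portal": [
        ("api/records.go",
         'r.GET("/records/:id", getRecord) // fields: patient_name, diagnosis, ssn',
         1),
    ],
}

# Route definition shapes we recognise (assumed; real scanners cover many more frameworks).
ROUTE_PATTERNS = [
    re.compile(r'@app\.(get|post|put|delete)\("([^"]+)"'),  # Flask / FastAPI style
    re.compile(r'r\.(GET|POST|PUT|DELETE)\("([^"]+)"'),     # Gin style
]

# Field names that indicate regulated data (constructed, deliberately short).
SENSITIVE_FIELDS = {
    "PCI": {"card_number", "cvv", "expiry_date", "pan"},
    "PII": {"ssn", "email", "date_of_birth", "patient_name"},
    "HIPAA": {"diagnosis", "medical_record_number"},
}

def discover(source):
    """Return (routes, categories, matched field names) from source metadata only."""
    routes = [m.group(2) for p in ROUTE_PATTERNS for m in p.finditer(source)]
    identifiers = set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", source))
    hits = {cat: identifiers & names for cat, names in SENSITIVE_FIELDS.items()}
    categories = sorted(cat for cat, found in hits.items() if found)
    fields = sorted(f for found in hits.values() for f in found)
    return routes, categories, fields

def score(change_count, categories):
    # Vector one: how often the API changes. Vector two: sensitive data handled.
    return change_count + 10 * len(categories)

def prioritize(repos):
    """Rank every file that defines an API, highest risk first."""
    findings = []
    for repo, files in repos.items():
        for path, source, changes in files:
            routes, cats, fields = discover(source)
            if routes:  # no routes means no API to put under test
                findings.append({"repo": repo, "path": path, "routes": routes,
                                 "sensitive": cats, "fields": fields,
                                 "score": score(changes, cats)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```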

Real-World Adoption in High-Stakes Industries

Despite their reputation for slow technology adoption, industries handling sensitive data—particularly fintech and healthcare—have embraced StackHawk’s approach. Klippert attributes this to the intense pressure these organizations face: executive demands for faster feature delivery combined with regulatory requirements that prevent deployment of inadequately tested applications.

One UK-based fintech customer exemplifies this value proposition. “I got a notification within two minutes of a new repository being added that had an API in it, and I contacted the person who deployed it and ensured that we had that under test before that thing actually hit production,” the customer reported.

This rapid response capability represents a fundamental shift from reactive to proactive security management—a transformation that’s become essential as API security challenges continue to evolve in complexity and scale.

The Shift-Left Security Imperative

StackHawk’s approach exemplifies the broader shift-left security movement, which seeks to integrate security testing earlier in the development lifecycle. Rather than throwing JIRA tickets “over the wall” to developers after vulnerabilities are discovered in production, the platform enables engineers to find and fix security issues while they are still in the context of their code.

This alignment with DevSecOps practices ensures that security becomes an integral part of the development process rather than an afterthought. By applying DevOps principles to cybersecurity—limiting noise, focusing on truly important issues, and making fixes easy to implement—StackHawk enables developers to maintain their primary focus on delivering customer value.

As organizations continue to expand their API footprints and integrate AI-driven capabilities, the need for comprehensive, proactive API security will only intensify. StackHawk’s combination of AI-powered discovery, sensitive data identification, and developer-friendly integration points toward a future where security keeps pace with the rapid evolution of modern application architectures.

The message is clear: in an era where APIs serve as the backbone of digital experiences, security teams can no longer afford to remain reactive. The organizations that will thrive are those that embrace tools and processes that make security as dynamic and scalable as the applications they protect.

Edited Transcript

Swapnil Bhartiya: Today, we are tackling a critical challenge faced by security teams worldwide: the explosive growth of APIs and the urgent need to secure sensitive data flowing through them. Joining me today is Joni Klippert, CEO and Co-Founder of StackHawk, a company revolutionizing application security by making it easier for teams to identify and mitigate vulnerabilities in their APIs and web applications.

Joni Klippert: Thank you so much for having me. Great to see you.

Swapnil Bhartiya: Thanks for joining me. Before we deep dive into the specifics of today’s announcement, since you are here on the show and this is the first time I’m talking to you, and you’re also Co-Founder of the company, I would love to know what led to the creation of this company. What problem did you see that still needed to be solved?

Joni Klippert: Yeah, so I actually come out of the DevOps ecosystem. I’ve been building products for software engineers for about 10 years before starting StackHawk. With this company, and with security in particular, what I found was folks were waiting way too long to test their applications for security vulnerabilities. They had to be deployed to production, and then the security team was trying to find vulnerabilities before the engineering team was. So what that meant was they deployed code to production that had been sitting in production for—God knows how long—could be weeks, could be months, it could be a year. And then they find vulnerabilities in that code, write a bunch of JIRA tickets, and throw them over the wall to software engineers and say, “You need to stop what you’re doing and you need to fix these bugs.”

And I was like, “This is so backwards. We have to enable our software engineers to actually find and fix these security vulnerabilities while they’re in context of their code and while they’re writing code.” And so what we did with StackHawk was apply a lot of DevOps principles to cybersecurity—ensuring that we limit noise, we make sure that we’re only really addressing or popping up or taking the engineer’s attention if something is really important, and then making it easy for them to fix these vulnerabilities so they can get back to their day job, which is writing value and delivering value for customers.

Swapnil Bhartiya: It might sound like a cliché or stereotype, but we kind of live in an AI-driven world. Can you talk about why APIs are such a high-stakes battleground for security teams today?

Joni Klippert: In today’s applications, especially those that are built with AI, apps are really just front ends on top of a collection of APIs. So those APIs are what actually talk to your databases. They’re the things that handle sensitive data. They expose business logic. So when we talk about attack surface, what we’re really saying is that APIs are the attack surface. So we have to not only know where our APIs are, but we have to ensure that we’re testing them for security vulnerabilities before they’re getting out into the wild.

Swapnil Bhartiya: That’s a crucial point. APIs are the backbone of modern applications, but they’re also a gold mine for attackers if sensitive data is not properly protected. Today, of course, we are here to discuss StackHawk’s new sensitive data identification feature, which is designed to help security teams zero in on high-risk APIs. But I want to also know: how does StackHawk even begin to locate the thousands of APIs hiding in plain sight across organizational infrastructure?

Joni Klippert: Yeah, it’s so funny because we used to joke about this when security teams would say, “I don’t even know where my APIs are.” We’d say, “Well, they’re in your code base. Your software engineers are working on them constantly, right?” But that isn’t really an interface or a world that cybersecurity teams really understand.

And so the legacy way of understanding our API attack surface from security teams was to monitor the gateway for visibility. So the way that security teams are used to doing this is they look at the gateway, and then they can only see what’s been deployed, what’s been routed through the gateway, and is actively receiving traffic. So there are a whole bunch of APIs that the security team isn’t seeing—internal APIs, integration endpoints, or anything that’s not properly registered, meaning going through the gateway. They’re completely missing those.

So the way that StackHawk thinks about this is: your source code is your source of truth. That’s where your APIs are. And so the way that we are approaching API discovery is to ingest all of your repositories out of your source code repository, and then we use AI to determine which of those contain applications or APIs that need to be under test with something like StackHawk. And it ends up being a lot more than what the security team really ever imagined. So it’s a very code-first approach to identifying the API landscape.

Swapnil Bhartiya: It’s fascinating. So StackHawk is not just about finding APIs; it’s about giving security teams the clarity to prioritize what truly matters. Now let’s dig deeper into this new feature. How does sensitive data identification work, and why should security teams and CISOs care about it?

Joni Klippert: Yeah, I’m really excited about this capability that we’re talking about today. So what we found happens is when we identify the attack surface for an organization, it ends up being a lot larger than they had anticipated. So out of 1,000 repositories, on average, probably 350 of them have APIs that need to be under test with StackHawk. That’s a lot of work to put all of those things under test if you don’t have the processes in place to have your engineers do it from the beginning, right?

And so how do we help engineering teams and security teams prioritize where to put their efforts in the cybersecurity landscape? There are two vectors that we help support the security team with in showing where they need to address risk the most.

The first one is: how often are these APIs changing? So if they’re constantly under development and being pushed to production, every code change is an opportunity for a new vulnerability. So that’s vector one.

Vector two, that we’re releasing today, is sensitive data detection. So we can identify, by looking at the code base, which of these APIs handle PII, PCI, or HIPAA data—so financial data or healthcare data, or just personal information, personally identifiable information. And that’s where you want to start your program. So this is a subset of that attack surface we talked about, to make sure that we start here because this is where the crown jewels are, as some people might say. We want to make sure that those things are under test and secure first.

Swapnil Bhartiya: Got it. So it’s not just about detecting data types; it’s also about contextualizing the risk. But how would you define a high-risk API in the first place? What kind of sensitive data are we talking about? You did give some examples—is it payment information, is it healthcare, or is it something entirely different?

Joni Klippert: There are a lot of fields, essentially, in which we look for sensitive data. But imagine that you’re a consumer—we all are—of a FinTech app or a banking app, right? So the types of data that we might find are card number, CVV, expiry date, right? So those key-value pairs that we’re looking for are definitely PCI-regulated data, and they’re endpoints that essentially could allow somebody to steal our own credit card information.

And when you think about the importance of these APIs, when you think about uptime or the different things that can happen to an organization and their software, if your software goes down, that’s a bummer, right? You’re losing money; you want your software to be up. But if one day you log into your banking account and it has way less money in it, or even way more money in it than it should have, you lose trust in the banking system in general, right? We have to trust that this data is being handled correctly and is not subject to vulnerabilities that actually can harm specifically a company or an industry.

Swapnil Bhartiya: You mentioned AI, and we all use and leverage AI and GenAI, but as soon as we let AI in, we kind of lose a bit of control, where we don’t even know what kind of access AI may have, how it may use that data, as long as it’s not running on our own data center. So how do you ensure that by leveraging AI, we don’t compromise on data security or AI security?

Joni Klippert: Yeah, so what we pull in is metadata, not the actual data. And so we can see files, we can see key-value pair names, but we are not copying down the entire code base. And so the way that we architected the feature is very safe because we know the world that we live in, which is cybersecurity. So we have to ensure that we can leverage these tools to help our users be more effective, but also fit within the realm of the tooling that they’re comfortable with right now with AI.

Swapnil Bhartiya: Now let’s talk about traction. You mentioned industries like healthcare and FinTech. These are some of the oldest industries. They have been around for a long time. They have their own infrastructure, very sensitive data, so they sometimes seem slow to move quickly. But they are sitting on mountains of sensitive data—exactly the kind of data attackers want. Can you talk about how StackHawk has been adopted in these high-stakes sectors? What is driving this adoption, and what feedback do you get from these teams who are leveraging your tools to protect their APIs?

Joni Klippert: Yeah, so believe it or not, in FinTech, they’ve gone very API-first very quickly because of the types of data that they’re moving around and because of all of their compliance requirements in handling this type of data. They have a lot of pressures on them, right? Which is from the top, from the C-suite: “Let’s get out more features and capabilities to our customers. We have to go faster.” But from the security side, they’re saying, “Wait, we can’t deploy until we test these applications for security vulnerabilities because of the types of data we handle.”

So they’ve really flocked to StackHawk—oh my god, that was the worst pun, and I didn’t even mean it—they’ve come to StackHawk because they know that we’re the only API security company that’s going to help them test their APIs for vulnerabilities as they’re being written. And so the whole mission of StackHawk is: deliver secure code faster. And it just so happens to be that we’ve invested a lot in API security testing and the ability to surface these APIs to a security team that didn’t have access to that information before.

For example, we have a FinTech customer in the UK that contacted us and said, “I love this attack surface discovery feature. I got a notification within two minutes of a new repository being added that had an API in it, and I contacted the person who deployed it and ensured that we had that under test before that thing actually hit production.” So it’s that kind of value that we’re providing to security teams in FinTech and health tech that are handling very sensitive data that really drives them and creates such adoption with StackHawk.

Swapnil Bhartiya: Thanks for walking us through that. It’s clear that StackHawk’s approach—combining API discovery, risk prioritization, and actionable insights—is hitting a nerve in a world where shift-left security is not optional anymore. It’s not an afterthought. It’s not someone else’s problem. For our viewers, this is a prime example of how proactive security strategies are evolving to meet the demands of modern development. Stick around for more episodes of Secure by Design, and don’t forget to subscribe. Joni, thank you so much, and I look forward to chatting with you again.

Joni Klippert: Thank you. Thank you so much.
