Wiz adds API discovery
- Wiz expanded API discovery by integrating with Google Apigee to map gateways, endpoints and authentication risks. - The integration feeds API topology and auth details into the Wiz Security Graph for consolidated risk views. - Treating APIs as first‑class governance objects lets internal teams trace exposures to owners, remediation and evidence collection. (wiz.io)
Application programming interfaces are the doors software uses to talk to other software, and Wiz now says it can map those doors in Google Apigee. (wiz.io) Wiz said on April 21, 2026 that its Google Cloud connector now discovers Apigee gateways, environments, proxies, endpoints and authorization schemes, then places them on the company’s Security Graph. The feature works with both Apigee X and Apigee Hybrid, according to the company. (wiz.io) Apigee is Google Cloud’s API management platform, where companies publish API proxies that route requests to backend services and apply controls such as OAuth, API keys and traffic policies. Google’s documentation describes Apigee proxies as the foundation for building and sharing application programming interfaces with internal and external developers. (cloud.google.com, docs.apigee.com) Wiz said its scanner reads flow-level policies and request hooks in each proxy revision to identify the authentication method in use, including OAuth, API key, bearer token, basic authentication, Security Assertion Markup Language and Hash-based Message Authentication Code. When no authentication is present, Wiz flags the endpoint, the company said. (wiz.io) The point of that mapping is context. Wiz said an exposed endpoint can then be linked to the gateway serving it, the compute workload behind it, the data stores it can reach and the network paths that determine whether it is reachable from the internet. (wiz.io, cloud.google.com) That puts APIs into the same inventory and risk model many security teams already use for virtual machines, containers and cloud data stores. Wiz describes its Security Graph as a single graph that correlates cloud findings into attack paths and remediation priorities. (cloud.google.com, assets-global.website-files.com) API discovery has become its own security category because companies often know the code they shipped but not every endpoint that is still reachable, inherited from older services or published through a gateway team. Wiz’s own API security guidance defines discovery as finding and cataloging every active API across an organization’s environment. (wiz.io) Wiz said the Apigee data can also be tied to ownership, remediation workflows and evidence collection inside the platform, which turns an unauthenticated endpoint from a standalone finding into a tracked governance issue. The company said the integration is available out of the box for customers already scanning Google Cloud Platform. (wiz.io) The release adds one more layer to Wiz’s pitch that cloud security tools should understand how applications are exposed, not just where they run. In this case, the new view starts at the API front door. (wiz.io, cloud.google.com)
