What is Checkmarx API Security?

Checkmarx API Security is the API-specific scanner inside the Checkmarx One Code pillar. It discovers shadow and zombie APIs, detects drift between OpenAPI documentation and the runtime surface, runs runtime risk scoring per endpoint, and covers REST, GraphQL, gRPC, and SOAP. Findings flow into the same Checkmarx One backlog as SAST, SCA, and DAST. Licensing arrives through Merito alongside the implementation engagement.

How is this different from running DAST against the API?

DAST exercises documented endpoints with realistic payloads. API Security additionally discovers undocumented endpoints, detects drift between OpenAPI specs and runtime, and runs per-endpoint risk scoring. Programs running pure DAST against APIs are scanning the documented surface and missing shadow endpoints. Merito recommends running both: API Security for inventory and drift, DAST for runtime exploitation testing.

How is Checkmarx API Security different from Salt Security or Noname?

Salt Security and Noname are specialist API security vendors with strong runtime detection and behavioral analytics. Checkmarx API Security differentiates on schema-first integration with OpenAPI and GraphQL, cross-product correlation with SAST, SCA, and DAST inside Checkmarx One, and Triage and Remediation clustering. Programs picking Checkmarx are picking platform consolidation; programs picking Salt or Noname are picking specialist depth.

What is shadow API discovery?

Shadow APIs are endpoints exposed at runtime but missing from documentation. They drift in over time as developers ship endpoints, fork internal versions, or expose debugging routes that become load-bearing. Checkmarx API Security crawls the runtime, reconciles against OpenAPI or GraphQL schemas in source control, and surfaces the delta. Pure SAST and DAST cannot do this.

Does API Security work without authoritative schemas?

Partially. Runtime discovery still works (the scanner infers the endpoint surface from traffic) but drift detection requires authoritative schemas to compare against. Programs without OpenAPI specs in source control get inventory and risk scoring but lose the drift advantage. Merito treats schema discipline as part of the implementation engagement rather than a precondition.

How is Checkmarx API Security licensed?

API Security is part of the Checkmarx One Advanced and Enterprise bundles. Pricing is by API count, gateway integration scope, and bundle. Pricing flows through Merito; implementation, schema wiring, drift-detection rules, and gateway integration scope under a separate program engagement.

How long does a Checkmarx API Security implementation take?

First runtime scan and shadow-API discovery in one to two weeks. Drift detection wired against source-control schemas in three to six weeks. Enterprise rollout across the portfolio runs three to six months. Merito treats schema discipline and drift-rule authoring as central work in the first month.

What services does Merito provide for Checkmarx API Security?

Tenant setup, runtime discovery configuration, schema-source wiring, drift-detection rules, gateway integration, MAPS Assessment for AppSec program scoping, Premium Support, Managed Services for ongoing run, training for AppSec architects and API platform owners, and staff augmentation.

Checkmarx • Application security

Checkmarx API Security

Checkmarx API Security discovers shadow and zombie APIs, detects drift between documented and actual API surfaces, runs runtime risk scoring per endpoint, and covers REST, GraphQL, gRPC, and SOAP inside the same Checkmarx One backlog as SAST, SCA, and DAST.

A Merito Checkmarx API Security engagement reconciles OpenAPI documentation with the runtime surface, configures shadow-API discovery, and routes findings into the unified Checkmarx One backlog so AppSec sees one queue instead of stitching together API governance separately.

Get Checkmarx API Security pricing Talk to a Merito Checkmarx API Security specialist

Best for: AppSec leaders securing the API surface across REST, GraphQL, and gRPC, API platform owners and API governance leads, Engineering leaders running OpenAPI-first or schema-first API programs
Hosting: SaaS
Time to value: First runtime scan and shadow-API discovery in one to two weeks. Drift detection wired against source-control schemas in three to six weeks. Enterprise rollout across portfolio typically runs three to six months.
Security posture: GDPR, HIPAA-aligned design, SAML SSO
Last reviewed: 2026-04-26

What it is

Checkmarx API Security in the enterprise stack

Checkmarx API Security is the API-specific scanner inside the Checkmarx One Code pillar. Where DAST exercises the application end-to-end, API Security focuses on the API contract: the endpoints exposed, the auth model on each, the schema validation, the rate limits, and the runtime drift between what the OpenAPI document says and what the runtime actually serves. Programs running pure DAST against the web frontend are missing the structural risk; the API surface is usually the actual application.

Shadow API discovery is the load-bearing capability. In real environments, the API surface drifts: developers ship endpoints, deprecate them informally, fork an internal version, or expose a debugging route that becomes load-bearing. Checkmarx API Security crawls the runtime, reconciles against the OpenAPI or GraphQL schema in source control, and surfaces the delta. Endpoints that exist in production but are missing from documentation are shadow APIs; endpoints in documentation that no longer exist are zombie APIs. Both create risk that pure SAST and DAST never catch.

Runtime risk scoring per endpoint is the prioritization signal. Not every API endpoint carries the same risk: a public unauthenticated read endpoint is low-risk; an internal write endpoint with authorization-only access to a financial record is high-risk. Checkmarx scores per endpoint based on auth shape, data sensitivity, traffic patterns, and historical findings. The AppSec team triages high-risk endpoints first instead of treating an OpenAPI document as a flat list.

What disrupts API Security adoption is incomplete schema. The product reconciles against documented OpenAPI, GraphQL, or gRPC contracts, and programs without authoritative schemas in source control end up with the scanner inferring everything from runtime traffic alone. That works but loses the drift-detection advantage. Merito's engagement starts with schema discipline: are the OpenAPI specs authoritative, are they current, and are they checked into the same repo as the implementation. Without that, API Security degrades to runtime scanning, which is still useful but not the full product.

Ideal use cases

Shadow API and zombie API discovery across runtime versus documented surface
Runtime risk scoring on portfolios with hundreds or thousands of endpoints
Drift detection between OpenAPI specs in source control and the runtime API
API Security findings flowed into the same Checkmarx One backlog as SAST, SCA, and DAST
Regulated API governance for PCI DSS, HIPAA, and SOC 2 audits

What it is best at

Where Checkmarx API Security earns its seat

Shadow and zombie API discovery

Reconciles runtime traffic against OpenAPI, GraphQL, and gRPC schemas to surface endpoints that exist in production but not in documentation, and endpoints documented but no longer running. Pure DAST cannot do this.

Runtime risk scoring per endpoint

Scores each endpoint by auth shape, data sensitivity, traffic patterns, and historical findings so the AppSec team triages high-risk endpoints first.

REST, GraphQL, gRPC, and SOAP coverage

One engine across the API protocols enterprises actually run. Programs stop stitching together specialist tools per protocol.

Cross-product correlation with SAST, SCA, and DAST

API findings link back to the SAST flow path that exposed the endpoint, the SCA dependency at the runtime layer, and the DAST runtime confirmation. AppSec sees the full chain in one ticket.

Schema-first integration with OpenAPI and GraphQL

Ingests OpenAPI 3.x, GraphQL schema, and gRPC proto files directly. Programs running schema-first development get drift detection as a default rather than an upsell.

Core capabilities

Checkmarx API Security capabilities, grouped by outcome

Discovery and inventory

Knowing what API surface actually exists at runtime versus what documentation claims.

Runtime API discovery
Crawls runtime traffic and infers the live endpoint surface, including endpoints not present in any OpenAPI document.
Shadow API detection
Surfaces endpoints exposed at runtime but missing from documentation. Common in fast-moving services where ops drift past governance.
Zombie API detection
Surfaces documented endpoints that no longer exist or have been silently deprecated. Cleans up consumers calling dead routes.
API inventory
Single inventory of every API endpoint across the portfolio with auth shape, data sensitivity tags, and risk score.

Drift detection and governance

Reconciling runtime against documentation continuously so drift is caught quickly.

OpenAPI and GraphQL drift detection
Compares runtime API surface against OpenAPI 3.x, GraphQL schema, or gRPC proto files in source control. Surfaces drift as it appears.
Schema validation
Validates that documented schemas match the runtime payloads. Catches breaking changes and drift between contract and implementation.
Auth-model verification
Verifies that the auth model documented in OpenAPI matches what is actually enforced at runtime. Surfaces missing auth on endpoints that should require it.

Risk scoring and remediation

Prioritizing the API surface so triage focuses on what actually matters.

Per-endpoint risk scoring
Scores each endpoint by auth shape, data sensitivity, traffic patterns, and historical findings.
Cross-product correlation
API findings cross-link to SAST flow paths, SCA dependencies, and DAST runtime confirmations inside Checkmarx One.
Triage and Remediation clustering
Related API findings cluster with SAST and SCA findings on root cause for single-fix remediation.
Compliance reporting
Audit-ready evidence for PCI DSS, HIPAA, SOC 2, and ISO 27001 attestations on the API surface.

Where it fits in the stack

How Checkmarx API Security connects to the rest of your landscape

Checkmarx One platform (native)

Native

Checkmarx SASTAPI findings cross-link back to the SAST flow path that exposed the endpoint.
Checkmarx SCAAPI runtime exercise informs SCA reachability scoring on dependencies that serve API endpoints.
Checkmarx DASTShadow-API discovery feeds DAST scan scope so dynamic scanning covers endpoints DAST would otherwise miss.
Checkmarx Triage and RemediationAPI findings cluster with related SAST and SCA findings on root cause.

API gateways and developer tooling (certified)

Certified

Apigee, Kong, AWS API Gateway, Azure API Management, MuleSoftIngests gateway traffic logs to bootstrap runtime API discovery.
OpenAPI 3.x, GraphQL schema, gRPC protoSchema ingestion drives drift detection and risk scoring.
Postman, Insomnia, Swagger UIAPI documentation tools feed inventory and scan scope.
Jira, Azure Boards, ServiceNowFindings flow into ticketing as work items with bi-directional status sync.

Custom integrations

Custom

Internal API gateways and service meshesDiscovery integration with Istio, Linkerd, internal proxies, or custom gateways.
SIEM and risk dashboardsAPI findings export into internal SIEM, GRC, and risk-management platforms via the Checkmarx One API.
Custom compliance reportingCustomer-specific reports for PCI DSS, HIPAA, SOC 2, and FedRAMP audits on the API surface.

Deployment and implementation

How it rolls out

Hosting: SaaS (North America, EMEA, APJ)
Implementation complexity: High
Typical time to value: First runtime scan and shadow-API discovery in one to two weeks. Drift detection wired against source-control schemas in three to six weeks. Enterprise rollout across portfolio typically runs three to six months.
Prerequisites: Runtime API surface accessible from Checkmarx scanners (or internal scanning agent)
OpenAPI, GraphQL schema, or gRPC proto files in source control
Named API platform owner
Auth-model documentation per endpoint
Scan-window schedule agreed with API owners
What Merito usually handles: Checkmarx API Security runs as Checkmarx One SaaS with optional internal scanning agents for APIs behind a corporate firewall. Merito handles tenant setup, runtime discovery configuration, schema-source wiring, drift-detection rules, and findings-routing design.

Licensing and packaging

How it is bought

Model: Subscription
What to expect: Checkmarx API Security is part of the Checkmarx One Advanced and Enterprise bundles and licensed by API count and bundle tier. Pricing depends on endpoint volume, gateway integration scope, and bundle. License acquisition flows through Merito; the API governance program is scoped under a separate engagement.
Editions and modules: Checkmarx One Advanced
Adds API Security alongside DAST, IaC Security, Malicious Package Protection, and Repository Health to the Essentials baseline.
Best for: Programs adding API Security to an existing SAST or SCA footprint.
Checkmarx One Enterprise
Advanced plus AI agents (Developer Assist, Triage and Remediation), AI Supply Chain Security, Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs running API Security inside a fully consolidated AppSec platform.
Common expansion areas: Add Checkmarx DAST coverage for end-to-end runtime testing of API-backed apps
Layer Triage and Remediation to cluster API findings with SAST and SCA
Add Checkmarx Container Security and IaC Security for cloud-native programs serving APIs
Add Software Supply Chain Security for SBOM and signing on API service binaries

Merito services

How Merito helps you win with Checkmarx API Security

Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.

Checkmarx API Security Implementation

Tenant setup, runtime discovery configuration, schema-source wiring, drift-detection rules, and findings-routing design.

Explore service 02

MAPS Assessment

AppSec program scoping for Checkmarx API Security adoption alongside Salt Security, Noname, and StackHawk API.

Explore service 03

DevOps Consulting

API Security integrated with API gateways, service meshes, and CI/CD release pipelines.

Explore service 04

CRAFT Enablement

Developer enablement and AppSec champion programs around API governance and schema discipline.

Explore service 05

Premium Support

Named engineer, priority SLAs, and release-time coverage for Checkmarx API Security.

Explore service 06

Managed Services

Long-term run support including drift-rule maintenance, gateway-integration upkeep, and risk-scoring evolution.

Explore service 07

Training and Enablement

Role-based training for AppSec architects, API platform owners, and developers consuming API Security output.

Explore service 08

Staff Augmentation

Merito-placed AppSec engineers and Checkmarx specialists embedded on long-running programs.

Explore service

Checkmarx API Security licensing

License the scanner and write the drift rules in one engagement.

Pricing arrives with the runtime discovery configuration, schema-source wiring, drift-detection rules, and gateway integration that turn Checkmarx API Security into a working API governance program.

Request Checkmarx API Security pricing

Merito point of view

The API surface is the application. The web frontend is the easy half.

Merito has audited AppSec programs that ran rigorous DAST against the web frontend and zero scanning against the API surface, then discovered breach exposure on shadow API endpoints nobody knew existed. The web app is the visible part of the application; the API is the structural part. Programs running DAST without API Security are scanning what is easy to scan and missing what an attacker actually exploits.

Merito recommends Checkmarx API Security specifically when the API surface has more than a few dozen endpoints, when schema discipline (OpenAPI in source control) is real or in reach, and when consolidation onto Checkmarx One pays back the integration cost. For programs without authoritative schemas, the runtime discovery still works but loses the drift-detection advantage. Merito surfaces that during scoping rather than overstating what the product delivers without inputs.

Specialist API security vendors (Salt Security, Noname) are competitive on runtime detection and behavioral analytics. Checkmarx API Security differentiates on schema-first integration and cross-product correlation with SAST, SCA, and DAST inside one backlog. Programs picking Checkmarx are picking platform consolidation; programs picking Salt or Noname are picking specialist depth. Both decisions are valid.

What buyers usually underestimate

Adopting API Security without authoritative OpenAPI or GraphQL schemas in source control, losing drift detection.
Treating shadow-API findings as a one-time inventory exercise instead of a continuous reconciliation loop.
Scanning APIs without auth-model documentation, missing the highest-risk findings (missing or wrong auth).
Skipping cross-product correlation, so API findings never link to the SAST source they came from.
Running API Security in isolation from DAST, missing the dynamic confirmation of static issues.

Related from Merito

Continue exploring Checkmarx API Security on Merito

Checkmarx API Security FAQs

Consultation request

Talk to Merito about Checkmarx API Security

Share your API surface (REST, GraphQL, gRPC), schema posture, and gateway tooling. A Merito Checkmarx specialist follows up within one business day.

Shadow APIs

Find what is undocumented

Reconciles runtime against OpenAPI, GraphQL, and gRPC schemas. Surfaces shadow and zombie endpoints pure DAST cannot see.

Cross-product correlation

One ticket, not three

API findings cross-link to SAST flow paths and DAST runtime confirmations inside Checkmarx One.

Next step

Discover the shadow APIs before an attacker does.

A Merito Checkmarx API Security engagement starts with runtime discovery and schema reconciliation. Programs running pure DAST against the web frontend are scanning the easy half.

Book a Checkmarx API Security consultation

Checkmarx API Security

How it rolls out

Hosting

SaaS (North America, EMEA, APJ)

Implementation complexity

High

Typical time to value

First runtime scan and shadow-API discovery in one to two weeks. Drift detection wired against source-control schemas in three to six weeks. Enterprise rollout across portfolio typically runs three to six months.

Prerequisites

Runtime API surface accessible from Checkmarx scanners (or internal scanning agent)
OpenAPI, GraphQL schema, or gRPC proto files in source control
Named API platform owner
Auth-model documentation per endpoint
Scan-window schedule agreed with API owners

What Merito usually handles

Checkmarx API Security runs as Checkmarx One SaaS with optional internal scanning agents for APIs behind a corporate firewall. Merito handles tenant setup, runtime discovery configuration, schema-source wiring, drift-detection rules, and findings-routing design.

How it is bought

Model

Subscription

What to expect

Checkmarx API Security is part of the Checkmarx One Advanced and Enterprise bundles and licensed by API count and bundle tier. Pricing depends on endpoint volume, gateway integration scope, and bundle. License acquisition flows through Merito; the API governance program is scoped under a separate engagement.

Editions and modules

Checkmarx One Advanced
Adds API Security alongside DAST, IaC Security, Malicious Package Protection, and Repository Health to the Essentials baseline.
Best for: Programs adding API Security to an existing SAST or SCA footprint.
Checkmarx One Enterprise
Advanced plus AI agents (Developer Assist, Triage and Remediation), AI Supply Chain Security, Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs running API Security inside a fully consolidated AppSec platform.

Common expansion areas

Add Checkmarx DAST coverage for end-to-end runtime testing of API-backed apps
Layer Triage and Remediation to cluster API findings with SAST and SCA
Add Checkmarx Container Security and IaC Security for cloud-native programs serving APIs
Add Software Supply Chain Security for SBOM and signing on API service binaries

Talk to Merito about Checkmarx API Security

Share your API surface (REST, GraphQL, gRPC), schema posture, and gateway tooling. A Merito Checkmarx specialist follows up within one business day.

Shadow APIs

Find what is undocumented

Reconciles runtime against OpenAPI, GraphQL, and gRPC schemas. Surfaces shadow and zombie endpoints pure DAST cannot see.

Cross-product correlation

One ticket, not three

API findings cross-link to SAST flow paths and DAST runtime confirmations inside Checkmarx One.