The endpoint that wasn't in the data room
Here is how it actually goes. The deal is moving. Your CFO and the buyer's deal team are aligned on a number, the LOI is signed, and technical due diligence is supposed to be a formality. Then in week two of the audit, the buyer's engineers run a discovery scan against your environment and surface an endpoint nobody on your side recognizes — a JSON API spun up eighteen months ago for a partner integration that never shipped, still live, still pointed at a customer table, still bypassing the authentication everyone assumed was universal. Nobody on your team can say who owns it. That silence is the moment your valuation starts moving in the wrong direction.
This is not a hypothetical edge case at B2B SaaS companies; it is the median outcome. According to Forrester's 2025 security budget planning data on API sprawl, only about 10% of organizations fully document their APIs. The other 90% are running on tribal knowledge — endpoints that live in a senior engineer's head and nowhere else. In a high-growth software business, the gap between "the APIs we maintain" and "the APIs that exist" widens with every sprint, because shipping velocity is rewarded and inventory hygiene is not. I have rebuilt this exact capability inside three scaling companies after a buyer's audit blew a hole in the timeline, and the root cause never changed: the org optimized for delivery, and the API surface grew faster than anyone's ability to name it.
The reason this lands so hard in a transaction is that a buyer reads an undocumented endpoint as a proxy for everything they cannot see. PKWARE's summary of data-breach cost benchmarks puts the average U.S. breach at $10.22 million, with API-related exposure pushing detection times — and therefore costs — higher. A deal team that finds one orphaned endpoint does not assume it found the only one. It assumes it found the first one, prices the remediation it can see, and adds a contingency for the remediation it cannot. If you want the broader picture of what a technical auditor treats as a kill signal, our breakdown of the 10 red flags in technology due diligence that kill deals maps the full list.
Why your gateway didn't catch it
When I raise this with a CTO mid-deal, the first reflex is almost always: "We have an API gateway, we're covered." You are not covered, and it is worth being precise about why. A gateway enforces policy on the endpoints that are registered with it. The orphaned partner API, the internal service a team stood up to hit a quarter, the legacy endpoint left behind when you migrated off the old billing system — none of those route through the gateway. A gateway is a tollbooth on the highway you built; it does nothing for the dirt roads people graded around it. You cannot enforce a policy on traffic you never see, and the endpoints that matter most in due diligence are exactly the ones the gateway has no record of.
The scale problem is what makes manual cleanup hopeless. Astra's API security trend analysis reports that roughly 99% of organizations hit an API security incident in the prior year, and that for every human identity inside the enterprise there are about 82 machine identities — service accounts, integration tokens, internal calls — each one capable of touching an API. A 200-person SaaS company is not securing a few dozen endpoints; it is governing thousands of machine-to-machine paths, most created without a ticket. Hand-auditing that surface before a buyer does is not a sprint task. It is a discovery problem that has to run continuously, or it is not solved at all.
And the category is getting structurally worse, not better. Gartner's 2026 cybersecurity threats and trends analysis projects that nonpatchable attack surface will expand to cover more than half the enterprise through 2026. Undocumented APIs are the most volatile slice of that surface, because you cannot patch what your scanner cannot enumerate. This is the same trap we dissected in why a "platform" acquisition is often a monolith in disguise: the architecture looks integrated on the slide, and the runtime tells a different story. If discovery, classification, and posture management do not happen at runtime — not in a wiki, not in a quarterly review — your integration story is a narrative, not a control.
What to have ready before the auditor arrives
The goal is not perfect security; no one expects that, and claiming it makes a buyer suspicious. The goal is a defensible, owned inventory — being able to answer "what is this endpoint, what does it touch, and who is accountable for it" without a pause. Start there. Run automated discovery using OpenTelemetry instrumentation so every API in the environment gets mapped regardless of whether it sits behind the gateway, on a server someone forgot, or in a cloud account a team opened on a corporate card. Every endpoint that exists gets inventoried, risk-ranked by the data it can reach, and assigned a named owner. The orphaned endpoint isn't dangerous because it's insecure; it's dangerous because no one is accountable for it. Naming an owner is the cheapest control you can buy, and it's the first thing an auditor checks.
From there, govern the highest-risk paths first — the ones touching customer data or third parties. The vendor surface deserves particular paranoia. Vorlon's 2025 healthcare third-party API risk study reports breach costs reaching $10.93 million per incident in that sector, with most successful attacks running through weak third-party APIs and over-broad data-sharing permissions. You may not be in healthcare, but if your SaaS product brokers data between customer systems and outside vendors, that same blast radius applies. Enforce least privilege on every integration token, require sender-constrained credentials for machine-to-machine calls, and treat any third-party API with standing access to your data as a line item a buyer will scrutinize — because they will.
The Monday move is small and concrete: pull a list of every API token and service account with production access, and for each one, write down the human who owns it and the last time anyone confirmed it's still needed. The rows you cannot fill in are your shadow surface, and you would rather find them this week than have a buyer's engineer find them in week two. Bake that discipline into CI/CD so new endpoints register and deprecated ones get retired automatically, and the inventory stays true on its own. When you're assembling the broader data room, our security posture assessment checklist for M&A due diligence lays out what a buyer expects to see — and the difference between a clean inventory and a confident "I don't know" is, very literally, a number on the term sheet.
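As an added illustration (not code from the article), here is the reconciliation described above in Python: observed traffic is compared against the gateway's registered routes and the owned inventory, findings are ranked by the data class each endpoint reaches, and a CI gate refuses any declared route that has no named owner. The spans, gateway registry, inventory and data-class labels are constructed samples; the data-class label is assumed to be attached by your own instrumentation.

```python
"""Reconcile observed API traffic with the gateway registry and the owned inventory."""

# Constructed sample of observed HTTP server spans: (method, route, data class reached).
OBSERVED_SPANS = [
    ("GET", "/v1/customers/{id}", "customer_pii"),
    ("POST", "/v1/invoices", "billing"),
    ("GET", "/partner/v0/export", "customer_pii"),  # the orphaned partner endpoint
    ("GET", "/internal/metrics", "none"),
    ("GET", "/v1/customers/{id}", "customer_pii"),
]

# Constructed gateway registry: only these routes pass through policy enforcement.
GATEWAY_ROUTES = {("GET", "/v1/customers/{id}"), ("POST", "/v1/invoices")}

# Constructed inventory: route -> owner; an empty string means nobody has claimed it.
INVENTORY = {
    ("GET", "/v1/customers/{id}"): "payments-team",
    ("POST", "/v1/invoices"): "payments-team",
    ("GET", "/internal/metrics"): "",
}

# Assumed risk weights by data class; unknown classes get a conservative 1.
RISK_WEIGHT = {"customer_pii": 3, "billing": 2, "none": 0}


def reconcile(spans, gateway, inventory):
    """Return endpoints that bypass the gateway or lack an owner, highest risk first."""
    seen = {}
    for method, route, data_class in spans:
        key = (method, route)
        seen[key] = max(seen.get(key, 0), RISK_WEIGHT.get(data_class, 1))
    findings = []
    for key, weight in seen.items():
        issues = []
        if key not in gateway:
            issues.append("bypasses gateway")
        owner = inventory.get(key)
        if owner is None:
            issues.append("not in inventory")
        elif not owner:
            issues.append("no owner")
        if issues:
            findings.append({"endpoint": f"{key[0]} {key[1]}", "risk": weight, "issues": issues})
    return sorted(findings, key=lambda f: -f["risk"])


def ci_gate(declared_routes, inventory):
    """Routes declared in code that have no inventory entry with a named owner (fail the build if any)."""
    return sorted(f"{m} {r}" for m, r in declared_routes if not inventory.get((m, r)))
```

Feeding real spans and your gateway's export into `reconcile` gives the "rows you cannot fill in" list directly; wiring `ci_gate` into the pipeline keeps new routes from shipping unowned.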