I've sat on both sides of that table, and the pattern repeats with almost boring consistency at companies that grew fast on a small, heroic engineering team. Rapid revenue growth hides architectural rot because nobody gets promoted for documenting an integration — they get promoted for shipping the one that closed the enterprise logo. So the endpoints accumulate, ownership evaporates, and you arrive at exit with a platform that looks impressive on a slide and reads as a liability in a code audit.
You are emphatically not the only company in this spot. Salt Security's State of API Security research found that 94 percent of organizations turned up shadow APIs running in their environment during routine audits — endpoints operating entirely outside the visibility of IT and security. And per Enterprise Management Associates' API documentation benchmark, only about 10 percent of organizations fully document their APIs. So when a buyer's diligence team asks you to produce an inventory and you can speak to a third of it, you've just confirmed the rule, not the exception. The problem is that the rule gets priced into your enterprise value.
Here is the mechanical reality of what happens to that 227-endpoint mystery pile. A technical diligence reviewer doesn't get emotional about spaghetti architecture; they model it. They take your count of unmanaged, unauthenticated endpoints, attach a probability of incident, and multiply by a remediation cost they already have on file. Akamai's API Security Impact research pegs the average cost to remediate a single API security breach in the US at $591,404. That figure is not abstract to the buyer — it's a line item they will subtract from what they're willing to pay, and they'll subtract it with a straight face because you can't prove the exposure isn't there.
The risk isn't theoretical, and your buyer knows the trend line. Salt's more recent global survey reported that 57 percent of organizations suffered an API-related data breach within a two-year window, and of those that were hit, 73 percent had three or more separate incidents. Attackers have moved off the traditional web perimeter and onto APIs precisely because that's where the undocumented, unmonitored doors are. IBM's Threat Intelligence Index found that 31 percent of malicious transactions explicitly targeted shadow APIs — the exact category of endpoint you can't account for.
But the discount isn't only about a hypothetical breach. The deeper penalty is velocity. When two-thirds of your integration layer is undocumented, every new feature ships slower because your engineers spend half their time reverse-engineering whether they're about to break something invisible. A buyer underwriting your forward roadmap sees that drag and re-rates the asset: you presented a turn-key platform; they're now pricing a remediation project with a revenue product attached. That reframing is what costs real multiple, and I unpack the mechanics of it in why a "platform" acquisition is often just a monolith in disguise. If you want to see how this red flag stacks alongside the others buyers hunt for, read the technology due diligence red flags that kill deals before you start cleanup.
You cannot fabricate API governance during a code audit, and you cannot fix this the week the LOI lands. But you can compress it into one focused 90-day sprint that takes you from "we run 342 things and can explain 115" to "here is a documented, owned, gateway-managed inventory." The sequence matters more than the tooling.
Weeks 1–3: discover before you defend. Stand up an API discovery tool that watches live traffic and maps every active endpoint, not just the ones in your code repo. This is the step that produces the honest 342. Gartner's API security forecasting calls APIs a leading attack vector largely because organizations lack basic visibility into their own environment — so visibility is the whole game in this phase. You're building a baseline of truth that separates the endpoints carrying real traffic from the stale ones processing zero and the shadow ones running outside your gateway.
Weeks 4–8: route everything through one front door. Force every endpoint to authenticate through a single API gateway. This stops the bleeding immediately: one control plane gives you universal rate limiting, access control, and logging across all 342 endpoints at once, instead of 342 inconsistent decisions. The act of routing them through one gateway also surfaces which ones simply can't be authenticated cleanly — those are your deprecation candidates. For how to sequence this against your other engineering debt without triggering a doomed rewrite, see a CEO's guide to prioritizing technical debt.
Weeks 9–12: deprecate with a rule, not a debate. Adopt a hard heuristic so the cleanup doesn't dissolve into meetings: if an endpoint has processed no legitimate traffic in 60 days and has no named internal owner, it gets shut down. Apply it to the 227, and watch the number that survives — typically a fraction of the original count — become your documented, owned inventory. When the diligence engineer reruns the capture and you can speak to all of it, the "spaghetti tax" line item disappears from their model. That's not glamorous engineering, but it's likely the highest-return work you'll do in the year before you sell.
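As an added illustration (not code from this article), here is the three-phase sprint reduced to a small script: a constructed inventory joined from a traffic-discovery pass and the repo/service catalogue, classified into managed, shadow and stale, with the 60-day/no-owner deprecation rule applied and the surviving live shadow endpoints flagged for ownership and gateway routing. The Endpoint fields, paths, owners and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample records (not from the article): each endpoint as a traffic
# discovery tool reports it, joined with ownership/doc fields from the catalogue.
@dataclass
class Endpoint:
    path: str
    last_legit_traffic: Optional[date]  # None = never seen legitimate traffic
    owner: Optional[str]                # None = no named internal owner
    documented: bool                    # present in the repo/catalogue
    behind_gateway: bool                # authenticates via the single gateway

TODAY = date(2024, 6, 1)  # constructed reference date for the sprint

INVENTORY = [
    Endpoint("/v1/orders", TODAY - timedelta(days=1), "payments", True, True),
    Endpoint("/v1/legacy/export", TODAY - timedelta(days=120), None, False, False),
    Endpoint("/internal/debug/dump", None, None, False, False),
    Endpoint("/v2/customers", TODAY - timedelta(days=3), None, False, True),
    Endpoint("/v1/reports/nightly", TODAY - timedelta(days=90), "data-eng", True, True),
]

def is_idle(ep: Endpoint, today: date, max_idle_days: int = 60) -> bool:
    """True when the endpoint processed no legitimate traffic inside the window."""
    return ep.last_legit_traffic is None or (today - ep.last_legit_traffic).days > max_idle_days

def classify(ep: Endpoint, today: date) -> str:
    """Weeks 1-3 baseline: 'shadow' = outside docs or gateway; 'stale' = gated but no traffic."""
    if not ep.documented or not ep.behind_gateway:
        return "shadow"
    return "stale" if is_idle(ep, today) else "managed"

def summarize(inventory, today: date) -> dict:
    counts = {"managed": 0, "shadow": 0, "stale": 0}
    for ep in inventory:
        counts[classify(ep, today)] += 1
    return counts

def deprecation_candidates(inventory, today: date, max_idle_days: int = 60) -> list:
    """Weeks 9-12 rule: idle for max_idle_days AND no named owner -> shut it down."""
    return [ep.path for ep in inventory if is_idle(ep, today, max_idle_days) and ep.owner is None]

def needs_owner_and_gateway(inventory, today: date) -> list:
    """Live shadow endpoints that survive the rule: assign an owner and route via the gateway."""
    return [ep.path for ep in inventory
            if classify(ep, today) == "shadow" and not is_idle(ep, today)]
```

Stale endpoints with a named owner (here `/v1/reports/nightly`) deliberately fall outside the shutdown list; the rule leaves them to their owner to document or retire.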