
Zombie API

A zombie API is an outdated, deprecated, or supposedly retired API that remains reachable and usable in practice. It matters because old endpoints often escape modern review, authorization fixes, and telemetry coverage.

What is a Zombie API?

Zombie APIs can persist through compatibility shortcuts, forgotten deployments, undocumented routes, or infrastructure drift. Attackers value them because they may expose older auth logic, broader responses, or less monitored behavior than current versions.

What Zombie API Commonly Supports

The term is most often used in API governance, deprecation review, attack-surface cleanup, and exposure management.

Zombie API vs. Retired and Inaccessible API

A zombie API still responds even though teams assume it is gone. A truly retired API is removed, blocked, or otherwise unavailable for use.

Frequently Asked Questions

Why are zombie APIs dangerous?

Because defenders stop thinking about them while attackers keep testing them.

How do teams find zombie APIs?

Traffic review, external scanning, schema inventory, and deprecation audits are common methods.
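As an added illustration (not part of the original glossary entry), the sketch below combines two of these methods, traffic review and schema inventory: it flags any route that still answers in an access log but is not marked active in the inventory. The inventory format, route names, and log lines are constructed for the example, and treating every status other than 404 or 410 as "still answering" is an assumption.

```python
import re
from collections import Counter

# Constructed schema inventory: route template -> lifecycle status.
INVENTORY = {
    "GET /v1/users/{id}": "retired",
    "GET /v2/users/{id}": "deprecated",
    "GET /v3/users/{id}": "active",
    "POST /v3/orders": "active",
}

# Constructed access-log lines (common log format, trimmed).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /v3/users/42 HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2025:10:01:05 +0000] "GET /v1/users/42 HTTP/1.1" 200 2048
198.51.100.9 - - [12/Mar/2025:10:02:11 +0000] "GET /v1/users/43 HTTP/1.1" 200 2051
198.51.100.9 - - [12/Mar/2025:10:02:30 +0000] "GET /v2/users/43 HTTP/1.1" 200 900
198.51.100.9 - - [12/Mar/2025:10:03:00 +0000] "GET /internal/export HTTP/1.1" 200 88000
192.0.2.4 - - [12/Mar/2025:10:04:00 +0000] "GET /v0/users/1 HTTP/1.1" 404 0
192.0.2.4 - - [12/Mar/2025:10:04:09 +0000] "POST /v3/orders HTTP/1.1" 201 64
"""

LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize(path):
    """Drop the query string and replace numeric segments with {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def find_zombies(log_text, inventory):
    """Return {route: (inventory_status, hits)} for routes that answered but are not active."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["status"] in ("404", "410"):  # not found or gone: not answering
            continue
        hits[f'{m["method"]} {normalize(m["path"])}'] += 1
    findings = {}
    for route, count in hits.items():
        status = inventory.get(route, "undocumented")  # absent from the schema inventory
        if status != "active":
            findings[route] = (status, count)
    return findings

if __name__ == "__main__":
    for route, (reason, count) in sorted(find_zombies(SAMPLE_LOG, INVENTORY).items()):
        print(f"{route:24} {reason:13} {count} response(s)")
```

Routes reported as retired or undocumented are candidates for blocking or removal; deprecated ones that still answer need an owner and a shutdown date.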
