The API Security Crisis: How Broken Authorization Is Fueling Global Data Breaches

‍

The contemporary digital economy is increasingly reliant upon the seamless exchange of data between disparate systems, a requirement that has elevated Application Programming Interfaces (APIs) from simple backend tools to the foundational pillars of modern software architecture. As organizations undergo rapid digital transformation, the shift from monolithic application structures toward microservices and cloud-native environments has created a sprawling web of interconnectivity. This architectural evolution is evidenced by the fact that API traffic now constitutes approximately 57% of all dynamic internet traffic globally, reflecting a monumental transition in how data is consumed and processed.¹ However, this explosive growth in API adoption—characterized by a 30% increase in API volume for many enterprises and growth exceeding 100% for a significant quarter of organizations—has outpaced the development of robust security frameworks.³ The resulting "governance gap" has exposed critical vulnerabilities, most notably in the realm of broken authorization and improper inventory management. Recent high-profile events, including the 2022 Optus data breach in Australia and the 2025 research into S&P 500 firms utilizing the AutoSwagger discovery tool, have highlighted the systemic nature of these risks. These incidents demonstrate that even the world’s largest and most technologically sophisticated corporations are susceptible to basic authorization failures that can be exploited with minimal technical skill.

The Microservices Paradox and the Rise of Internal Vulnerability

The transition to microservices was initially championed as a means to enhance system resilience and security through isolation. In theory, by breaking a monolithic application into smaller, independent services, an organization could limit the blast radius of a potential compromise. However, the practical implementation of this architecture has led to what industry experts define as the "Microservices Security Paradox".⁴ Rather than creating isolated, secure enclaves, organizations have inadvertently created a massive internal attack surface. Audits of over forty B2B Software-as-a-Service (SaaS) platforms revealed that the average environment now supports approximately 73 internal APIs.⁴ The critical failure lies in the underlying assumption that the internal network is a trusted environment. This "castle-and-moat" mentality has resulted in a landscape where 31% of internal APIs lack any form of authentication, 68% fail to validate security tokens correctly, and 89% implement no rate limiting on internal endpoints.⁴ In such environments, the compromise of a single internal service can lead to lateral movement and widespread data exfiltration, as these disparate pieces of the broken monolith often trust each other blindly.⁴

This lack of internal oversight is compounded by the phenomenon of "Shadow APIs"—undocumented or uninventoried endpoints that exist outside the purview of the central security team. Market data indicates that machine learning discovery tools consistently identify approximately 30.7% more API endpoints than what organizations self-report, suggesting that nearly a third of an enterprise's API estate is effectively invisible and therefore unsecured.² These shadow APIs are frequently the result of rapid development cycles where "automatic documentation" is seen as a convenience for developers but a liability for security.⁶ When APIs are designed to be self-documenting through tools like Swagger or OpenAPI, they often inadvertently expose their internal structure, parameter requirements, and data types to the public internet.⁷

Case Study: The Optus Breach as a Global Benchmark for API Failure

Arguably the most significant modern example of the dangers inherent in unmanaged API exposure is the September 2022 data breach of Optus, Australia's second-largest telecommunications provider. The incident served as a wake-up call for the global cybersecurity community, illustrating how a single unauthenticated endpoint can lead to the compromise of a nation's sensitive data. The breach affected between 9.5 million and 10 million current and former customers, representing roughly 40% of the Australian population.⁹

Technical Mechanism and the BOLA Epidemic

The Optus breach was not the result of a sophisticated nation-state attack or a zero-day exploit. Instead, it was an exploitation of an unauthenticated API endpoint left exposed on a dormant subdomain.¹⁰ This endpoint was connected to a customer database but lacked any requirement for an API token, key, or user login.¹⁰ The vulnerability was a classic case of Broken Object Level Authorization (BOLA), also known as Insecure Direct Object Reference (IDOR). The attacker identified that the API endpoints were structured predictably, likely utilizing a format such as /users/{userId}. By simply incrementing the userId in a basic Python loop, the attacker could systematically query and receive sensitive customer records.¹⁰

The failure at Optus was two-fold: a failure of inventory management (the dormant subdomain) and a failure of authorization logic (the lack of per-object checks). The system verified neither the identity of the requester nor their right to access specific object instances.¹⁰ This simplicity is what makes BOLA the most dangerous vulnerability in the modern API landscape, as it allows attackers to bypass traditional security controls by abusing legitimate application workflows.¹¹

‍

Organizational and Social Fallout

The consequences for Optus extended far beyond immediate technical remediation. The breach triggered a national security crisis in Australia, requiring federal and state government agencies, including the Australian Cyber Security Centre (ACSC), to coordinate a massive identity replacement program.⁹ In Queensland alone, the Department of Transport and Main Roads was forced to replace over 178,000 driver's licenses.⁹ The incident also led to a $1.5 million ransom demand in Monero cryptocurrency on a dark web forum, though the attacker later claimed to have deleted the data and issued an "apology".¹⁰

The fallout included significant legal challenges, such as class action investigations by law firms like Slater & Gordon and Maurice Blackburn.¹⁷ Furthermore, the breach highlighted the risks of excessive data retention. Millions of the records exposed belonged to individuals who were no longer Optus customers, some dating back years, which increased the organization's attack surface unnecessarily.¹⁴ This led to a broader regulatory shift toward data minimization—the principle that if an organization does not need data, it should not hold it.⁹

Automated Discovery and Testing: The AutoSwagger Paradigm

To address the recurring theme of exposed and unauthenticated APIs, the security research firm Intruder developed and released AutoSwagger in 2025. AutoSwagger is an open-source command-line tool designed to automate the discovery, parsing, and testing of Swagger and OpenAPI documentation for authorization flaws.²⁰ The tool's existence underscores a critical reality in modern cybersecurity: the same tools that help developers build applications faster can be weaponized by attackers to find vulnerabilities more efficiently.

Operational Mechanics of AutoSwagger

AutoSwagger leverages the "self-documenting" nature of modern APIs to map an organization's attack surface. It functions through a series of systematic phases designed to identify endpoints that return sensitive data without proper authentication.

1. Discovery Phase: The tool scans organizational domains to locate exposed API specifications. It attempts to parse direct URLs (ending in .json or .yaml), searches known paths for the Swagger UI (e.g., /swagger-ui.html), and utilizes brute-force methods to find common schema locations like /swagger.json or /openapi.json.⁶
2. Analysis Phase: Once a schema is identified, AutoSwagger parses the documentation to extract every path and method. It generates a list of endpoints to test, including required path and query parameters and expected data types.²¹
3. Testing Phase: The tool sends concurrent, multi-threaded requests to the identified endpoints. It specifically targets the GET method by default but can be configured to include POST, PUT, and DELETE operations.²⁰ It looks for "valid" responses (HTTP 200) where a 401 (Unauthorized) or 403 (Forbidden) response should be expected.⁶
4. Content Analysis: Responses are analyzed for sensitive information. AutoSwagger uses the Presidio engine for PII recognition (names, emails, phone numbers) and regex patterns for secret detection (API keys, tokens, environment variables).²⁰

The Psychology of Vulnerability

The research team at Intruder noted that the vulnerabilities AutoSwagger finds are so simple to exploit that they could be taught to a non-technical user in a single day.⁶ This simplicity is what makes them so pervasive. Developers often prioritize speed and ease of integration, leading them to deploy extensions or plugins that expose API documentation for easier consumption by internal teams or partners. However, if these documentation pages are internet-facing, they provide a "map" for attackers to find deeply nested and complex paths that would be impossible to discover through traditional brute-force.⁶ For example, a path like /1/dashboard/mpn/program/api/config/ is six layers deep; without the schema provided by Swagger, an attacker would never guess its existence.⁶

‍

Research Findings: S&P 500 and Global Enterprise Exposure

In 2025, Intruder conducted a research sweep of S&P 500 firms and major bug bounty targets using AutoSwagger, uncovering a range of critical authorization weaknesses in large-scale production environments.⁶ These findings demonstrate that even three years after the high-profile Optus breach, basic API security hygiene remains a major challenge for the world's most prominent companies.

Exposure in the Microsoft Partner Network (MPN)

One of the most striking findings involved the Microsoft Partner Network. Researchers identified an unauthenticated endpoint named /config that was publicly accessible.⁶ This single endpoint exposed an extensive list of production credentials and API keys for various Microsoft Partner Program data stores. Among the exposed secrets were valid credentials for a Redis database.⁶ Upon verification, these credentials allowed direct access to a database containing the personally identifiable information (PII) of Microsoft Partners, including their names, email addresses, and specific details regarding the training courses and certifications they had completed.⁶ This data is highly valuable for targeted phishing campaigns, as an attacker could pose as internal HR or training staff using legitimate, verified details to gain the trust of employees.⁶

SQL Query Execution at a Multinational Soda Company

Another critical vulnerability was discovered in an API running on Azure Functions for a well-known multinational soda corporation.⁶ The API supported an internal staff training application but was inadvertently exposed to the internet with broken authentication. The researchers discovered an endpoint that allowed the execution of arbitrary SQL queries against the underlying database.⁶ By simply querying the database for its tables and then extracting data from those tables, an attacker could have harvested the entire internal staff directory.⁶ While the data was limited to names, emails, and training progress, the ability to execute direct queries represents a fundamental breakdown in the application's security posture and provides a gateway for more advanced attacks on the organization's identity infrastructure.⁶

Salesforce Data Exposure at a Large Tech Firm

In a third case, AutoSwagger identified an unauthenticated API linked to a Salesforce instance for a large multinational technology company.⁶ The API contained a ByDate URL parameter that could be iterated to retrieve customer records in batches of 1,000.⁶ The research team found that they could potentially exfiltrate over 60,000 customer records, including full names, contact information, and detailed purchase orders.⁶ This type of exposure is particularly dangerous because it bypasses the sophisticated access controls typically associated with enterprise Salesforce environments, instead exposing the data through a poorly secured middleware API.⁶

CVE-2025-0589: Octopus Deploy and AD Enumeration

The vulnerability research also extended into the DevOps toolchain, identifying a significant flaw in Octopus Deploy, a popular deployment automation tool.²³ Designated as CVE-2025-0589, this vulnerability allowed unauthenticated attackers to enumerate Active Directory (AD) user information if the Octopus server was integrated with AD for authentication.²³

The flaw existed in two specific API endpoints:

• GET /api/externalusers/directoryServices?partialName=<Query>
• GET /api/externalgroups/directoryServices?partialName=<Query>

These endpoints were intended for administrators to search for users to assign roles, but due to broken authentication, they were accessible to anyone on the internet.²³ A simple wildcard search allowed an attacker to retrieve JSON blobs containing email addresses, staff names, local AD usernames (DN and SAM), and User Principal Names (UPNs).²³ While responses were capped at 1,000 records, an attacker could iterate through partial names to harvest the entire directory. This information is a "goldmine" for attackers, as it enables highly effective password-spraying and phishing attacks against an organization's internal estate.²³

‍

Vulnerability Profile: CVE-2025-0589

Details

Affected Product

Octopus Deploy (On-Premise versions) ²³

CVSS Severity Score

6.9 (Medium) ²⁴

Attack Vector

Network (Unauthenticated API) ²⁵

Information Exposed

AD Usernames, Emails, Display Names, UPNs ²³

Mitigation Strategy

Upgrade to version 2024.4.7065 or 2024.3.13071 ²³

Patch Release Date

January 14, 2025 ²⁴

The Evolving Standard: OWASP API Security Top 10 (2023)

The recurrence of these vulnerabilities is addressed by the Open Web Application Security Project (OWASP) through its API Security Top 10 project. The 2023 update to the list reflects a shift in the threat landscape, emphasizing that authorization failures are now the primary concern for security practitioners.¹¹

API1:2023 – Broken Object Level Authorization (BOLA)

BOLA remains the number one threat to APIs. It occurs when an API fails to verify if the user has permission to access a specific object instance.¹¹

• Real-world Example: A user changes their own invoice ID from 1001 to 1002 in the URL and successfully retrieves another customer’s billing data.⁴
• Core Mitigation: Implement authorization checks at the data layer for every single function that accesses a database using a user-supplied ID.¹¹

API2:2023 – Broken Authentication

This category focuses on flawed authentication mechanisms that allow attackers to impersonate legitimate users.¹¹

• Real-world Example: An API endpoint for password reset lacks rate limiting, allowing an attacker to brute-force a temporary PIN.²⁹
• Core Mitigation: Use secure, standardized authentication protocols (like OAuth2) and implement strict rate limiting and account lockouts.²⁹

API3:2023 – Broken Object Property Level Authorization (BOPLA)

A new entry for 2023, BOPLA combines "Excessive Data Exposure" and "Mass Assignment." It targets the lack of validation at the field or property level within an object.¹¹

• Real-world Example: An API for updating a user profile allows the client to send a JSON field "is_admin": true, which the server blindly processes, elevating the user's privileges.²⁹
• Core Mitigation: Use allow-lists for properties that can be updated by the client and ensure that API responses only return the minimum required data.¹¹

API5:2023 – Broken Function Level Authorization (BFLA)

BFLA occurs when sensitive administrative functions are exposed to unprivileged users because the system fails to verify the user’s role for specific actions.¹¹

• Real-world Example: A regular user discovers they can access the /api/admin/export_all_users endpoint simply by knowing the URL, as the server only checks if they are logged in, not if they are an admin.²⁹
• Core Mitigation: Implement a consistent authorization module that is called before any sensitive function is executed, ensuring proper Role-Based Access Control (RBAC).²⁹

API9:2023 – Improper Inventory Management

This category addresses the proliferation of Shadow and Zombie APIs. APIs tend to expose more endpoints than traditional web apps, making updated documentation and version control critical.¹¹

• Real-world Example: An organization migrates to v2 of their API but leaves v1 running for legacy support. An attacker finds that v1 lacks the new security patches and exploits it to steal data.²⁹
• Core Mitigation: Maintain a central API registry, decommission old versions aggressively, and implement automated discovery to find untracked endpoints.²⁹

Quantitative Analysis of the Global API Threat Landscape

Industry reports from Salt Security and Cloudflare provide a stark quantitative look at the challenges organizations face. These statistics highlight a widening gap between the scale of API deployment and the maturity of security controls.

Growth and Visibility Challenges

API ecosystems are expanding rapidly, driven by cloud migration and data monetization. Approximately 30% of organizations experienced a 51% to 100% increase in APIs over the past year, while 25% reported growth exceeding 100%.³ Despite this, only 19% to 20% of organizations feel "very confident" in the accuracy of their API inventory.³ This lack of visibility is a critical vulnerability, as 58% of organizations monitor their APIs less than daily.³

Furthermore, the "Shadow API" problem is systemic. Cloudflare’s data shows that machine learning-based discovery consistently uncovers 30.7% more endpoints than what customers manually report.² This suggests that for every three APIs an organization knows about, there is a fourth "ghost" API that is completely unmanaged.

Attack Origins and Targets

A significant trend in API security is the move toward targeting authenticated sessions. Statistics show that 95% of API attack attempts originate from authenticated sources, indicating that attackers are not just trying to "break in"—they are stealing or purchasing legitimate credentials to exploit APIs from the inside.³ External-facing APIs remain the primary target, accounting for 98% of attack attempts, as they are the most accessible entry point into the corporate network.³

‍

API Security Metric (2024-2025)

Percentage of Organizations/Incidents

Organizations experiencing an API incident in the past year

94% ³³

Organizations suffering an API-related data breach (past 2 years)

57% ³⁴

API attacks originating from authenticated users

95% ³

Organizations lacking continuous, real-time API monitoring

80% ³¹

Organizations that have delayed application rollouts due to API risk

50% to 55% ³

Increase in API-related breaches year-over-year (Verizon)

40% ⁷

The financial impact of these security failures is significant. Beyond the immediate costs of remediation (like the AUD 140 million spent by Optus), the average API security incident costs organizations roughly USD 4.45 million.⁸ For many small to medium businesses, these costs are existential, with 60% closing within six months of a major attack.⁸

Regulatory Evolution and The Cost of Non-Compliance

The Optus breach and subsequent research have served as a catalyst for a global shift in regulatory enforcement. In Australia, the fallout has led to record-breaking penalties and a tightening of privacy laws that will serve as a model for other jurisdictions.

The ACCC and Unconscionable Conduct

In October 2024, the Australian Competition and Consumer Commission (ACCC) secured a AUD 100 million penalty against Optus for unconscionable conduct.¹⁵ While the case focused on the exploitation of vulnerable consumers during sales and debt collection, it signaled a new era of aggressive regulatory oversight for large telecommunications providers. The court noted that senior management had been aware of deficiencies in their systems but failed to take prompt action to fix them.¹⁵ This "failure to act" is a recurring theme in major security incidents, where known risks are deprioritized in favor of operational speed.

The OAIC and the Privacy Act 1988

The Office of the Australian Information Commissioner (OAIC) has launched significant civil penalty proceedings against Optus for its failure to protect the PII of 9.5 million Australians.¹⁹ The Commissioner alleges that between October 2019 and September 2022, Optus failed to take "reasonable steps" to protect personal information from unauthorized access, in violation of Australian Privacy Principle 11.1.¹⁹

The potential financial liability for such failures is immense. Under the updated Privacy Act, the Federal Court can impose penalties that are the greater of AUD 50 million, three times the benefit obtained, or 30% of the organization's adjusted turnover.³⁵ Furthermore, a new statutory tort for serious invasions of privacy, commencing in June 2025, will allow individuals to sue organizations directly for reckless intrusions upon seclusion, even without proving actual financial loss.³⁵ This shift significantly increases the legal risk for organizations that fail to implement robust API authorization controls.

Future Horizons: AI Agents and the MCP Security Gap

As organizations integrate Generative AI and autonomous agents into their business flows, a new frontier of API risk is emerging. AI models do not operate in isolation; they depend on APIs to call tools, retrieve data, and execute actions. This has led to the adoption of the Model Context Protocol (MCP) and the deployment of MCP servers.³⁶

The Risks of Autonomous Autonomy

The rush to operationalize AI agents has outpaced security oversight. MCP servers are often deployed without central management and are frequently exposed to the public internet, making them a new and high-value target for attackers.³⁶ If an AI agent has access to an unauthenticated API, it can be manipulated through "prompt injection" to exfiltrate data or perform unauthorized actions. Salt Security’s research found that only 19% of organizations feel confident in their ability to monitor these new AI-driven API connections, creating a critical blind spot in the modern security fabric.³¹

The Defensive Shift: AI-Powered Protection

To counter these threats, security providers are launching "Defensive AI" solutions. These include behavior-based user risk scoring and natural language interfaces like "Ask Pepper AI," which allow security analysts to query their entire API estate for risks using plain English.³⁶ These tools use machine learning to differentiate between benign anomalies and actual attacks, identifying malicious intent with a claimed 92% accuracy.³⁹ The goal is to provide "Illuminate Everything" capabilities—surfacing shadow, zombie, and unmanaged APIs across complex multi-cloud and hybrid environments.³⁷

Strategic Conclusions and Future Outlook

The current state of API security is defined by a systemic failure in basic authorization and inventory management. The research into S&P 500 firms and the devastating fallout from the Optus breach demonstrate that "complex" vulnerabilities are rare; most catastrophic failures stem from simple, unauthenticated endpoints that return massive volumes of sensitive data. The emergence of tools like AutoSwagger has democratized the ability to find these flaws, making them accessible to attackers of all skill levels.

To secure the digital future, organizations must move beyond reactive scanning and embrace a "Posture Governance" model. This includes:

1. De-Exposure of Documentation: Implementing "defense in depth" by ensuring that API specifications and Swagger UI pages are not publicly accessible unless there is a legitimate business requirement.⁶
2. Shift-Left Authorization: Integrating authorization testing into the CI/CD pipeline, ensuring that every new endpoint is checked for BOLA and BFLA before it reaches production.⁸
3. Data Minimization and Retention Reform: Drastically reducing the volume of sensitive data held by the organization. As the Optus case proved, if you don't hold the data, you can't lose it.⁹
4. Real-Time, Behavior-Based Monitoring: Moving away from static IP-based rate limiting toward session-based, behavioral analysis that can detect the slow, iterative exfiltration patterns characteristic of BOLA attacks.⁵
5. Unified API Inventory: Bridging the gap between what developers ship and what security sees by using machine learning-based discovery to eliminate the 30% "Shadow API" blind spot.²

The transition to an API-centric world is irreversible, but the current levels of exposure are unsustainable. As regulatory bodies impose billion-dollar penalties and individuals gain the right to sue for privacy invasions, the "governance gap" in API security will increasingly determine not just an organization's security posture, but its long-term viability in the global market. The lesson from 2022 through 2025 is clear: in the age of the programmable web, a single unauthenticated endpoint is a doorway to systemic failure.

Works cited

1. 2024 API Security Trends and Predictions - Cloudflare TV, accessed January 7, 2026, https://cloudflare.tv/event/2024-api-security-trends-and-predictions/ja43n3vn
2. New Cloudflare Report Shows Organizations Struggle to Identify and Manage Cybersecurity Risks of APIs, accessed January 7, 2026, https://www.cloudflare.com/press/press-releases/2024/new-cloudflare-report-shows-organizations-struggle-to-identify-and-manage/
3. 99% of Organizations Report API-Related Security Issues - Infosecurity Magazine, accessed January 7, 2026, https://www.infosecurity-magazine.com/news/99-organizations-report-api/
4. The API Security Hole That Cost Optus $11M (And Why Your Microservices Are Next), accessed January 7, 2026, https://medium.com/@thekareneme/the-api-security-hole-that-cost-optus-11m-and-why-your-microservices-are-next-aff60d947f0f
5. Introducing Cloudflare's 2024 API security and management report, accessed January 7, 2026, https://blog.cloudflare.com/2024-api-security-report/
6. Broken Authorization in APIs: Introducing Autoswagger - Intruder.io, accessed January 7, 2026, https://www.intruder.io/research/broken-authorization-apis-autoswagger
7. Intruder releases free tool to detect broken API authorization - SiliconANGLE, accessed January 7, 2026, https://siliconangle.com/2025/07/22/intruder-releases-free-tool-detect-broken-api-authorization/
8. Autoswagger: The Free API Security Tool Every Developer Needs in 2025 - Medium, accessed January 7, 2026, https://medium.com/@neorusiwork/autoswagger-the-free-api-security-tool-every-developer-needs-in-2025-e429086bacfe
9. Optus data breach | Community support - Queensland Government, accessed January 7, 2026, https://www.qld.gov.au/community/your-home-community/cyber-security/cyber-security-for-queenslanders/case-studies/optus-data-breach
10. Optus-breach-lessons-top-10-api-security-takeaways - AppSentinels, accessed January 7, 2026, https://appsentinels.ai/blog/optus-breach-lessons-top-10-api-security-takeaways/
11. OWASP API Security Project, accessed January 7, 2026, https://owasp.org/www-project-api-security/
12. What is the OWASP API Security Top 10? - Cloudflare, accessed January 7, 2026, https://www.cloudflare.com/learning/security/api/owasp-api-security-top-10/
13. 2022 Optus data breach - Wikipedia, accessed January 7, 2026, https://en.wikipedia.org/wiki/2022_Optus_data_breach
14. 5 Lessons from the Optus Data Breach for Telecom and Third-Party Risk - SecurityScorecard, accessed January 7, 2026, https://securityscorecard.com/blog/5-lessons-from-the-optus-data-breach-for-telecom-and-third-party-risk/
15. Federal Court orders Optus to pay $100m penalty for unconscionable conduct | ACCC, accessed January 7, 2026, https://www.accc.gov.au/media-release/federal-court-orders-optus-to-pay-100m-penalty-for-unconscionable-conduct
16. OPTUS 2022 CYBER ATTACK: SHINING A LIGHT ON THE INEVITABLE - IIS Partners, accessed January 7, 2026, https://iis-partners.squarespace.com/s/Optus-Data-Breach-Whitepaper-2022-10-25.pdf
17. Optus Data Breach Insights and Actions | PDF - Scribd, accessed January 7, 2026, https://www.scribd.com/document/834742353/Optus-Used-Websites
18. 2022 Optus Data Breach Representative Complaint - Maurice Blackburn, accessed January 7, 2026, https://www.mauriceblackburn.com.au/class-actions/join-a-class-action/optus-data-breach-2022/
19. Australian Information Commissioner takes civil penalty action against Optus - OAIC, accessed January 7, 2026, https://www.oaic.gov.au/news/media-centre/australian-information-commissioner-takes-civil-penalty-action-against-optus
20. intruder-io/autoswagger: Autoswagger by Intruder - detect ... - GitHub, accessed January 7, 2026, https://github.com/intruder-io/autoswagger
21. Autoswagger: Open-source tool to expose hidden API authorization flaws, accessed January 7, 2026, https://www.helpnetsecurity.com/2025/07/24/autoswagger-open-source-tool-expose-hidden-api-authorization-flaws/
22. Intruder Introduces Autoswagger: The Free Tool To Expose Hidden API Authorization Flaws, accessed January 7, 2026, https://www.businesswire.com/news/home/20250722587023/en/Intruder-Introduces-Autoswagger-The-Free-Tool-To-Expose-Hidden-API-Authorization-Flaws
23. Unauthenticated Access to Active Directory via Octopus Deploy (CVE-2025-0589), accessed January 7, 2026, https://www.intruder.io/research/octopus-deploy-cve-2025-0589
24. CVE-2025-0589 Impact, Exploitability, and Mitigation Steps | Wiz, accessed January 7, 2026, https://www.wiz.io/vulnerability-database/cve/cve-2025-0589
25. CVE-2025-0589 | Vulnerability Database | Aqua Security, accessed January 7, 2026, https://avd.aquasec.com/nvd/2025/cve-2025-0589/
26. In affected versions of Octopus Deploy where customers... · CVE-2025-0589 - GitHub, accessed January 7, 2026, https://github.com/advisories/GHSA-p76j-345f-qxpw
27. Octopus Deploy | Specs, reviews and EoL info - InvGate, accessed January 7, 2026, https://invgate.com/itdb/octopus-deploy
28. OWASP API Security Top 10 Vulnerabilities: 2023 - APIsecurity.io, accessed January 7, 2026, https://apisecurity.io/owasp-api-security-top-10/
29. OWASP API Security Top 10 (2023) — Explained with Examples and Mitigations - Medium, accessed January 7, 2026, https://medium.com/@mukundsv333/owasp-api-security-top-10-2023-explained-with-examples-and-mitigations-f7759801b532
30. OWASP Top 10 API Security Risks – 2023, accessed January 7, 2026, https://owasp.org/API-Security/editions/2023/en/0x11-t10/
31. H2 2025 State of API Report - EM360Tech, accessed January 7, 2026, https://em360tech.com/whitepapers/h2-state-of-api-report
32. Q1 2025 State of API - Salt Security, accessed January 7, 2026, https://content.salt.security/rs/352-UXR-417/images/2024%20State%20of%20API%20Security_x.pdf
33. The Future of API Security: Trends, AI & Automation in 2025 - Aikido, accessed January 7, 2026, https://www.aikido.dev/blog/future-of-api-security
34. 2025 Global State of API Security | Traceable AI, accessed January 7, 2026, https://www.traceable.ai/wp-content/uploads/2024/10/2025-Global-State-of-API-Security.pdf
35. Optus faces OAIC legal action following 2022 data breach - DMAW Lawyers, accessed January 7, 2026, https://dmawlawyers.com.au/insights/optus-faces-oaic-legal-action-following-2022-data-breach
36. Salt Security Unveils New AI-Powered Capabilities, Expanding API Visibility and Protecting Emerging MCP Infrastructure, accessed January 7, 2026, https://www.itsecurityguru.org/2025/12/05/salt-security-unveils-new-ai-powered-capabilities-expanding-api-visibility-and-protecting-emerging-mcp-infrastructure/
37. Salt Security Outpaces API Security Market with "12 Months of Innovation" in 2025, Delivering a New API and AI Security Breakthrough Every Month - PR Newswire, accessed January 7, 2026, https://www.prnewswire.com/news-releases/salt-security-outpaces-api-security-market-with-12-months-of-innovation-in-2025-delivering-a-new-api-and-ai-security-breakthrough-every-month-302644308.html
38. Security Week 2024 - Updates and Annoucements - Cloudflare, accessed January 7, 2026, https://www.cloudflare.com/security-week-2024/updates/
39. Salt Security Named an Overall Leader in KuppingerCole 2025 Leadership Compass for API Security and Management, accessed January 7, 2026, https://www.itsecurityguru.org/2025/08/20/salt-security-named-an-overall-leader-in-kuppingercole-2025-leadership-compass-for-api-security-and-management/
40. Cloudflare Releases 2024 API Security and Management Report - InfoQ, accessed January 7, 2026, https://www.infoq.com/news/2024/01/cloudflare-api-security-report/

‍