API security testing has a foundational problem. The tools that find vulnerabilities need to know what endpoints exist before they can test them. Static analysis reads the code. Documentation, where it exists, reflects what someone remembered to write down. Neither approach reliably captures what an API actually does in production — the undocumented endpoints, the deprecated routes still accepting requests, the internal paths exposed through a frontend nobody audited.

Vespasian approaches this differently. Rather than reading what the API is supposed to be, it watches what the API does.

How it works

Vespasian is an open-source tool that captures live HTTP traffic — either through a headless browser session or by ingesting existing captures from Burp Suite, HAR files, or mitmproxy — and converts that observed traffic into structured API specifications. REST traffic becomes OpenAPI 3.0. GraphQL traffic produces SDL. SOAP produces WSDL. The pipeline separates capture from generation deliberately, which means you can feed it existing traffic data without re-running a session.

The classification engine uses confidence-scored heuristics to distinguish API types, normalises paths with parameterised deduplication to avoid treating /user/123 and /user/456 as separate endpoints, and includes a tiered GraphQL introspection strategy with WAF bypass fallbacks — a meaningful detail for environments where introspection is intentionally restricted.

The output is not a report. It is a machine-readable specification that feeds directly into downstream testing. Vespasian integrates with Praetorian's Hadrian platform for automated BOLA and BFLA testing, which closes the loop: discover endpoints from live traffic, generate the spec, run authorisation logic testing against what was actually observed. No manual spec creation. No guesswork about what the API surface actually looks like.

Why this matters operationally

BOLA — broken object level authorisation — has sat at the top of the OWASP API Security Top 10 because it is both common and genuinely difficult to detect without knowing the full endpoint inventory. Vespasian addresses the inventory problem directly. For AppSec teams running penetration tests or continuous attack surface management, the gap between what documentation claims and what traffic reveals is often where the material findings live.

The open-source release also means this capability is now available outside commercial engagement budgets.

Defender actions

  • Run Vespasian against your own applications before your next penetration test — the delta between your documented API surface and the observed surface is your blind spot
  • Use generated OpenAPI specs as input for automated authorisation testing, specifically BOLA and BFLA checks on object-level access controls
  • Feed Vespasian captures into your DAST pipeline to replace or supplement manually maintained specs
  • In SIEM, cross-reference observed API endpoints from traffic logs against your documented inventory — undocumented endpoints in production are an unmanaged risk surface
  • Treat any endpoint not present in your official specification as requiring explicit security review before the next release cycle
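As an added illustration (not Vespasian's own code) of the parameterised path deduplication described under "How it works" and of the documented-versus-observed delta the first and fourth defender actions call for, the following Python collapses captured request paths into OpenAPI templates, deduplicates them by method, emits a minimal OpenAPI 3.0 document, and diffs the observed inventory against a documented path set. The parameter heuristics, the sample capture and the documented paths are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Segment heuristics for "this is really a parameter" (assumed here; the page does not show Vespasian's rules).
VARIABLE = [
    re.compile(r"^\d+$"),                                              # numeric ids
    re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I),  # UUIDs
]

def is_variable(seg):
    return any(p.match(seg) for p in VARIABLE)

def normalise_path(path):
    """Collapse variable segments into {param} placeholders; the query string is dropped."""
    segments = path.split("?", 1)[0].strip("/").split("/")
    out = []
    for i, seg in enumerate(segments):
        if is_variable(seg):
            # Name the placeholder after the preceding static segment, e.g. /user/123 -> /user/{user_id}
            prev = segments[i - 1] if i and not is_variable(segments[i - 1]) else None
            out.append("{%s_id}" % prev if prev else "{id}")
        else:
            out.append(seg)
    return "/" + "/".join(out)

def observed_endpoints(requests):
    """Deduplicate (method, path) pairs from a capture into template -> set of methods."""
    inventory = defaultdict(set)
    for method, path in requests:
        inventory[normalise_path(path)].add(method.lower())
    return inventory

def to_openapi(inventory):
    """Emit a minimal OpenAPI 3.0 document from the observed inventory."""
    paths = {}
    for tmpl, methods in sorted(inventory.items()):
        params = [{"name": n, "in": "path", "required": True, "schema": {"type": "string"}}
                  for n in re.findall(r"\{([^}]+)\}", tmpl)]
        paths[tmpl] = {m: {"parameters": params, "responses": {"200": {"description": "observed"}}}
                       for m in sorted(methods)}
    return {"openapi": "3.0.0", "info": {"title": "observed API", "version": "0.1"}, "paths": paths}

def undocumented(inventory, documented_paths):
    """Observed templates absent from the documented spec: the blind spot to review."""
    return sorted(set(inventory) - set(documented_paths))

# Constructed sample capture, shaped like what parsing a HAR or Burp export would yield.
SAMPLE = [("GET", "/user/123"), ("GET", "/user/456"), ("PUT", "/user/456"),
          ("GET", "/user/123/orders/9f1c2b3a-1234-5678-9abc-def012345678"),
          ("GET", "/internal/export?format=csv"), ("POST", "/v1/legacy/import")]
DOCUMENTED = {"/user/{user_id}", "/user/{user_id}/orders/{orders_id}"}  # constructed "official" spec paths
```

Running `undocumented(observed_endpoints(SAMPLE), DOCUMENTED)` on the sample yields the two routes absent from the documented set, which is the review queue the last defender action describes.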