Short answer: traditional DAST scanners miss most API vulnerabilities because they crawl HTML pages an API does not have, ignore the schema that defines its real attack surface, and test for injection instead of the broken-authorization flaws that cause actual API breaches. The fix is schema-aware, authenticated testing wired into CI/CD so it runs on every pull request. The rest of this article shows why the old model breaks and how to close the gap.

In September 2022 an attacker walked off with the personal records of up to 10 million Optus customers, close to 40% of Australia's population, straight out of a public API (as Reuters reported). No exploit chain, no zero-day. The endpoint required no authentication and returned a customer record for whatever identifier it was given, and the identifiers were sequential, so the attacker just counted upward and collected the lot. A conventional DAST scanner pointed at that service would almost certainly have reported nothing wrong: every request it sent would have come back as a well-formed 200 response.
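The pattern behind that breach, as an added example that is not from the article and is not Optus' code: a constructed customer-lookup handler with the flaw (no identity, record returned for any identifier) beside a hardened one that authenticates the caller and checks that the requested record belongs to them, plus an enumeration loop that plays the attacker against both. The data, tokens and function names are all assumptions made for the example.

```python
"""Added example (not from the article, not Optus' code): a broken-object-level
authorization flaw and its fix, exercised by a "count upward" enumeration loop.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Customer:
    customer_id: int
    name: str
    email: str


# Constructed sample data with sequential identifiers, the property that lets
# an attacker walk the whole table by incrementing a number.
CUSTOMERS = {
    1001: Customer(1001, "Ada", "ada@example.com"),
    1002: Customer(1002, "Bob", "bob@example.com"),
    1003: Customer(1003, "Cy", "cy@example.com"),
}

# Hypothetical bearer tokens for the hardened handler: token -> customer_id.
SESSIONS = {
    "tok-ada": 1001,
    "tok-bob": 1002,
}


class Unauthorized(Exception):
    """No valid caller identity was presented."""


class Forbidden(Exception):
    """Caller is known but does not own the requested record."""


def _serialize(c: Customer) -> dict:
    return {"id": c.customer_id, "name": c.name, "email": c.email}


def lookup_vulnerable(customer_id: int) -> Optional[dict]:
    """Flawed handler: no authentication, no ownership check.

    Any identifier that exists gets its record back, so the response itself
    tells an attacker which numbers are worth keeping.
    """
    c = CUSTOMERS.get(customer_id)
    return None if c is None else _serialize(c)


def lookup_hardened(customer_id: int, bearer: Optional[str]) -> dict:
    """Hardened handler: authenticate the caller, then authorize per record."""
    if bearer is None or bearer not in SESSIONS:
        raise Unauthorized("missing or invalid token")
    caller_id = SESSIONS[bearer]
    # Same error whether the record exists or not, so a rejected request does
    # not confirm which identifiers are valid.
    if caller_id != customer_id or customer_id not in CUSTOMERS:
        raise Forbidden("not your record")
    return _serialize(CUSTOMERS[customer_id])


def enumerate_records(fetch: Callable[[int], Optional[dict]],
                      start: int, stop: int) -> list[dict]:
    """Play the attacker: try every identifier in [start, stop) and keep hits."""
    found = []
    for cid in range(start, stop):
        try:
            rec = fetch(cid)
        except (Unauthorized, Forbidden):
            continue
        if rec is not None:
            found.append(rec)
    return found


if __name__ == "__main__":
    leaked = enumerate_records(lookup_vulnerable, 1000, 1010)
    print(f"vulnerable endpoint leaked {len(leaked)} records")
    own = enumerate_records(lambda c: lookup_hardened(c, "tok-bob"), 1000, 1010)
    print(f"hardened endpoint, valid token: {len(own)} record (the caller's own)")
    anon = enumerate_records(lambda c: lookup_hardened(c, None), 1000, 1010)
    print(f"hardened endpoint, no token: {len(anon)} records")
```

The vulnerable handler is what a crawler-style scanner would happily exercise: it returns valid JSON for every probe and contains no injection sink, so nothing trips. The check that matters is the comparison between the authenticated caller and the record owner, and that check only shows up as a finding if the test harness holds two identities and asks for one user's object with the other user's token.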

That gap is what this article is about. Most dynamic application security testing (DAST) tools were built for a web of server-rendered pages and HTML forms, and they quietly fall apart on the APIs that now carry the bulk of application traffic. The analyst firm Gartner had already projected that API abuses would become the leading attack vector behind enterprise data breaches (via VentureBeat), and incidents like Optus turned that forecast into routine news. What follows is why classic scanners miss API flaws, a bug one will never flag, and how to get real API coverage running on every pull request.