It's almost a certainty that a good pen test or Red Team exercise will find APIs that are out of date, misconfigured or not properly managed. Defending these, and establishing a stronger security stance, is difficult, if not impossible, for many organizations simply because they do not know about a considerable portion of the APIs they have in use. APIs are often introduced directly by departments, business units and even individuals without the knowledge of security or IT. Because many of these APIs are invisible to security teams, they are impossible to properly secure. This presentation examines the problem of hidden APIs and how to establish a practice of complete discovery and maintain an up-to-date inventory and knowledge of APIs.