# APIs at Risk

Identify and manage APIs at risk with Pynt’s automated risk scoring system. Pynt assigns a risk score to each API endpoint based on the likelihood and impact of detected vulnerabilities, using a sophisticated risk matrix. This scoring system helps you quickly identify which APIs are most at risk, allowing you to prioritize security efforts where they are needed most.

The risk score is calculated by analyzing the vulnerabilities found during security scans, considering both the probability of exploitation and the potential damage they could cause. By understanding the risk levels of your APIs, you can take targeted actions to mitigate threats and protect your critical assets. Pynt’s risk scoring system provides a clear and actionable overview of your API security posture, helping you maintain a secure and resilient API environment.

### Likelihood

The likelihood of occurrence is determined through a systematic evaluation of the potential that a threat actor can successfully exploit a specific vulnerability or a combination thereof.

### Impact

The Impact score for a threat signifies the potential extent of harm resulting from the exploitation of a detected vulnerability. This includes unauthorized information disclosure, unauthorized information alteration, unauthorized information destruction, or the loss of both information and information system availability.

The table below shows the impact and likelihood assigned to each vulnerability category\*

| Category                            | Impact | Likelihood |
| ----------------------------------- | ------ | ---------- |
| Business Logic                      | 2      | 4          |
| Injections                          | 4      | 4          |
| Authentication bypass               | 2      | 4          |
| Mass Assignment                     | 2      | 1          |
| Server-Side request forgery         | 3      | 3          |
| Stack trace in response             | 2      | 1          |
| Lack of Resources and Rate Limiting | 2      | 4          |
| File path manipulation              | 3      | 3          |

* When the endpoint processes Personally Identifiable Information (PII), it amplifies the impact score of the vulnerabilities.
* The presence of multiple vulnerabilities within a single endpoint can elevate the impact, such as when Broken Object Level Authorization (BOLA) and insufficient rate limiting co-occur, leading to the highest impact score. In other cases the maximum score is applied.
* Should our system lack sufficient details regarding the endpoint, such as absent documentation and tests not executed on the endpoint, the risk will be indicated as N/A.

### Risk Matrix

Each finding's risk level is one of four categories: Critical, High, Medium, or Low. It is determined by assessing the magnitude of the potential impact and the likelihood of exploitation, with reference to the table below.

<figure><img src="/files/weCABscrBnKLSFpJ96qy" alt=""><figcaption><p>Risk Matrix</p></figcaption></figure>
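The scoring rules from the category table and its footnotes, combined with a matrix of the same shape as the figure, as an added Python example that is not Pynt's code: the category scores are copied from the table, while the one-point PII uplift, the Critical/High/Medium/Low cut-offs and the "no findings means Low" rule are assumptions, since the page gives the matrix only as an image.

```python
# Added example, not Pynt's implementation. Scores an endpoint from the
# category table plus the footnote rules. ASSUMPTIONS: the PII uplift is +1
# (capped at 4), the level cut-offs below are illustrative, and an endpoint
# with no findings is rated Low.
from typing import Iterable

# (impact, likelihood) per category, copied from the table on this page.
CATEGORY_SCORES = {
    "Business Logic": (2, 4),
    "Injections": (4, 4),
    "Authentication bypass": (2, 4),
    "Mass Assignment": (2, 1),
    "Server-Side request forgery": (3, 3),
    "Stack trace in response": (2, 1),
    "Lack of Resources and Rate Limiting": (2, 4),
    "File path manipulation": (3, 3),
}
MAX_SCORE = 4


def risk_level(impact: int, likelihood: int) -> str:
    """ASSUMED matrix: bucket the impact x likelihood product into four levels."""
    product = impact * likelihood
    if product >= 12:
        return "Critical"
    if product >= 8:
        return "High"
    if product >= 4:
        return "Medium"
    return "Low"


def endpoint_risk(findings: Iterable[str], handles_pii: bool = False,
                  documented: bool = True, tested: bool = True) -> str:
    """Combine every finding on one endpoint into a single risk level."""
    # Footnote 3: without documentation and without tests, risk is N/A.
    if not documented and not tested:
        return "N/A"
    findings = list(findings)
    if not findings:
        return "Low"  # assumption: nothing detected -> lowest level
    impacts, likelihoods = [], []
    for category in findings:
        impact, likelihood = CATEGORY_SCORES[category]  # KeyError if unknown
        # Footnote 1: PII handling amplifies impact (uplift size is assumed).
        if handles_pii:
            impact = min(impact + 1, MAX_SCORE)
        impacts.append(impact)
        likelihoods.append(likelihood)
    # Footnote 2: with several findings the maximum scores are applied.
    # (The BOLA + rate-limiting escalation is not modelled: BOLA has no row.)
    return risk_level(max(impacts), max(likelihoods))
```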

### OpenAPI/Swagger-based risk calculation

When risk is assessed using API documentation only, it is determined as follows:

Likelihood: The likelihood score is derived from factors such as the attack surface (e.g., the number of parameters), the authentication method or its absence, and the types of the parameters handled.

Impact: The impact score is calculated from the endpoint's sensitivity, such as whether it handles PII.
