API Protection
API Protection samples your API request/response traffic to discover endpoints, then watches them for threats, data loss and vulnerabilities. It's a plan feature — if your plan doesn't include it, the pages show an upgrade prompt.
Enable it

The Management page turns the capability on. Click Enable API Protection to start request/response sampling — analytics and findings appear here once it's collecting data. The API Protection group then exposes four more pages.
Discovery
Auto-discovers your APIs from custom rules and request/response sampling, building an inventory of your real, live API surface (including shadow/undocumented endpoints).

- Custom Rules — Add Custom Rule to define custom API-discovery rules per website.
- API Request/Response Sampling Frequency — an Enable toggle (then Save) that turns on the traffic sampling Discovery feeds on.
Threat Detection
Flags malicious API behaviour (abuse, injection and other API-specific attacks) on the discovered endpoints. Three tabs: Overview · Threats · Detection Rules.

- Overview — a threat summary for your APIs.
- Threats — the detected threat events.
- Detection Rules — Custom Rules you add (Add Custom Rule) to define custom threat-detection logic.
Data Loss Prevention
Detects sensitive data (PII, secrets…) leaving through API responses. Two tabs: Overview · Detection Rules.

- Overview — a DLP summary.
- Detection Rules — Managed Rules (VNETWORK-maintained data-loss rules) available for the website.
Vulnerability Detection
Surfaces weaknesses in your API endpoints to remediate before they're exploited. Three tabs: Overview · Vulnerabilities · Detection Rules.

- Overview — a dashboard (filter by Time Range): Application / API with Vulnerabilities, Vulnerabilities Risk Level, Vulnerability Trend, and Top-10 breakdowns (API with vulnerability, vulnerability, vulnerability type, source IP).
- Vulnerabilities — the detected findings list.
- Detection Rules — rules that drive vulnerability detection.
Rollout
Enable sampling and let Discovery build the endpoint inventory first, then review Threat Detection / DLP / Vulnerability findings and act. Combine with the AI-WAF API-Specific policy and rate limiting on API routes for layered defense.