From eea8b884ae33fd05a2fa369475e29edfe5034ff2 Mon Sep 17 00:00:00 2001
From: DeForest Richards <deforest.richards@datadoghq.com>
Date: Tue, 12 May 2026 12:54:25 -0600
Subject: [PATCH 1/3] Extract Services and API Findings into their own pages

---
 config/_default/menus/main.en.yaml            | 10 +++
 .../_index.md}                                | 71 ++-----------------
 .../api_posture/api_inventory/api_findings.md | 33 +++++++++
 .../api_posture/api_inventory/services.md     | 33 +++++++++
 .../guide/security-findings-migration.md      |  2 +-
 layouts/partials/nav/left-nav.html            |  2 +-
 6 files changed, 84 insertions(+), 67 deletions(-)
 rename content/en/security/application_security/api_posture/{api_inventory.md => api_inventory/_index.md} (77%)
 create mode 100644 content/en/security/application_security/api_posture/api_inventory/api_findings.md
 create mode 100644 content/en/security/application_security/api_posture/api_inventory/services.md

diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index 66f26b9de92..47d80af616d 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -7896,6 +7896,16 @@ menu:
       parent: application_security_api_security
       identifier: asm_api_security
       weight: 1
+    - name: Services
+      url: security/application_security/api_posture/api_inventory/services/
+      parent: asm_api_security
+      identifier: asm_api_security_services
+      weight: 10000
+    - name: API Findings
+      url: security/application_security/api_posture/api_inventory/api_findings/
+      parent: asm_api_security
+      identifier: asm_api_security_api_findings
+      weight: 10001
     - name: Endpoint Scanning
       url: security/application_security/api_posture/endpoint_scanning/
       parent: application_security_api_security
diff --git a/content/en/security/application_security/api_posture/api_inventory.md b/content/en/security/application_security/api_posture/api_inventory/_index.md
similarity index 77%
rename from content/en/security/application_security/api_posture/api_inventory.md
rename to content/en/security/application_security/api_posture/api_inventory/_index.md
index d639bff120f..773b5a1ad7b 100644
--- a/content/en/security/application_security/api_posture/api_inventory.md
+++ b/content/en/security/application_security/api_posture/api_inventory/_index.md
@@ -19,18 +19,18 @@ API security relies on visibility. The biggest failure mode in most applications
     
     Each API endpoint is a unique entry point where data or functionality can be accessed. The API Endpoints explorer enables shadow API (undocumented endpoints with no API definition and not detected from Amazon API Gateway) and orphan API (documented endpoints without traffic) detection, asset management, and risk prioritization at the granularity attackers exploit.
 
-2. **Services:** *Where do risky APIs live, who owns them, and how severe is their collective risk?*
+2. **[Services][20]:** *Where do risky APIs live, who owns them, and how severe is their collective risk?*
     
     A service groups multiple endpoints into a logical or deployed component (typically aligned with a microservice, app, or backend system).
-3. **API Findings:** *Which API weaknesses, attacks, or misconfigurations require investigation or remediation?*
+3. **[API Findings][21]:** *Which API weaknesses, attacks, or misconfigurations require investigation or remediation?*
     
     API Findings are security detections and policy evaluation results tied to endpoints. These represent known or inferred weaknesses or threats in API behavior or configuration.
 
 These explorers correspond to the common API security operational flow: 
 
 1. **Discover:** Identify what endpoints exist using **API Endpoints**.
-2. **Contextualize:** Identify ownership and dependencies using **Services**.
-3. **Detect and respond:** See where misconfigurations are, and where attacks could occur, using **API Findings**.
+2. **Contextualize:** Identify ownership and dependencies using **[Services][20]**.
+3. **Detect and respond:** See where misconfigurations are, and where attacks could occur, using **[API Findings][21]**.
 
 ## API Endpoints
 
@@ -239,66 +239,6 @@ Custom authentication detection is possible by configuring [Endpoint Tagging Rul
 |PHP       | v1.15.0                |
 |Golang    | v2.4.0                 |
 
-## Services
-
-The **Services** explorer shows where findings from API Endpoints, vulnerabilities, and runtime signals converge by service. Consider it the operational risk view of your applications.
-
-Review your services for the following:
-
-- **Vulnerability risk:** The **Vulnerability Risk** column shows aggregated SCA and IAST results for each service. Vulnerable services have components needing patching or upgrading.
-- **Signals and attacks:** Click a service to see charts showing ongoing detections for active exploit attempts or recurring attack patterns.
-- **Sensitive data exposure:** Services processing PII (such as SSNs or emails) demand stricter controls and monitoring.
-- **Coverage and mode:** Use the **App & API Protection In Monitoring Mode**, **App & API Protection In Blocking Mode**, and the **Inactive** facet to identify where App and API Protection is enabled and enforcing runtime protection.
-- **Trend graphs:** The **Trend** column indicates activity and attack frequency over time.
-
-### Coverage
-
-The **Coverage** column shows the active protection and analysis capabilities for each service. Use **Coverage** to measure the completeness of your protection stack.
-
-For example, here are some use cases for **Coverage**:
-
-- **Runtime protection coverage with App and API Protection**: 
-  - Identify the services in **Monitoring** or **Blocking** mode.
-  - Move ready-to-block services into blocking mode to actively stop attacks.
-  - Investigate inactive services to see if instrumentation or configuration gaps are leaving APIs exposed.
-- **Software Composition Analysis (SCA) coverage**:
-  - Track the services with analyzed open source dependencies.
-  - Enable SCA for unscanned services to detect vulnerable libraries early.
-  - Prioritize patching inactive services with high dependency risk.
-- **Runtime Code Analysis (IAST) coverage**:
-  - Pinpoint where code-level vulnerability detection is missing.
-  - Enable IAST for production or high-risk apps to uncover exploitable issues in live traffic.
-  - Use results to confirm whether library vulnerabilities are actually reachable in code.
-
-## API Findings
-
-**API Findings** provides a central triage view of all detected API risks across definitions, gateways, and live traffic. It provides a set of default rules to detect common vulnerabilities and misconfigurations. You can also set up [custom rules][12] to adapt to specific use cases.
-
-**API Findings** columns:
-
-- **Severity:** Each issue is ranked by risk.
-- **Endpoints:** Shows how many endpoints are affected and their services.
-- **Status and Ticketing:** `Open` or `In Progress` tracks remediation progress and workflow integration.
-
-Use the **Service** facet to see each service's endpoints to identify ownership and prioritize by business impact.
-
-### Common operations
-
-Click a finding to view its details and perform a workflow such as Validate > Investigate > Fix > Track:
-
-1. Validate:
-   - Review **What Happened** and **Detected In** to ensure the detection is accurate (service, endpoint, method).
-   - In **Next Steps**, choose whether to **Mute**, **Create Ticket**, or **Run Workflow** depending on ownership and impact.
-2. Investigate:
-   - Use the **Context** tab to examine the endpoint snapshot and attributes (method, path, authentication flags, tags).
-   - **Dectected In** provides information for routing ownership and remediation.
-   - In **Detection Rule Query**, you can edit an API finding rule by clicking **See Detection Rule**.
-3. Fix: 
-   - Follow the guidance under **Remediation**.
-4. Track:
-   - Use **Create Ticket** to link the issue to your tracking system.
-   - Use **Reference Links** for developer education or code review.
-
 ## Further reading
 
 {{< partial name="whats-next/whats-next.html" >}}
@@ -312,7 +252,6 @@ Click a finding to view its details and perform a workflow such as Validate > In
 [9]: /integrations/amazon-web-services
 [10]: /integrations/amazon-api-gateway
 [11]: /security/application_security/setup/
-[12]: /security/application_security/policies/custom_rules/
 [13]: /internal_developer_portal/software_catalog/entity_model/native_entities/?tab=api#native-entity-types
 [14]: https://app.datadoghq.com/security/appsec/policies/scanners
 [15]: https://app.datadoghq.com/security/configuration/asm/trace-tagging
@@ -320,3 +259,5 @@ Click a finding to view its details and perform a workflow such as Validate > In
 [17]: /internal_developer_portal/software_catalog/set_up/create_entities/#through-the-datadog-ui
 [18]: /internal_developer_portal/software_catalog/entity_model/
 [19]: /security/application_security/api_posture/endpoint_scanning/
+[20]: /security/application_security/api_posture/api_inventory/services/
+[21]: /security/application_security/api_posture/api_inventory/api_findings/
diff --git a/content/en/security/application_security/api_posture/api_inventory/api_findings.md b/content/en/security/application_security/api_posture/api_inventory/api_findings.md
new file mode 100644
index 00000000000..5a4513b5b40
--- /dev/null
+++ b/content/en/security/application_security/api_posture/api_inventory/api_findings.md
@@ -0,0 +1,33 @@
+---
+title: API Findings
+description: Triage detected API risks across definitions, gateways, and live traffic.
+---
+
+**API Findings** provides a central triage view of all detected API risks across definitions, gateways, and live traffic. It provides a set of default rules to detect common vulnerabilities and misconfigurations. You can also set up [custom rules][1] to adapt to specific use cases.
+
+**API Findings** columns:
+
+- **Severity:** Each issue is ranked by risk.
+- **Endpoints:** Shows how many endpoints are affected and their services.
+- **Status and Ticketing:** `Open` or `In Progress` tracks remediation progress and workflow integration.
+
+Use the **Service** facet to see each service's endpoints to identify ownership and prioritize by business impact.
+
+## Common operations
+
+Click a finding to view its details and perform a workflow such as Validate > Investigate > Fix > Track:
+
+1. Validate:
+   - Review **What Happened** and **Detected In** to ensure the detection is accurate (service, endpoint, method).
+   - In **Next Steps**, choose whether to **Mute**, **Create Ticket**, or **Run Workflow** depending on ownership and impact.
+2. Investigate:
+   - Use the **Context** tab to examine the endpoint snapshot and attributes (method, path, authentication flags, tags).
+   - **Detected In** provides information for routing ownership and remediation.
+   - In **Detection Rule Query**, you can edit an API finding rule by clicking **See Detection Rule**.
+3. Fix: 
+   - Follow the guidance under **Remediation**.
+4. Track:
+   - Use **Create Ticket** to link the issue to your tracking system.
+   - Use **Reference Links** for developer education or code review.
+
+[1]: /security/application_security/policies/custom_rules/
diff --git a/content/en/security/application_security/api_posture/api_inventory/services.md b/content/en/security/application_security/api_posture/api_inventory/services.md
new file mode 100644
index 00000000000..4394e5414aa
--- /dev/null
+++ b/content/en/security/application_security/api_posture/api_inventory/services.md
@@ -0,0 +1,33 @@
+---
+title: Services
+description: View where API findings, vulnerabilities, and runtime signals converge by service.
+---
+
+The **Services** explorer shows where findings from API Endpoints, vulnerabilities, and runtime signals converge by service. Consider it the operational risk view of your applications.
+
+Review your services for the following:
+
+- **Vulnerability risk:** The **Vulnerability Risk** column shows aggregated SCA and IAST results for each service. Vulnerable services have components needing patching or upgrading.
+- **Signals and attacks:** Click a service to see charts showing ongoing detections for active exploit attempts or recurring attack patterns.
+- **Sensitive data exposure:** Services processing PII (such as SSNs or emails) demand stricter controls and monitoring.
+- **Coverage and mode:** Use the **App & API Protection In Monitoring Mode**, **App & API Protection In Blocking Mode**, and the **Inactive** facet to identify where App and API Protection is enabled and enforcing runtime protection.
+- **Trend graphs:** The **Trend** column indicates activity and attack frequency over time.
+
+## Coverage
+
+The **Coverage** column shows the active protection and analysis capabilities for each service. Use **Coverage** to measure the completeness of your protection stack.
+
+For example, here are some use cases for **Coverage**:
+
+- **Runtime protection coverage with App and API Protection**: 
+  - Identify the services in **Monitoring** or **Blocking** mode.
+  - Move ready-to-block services into blocking mode to actively stop attacks.
+  - Investigate inactive services to see if instrumentation or configuration gaps are leaving APIs exposed.
+- **Software Composition Analysis (SCA) coverage**:
+  - Track the services with analyzed open source dependencies.
+  - Enable SCA for unscanned services to detect vulnerable libraries early.
+  - Prioritize patching inactive services with high dependency risk.
+- **Runtime Code Analysis (IAST) coverage**:
+  - Pinpoint where code-level vulnerability detection is missing.
+  - Enable IAST for production or high-risk apps to uncover exploitable issues in live traffic.
+  - Use results to confirm whether library vulnerabilities are actually reachable in code.
diff --git a/content/en/security/guide/security-findings-migration.md b/content/en/security/guide/security-findings-migration.md
index 5130e224490..de1cac79ac1 100644
--- a/content/en/security/guide/security-findings-migration.md
+++ b/content/en/security/guide/security-findings-migration.md
@@ -150,7 +150,7 @@ Security findings encompass misconfigurations, vulnerabilities, and security ris
 [10]: /security/cloud_security_management/identity_risks/
 [11]: /security/security_inbox/?s=attack%20path#types-of-findings-in-security-inbox
 [12]: /security/code_security/iac_security/
-[13]: /security/application_security/api_posture/api_inventory/#api-findings
+[13]: /security/application_security/api_posture/api_inventory/api_findings/
 [14]: /help
 [15]: /api/latest/security-monitoring/#list-findings
 [16]: /api/latest/security-monitoring/#get-a-finding
diff --git a/layouts/partials/nav/left-nav.html b/layouts/partials/nav/left-nav.html
index 873426ad853..abb7e13e4ed 100644
--- a/layouts/partials/nav/left-nav.html
+++ b/layouts/partials/nav/left-nav.html
@@ -69,7 +69,7 @@
                                             <ul class="list-unstyled sub-menu {{ if not (in (slice "automatic_instrumentation" "custom_instrumentation" "dyninst" "single_step_apm" "auto_dd_libraries" "observability_pipelines_reference_processing_language" "observability_pipelines_vector_configuration" "cloud_cost_container_cost_allocation" "cloud_cost_saas_cost_integrations" "csm_setup_enterprise" "csm_setup_pro" "csm_setup_cloud_workload_security" "cspm_frameworks_benchmarks" "cspm_findings_explorer" "cws_workload_security_rules" "otel_integrations" "otel_collector_configuration" "rum_dashboards"
                                             "rum_browser_setup" "rum_browser" "rum_session_replay_browser" "rum_session_replay_mobile" "rum_mobile_android" "rum_mobile_ios" "rum_mobile_flutter" "rum_mobile_kotlin" "rum_mobile_react_native" "rum_mobile_roku" "rum_mobile_unity" "rum_correlate_with_other_telemetry_profiling" "pa_session_replay_mobile" "pa_session_replay_browser" "cloudcraft_api_aws_accounts" "cloudcraft_api_azure_accounts" "cloudcraft_api_blueprints" "cloudcraft_api_budgets" "cloudcraft_api_users" "appsec_enabling_single_step" "appsec_enabling_tracing_libraries" "synthetics_platform_dashboards" "synthetics_private_location" "synthetics_results_explorer" "ndm_netflow" "dashboards_ddsql_editor_reference" "application_security_software_composition_analysis_setup"
                                             "application_security_code_security_setup" "tracing_proxies" "appsec_threats_management_setup" "observability_pipelines_log_volume_control" "observability_pipelines_dual_ship_logs" "observability_pipelines_archive_logs" "observability_pipelines_split_logs" "observability_pipelines_sensitive_data_redaction" "observability_pipelines_log_enrichment" "observability_pipelines_install_the_worker" "csm_setup_agentless_scanning" "observability_pipelines_generate_metrics" "log_explorer_calculated_fields" "test_impact_analysis_setup" "dbm_setup_postgres_rds" "dbm_postgres_supabase" "sca_setup_runtime" "ndm_setup" "otel-setup-collector-exporter" "otel-setup-intake-endpoint" "otel_guides_migration" "otel-api-dd-sdk" "otel-setup-agent" "ide_plugins_idea" "ide_plugins_vscode" "agent_configuration_proxy"
-                                            "software_catalog_set_up" "software_catalog_entity_model" "asm_serverless" "otel-setup-ddot" "otel-setup-other" "cloud_siem_custom_detection_rules" "llm_obs_managed_evaluations" "llm_obs_external_evaluations" "cnm_analytics" "cloud_siem_open_cybersecurity_schema_framework" "infrastructure_livecontainers_explorer" "otel-dd-sdk-parent" "llm_obs_custom_llm_as_a_judge_evaluations" "ndm_profiles" "synthetics_notifications_template_variables" "dev_tool_int_mcp_server") .Identifier) }}d-none{{ end }}">
+                                            "software_catalog_set_up" "software_catalog_entity_model" "asm_serverless" "otel-setup-ddot" "otel-setup-other" "cloud_siem_custom_detection_rules" "llm_obs_managed_evaluations" "llm_obs_external_evaluations" "cnm_analytics" "cloud_siem_open_cybersecurity_schema_framework" "infrastructure_livecontainers_explorer" "otel-dd-sdk-parent" "llm_obs_custom_llm_as_a_judge_evaluations" "ndm_profiles" "synthetics_notifications_template_variables" "dev_tool_int_mcp_server" "asm_api_security") .Identifier) }}d-none{{ end }}">
 
                                             {{/*  LEVEL 4 */}}
                                             {{ range .Children }}

From ea16f4f7a1d900ff95a5a8dd9c2c126fbc0dd045 Mon Sep 17 00:00:00 2001
From: DeForest Richards <deforest.richards@datadoghq.com>
Date: Tue, 12 May 2026 13:01:14 -0600
Subject: [PATCH 2/3] Extract Sensitive Data Detection into its own page

---
 config/_default/menus/main.en.yaml            |  5 +++
 .../api_posture/api_inventory/_index.md       | 30 ----------------
 .../api_posture/sensitive_data_detection.md   | 34 +++++++++++++++++++
 3 files changed, 39 insertions(+), 30 deletions(-)
 create mode 100644 content/en/security/application_security/api_posture/sensitive_data_detection.md

diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index 47d80af616d..e0c5dec82af 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -7911,6 +7911,11 @@ menu:
       parent: application_security_api_security
       identifier: application_security_endpoint_scanning
       weight: 2
+    - name: Sensitive Data Detection
+      url: security/application_security/api_posture/sensitive_data_detection/
+      parent: application_security_api_security
+      identifier: application_security_sensitive_data_detection
+      weight: 10000
     - name: Guides
       url: security/application_security/guide/
       parent: application_security
diff --git a/content/en/security/application_security/api_posture/api_inventory/_index.md b/content/en/security/application_security/api_posture/api_inventory/_index.md
index 773b5a1ad7b..d683f6018df 100644
--- a/content/en/security/application_security/api_posture/api_inventory/_index.md
+++ b/content/en/security/application_security/api_posture/api_inventory/_index.md
@@ -158,35 +158,6 @@ datadog:
 
 Without explicit `codeLocations`, endpoints may not merge correctly with data from other sources.
 
-### Processing sensitive data
-
-[App and API Protection][2] matches known patterns for sensitive data in API requests and responses. If it finds a match, the endpoint is tagged with the category and type of sensitive data processed.
-
-The matching occurs within your application, and none of the sensitive data is sent to Datadog.
-
-#### Supported data types
-
-To see the supported data types (for example, `payment:card`), use the **Schema Sensitive Data** facet. You can also see the data type used in the **Sensitive Data** column.
-
-#### Create API data scanners
-
-By default, Datadog App and API Protection scans for PII, credentials, and payment types. Sensitive Data Detection provides API data scanners to define custom scanner data patterns beyond the defaults and improve visibilty into the sensitive data of your API traffic. 
-
-In an API data scanner, you define a scanner category and type to classify API endpoints processing sensitive data (for example, `health_info:patient_id`). Next, you define the JSON key or value conditions that trigger the scanner.
-
-When the scanner detects sensitive data, it tags the API endpoint with the category and type and displays it in [API Endpoints][7].
-
-To create an API data scanner and view its results, do the following:
-
-1. In App and API Protection **Policies**, go to [Sensitive Data Detection][14].
-2. Click **New Scanner**.
-3. In **Select your scanner tags**, define the category and type to classify the senstive data. The scanner tags API endpoints with the format `category:type`.
-4. In **Define conditions on JSON keys and values**, define the JSON key or value conditions to trigger the scanner.
-5. Click **Save Scanner**. The scanner is enabled by default.
-6. To view the results of the scanner, go to App and API Protection [API Endpoints][7].
-7. In the **Schema Sensitive Data** facet, the category and type of your custom scanner is listed in the format `category:type`. Customer scanner `category:type` tags are also visible in the **Sensitive Data** column of the explorer.
-
-
 ### Business logic
 
 These tags (`(users.login.success`, `users.login.failure`, etc.) are determined by the presence of business logic traces associated with the endpoint.
@@ -253,7 +224,6 @@ Custom authentication detection is possible by configuring [Endpoint Tagging Rul
 [10]: /integrations/amazon-api-gateway
 [11]: /security/application_security/setup/
 [13]: /internal_developer_portal/software_catalog/entity_model/native_entities/?tab=api#native-entity-types
-[14]: https://app.datadoghq.com/security/appsec/policies/scanners
 [15]: https://app.datadoghq.com/security/configuration/asm/trace-tagging
 [16]: /integrations/guide/source-code-integration/
 [17]: /internal_developer_portal/software_catalog/set_up/create_entities/#through-the-datadog-ui
diff --git a/content/en/security/application_security/api_posture/sensitive_data_detection.md b/content/en/security/application_security/api_posture/sensitive_data_detection.md
new file mode 100644
index 00000000000..685ac6eb08c
--- /dev/null
+++ b/content/en/security/application_security/api_posture/sensitive_data_detection.md
@@ -0,0 +1,34 @@
+---
+title: Sensitive Data Detection
+description: Detect and tag API endpoints that process sensitive data in requests and responses.
+---
+
+[App and API Protection][1] matches known patterns for sensitive data in API requests and responses. If it finds a match, the endpoint is tagged with the category and type of sensitive data processed.
+
+The matching occurs within your application, and none of the sensitive data is sent to Datadog.
+
+## Supported data types
+
+To see the supported data types (for example, `payment:card`), use the **Schema Sensitive Data** facet. You can also see the data type used in the **Sensitive Data** column.
+
+## Create API data scanners
+
+By default, Datadog App and API Protection scans for PII, credentials, and payment types. Sensitive Data Detection provides API data scanners to define custom scanner data patterns beyond the defaults and improve visibility into the sensitive data of your API traffic. 
+
+In an API data scanner, you define a scanner category and type to classify API endpoints processing sensitive data (for example, `health_info:patient_id`). Next, you define the JSON key or value conditions that trigger the scanner.
+
+When the scanner detects sensitive data, it tags the API endpoint with the category and type and displays it in [API Endpoints][2].
+
+To create an API data scanner and view its results, do the following:
+
+1. In App and API Protection **Policies**, go to [Sensitive Data Detection][3].
+2. Click **New Scanner**.
+3. In **Select your scanner tags**, define the category and type to classify the sensitive data. The scanner tags API endpoints with the format `category:type`.
+4. In **Define conditions on JSON keys and values**, define the JSON key or value conditions to trigger the scanner.
+5. Click **Save Scanner**. The scanner is enabled by default.
+6. To view the results of the scanner, go to App and API Protection [API Endpoints][2].
+7. In the **Schema Sensitive Data** facet, the category and type of your custom scanner is listed in the format `category:type`. Custom scanner `category:type` tags are also visible in the **Sensitive Data** column of the explorer.
+
+[1]: /security/application_security/
+[2]: https://app.datadoghq.com/security/appsec/inventory/apis
+[3]: https://app.datadoghq.com/security/appsec/policies/scanners

From e95554e7b5d7bd03c29792273a9377b1b3fb04ba Mon Sep 17 00:00:00 2001
From: DeForest Richards <deforest.richards@datadoghq.com>
Date: Wed, 13 May 2026 16:16:52 -0600
Subject: [PATCH 3/3] Extract Data sources into its own page

---
 config/_default/menus/main.en.yaml            |  5 ++
 .../api_posture/api_inventory/_index.md       | 75 +-----------------
 .../api_posture/api_inventory/data_sources.md | 76 +++++++++++++++++++
 3 files changed, 84 insertions(+), 72 deletions(-)
 create mode 100644 content/en/security/application_security/api_posture/api_inventory/data_sources.md

diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index e0c5dec82af..178704b0cf4 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -7906,6 +7906,11 @@ menu:
       parent: asm_api_security
       identifier: asm_api_security_api_findings
       weight: 10001
+    - name: Data sources
+      url: security/application_security/api_posture/api_inventory/data_sources/
+      parent: asm_api_security
+      identifier: asm_api_security_data_sources
+      weight: 10002
     - name: Endpoint Scanning
       url: security/application_security/api_posture/endpoint_scanning/
       parent: application_security_api_security
diff --git a/content/en/security/application_security/api_posture/api_inventory/_index.md b/content/en/security/application_security/api_posture/api_inventory/_index.md
index d683f6018df..7cb1b0c50f6 100644
--- a/content/en/security/application_security/api_posture/api_inventory/_index.md
+++ b/content/en/security/application_security/api_posture/api_inventory/_index.md
@@ -86,77 +86,9 @@ API Endpoints uses [Remote Configuration][1] to manage and configure scanning ru
 
 To verify whether discovered endpoints are publicly accessible and require authentication, enable [Endpoint Scanning][19]. Endpoint Scanning actively scans eligible endpoints and enriches API Posture Inventory with verified public accessibility, authentication status, HTTP response status, and last evaluation data.
 
-The following risks are calculated for each endpoint.
-
-### Data sources
-
-In the [API Endpoints][7] explorer, the **Data Sources** show where visibility originates.
-
-The following data sources are explored.
-
-#### Amazon API Gateway
-
-The Amazon API Gateway service formally defines your API structure. Datadog AWS integration reads this pre-defined configuration from the Amazon API Gateway, and then Datadog uses this configuration to create API endpoint entries in **Inventory**.
-
-Use **AWS API Gateway** in **Data Source** to gain visibility into these exposed endpoints. You can also use the query `datasource:aws_apigateway`.
-
-#### Software Catalog
-
-The **Software Catalog** data source shows API endpoints that Datadog learned about from the formal specification uploaded to Datadog. The API specification is attached to, or registered as, a dedicated API component within the IDP service entity.
-
-This source ensures that your API inventory is complete by including all planned and formally documented endpoints.
-
-#### APM traces
-
-The **Spans** data source shows real traffic and data exposure. Remediation should be performed in code, config, or access controls immediately.
-
-What actions you take depend on each of the attack surfaces:
+For details on where endpoint visibility originates, see [Data sources][22].
 
-- **Vulnerabilities:** Patch any vulnerable libraries surfaced by SCA or Runtime Code Analysis, then redeploy the service.
-- **API findings discovered:** Review each issue in context of the traced service, fix any code or configurations, and then validate using new traces.
-- **Processing sensitive data:** Confirm data handling complies with policy, sanitize or encrypt PII, and limit access to necessary services.
-- **Unauthenticated endpoint:** If the endpoint is not intentionally public, enforce authentication and update service configurations.
-
-#### Static Endpoint Discovery
-
-<div class="alert alert-info">Static Endpoint Discovery is in Preview.</div>
-
-{{< site-region region="gov,gov2" >}}
-<div class="alert alert-warning">Static Endpoint Discovery is not available for the {{< region-param key="dd_site_name" >}} site.</div>
-{{< /site-region >}}
-
-The **Source Code** data source shows API endpoints discovered directly from your source code. This complements runtime-based discovery by surfacing endpoints earlier in the development life cycle, including endpoints that may not receive live traffic.
-
-To use this data source, configure the [Source Code Integration][16] with GitHub, GitLab, or Azure DevOps. The following languages and frameworks are supported:
-
-| Language | Framework |
-|----------|-----------|
-| Python   | FastAPI, Flask, Tornado |
-| Java     | Spring    |
-| Go       | Beego, Chi, Echo, Fiber, Gin, Gorilla Mux, fasthttp, go-zero |
-| C#       | ASP.NET Core MVC |
-| Node.js  | Express, Fastify |
-
-To filter for source code endpoints, use **Source Code** in the **Data Source** facet or the query `datasource:source_code`. Scans run when code is pushed to the default branch and on an 8-hour recurring schedule. Discovered endpoints are removed after 12 hours if they are not re-discovered by a subsequent scan.
-
-##### Map source code endpoints to services
-
-Static Endpoint Discovery uses heuristics to infer which service an endpoint belongs to. For more accurate mapping, explicitly define service-to-code relationships using the `codeLocations` field in your [Software Catalog service definition (v3 schema)][18]:
-
-```yaml
-apiVersion: v3
-kind: service
-metadata:
-  name: my-service
-  owner: my-team
-datadog:
-  codeLocations:
-    - repositoryURL: https://github.com/org/myrepo.git
-      paths:
-        - path/to/service/code/**
-```
-
-Without explicit `codeLocations`, endpoints may not merge correctly with data from other sources.
+The following risks are calculated for each endpoint.
 
 ### Business logic
 
@@ -225,9 +157,8 @@ Custom authentication detection is possible by configuring [Endpoint Tagging Rul
 [11]: /security/application_security/setup/
 [13]: /internal_developer_portal/software_catalog/entity_model/native_entities/?tab=api#native-entity-types
 [15]: https://app.datadoghq.com/security/configuration/asm/trace-tagging
-[16]: /integrations/guide/source-code-integration/
 [17]: /internal_developer_portal/software_catalog/set_up/create_entities/#through-the-datadog-ui
-[18]: /internal_developer_portal/software_catalog/entity_model/
 [19]: /security/application_security/api_posture/endpoint_scanning/
 [20]: /security/application_security/api_posture/api_inventory/services/
 [21]: /security/application_security/api_posture/api_inventory/api_findings/
+[22]: /security/application_security/api_posture/api_inventory/data_sources/
diff --git a/content/en/security/application_security/api_posture/api_inventory/data_sources.md b/content/en/security/application_security/api_posture/api_inventory/data_sources.md
new file mode 100644
index 00000000000..c7f4b23acb5
--- /dev/null
+++ b/content/en/security/application_security/api_posture/api_inventory/data_sources.md
@@ -0,0 +1,76 @@
+---
+title: Data sources
+description: Understand the sources Datadog uses to populate the API endpoint inventory.
+---
+
+In the [API Endpoints][1] explorer, the **Data Sources** show where visibility originates.
+
+The following data sources are explored.
+
+## Amazon API Gateway
+
+The Amazon API Gateway service formally defines your API structure. Datadog AWS integration reads this pre-defined configuration from the Amazon API Gateway, and then Datadog uses this configuration to create API endpoint entries in **Inventory**.
+
+Use **AWS API Gateway** in **Data Source** to gain visibility into these exposed endpoints. You can also use the query `datasource:aws_apigateway`.
+
+## Software Catalog
+
+The **Software Catalog** data source shows API endpoints that Datadog learned about from the formal specification uploaded to Datadog. The API specification is attached to, or registered as, a dedicated API component within the IDP service entity.
+
+This source ensures that your API inventory is complete by including all planned and formally documented endpoints.
+
+## APM traces
+
+The **Spans** data source shows real traffic and data exposure. Remediation should be performed in code, config, or access controls immediately.
+
+What actions you take depend on each of the attack surfaces:
+
+- **Vulnerabilities:** Patch any vulnerable libraries surfaced by SCA or Runtime Code Analysis, then redeploy the service.
+- **API findings discovered:** Review each issue in context of the traced service, fix any code or configurations, and then validate using new traces.
+- **Processing sensitive data:** Confirm data handling complies with policy, sanitize or encrypt PII, and limit access to necessary services.
+- **Unauthenticated endpoint:** If the endpoint is not intentionally public, enforce authentication and update service configurations.
+
+## Static Endpoint Discovery
+
+<div class="alert alert-info">Static Endpoint Discovery is in Preview.</div>
+
+{{< site-region region="gov,gov2" >}}
+<div class="alert alert-warning">Static Endpoint Discovery is not available for the {{< region-param key="dd_site_name" >}} site.</div>
+{{< /site-region >}}
+
+The **Source Code** data source shows API endpoints discovered directly from your source code. This complements runtime-based discovery by surfacing endpoints earlier in the development life cycle, including endpoints that may not receive live traffic.
+
+To use this data source, configure the [Source Code Integration][2] with GitHub, GitLab, or Azure DevOps. The following languages and frameworks are supported:
+
+| Language | Framework |
+|----------|-----------|
+| Python   | FastAPI, Flask, Tornado |
+| Java     | Spring    |
+| Go       | Beego, Chi, Echo, Fiber, Gin, Gorilla Mux, fasthttp, go-zero |
+| C#       | ASP.NET Core MVC |
+| Node.js  | Express, Fastify |
+
+To filter for source code endpoints, use **Source Code** in the **Data Source** facet or the query `datasource:source_code`. Scans run when code is pushed to the default branch and on an 8-hour recurring schedule. Discovered endpoints are removed after 12 hours if they are not re-discovered by a subsequent scan.
+
+### Map source code endpoints to services
+
+Static Endpoint Discovery uses heuristics to infer which service an endpoint belongs to. For more accurate mapping, explicitly define service-to-code relationships using the `codeLocations` field in your [Software Catalog service definition (v3 schema)][3]:
+
+```yaml
+apiVersion: v3
+kind: service
+metadata:
+  name: my-service
+  owner: my-team
+datadog:
+  codeLocations:
+    - repositoryURL: https://github.com/org/myrepo.git
+      paths:
+        - path/to/service/code/**
+```
+
+Without explicit `codeLocations`, endpoints may not merge correctly with data from other sources.
+
+[1]: https://app.datadoghq.com/security/appsec/inventory/apis
+[2]: /integrations/guide/source-code-integration/
+[3]: /internal_developer_portal/software_catalog/entity_model/