Salt Security

Category: API Security
License: Commercial
Suphi Cankurt
AppSec Enthusiast
Updated February 13, 2026
5 min read
Key Takeaways
  • API security platform using behavioral ML to discover shadow/zombie APIs and detect logic-based attacks (BOLA, credential stuffing, data exfiltration) without added request latency.
  • Policy Hub ships with ~100 pre-loaded posture rules covering PCI DSS, HIPAA, GDPR, SOC 2, NIST, CMMC, and FedRAMP compliance.
  • MCP Protect and Agentic AI Governance secure AI agent interactions with MCP servers, while GitHub Connect discovers risky MCP servers in source code.
  • Agentless deployment connects to AWS, Azure, GCP, and API gateways (Kong, Apigee, MuleSoft) via traffic mirroring — no architecture changes required.

Salt Security is an API security tools platform that uses behavioral ML to discover APIs, detect logic-based attacks, and enforce posture governance across cloud environments. The platform — called Salt Illuminate — works by analyzing live API traffic without adding latency to the request path.

[Image: Salt Security Unified Inventory dashboard showing API hosts, data sources, and risk scores]

Founded in 2016 and headquartered in Palo Alto, Salt was one of the first companies focused exclusively on API security. The company was co-founded by CEO Roey Eliyahu and COO Michael Nicosia. Enterprise customers include Alaska Airlines, Hyundai, Stryker, SoFi, Kingston Technology, and Standard Bank Group.

What is Salt Security?

Salt Security addresses a gap most security teams know about but struggle to close: you can’t protect APIs you don’t know exist. The platform combines API discovery, posture governance, and runtime threat detection under one product.

Salt deploys agentlessly. Connect your cloud accounts, API gateways, or traffic mirrors, and the platform starts mapping your API landscape within minutes. No inline agents, no added request latency, no architecture changes required.

Salt Illuminate Platform
The core AI engine that powers discovery, posture analysis, and threat detection across all API traffic and cloud environments.
Agentless Deployment
Connects to cloud environments (AWS, Azure, GCP), API gateways, and traffic sources without inline agents. Zero impact on request latency.
Behavioral Threat Detection
Baselines normal API behavior over time and detects attacker intent through anomalies, not signatures.

Key Features

Feature           | Details
API Discovery     | Shadow, zombie, internal, external, and third-party APIs via traffic, cloud connectors, and external surface scanning
Posture Governance| ~100 pre-loaded policy rules covering PCI DSS, HIPAA, GDPR, SOC 2, NIST, CMMC, FedRAMP
Threat Detection  | BOLA, credential stuffing, data exfiltration, account takeover, injection, API abuse
Data Security     | PII, PHI, and payment data tracking across API traffic in motion
AI Agent Security | MCP Protect for MCP server monitoring, Agentic AI Governance controls, GitHub Connect for code-level MCP discovery
Deployment        | Cloud SaaS or on-premises, agentless with traffic mirroring

API discovery

Salt discovers APIs through multiple data sources simultaneously:

  • Salt Connect — Pulls API metadata from AWS, Azure, GCP, and gateways like Kong, Apigee, and MuleSoft. Agentless, cloud-native discovery.
  • Salt Surface — Scans your external attack surface from an adversary’s perspective, finding public-facing APIs that internal tools miss.
  • Traffic analysis — Monitors live API traffic to identify undocumented endpoints, including shadow APIs and deprecated-but-still-active zombie APIs.
  • GitHub Connect — Scans public and private GitHub repositories to identify shadow APIs and MCP servers in source code before they reach production. Launched November 2025.

[Image: Salt Security API discovery dashboard showing traffic inventory, most attacked APIs, and geographic traffic distribution]

The platform automatically tags each discovered API with metadata: risk score, authentication type, data classification (PII, PHI), environment, and service owner. You can filter and group by any of these in the dashboard.

Key Differentiator
Salt combines three discovery methods — cloud connectors, external surface scanning, and live traffic analysis — in one platform. Most API security tools rely on a single approach, and Salt’s own research found that CDN-based tools alone leave 30.7% of APIs undiscovered.

Posture governance

The Policy Hub ships with nearly 100 pre-loaded posture rules. Categories include PCI DSS, HIPAA, GDPR, SOC 2, NIST, CMMC, FedRAMP, OAuth, access control, data security, and API architecture standards.

[Image: Salt Security Posture Policy Hub showing compliance categories including PCI DSS, operational security, and data privacy rules]

Each rule triggers a posture gap when violated. The dashboard groups gaps by severity (Critical, High, Medium) so you know where to focus first. You can also create custom posture rules in three clicks and export reports for auditors.

[Image: Salt Security Posture Gaps dashboard showing severity breakdown and policy violations per API endpoint]

Behavioral threat detection

Salt Protect baselines normal API behavior over days and weeks, then flags deviations that match attacker patterns. This catches logic-based attacks that WAFs and signature tools miss — things like slow credential stuffing, BOLA exploitation, and gradual data scraping.

Attack types Salt detects:

  • BOLA/IDOR — Broken Object Level Authorization, the #1 API vulnerability per OWASP
  • Credential stuffing — Automated login attempts across API endpoints
  • Data exfiltration — Systematic extraction of data through API responses
  • Account takeover — Session and token manipulation attacks
  • API abuse — Rate limiting bypasses and resource exhaustion
  • Injection — SQL, NoSQL, and command injection through API parameters
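The baseline-then-deviate approach described above can be made concrete with a small detector. The following is an added example written for this page, not Salt's engine or any code from Salt: it learns, from a constructed "training" log, how many distinct order objects a normal session touches, then flags sessions in a later window that exceed that baseline (the enumeration pattern behind BOLA/IDOR and data scraping), and separately flags a single source that fails logins across many different usernames (credential stuffing). The log format, the `/api/v1/orders/{id}` route, the thresholds and all IPs, sessions and usernames are constructed assumptions.

```python
"""Toy behavioral baseline for API access logs (added example, not Salt's code).

Log format (constructed for this example):
<timestamp> <client ip> <session> <method> <path> <status> user=<name>
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed "learning period" traffic: ordinary users reading a few of their own orders.
BASELINE_LOG = """\
2026-02-03T10:00:01Z 192.0.2.10 s1 GET /api/v1/orders/1001 200 user=alice
2026-02-03T10:00:05Z 192.0.2.10 s1 GET /api/v1/orders/1002 200 user=alice
2026-02-03T11:12:40Z 192.0.2.11 s2 GET /api/v1/orders/2001 200 user=bob
2026-02-04T08:30:00Z 192.0.2.12 s3 GET /api/v1/orders/3001 200 user=carol
2026-02-04T08:30:09Z 192.0.2.12 s3 GET /api/v1/orders/3002 200 user=carol
2026-02-04T08:31:15Z 192.0.2.12 s3 GET /api/v1/orders/3003 200 user=carol
2026-02-05T14:02:22Z 192.0.2.13 s4 GET /api/v1/orders/4001 200 user=dave
2026-02-05T14:02:30Z 192.0.2.13 s4 GET /api/v1/orders/4002 200 user=dave
"""

# Constructed "detection window": one normal session (s5), one session walking
# sequential order IDs (s6), one source failing logins for six different users,
# and one user who simply mistypes their own password twice.
DETECTION_LOG = """\
2026-02-10T09:00:00Z 192.0.2.20 s5 GET /api/v1/orders/5001 200 user=erin
2026-02-10T09:00:04Z 192.0.2.20 s5 GET /api/v1/orders/5002 200 user=erin
""" + "".join(
    f"2026-02-10T09:01:{i:02d}Z 203.0.113.7 s6 GET /api/v1/orders/{1000 + i} 200 user=mallory\n"
    for i in range(1, 13)
) + """\
2026-02-10T09:05:00Z 203.0.113.7 s7 POST /api/v1/login 401 user=alice
2026-02-10T09:05:01Z 203.0.113.7 s7 POST /api/v1/login 401 user=bob
2026-02-10T09:05:02Z 203.0.113.7 s7 POST /api/v1/login 401 user=carol
2026-02-10T09:05:03Z 203.0.113.7 s7 POST /api/v1/login 401 user=dave
2026-02-10T09:05:04Z 203.0.113.7 s7 POST /api/v1/login 401 user=erin
2026-02-10T09:05:05Z 203.0.113.7 s7 POST /api/v1/login 401 user=frank
2026-02-10T09:06:00Z 198.51.100.5 s8 POST /api/v1/login 401 user=alice
2026-02-10T09:06:10Z 198.51.100.5 s8 POST /api/v1/login 401 user=alice
2026-02-10T09:06:30Z 198.51.100.5 s8 POST /api/v1/login 200 user=alice
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")
OBJECT_RE = re.compile(r"^/api/v1/orders/(\d+)$")  # assumed object route


@dataclass(frozen=True)
class Event:
    ts: str
    ip: str
    session: str
    method: str
    path: str
    status: int
    user: str


def parse_log(text: str) -> list[Event]:
    """Parse log lines; malformed lines are skipped rather than crashing the pipeline."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, session, method, path, status, user = m.groups()
            events.append(Event(ts, ip, session, method, path, int(status), user))
    return events


def objects_per_session(events: list[Event]) -> dict[str, int]:
    """Count distinct order IDs each session successfully read."""
    seen: dict[str, set[str]] = defaultdict(set)
    for e in events:
        m = OBJECT_RE.match(e.path)
        if m and e.status == 200:
            seen[e.session].add(m.group(1))
    return {s: len(ids) for s, ids in seen.items()}


def learn_threshold(baseline: list[Event], sigmas: float = 3.0, min_spread: float = 1.0) -> float:
    """Baseline = mean + 3 sigma of objects-per-session; spread is floored so a
    very uniform learning set does not produce a hair-trigger threshold."""
    counts = list(objects_per_session(baseline).values())
    spread = statistics.stdev(counts) if len(counts) > 1 else 0.0
    return statistics.fmean(counts) + sigmas * max(spread, min_spread)


def detect_enumeration(events: list[Event], threshold: float) -> list[str]:
    """Sessions touching more distinct objects than the learned baseline allows."""
    return sorted(s for s, n in objects_per_session(events).items() if n > threshold)


def detect_credential_stuffing(events: list[Event], login_path: str = "/api/v1/login",
                               min_failures: int = 5, min_users: int = 5) -> list[str]:
    """Sources with many failed logins spread across many distinct usernames.
    A single user failing repeatedly is not flagged; that is a forgotten password."""
    failures: dict[str, list[str]] = defaultdict(list)
    for e in events:
        if e.path == login_path and e.status == 401:
            failures[e.ip].append(e.user)
    return sorted(ip for ip, users in failures.items()
                  if len(users) >= min_failures and len(set(users)) >= min_users)


if __name__ == "__main__":
    threshold = learn_threshold(parse_log(BASELINE_LOG))
    window = parse_log(DETECTION_LOG)
    print(f"baseline threshold: {threshold:.1f} distinct objects per session")
    print("enumeration sessions:", detect_enumeration(window, threshold))
    print("credential stuffing sources:", detect_credential_stuffing(window))
```

Two design points carry over to real deployments: the baseline is learned from a separate, earlier window rather than from the traffic being judged (otherwise an attacker's own volume shifts the baseline), and the credential-stuffing rule keys on distinct usernames per source, which is what separates an attack from a legitimate user retrying a password.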

AI agent and MCP security

Salt added agentic AI security capabilities in 2025, announced at CrowdStrike Fal.Con. Their own research shows only 37% of organizations using agentic AI currently deploy dedicated API security, while 48% operate 6-20 different agent types.

Three components cover the MCP lifecycle:

  • MCP Protect — Discovers and monitors all MCP server interactions with AI agents in runtime, maps hidden connections, and assesses data exposure risk
  • Agentic AI Governance — Out-of-the-box security controls enforcing safe AI agent behavior in MCP and A2A environments, enabled by default at first login
  • GitHub Connect — Identifies risky MCP servers in source code repositories before they deploy to production

As Michael Nicosia, co-founder and COO, put it: “Most organizations’ first AI security gap isn’t model jailbreaks — it’s the invisible API connections powering agents.”

Sensitive data tracking

Salt identifies PII, PHI, payment card data, and custom data patterns flowing through API traffic in real time. The posture engine flags exposed sensitive data in query parameters, unauthenticated responses, and unencrypted channels.
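The three posture conditions named above (sensitive data in query parameters, in responses to unauthenticated requests, and over unencrypted channels) are straightforward to express as rules over captured transactions. The block below is an added example for this page, not Salt's posture engine: it classifies text as email, US SSN or payment card data (card candidates are confirmed with a Luhn check to cut false positives), then evaluates each rule against constructed sample transactions. The transaction shape, the rule names, the severities, the "Authorization header present means authenticated" heuristic and all hostnames and values are assumptions made for the example.

```python
"""Posture rules for sensitive data in API traffic (added example, not Salt's code)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Detectors for the data classes the rules care about (constructed, deliberately simple).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),  # PAN candidate; confirmed by Luhn
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a card-number candidate."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the set of sensitive data classes found in text."""
    found = set()
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if label != "card" or luhn_ok(match.group(0)):
                found.add(label)
    return found


def is_authenticated(headers: dict[str, str]) -> bool:
    # Assumed heuristic: a bearer/basic Authorization header or a session cookie.
    lowered = {k.lower() for k in headers}
    return "authorization" in lowered or "cookie" in lowered


def evaluate(tx: dict) -> list[dict]:
    """Apply the three posture rules to one captured transaction."""
    parts = urlsplit(tx["url"])
    query_text = " ".join(v for _, v in parse_qsl(parts.query))
    findings = []

    in_query = classify(query_text)
    if in_query:  # secrets in URLs end up in proxy, CDN and server logs
        findings.append({"rule": "sensitive-data-in-query", "severity": "High",
                         "url": tx["url"], "classes": sorted(in_query)})

    in_body = classify(tx.get("response_body", ""))
    if in_body and not is_authenticated(tx.get("request_headers", {})):
        findings.append({"rule": "sensitive-data-unauthenticated", "severity": "Critical",
                         "url": tx["url"], "classes": sorted(in_body)})

    if parts.scheme == "http" and (in_query or in_body):
        findings.append({"rule": "sensitive-data-plaintext", "severity": "High",
                         "url": tx["url"], "classes": sorted(in_query | in_body)})
    return findings


def evaluate_all(transactions: list[dict]) -> list[dict]:
    return [f for tx in transactions for f in evaluate(tx)]


# Constructed sample transactions (example.com hosts, test card number, fake SSN).
SAMPLE_TRANSACTIONS = [
    {"method": "GET", "url": "https://api.example.com/v1/customers?email=jane.doe@example.com",
     "request_headers": {"Authorization": "Bearer <redacted>"},
     "response_body": '{"id": 7, "tier": "gold"}'},
    {"method": "GET", "url": "https://api.example.com/v1/invoices/42",
     "request_headers": {},
     "response_body": '{"invoice_id": 42, "card": "4111 1111 1111 1111", "amount": 129.5}'},
    {"method": "GET", "url": "http://legacy.example.com/v1/profile",
     "request_headers": {"Authorization": "Bearer <redacted>"},
     "response_body": '{"name": "J. Doe", "ssn": "123-45-6789"}'},
    {"method": "GET", "url": "https://api.example.com/v1/health",
     "request_headers": {},
     "response_body": '{"status": "ok"}'},
]

if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_TRANSACTIONS):
        print(f"[{f['severity']}] {f['rule']}: {f['url']} -> {', '.join(f['classes'])}")
```

The unauthenticated-response rule is rated highest because it means the data is reachable without any identity, whereas the other two describe exposure of data that an authenticated caller was already entitled to see.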

[Image: Salt Security unified API inventory showing hosts, API counts, source types, and discovery dates]

Integrations

Salt connects to API gateways, cloud platforms, SIEM/SOAR tools, and developer platforms:

API Gateways & Service Mesh: Kong, Apigee, MuleSoft, NGINX, Istio
Cloud & Infrastructure: AWS, Azure, GCP, Kubernetes, Akamai, Cloudflare, F5
SIEM, SOAR & Observability: Splunk, CrowdStrike, Microsoft Sentinel, Jira, Slack
Developer & CI/CD: GitHub, Docker, Kafka

Getting started

1. Connect your environment — Link cloud accounts (AWS, Azure, GCP), API gateways, or configure traffic mirroring. Salt deploys agentlessly with no inline components.
2. Automatic API discovery — Salt Illuminate maps your full API landscape including shadow, zombie, and third-party APIs. Discovery starts within minutes of connection.
3. Review posture gaps — The Policy Hub evaluates your APIs against ~100 pre-loaded rules covering PCI DSS, HIPAA, GDPR, SOC 2, and more. Gaps appear with severity ratings.
4. Monitor for threats — Behavioral ML baselines your API traffic and flags anomalies. Alerts include full attack timelines, affected endpoints, and remediation steps.

Salt also offers a free external attack surface scan through their website, giving you an adversary-perspective view of public-facing APIs before committing to the platform.

When to use Salt Security

Salt fits organizations that need to find and protect APIs they don’t fully know about — especially in environments with fast-moving development teams, multiple cloud accounts, or third-party integrations.

It’s a good fit if:

  • You suspect your actual API count is larger than what your gateway or documentation shows
  • You need compliance mapping across PCI DSS, HIPAA, GDPR, or SOC 2 for API traffic
  • You’re adopting agentic AI and need visibility into MCP server interactions
  • You want threat detection that catches logic-based attacks (BOLA, credential stuffing) rather than just signature matches
  • You need an agentless deployment that doesn’t add latency or require architecture changes

Best For
Security teams at enterprises with large, fast-growing API portfolios who need to discover undocumented APIs and enforce posture governance across multiple compliance frameworks. Particularly relevant if you’re running agentic AI workloads and need MCP server visibility.

Consider other options if:

  • You primarily need pre-production API testing rather than runtime protection — tools like 42Crunch focus on API security testing in CI/CD
  • You’re looking for a free or open-source solution
  • Your API estate is small and fully documented, making discovery less critical

Frequently Asked Questions

What is Salt Security?
Salt Security is a commercial API security platform built on the Salt Illuminate engine. It discovers all APIs — including shadow, zombie, and third-party endpoints — by analyzing live traffic and cloud connections. The platform detects behavioral threats like BOLA attacks and data exfiltration, and maps API posture against PCI DSS, HIPAA, GDPR, and SOC 2 frameworks.
How does Salt Security discover APIs?
Salt uses multiple data sources: Salt Connect pulls API metadata from cloud environments (AWS, Azure, GCP) and gateways (Kong, Apigee, MuleSoft), Salt Surface scans your external attack surface from an adversary’s perspective, and traffic analysis identifies undocumented endpoints. GitHub Connect also scans source code repositories for shadow APIs and MCP servers before deployment.
Does Salt Security detect AI agent and MCP risks?
Yes. Salt’s MCP Protect discovers and monitors MCP server interactions with AI agents, maps hidden API connections, and assesses interaction risk. Agentic AI Governance provides out-of-the-box security controls that enforce safe AI agent behavior in MCP and A2A environments. GitHub Connect identifies risky MCP servers in source code before deployment.
What attacks does Salt Security detect?
Salt detects logic-based API attacks including BOLA/IDOR, credential stuffing, data exfiltration, account takeover, and API abuse. Its behavioral ML baselines normal API traffic patterns and flags anomalies that indicate attacker intent, rather than relying on signatures.
Is Salt Security free or commercial?
Salt Security is a commercial enterprise platform. It’s available as cloud SaaS or on-premises deployment. Pricing is based on API traffic volume and deployment scope. A free external attack surface scan is available through their website.