Subscribe to the Salt blog to learn about the latest developments in API Security

Blog Post


API Security Tipping Point — Gartner just “Created the Category”

Michelle McLean
Aug 31, 2021

Something big happened last week — Gartner® issued a report* that definitively establishes API security as its own essential category in securing platform services. It’s not a subset of the WAF, it’s not an add-on to an API gateway — it’s its own category.

With any new technology, people love to ask, “is this a product or a feature?” The security industry spurs this debate more than any other tech sector, with a constant cycle of startups and acquisitions. For the API security market, we believe Gartner just ended that debate.

The report, focused on guiding organizations on how to improve PaaS security, includes a Security Reference Architecture showing what’s needed to protect these platforms. The following version of the architecture is modified to better illuminate its key pillars — you’ll find the original at the bottom of the blog.

Correcting an inaccurate and incomplete perspective

For years, Gartner built this security reference architecture on three pillars:

  • WAF, WAAP (web application and API protection), API gateway, and CDN — which Gartner describes as protecting the edge
  • CWPP (cloud workload protection platform) — securing the data plane
  • CSPM (cloud security posture management) — securing the control plane

All this time, Gartner has graphically nested API security within the WAF/WAAP/gateway/CDN pillar. Gartner coined the term “WAAP” to convey that WAF and API protection capabilities would be blended.

Does it really matter how Gartner draws a picture? Yes — it really does.

In multiple research notes, Gartner has acknowledged in the writing of the reports that many organizations need dedicated API security, but we all know the power of a picture vs. words, and API security was not “in the picture” … until now.

Get useful guidance on the future of APIs and learn how to maximize the benefits of APIs while mitigating your risk.

API Security Takes its Rightful Place in the Picture

API attacks have tripled in the past six months. This Gartner pictorial change — this visual clarity that API security is “its own thing” — will do more than 1000s of words ever could to educate organizations that their WAFs and gateways simply don’t cut it for API security.  

With this new architecture, Gartner affirms that existing tooling leaves gaps in API security. Until now, every security architect, AppSec lead, and head of API platforms who has had to make the case for investing in API security has always needed to fight the “but we already have a WAF so we’re covered” battle.

This visual representation empowers those leaders with Gartner-based evidence of the transformed API security landscape, giving them the ammo they need to explain that:

  • API attacks are not the same as application attacks
  • APIs are an enormous hacker target and need dedicated protection
  • WAFs and gateways can catch only pre-defined, known attacks
  • APIs, and therefore API attacks, are unique to each organization, so finding and stopping these attacks requires context with a deep understanding of API behaviors

This Gartner security reference architecture validates what those leaders have been saying all along — that a few cursory features stapled onto a WAF or gateway do not equate to API gateway security. The tooling is different, the architecture must be different, and making the right security investment is crucial.

Everyone knows the power of having Gartner place a technology on a reference architecture diagram — it establishes the product category, and it signals a robust and meaningful market. I’d love to say this architectural shift signals that Salt Security has finally arrived. But the reality is, Salt has been in the lead here for years.

Salt pioneered this market more than five years ago. The Salt vision has always been to accelerate business innovation by making APIs attack proof. We’ve been in the lead from the start — with the most customers, the most proven platform, the most advanced algorithms, and the broadest application ecosystem support. With this report, Gartner is now amplifying the reality that organizations must take a new approach to protecting APIs.

And we couldn’t be happier. To learn more about how Salt can help defend your organization from API risks, you can connect with a rep or schedule a personalized demo.

* Gartner report: Advance Your Platform-as-a-Service Security, 25 August 2021, by Richard Bartley available to Gartner clients of GTP (Gartner for Technical Professionals) at


Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

July 16, 2024

Eric Schwake
Head of Product Marketing


The Biggest Factors Influencing API Security Today

Several key factors are driving the current state of API security, including the rise of AI, the ongoing digital transformation, a booming app economy, and the challenges posed by shadow IT and regulatory compliance.

Read more

July 9, 2024

Eric Schwake
Head of Product Marketing


Salt Security Empowers API Governance with New Posture Policies Hub

Salt Security's Posture Policies Hub is a powerful new tool designed to help organizations simplify and streamline API posture governance.

Read more

June 21, 2024

Amanda Fitzsimmons
Head of Legal


Don't Get Salted: Why API Inventory is Key to PCI DSS 4.0 Compliance (and How Salt Security Can Help You Achieve It)

A secure API ecosystem starts with a clear understanding of what APIs you have and how they interact with your data.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Get the guide