State of API Security Report Q3 2022

Learn more

Context-based security for all your APIs

Only Salt delivers the context you need to protect your APIs across build, deploy, and runtime phases. We combine complete coverage and an ML/AI-driven big data engine to provide that context to show you all your APIs, stop attackers during the early stages of an attempted attack, and share insights to improve API security posture.

20 November 2017
"Predicts 2018: Infrastructure Protection" - Strategic Planning Assumption

By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications."

6 December 2021
"Predicts 2022: APIs Demand Improved Security and Management" – A Look Back

As 2022 approaches, this prediction could arguably be counted as “missed” — but only because we underestimated the steep rise in attacks on APIs.

APIs are a top target

APIs fuel digital transformation and are essential components of business-critical, customer-facing applications, development environments, and partner-facing services. APIs today expose application business logic and more sensitive data than ever. Attackers have taken notice, and in recent years, APIs have become the primary target for their efforts.

You need protection for REST, GraphQL, SOAP, and all API types, across the full lifecycle

From eliminating API vulnerabilities during the build phase to automated discovery of new and changed APIs to identifying and stopping attackers in runtime, you need to continuously protect and harden your APIs. Ensure protection across REST, GraphQL, SOAP, and other API types.

Attacks have changed

Bad actors targeting APIs have moved beyond traditional “one-and-done” attacks such as SQLi and XSS. Their focus now is on finding vulnerabilities in the business logic of APIs. Your APIs are unique, so the attacks have to be as well. It takes attackers days, weeks, or even months to probe and learn your APIs, and they use “low-and-slow” techniques that stay under the radar of traditional security tools.

You need context to prevent API attacks

Detecting low-and-slow attack activity that targets an API’s unique vulnerabilities depends on having context. Building that context requires deep analysis of massive amounts of API traffic. This kind of advanced protection must have a rich baseline of normal behavior for every API and user so that the system can spot anomalies quickly and correlate activity over time to build a fingerprint for each bad actor.

See all your APIsSee all your APIs

Traditional tools will never have context

Traditional tools, typically built on a proxy architecture, are not able to analyze activity over time – they see each transaction in isolation and apply pattern matching using signatures and rules to block known attacks. No matter what functionality they gain over time, they will never have the context needed to piece together the subtle malicious activity of someone attacking an API, so they’ll never be able to stop API attacks.

Salt - the new approach to API security

Salt protects the APIs at the core of every modern application with security across the full API lifecycle. Our advantages derive from our cloud-scale big data engine powered by our patented and time-tested AI and ML algorithms -- together, they form the core of our API Context Engine (ACE) Architecture.

We scan and test your REST, GraphQL, and other APIs while they're still in development. In runtime, we cover all your application environments, getting a copy of your API traffic. We store hundreds of attributes about thousands of APIs and thousands of users over time. We baseline your environment and use AI and ML to pinpoint anomalies.

The Salt platform automatically discovers all your APIs and exposed sensitive data, pinpoints and blocks attackers, and tests and scans your APIs during the build phase and provides remediation insights learned in runtime so your dev teams can improve your API security posture.

The Salt architectural advantage

Complete coverage

We support more than 50 options to collect all your REST, GraphQL, and other API traffic and dynamically build a full inventory, including new and changed APIs. We connect to your systems with no agents, and we require no app or network changes and no configuration or tuning.


Cloud-scale big data

Every one of your APIs is unique. Salt applies ML and AI in our big data engine to baseline your APIs and isolate anomalous behavior, differentiating between changes to APIs and malicious activity. By applying the context we learn, we can avoid false positives.


Context-based analysis

Salt combines our complete coverage and big data engine to scan and test APIs during build, discover all your APIs and the sensitive data they expose, find and stop attackers, and capture insights in pre-prod and runtime for development teams to improve your API security posture.

Salt is the leader in API security

Most mature solution – 4+ year head start
Patented cloud-scale big data architecture
Protection for REST, GraphQL, and SOAP APIs
Simplest deployment
Most customers

Tools like WAFs and API gateways don't have any context for what's happening across APIs and, in turn, cannot effectively detect or protect against exploitation. Salt pulls together all the activity of all users, so it can find and stop attackers in their tracks.

Curtis Simpson, CISO

Why WAFs and API Gateways can't protect you

WAFs and API gateways detect attacks that leverage known vulnerabilities (think SQLi, XSS). They see traffic one transaction at a time, in isolation. API attacks are different – they target vulnerabilities in your business logic, and bad actors must probe your APIs to discover these zero-day vulnerabilities. To find and stop API attacks requires context, over time – WAFs and API gateways simply don’t have this context (think a single frame vs. a movie).

The OWASP API Security Top 10 catalogs the most common API attacks. Salt knows what every user did an hour ago, a day ago, a week ago – and we have a baseline of what’s normal for your APIs. We use this context to find and stop API attacks.

API Security Top 10 Threats


API Gateways

A1:2019 - Broken Object Level Authorization

A2:2019 - Broken Authentication

A3:2019 - Excessive Data Exposure

A4:2019 - Lack of Resources & RateLimiting

A5:2019 - Broken Function Level Authorization

A6:2019 - Mass Assignment

A7:2019 - Security Misconfiguration

A8:2019 - Injection

A9:2019 - Improper Assets Management

A10:2019 - Insufficient Logging &Monitoring

How the Salt Security platform works

Learn More
Before you go...

Get a comprehensive list of security best practices

Download the Guide