Salt Security, founded in 2016 by Roey Eliyahu and Michael Nicosia, is the leading API security startup in our lineup. In February 2022, the company raised $140M in Series D, $270M in total, and hit the unicorn milestone at $1.4 billion. One of the key differentiators between the Salt API platform and CDNs API security is its ability to detect issues early on in the build phase and protect APIs across their lifecycle.
Background
- Company: Salt Security
- Founded: 2016
- HQ: Palo Alto
- Raised: $271M
- VCs: Sequoia Capital, Y Combinator, CapitalG (Google), DFJ Growth, and others
- Founders: Roey Eliyahu (CEO) and Michael Nicosia (COO)
- Product: API Security
- Customers: Aon, Telefonica, Amway…
Key Differentiators
The secret sauce behind Salt is a big data platform and machine learning engine that performs anomaly detection, classification, complex graph analysis, regression, and clustering. In an ML nutshell, supervised learning and perhaps semi-supervised learning. These technologies are the foundation for many of the most innovative security companies.
In the world of APIs, it is through these technologies that outlier behavior is detected and mitigated. The defining differentiator between Salt and CDNs is its ability to work throughout the API lifecycle. The lifecycle starts in the build phase and continues to runtime till it ends. Even when the API is deprecated, not correctly removing it from an environment may become a vulnerability.
Salt can also monitor and collect data on attacker reconnaissance, end-to-end, across all surfaces in a container, microservice, VM, REST, SOAP, GraphQL, etc., and prevent or mitigate API attacks. In addition, they can protect against all of the OWASP API Security Top 10.
Features
- Dynamically inventories all APIs without the use of agents or network changes.
- Applies context to API activity to detect and isolate outlier behavior
- Scans and tests APIs during the build phase and helps developers identify vulnerabilities
- Installs in minutes with easy
- Protects REST, GraphQL, and SOAP APIs
- Data types such as social security, PII, account IDs, etc., are categorized by sensitivity.
- The baseline adjusts as APIs change while minimizing false positives.
- Attack data and patterns are displayed in a dashboard.
Modern Approach vs. Legacy
Salt’s core message is that traditional WAFs, API gateways, and IAM technologies are not suited for protecting today’s API economy with APIs numbering in the hundreds of millions. Moreover, attackers understand that the lack of focus on APIs provides an opportunity to skirt static security methods.
Salt’s foundational technology is the API Context Engine (ACE) Architecture. In short, it baselines API, regardless of how many, and creates attributes of the behavior. If there is a deviation, it flags it and remedies it. This process discovers all APIs, including shadow APIs, 3rd party, etc., and all those exposed. In the build phase, it scans and pinpoints issues and provides feedback to development teams.
Key Takeaway
Salt Security is a leader in API security. Their software stack leverages a big data platform and machine learning capabilities to help detect issues and attackers. Its API-only focus helps differentiate them from typical CDN API security solutions and traditional products like WAF, API gateways, and IAM.
Next week, we’ll explore more API security startups.