Is Salt Security worth it?

What middleBrick covers

  • Black-box scanning with read-only methods, typically completing in under one minute
  • Detection aligned to OWASP API Top 10, PCI-DSS 4.0, SOC 2
  • Authenticated scans with Bearer, API key, Basic, and cookie support
  • LLM adversarial probe testing across three depth tiers
  • Continuous monitoring with diff detection and email alerts
  • CI/CD integration via GitHub Action and programmatic API access

Scope and testing approach

Salt Security positions itself as an API security testing platform, but as a scanner its coverage is limited to passive inspection and surface-level detection. It performs black-box scans that require no code access or agents, and it supports any language, framework, or cloud target. The engine uses only read-only methods such as GET and HEAD, with text-only POST reserved for LLM probes, and scans typically complete in under a minute. This approach avoids intrusive exploit behavior, but it also means findings are restricted to what can be inferred from network interactions and response analysis.

Detection coverage compared to the API Top 10

The tool maps findings to the OWASP API Top 10 (2023) and to PCI-DSS 4.0 and SOC 2 Type II controls, which helps you prepare for audit evidence around common API risks. It detects issues such as authentication bypass, JWT misconfigurations including alg=none and expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation indicators, and common input validation concerns like CORS wildcards and dangerous HTTP methods. It also surfaces data exposure signals such as email patterns, Luhn-validated card numbers, API key formats, and error or stack-trace leakage, while reporting on rate-limit headers, HTTPS redirects, HSTS, and cookie security flags.
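As an added illustration (not middleBrick's or Salt Security's own code), this is the shape of the passive response analysis described above: one captured response is inspected, without sending anything further, for header weaknesses and data-exposure signals, including a Luhn check so that only card-shaped digit runs are flagged. The sample headers and body are constructed for the example.

```python
import re

# Constructed sample response; not captured from any real service.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Set-Cookie": "session=abc123; Path=/",
}
SAMPLE_BODY = (
    '{"user":"alice@example.com","card":"4111111111111111",'
    '"debug":"java.lang.NullPointerException\n\tat com.example.Api.handle(Api.java:42)"}'
)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card-like numbers from arbitrary digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:   # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def analyze_response(headers: dict, body: str, is_https: bool = True) -> list[str]:
    """Return finding labels derived from headers and body alone."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if is_https and "strict-transport-security" not in h:
        findings.append("missing-hsts")
    if h.get("access-control-allow-origin") == "*":
        findings.append("cors-wildcard")
    cookie = h.get("set-cookie", "").lower()
    if cookie:
        for flag in ("secure", "httponly"):
            if flag not in cookie:
                findings.append(f"cookie-missing-{flag}")
    if not any(k.startswith("x-ratelimit") or k == "retry-after" for k in h):
        findings.append("no-rate-limit-headers")
    if re.search(r"[\w.+-]+@[\w-]+\.[\w.]+", body):
        findings.append("email-exposure")
    if any(luhn_ok(m) for m in re.findall(r"\b\d{13,19}\b", body)):
        findings.append("card-number-exposure")
    if re.search(r"\bat [\w.$]+\(\w+\.java:\d+\)|Traceback \(most recent call last\)", body):
        findings.append("stack-trace-leak")
    return findings
```

Every label here is inferred from a response the server already chose to send, which is exactly why such a scanner can flag a leaked card number but cannot tell you whether the endpoint's business logic is sound.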

For LLM security, the scanner runs 18 adversarial probes across Quick, Standard, and Deep tiers, targeting system prompt extraction, instruction override, jailbreak techniques, data exfiltration attempts, and token smuggling. Note that business logic flaws and blind SSRF are explicitly out of scope, and these gaps mean the tool cannot replace a human pentester for high-stakes audits.

Authenticated scanning and operational constraints

Authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can submit credentials. The scanner forwards a restricted header allowlist containing Authorization, X-API-Key, Cookie, and X-Custom-* headers. These constraints reduce false positives tied to authentication but also limit the depth of session-based testing you can perform. Continuous monitoring in the Pro tier reruns scans every six hours, daily, weekly, or monthly, and provides diff detection across runs to highlight new findings, resolved items, and score drift.

Remediation model and integration options

Salt Security does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. If you require automatic blocking or runtime protection, you would need additional tooling. The platform offers multiple integration paths, including a web dashboard for managing scans and viewing trend reports, a CLI via the middlebrick npm package with JSON or text output, a GitHub Action that can fail builds when scores drop below a set threshold, and an MCP server for use with AI coding assistants. An API client is available for custom integrations, and Pro tier subscribers receive signed webhooks with auto-disable after five consecutive failures.

Who should and should not adopt this tool

Salt Security is worth it for teams that need a lightweight, black-box scanner to maintain an ongoing view of API surface risk without invasive testing. It suits organizations that want continuous monitoring at scale, with clear score trends and compliance reporting aligned to PCI-DSS 4.0 and SOC 2 Type II. Teams already invested in CI/CD pipelines can benefit from the GitHub Action gate and the CLI for automated checks. Conversely, it is not worth it if you expect deep business logic analysis, blind SSRF detection, or remediation capabilities, since those areas are intentionally out of scope. Organizations that require agent-based instrumentation or that expect a tool to replace manual penetration testing for high-risk audits will find the coverage insufficient.

Frequently Asked Questions

Does Salt Security perform active exploitation like SQL injection or command injection?
No. The scanner uses read-only methods and does not send destructive payloads, so it does not test for SQL injection or command injection.

Can it detect business logic vulnerabilities?
No. Business logic flaws require domain context and human analysis, which are outside the scope of automated scanning.

What compliance mappings are included in the reporting?
Findings map to OWASP API Top 10 (2023), and the platform supports compliance with PCI-DSS 4.0 and SOC 2 Type II by surfacing relevant evidence.

Is customer scan data used for model training or shared with third parties?
No. Data is deletable on demand, purged within 30 days of cancellation, never sold, and never used for model training.