Pricing alternative to Salt Security
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk score A–F with prioritized findings
- 12 OWASP API Top 10 detection categories
- OpenAPI 3.x and Swagger 2.0 parsing
- Authenticated scanning with header allowlist
- Provisions for CI/CD and AI assistant integration
Pricing model and included capabilities
The platform offers four subscription tiers with clearly defined inclusions. The Free tier provides three scans per month and CLI access at no cost. The Starter tier is priced at 99 dollars per month and supports fifteen APIs, monthly scanning, a dashboard for score trends, email alerts, and an MCP Server for AI coding assistants. The Pro tier at 499 dollars per month supports one hundred APIs, with additional APIs billed separately, continuous monitoring, GitHub Action gates, CI/CD integration, Slack and Teams alerts, compliance reports, and signed webhooks. The Enterprise tier is typically 2000 dollars per month and above, providing unlimited APIs, custom rules, SSO, audit logs, an SLA, and dedicated support.
Feature comparison to Salt Security
Salt Security positions itself as an in-line runtime protector, whereas this platform is a black-box scanner that requires no agents or code changes. You submit a URL and receive a risk score with prioritized findings in under one minute, using only read-only methods. Unlike solutions that must be integrated into runtime traffic, this approach avoids code instrumentation, framework dependencies, and cloud provider lock-in. The platform maps findings to OWASP API Top 10, PCI-DSS 4.0, and SOC 2 Type II, and supports audit evidence collection, without claiming certification or compliance guarantees.
Total cost of ownership considerations
When comparing to Salt Security, consider onboarding effort, integration complexity, and ongoing maintenance. Because there are no SDKs or agents to deploy, implementation time is reduced to submitting target URLs and configuring allowed headers. The platform enforces a domain verification gate so that only domain owners can scan with credentials, limiting exposure of sensitive environments. Ongoing costs are predictable with defined per-tier API counts, and overages are metered transparently. Data retention and deletion policies are built-in, with customer data purged within 30 days of cancellation and never used for model training.
Detection scope and scanning constraints
The scanner covers twelve categories aligned to OWASP API Top 10, including authentication bypass, JWT misconfigurations, BOLA and BFLA, property authorization, input validation, rate limiting, data exposure, encryption, SSRF, inventory management, unsafe consumption, and LLM/AI security. It supports OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime behavior. The platform does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities in depth, and does not replace a human pentester for high-stakes audits. It also does not conduct blind SSRF testing that requires out-of-band infrastructure.
Authentication, safety, and integrations
Authenticated scanning is available from the Starter tier and supports Bearer tokens, API keys, Basic auth, and cookies, restricted to an allowlist of headers. The domain verification gate applies whenever credentials are used, ensuring only the domain owner can scan authenticated endpoints. Safety measures include the use of read-only methods only and the blocking of private IPs, localhost, and cloud metadata endpoints at multiple layers. Integrations include a web dashboard for reports and trends, a CLI via an npm package with JSON or text output, a GitHub Action for CI/CD gating, an MCP Server for AI coding assistants, and a programmatic API for custom workflows.
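As an added illustration of the safety gate described above (example code written for this page, not middleBrick's own implementation), the following Node.js check rejects blocked hosts, non-read-only methods, and headers outside an allowlist before any request is sent. The allowlisted header names and the blocked IP ranges are assumptions; a literal-IP check is only one layer, and a real scanner must repeat the check on the address DNS actually resolves to.

```javascript
// Assumed policy values (not taken from middleBrick's documentation).
const READ_ONLY_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const HEADER_ALLOWLIST = new Set(['authorization', 'x-api-key', 'cookie']);
const BLOCKED_HOSTS = new Set(['localhost', 'metadata.google.internal']);

// Loopback, RFC1918, link-local (covers the 169.254.169.254 metadata
// endpoint), CGNAT and the "this network" range.
function isBlockedIPv4(ip) {
  const octets = ip.split('.').map(Number);
  if (octets.length !== 4 || octets.some(o => Number.isNaN(o) || o > 255)) return false;
  const [a, b] = octets;
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
    (a === 169 && b === 254) || (a === 100 && b >= 64 && b <= 127);
}

// Loopback, unspecified, link-local, unique-local and IPv4-mapped forms.
function isBlockedIPv6(ip) {
  const lower = ip.toLowerCase();
  if (lower === '::1' || lower === '::') return true;
  if (/^(fe80|fc|fd)/.test(lower)) return true;
  const mapped = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  return mapped ? isBlockedIPv4(mapped[1]) : false;
}

// hostname as produced by the WHATWG URL parser (IPv6 keeps its brackets).
function isBlockedHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, '');
  if (BLOCKED_HOSTS.has(h) || h.endsWith('.localhost')) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return isBlockedIPv4(h);
  if (h.includes(':')) return isBlockedIPv6(h);
  return false;
}

// Returns { ok, reason }; the URL parser also normalises tricks such as
// a decimal host (http://2130706433/) to dotted form before the IP check.
function checkScanRequest(target, method = 'GET', headers = {}) {
  let url;
  try { url = new URL(target); } catch { return { ok: false, reason: 'invalid URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (isBlockedHost(url.hostname)) return { ok: false, reason: 'blocked host' };
  if (!READ_ONLY_METHODS.has(method.toUpperCase())) return { ok: false, reason: 'method not read-only' };
  for (const name of Object.keys(headers)) {
    if (!HEADER_ALLOWLIST.has(name.toLowerCase())) return { ok: false, reason: `header not allowlisted: ${name}` };
  }
  return { ok: true, reason: '' };
}
```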