Salt Security review

This review evaluates the product as an API security scanner that focuses on black-box analysis. The tool accepts a target URL and returns a risk grade from A to F along with prioritized findings. It does not require agents, SDKs, or access to source code, and it supports any language or framework. Scan duration is under one minute, and the methods used are limited to read-only operations plus text-based probes for LLM endpoints.

The scanner covers 12 categories aligned to the OWASP API Top 10 (2023), including authentication bypass, JWT misconfigurations, broken object level authorization, property exposure, input validation issues, rate limiting characteristics, data exposure patterns, encryption misconfigurations, SSRF indicators, inventory weaknesses, unsafe consumption surfaces, and LLM/AI security probes. It parses OpenAPI 3.0, 3.1, and Swagger 2.0 files with recursive $ref resolution and cross-references spec definitions against runtime behavior to identify mismatches such as undefined security schemes or deprecated operations.

For LLM testing, the tool runs 18 adversarial probes across three scan tiers labeled Quick, Standard, and Deep. These include system prompt extraction attempts, instruction override probes, DAN and roleplay jailbreaks, data exfiltration simulations, token smuggling, prompt injection variants, and model abuse scenarios. Each category includes concrete probe examples such as base64 or ROT13 encoding bypass, translation-embedded injection, few-shot poisoning, and multi-turn manipulation.

GET /api/docs/openapi.json HTTP/1.1
Host: example.com
Accept: application/json

Authenticated scanning is available from the Starter tier onward, supporting Bearer tokens, API keys, Basic authentication, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring that only the domain owner can submit credentials. The scanner forwards a restricted allowlist of headers, including Authorization, X-API-Key, Cookie, and X-Custom-* headers.

The tool maintains a strict safety posture by using only read-only methods. Destructive payloads are never transmitted, and infrastructure for private IPs, localhost, and cloud metadata endpoints is blocked at multiple layers. Customer data can be deleted on demand and is purged within 30 days of cancellation. It maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), and it supports audit evidence collection for these frameworks.

The web dashboard provides centralized scan management, trend visualization, and the ability to download branded compliance PDFs. A CLI distributed as an npm package enables scripted usage with JSON or text output. A GitHub Action is available to gate CI/CD pipelines, failing builds when the risk score drops below a defined threshold. An MCP server allows integration with AI coding assistants such as Claude and Cursor, and a programmatic API supports custom workflows.

For ongoing monitoring, the Pro tier offers scheduled rescans at intervals ranging from every six hours to monthly, diff-based detection of new or resolved findings, hourly rate-limited email alerts, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures. Collaboration channels such as Slack and Teams are supported in higher tiers, along with compliance reporting features.

The scanner does not fix, patch, block, or remediate issues; it reports findings and provides remediation guidance. It does not execute active SQL injection or command injection tests, as those require intrusive payloads outside its scope. Business logic vulnerabilities are not detected, as they demand domain-specific understanding from a human analyst. Blind SSRF and certain infrastructure-sensitive issues are out of scope due to the absence of out-of-band verification mechanisms.

While the tool aligns with security controls described in SOC 2 Type II and other frameworks, it does not claim certification or compliance status. It is designed to complement, not replace, human-led penetration tests for high-assurance audits.