Salt Security — Securing APIs, the Building Blocks of Modern Software Apps

By Sam Fort, Kevin Tu, and Delaney Ugelstad, DFJ Growth

DFJ Growth is excited to announce our investment in the $70 million Series C of Salt Security as it advances the modern security paradigm for APIs.

For decades, cybersecurity has been a constant game of cat-and-mouse, with new software architectures demanding new security layers as hackers find novel ways to infiltrate their targets. We recently partnered with market leaders across several emerging threat vectors. For example, the proliferation of IoT endpoints led to our investment in Armis, and the inflection of containers and Kubernetes led to our investment in Sysdig. We have also seen the need arise for a dedicated security layer to address a newer, high-growth software primitive — Application Programming Interfaces or APIs. As APIs are a high priority attack surface increasingly targeted by malicious actors, we believe a new security platform is needed — and we are proud to be partnering with the emerging market leader for API security: Salt.

Salt founders Roey Eliyahu, CEO, and Michael Nicosia, COO

We first were introduced to the Salt Security team through our trusted friends at Armis — CEO Yevgeny Dibrov and CTO Nadir Izrael. Our ears perked up when Nadir described Salt CEO Roey Eliyahu as one of the best founders he’s ever worked with and a great friend. Nadir originally met Roey in the Israeli Defense Force, and Yevgeny had worked with Salt COO Michael Nicosia at their prior startup, Adallom. As a Salt customer, Armis’ glowing recommendation on the product and Salt’s AI-driven foundation certainly caught our attention. With each subsequent meeting, we quickly built conviction that Salt Security has a differentiated, market-leading platform with compelling tailwinds at its back. This financing will fuel Salt’s hypergrowth trajectory and enable it to capitalize on the significant market opportunity ahead in API Security.

The API explosion

APIs are a foundational unit of modern software — enabling applications to interact, share data, and abstract away business logic. In fact, according to a recent Akamai report, API calls now comprise over 80 percent of all web traffic. The recent surge in digital transformation has only accelerated their already exponential growth, and as software eats the world, APIs will continue to proliferate. This explosion of connectivity has opened a new threat vector that attackers are exploiting to gain access to privileged data and systems, and even the largest companies aren’t safe.

Recently, Peloton’s leaky API made headlines as President Biden attempted to move his beloved bike to the White House. As Michael Isbitski, Salt’s technical evangelist, explains, “Any user with internet access could query the API and obtain private Peloton user information including user ID, location, workout statistics, gender, age, and more.” These headlines are popping up more frequently every day. Gartner predicts that by 2022 API breaches will become the most frequent attack vector as APIs account for 90 percent of the exposed enterprise attack surface. The sheer volume, dynamic nature, and inherent openness of APIs make securing this frontier all the more challenging.

An ML-first approach

Salt secures APIs in three ways. First, Salt’s product discovers a company’s API inventory — many companies simply don’t know how many APIs are in their environment, let alone how they’re being tampered with. Then, Salt uses machine learning (ML) to baseline typical API behavior and identify anomalies. Finally, Salt provides remediation by supplying developers with insights to patch API vulnerabilities.

In order to keep pace with API-first development, a new paradigm of ML-based security is needed to fully secure all the unknown threat vectors in production. That’s where Salt comes in — it takes a big-data approach to identify APIs, detect threats, and prevent attacks. Each detected anomaly feeds its algorithm to make the system stronger. As this model improves, so does Salt’s ability to mitigate risks — not just in real-time, but also before an application goes into production.

Leading the charge

We talked to numerous CISOs who instantly understood the current and future scale of the API security problem. Many noted that it is at the top of their priority list, and that its urgency will only grow in the coming years.

“We’ve hit the inflection for API security as people are realizing that APIs are a massive breach vector.”
–Industry expert and CISO

The more security professionals we talked to, the clearer the pain point and market opportunity became. Across all our conversations, Salt consistently stood out from the competition. CISOs unanimously deemed it the most mature product in the category and raved about its near-immediate value-add.

“It was very clear in the evaluation that Salt was the best — in just minutes, it becomes obvious to a security professional that Salt has the most superior technical capabilities.”
— Salt customer and director of security compliance and assurance

Salt is leading the charge in the significant opportunity ahead for API security, and DFJ Growth couldn’t be more thrilled to partner with Roey, Michael, and the entire Salt team on the journey ahead!