Salt Security

1.1 Identity, product scope, and corporate structure

Salt Security was founded in 2016 by IDF cybersecurity veterans Roey Eliyahu (CEO) and Michael Nicosia (COO), with the company’s early operating roots in Israel before scaling into its current Palo Alto headquarters. The company was originally registered under the name Secful before rebranding to Salt Security as it emerged from stealth with a commercial API protection platform. Salt Security is incorporated in Delaware, maintains its headquarters in Palo Alto, and concentrates its research and development in Tel Aviv, Israel, operating a dual-hub model common among Israeli cybersecurity companies. The company's core offering is the Salt Security API Protection Platform, a cloud-delivered SaaS solution that combines cloud-scale big data processing with machine learning and artificial intelligence to provide three integrated capabilities: automated API discovery (including shadow and zombie APIs), behavioral runtime threat detection, and developer- facing posture governance. Salt markets itself as the first vendor to have built a dedicated, patented API security platform, framing the company as the category creator. As of mid-2025, the platform had been extended to cover agentic AI security, MCP server protection, and conversational security investigation via "Ask Pepper AI." Salt Security targets enterprise security teams, CISOs, and application-security practitioners at large organizations running complex, API-intensive application stacks. The company positions its product as a complement to API gateways, WAFs, and SIEM platforms rather than a replacement, reflected in its CrowdStrike Falcon and AWS WAF integrations. Stage is Series D / late-stage private; no IPO has been announced as of the run date.[CO001, CO002, CO003, CO004, CO005, CO006]

1.2 Founders, leadership bench, and governance

Roey Eliyahu co-founded Salt Security and serves as CEO. Before Salt, Eliyahu co-founded Eshkol College, a cybersecurity training institution focused on preparing graduates for elite IDF cybersecurity units; he also served three years in IDF cyber, culminating in a team-leader role. Michael Nicosia, co-founder and COO, previously served as VP of Global Sales at Adallom (acquired by Microsoft as part of the Cloud App Security product line), providing direct enterprise security sales experience. The executive bench grew substantially during and after the Series D. Key additions include Kfir Lippmann (CFO), who led finance at monday.com from 40 employees through its Nasdaq IPO; Matt Quarles (CRO), hired in 2023 to scale global revenue; Michael Callahan (CMO), former CMO at Acronis; Renee Hollinger (Chief People Officer), formerly CHRO at Reltio; Gilad Gruber (SVP Engineering), former CTO at Payoneer; and Yaniv Balmas (VP Research), who spent eight years running cyber research at Check Point before founding Salt Labs. Board representation reflects the investor syndicate: Tom Banahan (Tenaya Capital) joined after the Series A; Carl Eschenbach (Sequoia Capital) joined after the Series B; James Luo (CapitalG) joined as part of the Series D investment; and Haim Sadger and Ayala Peterburg (S Capital VC) represent the founding-era investor. This five-seat board composition with heavy investor representation is typical for a late-stage venture-backed company. Key- person dependency remains material: both co-founders are operational, Eliyahu is the primary public face, and Lippmann's monday.com IPO experience makes him an important resource for any public-market pathway.[CO009, CO010, CO011, CO012, CO013, CO014]

1.3 Financing history, investors, and valuation

Salt Security's capital formation occurred in six publicly documented rounds spanning 2018 to 2022. The company filed a Form D with the SEC for a seed round in September 2018. The first disclosed-amount rounds were a $20 million Series A in June 2020, led by Tenaya Capital with participation from S Capital VC and Y Combinator, which brought total funding to roughly $30 million at that point. Six months later, Sequoia Capital led a $30 million Series B in December 2020, bringing the total to $60 million and adding Carl Eschenbach to the board. This compressed 2020 capital cadence—two rounds in six months—reflected strong early product-market fit and rapid revenue growth. In May 2021, Salt raised a $70 million Series C led by Advent International, with participation from Alkeon Capital, DFJ Growth, and existing investors. The Series C announcement cited 400% revenue growth and 160% headcount growth in the prior twelve months. In September 2022, CrowdStrike's Falcon Fund made a strategic investment in Salt Security, initiating a go-to-market partnership. The defining capital event was the February 2022 Series D: $140 million led by CapitalG (Alphabet's independent growth fund), with all existing investors participating. The round was filed with the SEC on 18 February 2022 (File No. 021-434118, CIK 0001753414) and valued Salt at $1.4 billion, securing unicorn status. The Globes report noted the company raised $210 million in the twelve months preceding the Series D. The stated use of Series D capital was to accelerate R&D, expand sales and marketing, and grow international operations. As of the run date, no Series E or subsequent primary round has been announced. Secondary-market observers (Forge, notice.co) suggest shares may trade at a discount to the 2022 peak valuation in current private-market transactions.[CO018, CO019, CO020, CO021, CO022, CO023]

1.4 Cover metrics, scale markers, and disclosure posture

Salt Security discloses enough to anchor a directional investment view but not enough to underwrite the business without management access. The most reliable cover metrics from public sources are: last-round valuation $1.4 billion (Feb 2022); total equity raised approximately $271 million; ARR approximately $48.5 million (November 2024) and approximately $75 million (June 2025) per the Latka database, implying roughly 54% ARR growth; headcount approximately 135 (Feb 2022), approximately 192 (Dec 2022), approximately 202 (Dec 2023), and approximately 201 (Nov 2025) per LinkedIn-derived estimates. Customer traction signals are qualitative. The Series D press release cited 500% revenue growth, 300% customer base growth, and 900% growth in signed Fortune 500 and Global 500 customers in the preceding year. Named enterprise customers include Equinix, Amway, OneMain Financial, Finastra, Aon, Telefónica, City National Bank, Live Oak Bank, HealthEquity, Navan, Takeda Pharmaceuticals, BP Launchpad, Markel, Berkshire Bank, Icatu Seguros, and Apiture. Absolute customer count has not been disclosed in any reviewed public source. Precise ARR per customer (ACV), net revenue retention, and gross margin are private and cannot be confirmed without management access. The company's disclosure posture is private- undisclosed in the standard taxonomy.[CO028, CO029, CO030, CO031, CO032, CO033]

1.5 Milestones, partnerships, and adverse signals

Salt Security's milestone arc spans four phases: founding-era technical development (2016–2019), rapid capital formation and category definition (2020–2021), unicorn scaling and international expansion (2022), and product broadening plus ARR ramp (2023–2025). Significant product milestones include the company's stealth-phase launch of the patented C-3A Context-based API Analysis Architecture, the 2023 launch of the STEP (Salt Technical Ecosystem Partner) program to formalize technology integrations, the CrowdStrike Falcon integration announced at Fal.Con 2023, the Falcon Next-Gen SIEM extension in late 2024, and twelve consecutive months of product releases in 2025 that included GitHub Connect, MCP Finder, MCP protection for AWS WAF, and the Ask Pepper AI conversational assistant. The launch of Salt Labs—Salt's dedicated API security research unit—added publication credibility and brand authority; by its own claims, Salt Labs has discovered more API vulnerabilities than any other research team. Adverse signals are limited but material for a security company. A competitor comparison by Escape.tech (2025) criticized Salt's testing capabilities, noting reliance on HTTP header analysis over deep payload inspection and limitations in discovering unmonitored APIs that sit outside gateways or proxies. Akto's competitor analysis cited platform complexity and premium pricing as barriers for mid-market buyers. No WARN Act filings or publicized mass layoffs were found for Salt Security in layoffs.fyi or related trackers through the run date, though absolute headcount appears to have plateaued near 200 since late 2022. Secondary-market platform Forge lists Salt Security as actively traded with market activity, while noting that the displayed price may reflect discounts to the last primary-round valuation. The lack of a new funding round since February 2022—now over four years—raises a question about runway adequacy and whether the company is managing toward an exit or a bridge round.[CO035, CO036, CO037, CO038, CO039, CO040]

1.6 Exhibits

2.1 Market definition and boundary

API security addresses the protection of Application Programming Interfaces across discovery, posture governance, runtime threat detection, and developer-facing shift-left controls. The market sits within the broader Web Application and API Protection (WAAP) category defined by Gartner to encompass web application firewalls (WAF), bot protection, distributed denial-of-service (DDoS) mitigation, and API-specific controls. Dedicated API security vendors such as Salt Security focus exclusively on the API layer, while incumbent WAAP vendors bundle API protections into broader platform offerings. Included spend covers: API discovery and inventory tools, API posture governance and compliance platforms, behavioral runtime threat detection for APIs, API security testing (DAST, fuzzing, schema validation), and agentic/AI API security. Excluded from the narrow API security market are traditional WAF spend (counted in WAAP or application security), API gateway management and developer tooling (counted in API management), general AppSec testing platforms (SAST, SCA), and identity and access management (IAM) spend. Status-quo substitutes include: enterprise WAF rules (Imperva, Akamai, F5, Cloudflare) that provide partial API visibility; API gateway security policies (Kong, MuleSoft, AWS API Gateway); homegrown API inventory spreadsheets and manual pen-testing; and SaaS security posture management (SSPM) tools with limited API coverage. These substitutes serve budgets not yet committed to a dedicated API security line item. The OWASP API Security Top 10 (2023 edition) anchors the risk taxonomy buyers reference when evaluating solutions. The G2 API Security category qualifies products that must discover and inventory APIs, enforce authentication and RBAC, encrypt data, log access activities, and perform vulnerability assessments—criteria that define the minimum viable product floor and shape the purchasing checklist.[CM001, CM002, CM003, CM004, CM005, CM006]

2.2 Market sizing — TAM, SAM, and contradictory estimates

The standalone API security market is estimated at USD 3,034 million by 2028 at a CAGR of 32.5% (MarketsandMarkets, July 2023). This figure covers platforms and solutions, professional services, and managed services for API security only, and is geographically global. The methodology is a bottom-up vendor revenue aggregation with top-down growth modeling; limitations include reliance on vendor-provided data, scope creep from inclusion of adjacent categories, and compressed publication window relative to the run date. The broader application security market offers a wider addressable frame: MarketsandMarkets (July 2026) projects the App Security market at USD 41.16 billion in 2026 growing to USD 66.03 billion by 2031 at a 9.9% CAGR, of which API security is one sub-segment alongside SAST, DAST, SCA, container security, and mobile AppSec. API security's share of App Security spend is not precisely isolated but analyst notes suggest 10–15% of App Security budgets are earmarked for API-specific tools where programs are mature. Contradictory estimates are preserved: the MarketsandMarkets $3.0B by 2028 figure implies a 2023 base of approximately $680M (back-calculated at 32.5% CAGR), while some analyst summaries cited in industry press position the 2026 API security market at $3–5B. These divergences reflect definitional boundary differences (narrow API security vs. WAAP vs. full App Security), methodology (vendor revenue vs. buyer spend), and inclusion or exclusion of professional services. The SAM for Salt Security—focusing on large enterprise accounts above 1,000 employees with complex API-intensive application stacks in regulated verticals—cannot be precisely isolated from public sources; an evidence gap is documented. Industry signals corroborate demand growth: Salt's 2024 State of API Security report found 66% of organizations manage more than 100 APIs (up from 59% in 2023), and API count grew 167% year-on-year. The Gartner 2021 revised prediction stated that API abuses would constitute the most-frequent attack vector for enterprise web-application breaches. These data points are lagging indicators that validate market creation but do not translate directly to addressable revenue pools.[CM007, CM008, CM009, CM010, CM011, CM012]

2.3 Buyer segmentation and adoption path

API security buying is predominantly enterprise-led. The primary buyer persona is the Chief Information Security Officer (CISO) or VP of Application Security at organizations with annual revenues above USD 500 million, complex API surface areas (100+ external APIs), and regulated data obligations. The CISO owns the budget in most procurement cycles; the AppSec or DevSecOps team is the technical evaluator; DevOps and platform engineering teams are the end users and integration owners. Vertical concentration is high: Salt Security's named customer set spans financial services (OneMain Financial, Berkshire Bank, City National Bank, Live Oak Bank, Apiture, Finastra, Icatu Seguros), insurance (Aon, Markel), pharmaceutical (Takeda), technology/SaaS (Equinix, Navan, HealthEquity, Apiture), and energy/industrial (BP Launchpad). This distribution mirrors the OWASP Top 10 threat exposure: financial APIs carry BOLA/authentication risk; healthcare APIs carry data-privacy regulatory exposure (HIPAA, GDPR); digital commerce APIs carry business-logic abuse and bot-attack risk. The adoption path typically follows a discovery-first motion: organizations begin with API inventory and shadow API discovery (no agent required), observe behavioral baselines, then expand to posture governance and runtime threat detection. The proof-of-concept (POC) cycle has been noted as 3–6 months at enterprise scale, which lengthens sales cycles and compresses recognized ARR relative to bookings. Platform consolidation toward WAAP bundles (Akamai, Imperva, Cloudflare) creates an alternative adoption path where API security is added to an existing WAF license rather than purchased as a standalone product. The budget owner's decision frame is increasingly compliance-driven: PCI DSS v4.0 (effective 2025) introduces API-specific requirements; GDPR enforcement actions for API data exposures are rising; the U.S. Executive Order on Improving the Nation's Cybersecurity (EO 14028) elevated software supply-chain and API security for federal contractors. These regulatory tailwinds convert API security from a discretionary to a compliance-mandated budget line item in regulated verticals.[CM016, CM017, CM018, CM019, CM020, CM021]

2.4 Growth drivers and adoption constraints

Five primary growth drivers are shaping the API security market through 2028. First, API proliferation: the Salt 2024 report documents a 167% increase in API count year-on-year, with 66% of organizations managing more than 100 APIs and 67% receiving more than 10 million API requests monthly. Each new API is a potential attack surface that legacy tools do not cover. Second, attack escalation: 37% of survey respondents experienced an API security incident in the past 12 months (up from 17% in 2023), and the proportion with advanced API security programs declined from 12% (2023) to 7.5% (2024)—indicating supply of mature defenses is lagging demand from attackers. Third, regulatory and compliance pressure: OWASP API Security Top 10 (2023) codified risk categories that procurement teams now reference directly; PCI DSS v4.0 and GDPR create enforceable obligations in financial and healthcare verticals; and U.S. and EU AI-governance frameworks impose API-level controls for agentic AI workloads. Fourth, agentic AI and LLM adoption: as organizations deploy AI agents that communicate via Model Context Protocol (MCP) servers and REST/GraphQL APIs, the API attack surface expands to include prompt injection, over-permissioned agents, and unvetted third-party tool integrations—a new risk category that incumbent WAF and gateway vendors do not address natively. Salt's 2025 roadmap (Salt Illuminate, MCP protection, Ask Pepper AI) is specifically positioned on this driver. Fifth, digital transformation and cloud migration: multi-cloud architectures multiply the number of API endpoints and the number of environments requiring consistent policy enforcement; microservices decomposition converts monolith business logic into API-exposed services, compounding the discovery and governance challenge. Adoption constraints are material. Budget concentration limits: 7.5% of organizations have dedicated API testing and threat modeling programs, meaning the mass market is not yet spending on standalone API security tools. POC cycles of 3–6 months, deployment complexity (traffic mirroring, sensor placement, SIEM integration), and high logging costs (Salt's traffic-mirroring approach was criticized by Escape.tech as increasing logging costs) slow time-to-value and extend payback. Incumbent WAAP bundling by Akamai, Cloudflare, and Imperva allows large enterprise customers to address a checklist API security requirement at zero or near-zero incremental cost on an existing contract, reducing standalone API security deal size and win rates. Market consolidation (Akamai's ~$450M acquisition of Noname Security in 2024) concentrates channel power and credentialing in incumbent hands.[CM023, CM024, CM025, CM026, CM027, CM028]

2.5 Exhibits

3.1 Landscape and competitor classes

Salt no longer competes in a clean pure-play API-security lane. The direct API-native set still matters most in product-to-product evaluations: Akamai after its Noname acquisition, Traceable by Harness, Cequence, Wallarm, and 42Crunch each sell a recognizably dedicated API-security story. But the market boundary has widened in two directions. First, broader WAAP and CNAPP vendors such as Prisma Cloud, Cloudflare, Fastly, and Imperva now market discovery, protection, and posture capabilities as part of bigger app, edge, or cloud-security platforms. Second, substitutes such as Kong-style gateways and bot specialists like DataDome can absorb narrower budget lines when a buyer wants validation, rate limiting, or abuse defense rather than a full API-security control plane. The category is also consolidating. Noname was absorbed by Akamai, while Traceable merged with Harness, showing that API security is increasingly being distributed through larger security and delivery platforms rather than remaining a standalone procurement motion. That matters for Salt because buyer shortlists now mix pure-play vendors, edge or WAAP suites, CNAPP platforms, and status-quo controls in the same evaluation. The chapter therefore treats the field as four classes: direct API-native rivals, bundled WAAP and cloud incumbents, gateway or edge substitutes, and partner platforms that both help Salt distribute and highlight where the market is converging.[CP001, CP007, CP010, CP013, CP016, CP018]

3.2 Capability models: runtime depth, posture, and shift-left trade-offs

Salt’s public differentiation is not simply “API security,” but the specific combination of discovery, posture governance, and behavioral threat analysis that can plug into an existing security stack. That makes it distinct from the two sharpest specialist counterpositions. Wallarm and Cequence attack the category from the inline-blocking side, arguing that discovery and detection are insufficient unless the platform can natively block abuse, account takeover, and OWASP API attacks in real time. 42Crunch pushes from the contract-first side: its micro-firewall and audit workflow are strongest when teams already manage mature OpenAPI definitions and want policy enforcement tied directly to API contracts and CI/CD gates. The broader platform vendors compete differently. Prisma Cloud combines discovery, risk profiling, bot and DoS controls, and both inline and out-of-band deployment inside a CNAPP and WAAS frame. Cloudflare and Fastly bring API security into edge-native traffic, abuse, and DDoS workflows. Kong is a weaker direct replacement for Salt because it depends on plugins, gateway controls, and developer-owned policies rather than dedicated API-discovery and behavior analytics; however, it remains a meaningful substitute for buyers who want “good enough” gateway security before buying a specialist platform. The practical read-through is that Salt wins when buyers value deep API-specific context without re-platforming their WAF, CDN, or gateway estate, but loses narrative advantage whenever a rival can collapse that functionality into inline enforcement or a preexisting platform budget.[CP001, CP002, CP003, CP013, CP014, CP015]

3.3 Distribution power, platform leverage, and partner overlap

Competitive power in this market increasingly comes from distribution and adjacency, not only from product checklists. Akamai’s Noname deal gives it a direct API-security asset inside a much broader application and edge-security business. Cloudflare and Fastly benefit from already sitting in the traffic path. Prisma Cloud benefits from existing CNAPP, cloud, and compliance buying motions. Those vendors do not need to win on API security alone; they can package it with broader platform renewal, cloud posture, WAAP, bot management, or enterprise-support commitments. Salt’s answer is partnership-led expansion. The CrowdStrike and Wiz integrations strengthen Salt’s route to market by putting API risk context inside XDR and CNAPP workflows that many enterprises already operate. The CrowdStrike integration is particularly important because it lowers discovery friction through Falcon agents and offers automated response hooks, while the Wiz integration connects API posture and threat data to cloud attack-path analysis. Yet those same integrations reveal a strategic tension: if API security becomes a feature inside the dominant XDR and cloud-security consoles, the platform owner gains distribution leverage and can eventually compress the specialist’s bargaining power. Public pricing evidence compounds this issue. Cloudflare and Kong expose more packaging structure than the specialist set, but the retained evidence still does not provide true apples-to-apples delivered cost, making live proposals and win-loss data more important than website pricing for underwriting.[CP003, CP004, CP005, CP006, CP023, CP024]

3.4 Moat durability and underwriting takeaway

Salt’s moat is real, but narrower than a category-creator narrative might imply. The company still has a coherent specialist story around discovery, posture governance, behavioral analysis, and partner-friendly deployment into existing stacks. That depth should remain valuable in environments where generic WAAP checklists miss business-logic abuse, contract drift, or workflow integration needs. The presence of direct specialists such as Cequence, Wallarm, and 42Crunch also suggests the market has not fully commoditized into a single WAAP feature bucket. The harder underwriting issue is whether Salt can preserve premium positioning as more buyers default to platform consolidation. Inline-capable specialists can turn the conversation into a “detect versus block” objection. WAAP and CNAPP vendors can turn it into a “why buy another point product?” objection. Hybrid or regulated buyers can favor vendors with explicit traffic-path control or hybrid deployment language. Meanwhile, public sources still do not reveal comparative win rates or delivered economics. That means the right conclusion for later risk and valuation work is not that Salt lacks differentiation, but that its durability depends on proving three things with private evidence: first, that behavioral analytics and posture governance translate into measurable customer outcomes; second, that partner-led distribution expands pipeline faster than platforms internalize the feature set; and third, that Salt can defend margin and renewal quality even as API security becomes a standard evaluation criterion inside broader app-security platforms.[CP002, CP007, CP016, CP021, CP022, CP030]

3.5 Exhibits

4.1 Revenue model and pricing structure

Salt Security's revenue model is a pure-play enterprise SaaS subscription, sold as annual contracts priced primarily on API call volume. The company does not publish a public pricing page; the clearest list-price signal comes from the AWS Marketplace listing, which sets $100,000 per year for up to 100 million API calls per month as a published baseline for standard enterprise deployment. The Vendr procurement database and third-party pricing aggregators confirm an estimated average contract value (ACV) range of approximately $70,000 to $210,000 annually for enterprise customers, with variance driven by call volume, feature set, and negotiated deployment scope. Beyond base subscription, the model includes overage charges when monthly API call volume exceeds contracted thresholds. Enterprise buyers can layer in additional capabilities such as the posture governance module, advanced remediation, and the CrowdStrike Falcon integration add-on. Salt Security is available through direct sales and through cloud marketplaces (AWS Marketplace, CrowdStrike Marketplace), enabling customers to draw down cloud committed-spend agreements against Salt purchases. Revenue is almost entirely subscription-based; professional services (integration, proof- of-concept delivery) appear to be a minority of total revenue based on business model description and company communications. A partner in the AWS Marketplace review channel described the pricing as "affordable" and "annual subscription fee," while noting integration support is organizational rather than software-based. This confirms the software-only revenue recognition model with no significant embedded services margin dilution. Revenue recognition follows standard SaaS ratable-over-subscription-term accounting, meaning ARR is recognized monthly over the contract period and multi-year prepayments would create deferred revenue.[CI001, CI002, CI003, CI004, CI005, CI006]

4.2 GTM motion and sales efficiency proxies

Salt Security uses an enterprise direct-sales motion supplemented by a channel program. The direct-sales team, led by CRO Matt Quarles (hired in 2023), focuses on CISO and application-security buyers at Fortune 500 and Global 500 accounts. The company has expanded into Europe and Latin America since 2021, reflecting a two-tier geographic GTM: the core North American enterprise market and international expansion markets. Channel economics are anchored by the STEP (Salt Technical Ecosystem Partner) program launched in August 2023 and the CrowdStrike Marketplace listing, which gives Salt access to CrowdStrike's installed base. The CrowdStrike Falcon Fund strategic investment and co-sell arrangement (September 2022) is a material GTM event: CrowdStrike's Falcon Next- Gen SIEM integration (late 2024) expands the channel TAM by allowing Salt to reach customers already running CrowdStrike. AWS Marketplace availability also lets customers apply reserved-capacity spend toward Salt contracts, reducing procurement friction for cloud-native buyers. Public unit-economics data are sparse. The only disclosed sales efficiency proxy is the company's own claim of 90%+ gross margins (2020), which implies high software gross profit but does not reveal CAC or LTV. Enterprise API security deals typically run 3-9 month sales cycles in the initial year; renewal cycles are faster. Proof-of-concept (PoC) periods are a critical friction point — competitor comparison sources note extended PoC timelines as a customer complaint, which affects CAC payback. No NRR or cohort retention data has been publicly disclosed. The company targets customer satisfaction and employee retention as its primary success metrics (per Series D commentary), which are lagging rather than leading revenue-efficiency indicators.[CI007, CI008, CI009, CI010, CI011, CI012]

4.3 Cost structure and gross margin signals

Salt Security is a cloud-delivered SaaS company with the cost structure typical of high- growth enterprise security platforms: high gross margins on software, heavy R&D and S&M investment, and limited physical capital requirements. The 2020 TechCrunch report is the only public gross margin data point: gross margins had "significantly improved to over 90%" as of June 2020. This is consistent with pure-play SaaS security companies of similar scale, where hosted big-data infrastructure (the core Salt differentiator) is the main COGS driver. Salt's API Protection Platform relies on a cloud-scale big-data processing engine that must ingest and analyze API traffic at large enterprise volumes. The stated architecture uses time-series ML/AI at cloud scale, implying meaningful infrastructure costs in cloud compute, storage, and data egress for enterprise deployments. As ARR has grown from approximately $5 million (2021) to approximately $75 million (2025), COGS likely increased proportionally, but the 90%+ margin baseline suggests infrastructure costs are well-managed relative to subscription revenue. Industry SaaS benchmarks place subscription gross margins at 75-85% median and 80-90% for top-quartile security SaaS companies (Benchmarkit 2025), making Salt's 2020 figure aggressive even by top-quartile standards; current margin is unknown and may have compressed as infrastructure scale grew. Operating expenses are dominated by R&D and sales & marketing. The Series D ($140M, Feb 2022) was explicitly directed at increasing R&D investment and expanding sales and marketing. The company tripled its workforce between 2021 and 2022 (roughly 65 to 192 employees), indicating substantial S&M headcount investment at that period. Headcount has since plateaued near 200 employees (2022–2025), suggesting operating expense growth moderated after the initial Series D deployment. Capital expenditures are minimal for a cloud-hosted SaaS company; no manufacturing, inventory, or significant hardware capex is implied by the business model.[CI014, CI015, CI016, CI017, CI018, CI019]

4.4 Public traction metrics and private-data gaps

The available public financial picture for Salt Security is narrow relative to investment underwriting requirements. Confirmed or well-sourced metrics include: ARR approximately $48.5 million (November 2024) and approximately $75 million (June 2025) per Latka; total equity raised approximately $271 million (last confirmed Feb 2022 via SEC Form D); last round valuation $1.4 billion (Feb 2022). These are the only numeric revenue-related data points with meaningful sourcing. Company-claimed traction from the February 2022 Series D press release includes 500% revenue growth, 300% customer base growth, and 900% growth in signed Fortune 500/Global 500 customers in the preceding 12 months. If the 2022 growth numbers are directionally accurate, and the 2020 ARR was approximately $5 million (implied by Latka's 2021 figure of $4.9 million), then the 2022 ARR trajectory would have placed Salt at approximately $20-30 million post-Series D. The Latka $48.5 million figure for late 2024 implies slower growth in 2022-2024 than the hyperscale 2020-2022 period. This is consistent with the broader API security market maturing and with Salt plateauing its headcount at ~200 employees (suggesting deliberate expense management or a period of investment digestion). Materially absent from public disclosure: absolute customer count, customer concentration (top-5 ARR share), net revenue retention rate, gross dollar churn, average contract value (ACV) distribution, deferred revenue, cash and cash equivalents, net income/loss, and burn rate. These are standard underwriting inputs for a SaaS company that cannot be reconstructed from public sources. The company's disclosure posture is private-undisclosed.[CI020, CI021, CI022, CI023, CI024, CI025]

4.5 Capital adequacy, financing dependency, and financial verdict

Salt Security's last primary equity event was the $140 million Series D in February 2022, confirmed by SEC Form D (File No. 021-434118). With ARR growing from approximately $48.5 million (late 2024) to approximately $75 million (mid-2025), and assuming the company manages toward cash-flow break-even at scale consistent with the 90%+ gross margin baseline, the Series D capital should theoretically support operations through at least 2025-2026 depending on burn rate. However, burn rate is not disclosed: a 200-person enterprise security company with heavy R&D and S&M investment typical of the API security sector could plausibly run at $3-8 million per month in operating expenses, implying remaining runway of 12-36 months from the Series D deployment window. These are estimates only. No Series E or subsequent debt/credit facility has been publicly announced as of the June 2026 run date. Secondary-market observations from Forge Global and notice.co suggest shares trade at potential discounts to the $1.4 billion 2022 primary-round valuation. The combination of four-plus years without a primary round, plateaued headcount, and improving ARR (if the Latka figures are directional) could indicate either: (a) strong organic cash generation approaching break-even, making a new round unnecessary; or (b) difficulty accessing capital at the $1.4 billion reference valuation, leading to runway management. Without audited financials, both scenarios are consistent with public evidence. Financial verdict: Salt Security has a high-quality SaaS revenue model (annual subscriptions, enterprise ACV, 90%+ gross margin baseline), strong ARR growth signals (~54% YoY), and adequate historical capital. The primary financial diligence blockers are the absence of audited financials, unknown burn and runway, unknown NRR and CAC payback, and the unresolved capital structure question (no post-2022 primary round). Revenue quality is assessed as medium-high given the enterprise subscription model and named Fortune 500 logos, but cannot be underwritten without management financial access.[CI027, CI028, CI029, CI030, CI031, CI032]

4.6 Exhibits

5.1 Platform definition and architecture

Salt Security markets its core product as Salt Illuminate, a SaaS-delivered API security platform that operates agentlessly by mirroring API traffic through cloud connectors (Salt Connect) to an off-path cloud data lake. No inline agent is inserted into the request path, so application latency is unaffected. The platform then applies behavioral machine learning to establish per-API traffic baselines—modelling hundreds of attributes such as parameter consistency, request frequency, response volume, and device or address patterns—and flags deviations as attacker reconnaissance before credentials are compromised or data is exfiltrated. The company describes this engine as patented. The three top-level platform capabilities are API Discovery & Visibility (finding shadow, zombie, internal, partner, and public APIs), API Posture & Compliance (mapping APIs against ~100 pre-loaded security rules covering PCI DSS, HIPAA, GDPR, SOC 2, NIST, CMMC, and FedRAMP), and API Threat Detection & Protection (behavioral anomaly detection and early blocking). In March 2026 Salt launched the Agentic Security Platform, expanding coverage to LLMs, MCP servers, and AI agent traffic under the umbrella of the Agentic Security Graph—a contextual risk layer mapping relationships between reasoning, execution, and action layers of modern AI stacks. Salt frames this as securing the full agentic lifecycle from code (GitHub Connect, November 2025) to runtime (AG-DR). The platform is available as SaaS or on-premises, integrates with AWS, Azure, GCP, and major API gateways, and claims deployment within minutes for the initial cloud-connect step.[CE001, CE002, CE003, CE004, CE005, CE006]

5.2 Core modules — discovery, posture, and threat protection

API Discovery is delivered through three complementary data paths: Salt Connect (agentless connectors pulling metadata from AWS, Azure, GCP, Kong, Apigee, MuleSoft, NGINX, and Istio via traffic mirroring), Salt Surface (external attack-surface scanner that maps public-facing APIs from an adversary's perspective), and GitHub Connect (code-repository scanner launched November 2025 that identifies APIs and MCP server configurations in source before deployment). Together these three paths address the industry limitation Salt's own research identified: CDN-based single-source discovery misses an estimated 30.7% of APIs. The Posture Management engine, centered on the Policy Hub, ships with approximately 100 pre-loaded rules and allows custom rule authoring. Salt's 2025 State of API Security Report found only 10% of enterprises have deployed an API posture governance strategy, which frames the Policy Hub as an early-mover advantage. The Threat Detection engine uses behavioral ML baselines to detect BOLA/IDOR, credential stuffing, account takeover, data exfiltration, session manipulation, API abuse, and injection attacks—categories Salt's research shows make up roughly 80% of attacks mapped to the OWASP API Security Top 10. Attack remediation surfaces actionable developer guidance through SIEM and ticketing integrations (Splunk, Microsoft Sentinel, Jira). Sensitive-data tracking maps PII, PHI, and payment-card data flowing through APIs in motion, feeding both posture reports and compliance exports.[CE010, CE011, CE012, CE013, CE014, CE015]

5.3 Agentic security capabilities and AI-native features

At CrowdStrike Fal.Con in September 2025 Salt introduced MCP Protect and Agentic AI Governance—the industry's first claimed solution to secure AI agent actions across APIs and Model Context Protocol (MCP) servers at runtime. GitHub Connect (November 2025) extended discovery into source-code repositories for pre-deployment MCP risk scoring. In March 2026 these capabilities were unified as the Salt Agentic Security Platform, which adds two new security product categories: Agentic Security Posture Management (AG-SPM, continuous discovery and governance of LLM connectivity, agent inventories, MCP servers, and their relationships) and Agentic Detection and Response (AG-DR, real-time detection of abuse, misuse, and anomalous behavior across agent-driven API calls and MCP interactions). The platform also ships Ask Pepper AI, a conversational assistant announced December 2025 that allows security analysts to query the platform in natural language and investigate threats without learning bespoke query syntax. Salt Code, announced June 2026, aims to carry security policy into AI coding-assistant outputs. The underlying concept is the Agentic Security Graph—a security context layer mapping LLMs (reasoning), MCP servers (execution), and APIs (action) as interconnected pillars, so risk can be prioritized by the actual blast radius of each agent rather than treating all agents as equivalent. Salt's 1H 2026 research (327 security professionals surveyed) found 92% of organizations lack advanced security maturity for agentic environments and 99% of attack attempts analyzed originate from authenticated sources, validating the focus on behavioral runtime protection rather than perimeter blocking.[CE020, CE021, CE022, CE023, CE024, CE025]

5.4 Deployment model, integrations, and reliability

Salt deploys agentlessly via traffic mirroring: the platform receives a copy of API traffic and sends only metadata to its cloud-based API data lake. This architecture ensures zero impact on application request latency and requires no code changes or architectural modifications. The onboarding wizard for Salt Illuminate claims full initial deployment in minutes for cloud-connect sources. Salt's own infrastructure runs on AWS and processes several million messages per minute across hundreds of backend instances, as documented in the AllCloud/Datadog case study. The platform uses Kafka as its message queue and Kubernetes for container orchestration, with Datadog for observability and cost optimization. Integration ecosystem covers API gateways (Kong, Apigee, MuleSoft, NGINX, Istio), cloud platforms (AWS, Azure, GCP, Akamai, Cloudflare, F5, Kubernetes), SIEM/SOAR and observability (Splunk, CrowdStrike Falcon, Microsoft Sentinel, Jira, Slack), and CI/CD tooling (GitHub, Docker). The CrowdStrike integration deepened in April 2025 to provide closed-loop API intelligence in the Falcon platform. Salt entered a 3-year AWS Enterprise Discount Program (EDP) commitment, signaling long-term cloud-infrastructure dependency on AWS. No public status page, uptime SLA, or incident history is currently accessible from the Salt Security website, which is a diligence gap for enterprise buyers requiring contractual reliability assurances.[CE028, CE029, CE030, CE031, CE032, CE033]

5.5 Trust, security, and compliance

Salt's Policy Hub ships with approximately 100 pre-loaded posture rules aligned to PCI DSS, HIPAA, GDPR, SOC 2, NIST, CMMC, and FedRAMP. These are framework mappings for customer APIs, not certifications of Salt's own platform. The cloudsecurity.org technical assessment maps the platform to ISO 27001 controls for incident management (5.24–5.28) and access control (5.15–5.18), noting Salt supports continuous API traffic monitoring, anomaly detection, SIEM integration, and enforcement commands to block unauthorized access. UpGuard's June 2026 security rating assigned Salt Security a "B" grade based on externally verifiable posture checks, noting a flagged content-security-policy (CSP) concern but no major breach history. The CrowdStrike marketplace brief notes that Salt connects Salt API intelligence into the CrowdStrike security ecosystem for closed-loop protection, integrating with AWS WAF for enforcement at the edge (announced December 2025). Salt has not publicly disclosed SOC 2 Type II, ISO 27001, or FedRAMP certifications for its own SaaS platform. The data-processing model—in which Salt receives metadata copied from customer API traffic—creates a shared-responsibility boundary: Salt processes API metadata in its cloud data lake, which requires customers to trust Salt's own security controls for potentially sensitive API behavioral data. This trust boundary is a standard diligence ask for enterprise security buyers but is not publicly addressed in Salt's current trust surface.[CE035, CE036, CE037, CE038, CE039, CE040]

5.6 Roadmap, releases, and development velocity

Salt's public 2025 release cadence, documented in its "12 Months of Innovation" press release, shows one major product launch per month across discovery, posture, runtime protection, MCP/agentic AI security, and conversational investigation features. Key 2025 releases: Salt Illuminate (June 2025, unified platform brand), Salt Surface (July 2025, external attack-surface scanner), AI Agent API Security at CrowdStrike Fal.Con (September 2025), GitHub Connect and MCP Finder (November 2025), and Ask Pepper AI plus AWS WAF MCP protection (December 2025). In March 2026 Salt launched the Agentic Security Platform with AG-SPM and AG-DR, its largest architectural expansion to date. Salt Code (AI coding assistant security) was announced June 2026. The GitHub org (SECful) shows active commits through May 2026 across open-source tools including Peekaboo (visual API discovery scanner, Python), api_extractor (REST API extraction from source code), apk-processor (Android APK API extraction, Go), url_learning_v2 (high-performance path-template trie, Java, 1.2M lookups/sec), deployment_ai_advisor (AI-powered infrastructure recommendations), and terraform-ibm-salt-cloud-connect (Terraform module for IBM Cloud, updated May 2026). Competitive mindshare concern: one market research source reports Salt's API security buyer mindshare fell from 13% in 2025 to 7% in 2026, indicating competitive erosion despite rapid product innovation. gRPC support has not been confirmed in any reviewed source and remains an evidence gap; the platform clearly supports REST and GraphQL and is documented for WebSocket traffic mirroring.[CE041, CE042, CE043, CE044, CE045, CE046]

5.7 Exhibits

6.1 Customer base segmentation and vertical focus

Salt Security's official marketing and the CrowdStrike Executive Brief identify FinTech, Financial Services, Technology SaaS, and Pharmaceutical as the company's primary target verticals. The AppSec Santa 2026 review and company customer page corroborate this with a broader named-customer list spanning retail e-commerce (DeinDeal, Switzerland), automotive/manufacturing (Hyundai), medical devices (Stryker), financial technology (SoFi), hardware/technology (Kingston Technology), banking (Standard Bank Group, South Africa), manufacturing/software (Siemens), and aviation (Alaska Airlines). These names are drawn from company-authored materials and the AppSec Santa independent review; they have not been individually confirmed via independent third-party case studies except for DeinDeal (2021 PR Newswire announcement) and Siemens (2026 CISO quote at Agentic Platform launch). The buyer profile is consistently enterprise: the G2 review base skews to Enterprise (>1,000 employees) and Mid-Market buyers. Salt's own 2025 State of API Security Report surveyed 206 professionals, and the 1H 2026 report surveyed 327 security leaders—these respondent pools are consistent with enterprise security spending. No customer count (total active accounts) is publicly disclosed. The CrowdStrike brief states Salt "protects some of the largest enterprises in the world." No breakdown by geography, industry vertical share, or account size band is publicly available.[CU001, CU002, CU003, CU004, CU005, CU006]

6.2 Adoption trajectory and deployment indicators

Salt does not publicly disclose customer count, ARR, or pipeline metrics. Adoption-trajectory signals available from public sources are indirect. The AllCloud/Datadog case study states that "over the past year, Salt Security has grown its customer base significantly," with the infrastructure scaled to process several million messages per minute across hundreds of backend instances. The 2025 "12 Months of Innovation" press release states "the market response has been tremendous" for 2025 releases, and the company completed a 3-year AWS Enterprise Discount Program commitment—a forward signal of expected traffic growth. Salt's own market research (1H 2026, 327 respondents) found 66% of organizations report API growth of over 50% in the past year, and only 37% of organizations using agentic AI have dedicated API security—both metrics frame a large unmet demand that Salt's new Agentic Platform addresses. The Microsoft Azure Marketplace and CrowdStrike marketplace listings indicate multi-cloud distribution partnership coverage. G2 review count (12 total, last review May 2026) is low for a company claiming global enterprise reach, and the platform has not received a new G2 review in approximately two months as of run date. The FeaturedCustomers profile for Salt shows 20 total customer references, with reference rating 4.8/5. No publicly available cohort data, renewal rates, or account expansion metrics are disclosed.[CU009, CU010, CU011, CU012, CU013, CU014]

6.3 Named customer proof and deployment quality

The strongest independent proof of production deployment is DeinDeal, a Swiss e-commerce retailer. The deployment was publicly announced via PR Newswire in April 2021 with a named executive quote (Alexandre Branquart, CTO) confirming production use of automated API discovery, PII protection, behavioral anomaly detection, and blocking in the company's mobile and web applications. The case study cites processing thousands of transactions daily, discovery of all APIs across build/deploy/runtime, and context for blocking attackers. DeinDeal processed high volumes of PII; the deployment context (rapid pandemic growth, food delivery expansion) gives this reference strong qualitative depth. The Siemens case provides 2026 production validation: CISO Shawn Griffin (listed as CISO, CFIUS Security Officer & Cybersecurity Officer) gave a named quote at the Agentic Platform launch (March 2026), stating that Salt gave Siemens "improved visibility and protection that we need to confidently scale AI across the Siemens Software business." This is agentic-platform early-adoption evidence from a global manufacturing enterprise. The SoFi deployment is mentioned in Salt's YouTube and marketing materials as a case involving API security for a fintech platform; no independent case study is available. Alaska Airlines, Hyundai, Stryker, Kingston Technology, and Standard Bank are listed as customers in the AppSec Santa 2026 review (an independent technical analysis) and on the Salt customers page, but without outcome evidence or public confirmation beyond logo/mention level. The TFiR article independently covered the DeinDeal deployment announcement, providing third-party editorial confirmation of that reference. G2 reviews (12 total) include multiple Enterprise and Senior InfoSec titles reporting production use, anomaly detection in live environments, and API visibility benefits—qualitatively consistent with claimed deployment depth.[CU016, CU017, CU018, CU019, CU020, CU021]

6.4 Retention, durability, and satisfaction signals

No NRR, GRR, gross retention rate, or cohort-level churn data is publicly disclosed by Salt Security. G2 shows an aggregate score of 4.7/5 across 12 reviews, with consistent themes of strong product capability and highly responsive support team. One G2 enterprise reviewer (2023) rated the platform 5/5 and stated it is "the creme de la creme of API security tools." A Senior Manager Security reviewer (2023) noted the product was "instrumental in helping us resolve attacks and better understanding vulnerabilities" with "great responsiveness from Salt team," and cited a desire for better root-cause findings as the only criticism. Earlier G2 reviews (2021–2022) note a newer, maturing product with some missing integrations (native SIEM action logging gaps), which is consistent with the product's 2021–2022 stage rather than current maturity. The PeerSpot profile notes that Salt "improves security posture" and cites real-time monitoring and automated threat detection as valued features. The DeinDeal case study (2021) does not disclose renewal terms, but the ongoing presence of DeinDeal on the Salt customers page (as of the 2026 customers page fetch) suggests continued relationship. The Gartner Peer Insights URL was fetched but returned a 403 paywall block; the content was not accessible. No enterprise churned customer, public contract cancellation, or critical adverse review was found in any retained source. The adverse signal is indirect: a reported mindshare drop from 13% to 7% (2026) may indicate competitive customer erosion, but this is a single-source, non-attributed claim from PeerSpot and cannot be independently validated.[CU025, CU026, CU027, CU028, CU029, CU030]

6.5 Expansion, concentration, and channel dependence

Salt's go-to-market leverages the CrowdStrike Falcon platform (integration deepened April 2025) and the Microsoft Azure Marketplace and CrowdStrike Marketplace as distribution channels. The 3-year AWS EDP commitment adds AWS as a structural partnership. Salt also partners with AllCloud (AWS managed services), suggesting a VAR/SI channel for complex deployments. These partnerships create both distribution reach and dependency: Salt's ability to reach CrowdStrike's installed base (enterprise security teams) is a growth lever, but also means a portion of pipeline health is linked to CrowdStrike's sales motion. No revenue concentration data (top 10 customer share of ARR) is publicly disclosed. Salt targets the world's largest enterprises, which means individual deals are likely large and account concentration could be material; this is a diligence ask. The land-and-expand model is structurally enabled: Salt's platform discovers more APIs over time and can expand coverage as customers add new cloud environments, gateways, and AI agents—each new capability (AG-SPM, AG-DR, GitHub Connect) is a new upsell surface. However, no NRR or expansion ARR data is disclosed to validate whether this model is working in practice. The 1H 2026 survey found 47% of organizations have delayed production AI releases due to API security concerns, creating a procurement tailwind but also a potential objection to fast adoption of the newer Agentic Platform modules.[CU031, CU032, CU033, CU034, CU035, CU036]

6.6 Exhibits

7.1 Competitive Pressure and Market Commoditization

Salt Security operates in a rapidly consolidating API security market where hyperscalers and CDN platforms now offer native API protection features that compete directly with Salt's standalone offering. Cloudflare launched API Abuse Detection in 2021, AWS API Gateway provides throttling, authorization, and request validation natively, and Akamai completed the acquisition of Noname Security—Salt's primary purpose-built competitor—in 2024 for approximately $450 million. Akamai in 2026 announced its intent to acquire LayerX for AI usage control, signaling continued platform expansion. These moves represent aggressive platform consolidation that compresses the addressable premium market for standalone API security vendors and creates long-term margin pressure. An independent competitor comparison by Escape.tech (2025) states that frustration among security professionals with Salt Security has been mounting due to proof-of-concept cycles that take months and findings described as not actionable. G2 reviews (12 total, average 4.7 stars) note that the product is "still relatively new and missing quite a few bells and whistles" and that SIEM logging integrations lack native action logging. The enterprise sales cycle for Salt Security's platform is inherently long; if hyperscalers continue improving native API security capabilities, buyers may opt for good-enough bundled offerings rather than best-in-class point solutions. Wallarm, Akto, Imperva, F5, and Escape represent additional competitive vectors from specialized or bundled players. The Noname/Akamai exit at approximately $450 million against an estimated prior private mark of $1 billion-plus signals that the API security market has not attracted the premium acquisition multiples anticipated at the 2022 venture peak. This is the most directly comparable public datapoint for valuing Salt Security's standalone API security business. [CR001, CR002, CR003, CR004, CR005, CR006]

7.2 Regulatory, Legal, and Privacy Obligations

Salt Security's core business requires monitoring and analyzing live API traffic, which inevitably processes personally identifiable information transmitted in API payloads. This creates ongoing GDPR, CCPA, and other privacy-law compliance obligations. Salt Security's Privacy Policy (updated March 2024) acknowledges collection and processing of customer API traffic data that may contain personal data, and commits to GDPR Article 28 data processing agreements with enterprise customers operating in the EU. GDPR violations can result in fines of up to 4% of total worldwide annual turnover or €20 million, whichever is greater, creating material financial exposure. The California Consumer Privacy Act imposes opt-out and deletion obligations and allows civil fines of up to $7,500 per intentional violation. The SEC's 2023 cybersecurity disclosure rules (effective December 2023, Release 33-11216) require public company customers to report material cybersecurity incidents within four business days and disclose risk management governance annually, creating downstream compliance documentation demands on Salt Security as a security vendor of record. The FTC enforces data security standards broadly under Section 5, and NIST Cybersecurity Framework 2.0 (released 2024) has become the de facto US enterprise security standard that enterprise customers and Salt's platform must align with. IP litigation risk is present: the API security space has seen patent assertions across the WAAP and API monitoring landscape, and Salt's proprietary machine-learning methods for behavioral analysis could attract patent challenges from larger incumbents with broader portfolios. [CR007, CR008, CR009, CR010, CR011, CR012]

7.3 Israeli-Origin, Geopolitical, and Platform Dependency Risks

Salt Security was originally incorporated as Secful, Inc. before the company’s public 2016 launch by Israeli Defense Forces veterans Roey Eliyahu (CEO) and Michael Nicosia (COO), and it still maintains active R&D operations in Israel. The conflict in the Middle East that escalated in October 2023 introduces business continuity risk to Salt's Israeli engineering team, potential workforce disruption, and sensitivity in US federal government and defense-adjacent sales channels. US government agencies and contractors may face scrutiny deploying security products from Israeli-origin vendors given Export Administration Regulations (EAR) and the broader geopolitical context. Some US government procurement vehicles impose origin and supply-chain verification requirements that Israeli-origin software must navigate. Platform dependency risk is material: Salt Security's platform relies on out-of-band traffic mirroring from third-party API gateways including Apigee, Kong, MuleSoft, and NGINX. If these gateway vendors invest in native security analytics—which AWS API Gateway is already doing—Salt loses its data ingestion advantage. Kong's API security best practices documentation now covers the same threat categories Salt addresses, indicating gateway vendors are positioning as security-capable. Cloud infrastructure concentration adds operational risk: Salt's SaaS platform depends on AWS or Azure for hosting, creating availability and cost dependency on hyperscalers who also compete directly through native API security features. Customers who migrate API gateway platforms must re-integrate Salt Security, creating churn risk during migrations. [CR013, CR014, CR015, CR016, CR017, CR018]

7.4 Financial, Funding, and Execution Risks

Salt Security raised $140 million in its Series D round in January 2022 at a $1.4 billion valuation—near the peak of private technology valuations. Total funding stands at approximately $271 million across four rounds (SEC Form D filings). Since 2022, SaaS ARR multiples for private cybersecurity companies have compressed significantly. No Series E or subsequent financing has been publicly announced between the Series D and the June 2026 run date, suggesting the company is operating within Series D runway, has reached profitability, or has been unable to raise at acceptable terms. Any new funding round in the current environment could require accepting a down round or a below-2022 valuation. The company's cumulative liquidation preference stack at $271 million raised means a below-$400 million exit would likely leave common shareholders with minimal or zero proceeds. The June 2026 launch of "Salt Code" in early access for the first 100 organizations represents a significant strategic pivot to "Agentic Security"—securing AI agents, MCP servers, and APIs. This pivot requires new product development investment, retooled go-to-market, and customer re-education. Agentic AI security is a nascent market with unclear buyer definitions and pricing norms; competing frameworks from LLM security vendors (CrowdStrike, Palo Alto Networks, Wiz) also claim the agentic security space. If the pivot does not succeed, Salt remains exposed to a contracting pure-play API security market where hyperscalers are eroding premium ASPs. [CR019, CR020, CR021, CR022, CR023, CR024]

7.5 Mitigations, Kill Criteria, and Monitoring Indicators

Salt Security's primary mitigations for competitive risk include its agentic security pivot repositioning it in the high-growth AI security space ahead of larger incumbents, and its eight-year API traffic behavioral dataset that provides a data moat hyperscalers cannot quickly replicate. The Noname/Akamai acquisition validates the strategic M&A exit path even if at a discount to 2022 marks. For regulatory and privacy risk, Salt's March 2024 privacy policy update and stated GDPR data processing agreement commitment are partial structural mitigations. Sequoia Capital's involvement (Carl Eschenbach on the board since Series B) provides governance quality and network access that reduces the risk of adverse capital events. Key thesis-break triggers include: ARR growth falling below 15% year-on-year; evidence of an Israeli R&D workforce disruption exceeding three months; any GDPR or FTC enforcement action against Salt; failure of Salt Code to demonstrate material external adoption within 12 months of general availability; a new financing round at below $800 million pre-money valuation; or loss of a marquee enterprise customer to a hyperscaler bundled alternative. An M&A exit at or above $600 million would represent a partial thesis recovery from the 2022 mark; an exit below $300 million would constitute a thesis break for Series D investors. [CR025, CR026, CR027, CR029, CR030, CR036]

7.6 Exhibits

8.1 Investment Thesis and Anti-Thesis

The investment thesis for Salt Security rests on four pillars: (1) a large and growing API and agentic security market ($5-10 billion total addressable market by 2030), (2) an eight-year behavioral dataset and ML models that hyperscalers cannot quickly replicate, (3) a well-timed pivot to Agentic Security ahead of the incumbent security platforms, and (4) Sequoia Capital sponsorship and a board that includes Carl Eschenbach (Alphabet) providing governance quality and enterprise network access. The Noname/Akamai acquisition at approximately $450 million validates M&A interest in API security platforms from CDN and cloud players. The anti-thesis is equally material: (1) Salt Security's $1.4 billion 2022 valuation was set at peak venture market conditions and now faces a 40-60% implied discount based on the Noname comparable; (2) ARR is undisclosed, making it impossible to verify whether the company's financial trajectory supports the 2022 mark; (3) hyperscalers (Cloudflare, AWS, Akamai) are bundling API security at zero marginal cost to existing customers, compressing Salt's available ASP and TAM; and (4) the Agentic Security pivot is early-access with no external adoption metrics, creating a simultaneous cannibalization risk to the existing API security base and execution risk in the new category. Customer proof-of-concept cycles reportedly take months, and G2 reviews highlight product gaps in SIEM integration. On balance, the thesis is not broken but requires substantially more evidence before a confident positive decision is supportable. The investment thesis depends critically on (a) demonstrating ARR growth above 15% per year despite competitive pressure, (b) the Agentic Security pivot achieving a paying customer base within 12-18 months, and (c) business continuity robustness for the Israeli R&D team. [CV001, CV002, CV003, CV004, CV005, CV006]

8.2 Financing Context and Valuation Evidence

Salt Security has raised approximately $271 million in four SEC Form D-documented rounds: an early round (~$11M, 2018), Series B ($30M led by Sequoia, 2020), Series C (~$68M, 2021), and Series D ($124M closed at $1.4B post-money, January 2022). No Series E or public secondary transaction has been identified as of the June 2026 run date. The company is incorporated in Delaware (as Salt Security, Inc., formerly Secful Inc.) and is headquartered in Palo Alto, California. The preference overhang from $271M raised at progressive liquidation terms means a below-$400 million exit could result in zero or minimal common stockholder proceeds under typical full-ratchet or participating preferred terms. Public evidence on Salt Security's current financial health is limited. The company has not disclosed ARR, revenue run rate, or burn rate. No data breach, public complaint, or enforcement action has been identified. Agentic Security is the current product positioning (as of June 2026), with Salt Code launched in early access for the first 100 enterprise organizations. The company's blog is active (most recent post June 2026). The absence of an ARR milestone announcement in 2024-2025 raises questions about growth trajectory. Against this opacity, the Noname/Akamai acquisition at approximately $450M in 2024 is the most relevant public datapoint. Noname raised approximately $220 million and was last privately valued at over $1 billion; the acquisition price represented a 40-60% haircut to its private mark. If Salt Security faces a similar discount path, the implied fair value range would be $560-840 million (a 40-60% discount from the $1.4B mark). A full-cycle M&A premium to Noname's price would imply $600M-$900M, still below the 2022 mark. [CV009, CV010, CV013, CV014, CV015, CV016]

8.3 Bull, Base, and Bear Scenario Analysis

The bull case assumes Salt Security achieves $80-100M ARR by 2027-2028, successfully transitions a meaningful portion of its customer base to Agentic Security with premium pricing, and attracts an M&A offer from a hyperscaler or enterprise security platform at 7-8x forward ARR. At $80M ARR and a 7x multiple, the implied enterprise value is $560 million; at $100M ARR and an 8x multiple, it is $800 million. A bull case exit would represent a 40-57% recovery from the 2022 $1.4B mark and would yield neutral to positive returns for Series C investors (who paid approximately $1 per share on $68M of capital) but likely negative returns for Series D investors (who paid approximately $1.4B per share equivalent). The bull case requires: Agentic Security achieving material paid ARR within 12-18 months, no major enterprise customer churn to hyperscalers, and Israeli R&D continuity. The base case assumes ARR grows modestly (10-15% per year) to $60-70M by 2027, the Agentic Security pivot achieves early adoption but not breakout growth, and Salt Security exits via M&A to a CDN or enterprise security acquirer at 5x ARR, yielding approximately $300-350M. Under this scenario, Series D investors (who paid approximately $1.4B) would face a 75-80% loss on the enterprise value, with common shareholders receiving minimal proceeds after preference liquidation. The bear case assumes API security commoditization accelerates, the Agentic Security pivot fails to achieve product-market fit, ARR growth stalls below 10%, and Salt Security is forced into a distressed M&A at 3x ARR ($150-200M) or a down round that further dilutes common holders. A bear case exit at $150-200M would likely yield zero proceeds to common shareholders and partial recovery for Series B/C investors. [CV017, CV018, CV019, CV020, CV023, CV024]

8.4 Comparable Valuation Set and Market Context

The private API security M&A comp set is thin but anchored by the Noname/Akamai transaction. Public security SaaS companies provide secondary benchmarks, though most are larger, more diversified, or at different stages of profitability than Salt Security. The key insight from the comp set is that standalone API security platforms do not command premium acquisition multiples unless they have achieved substantial scale ($150M+ ARR) or are acquired for their patent portfolio or customer base by a strategic acquirer. Salt Security at an estimated $50-80M ARR range would fall well below the scale threshold that drives premium M&A pricing. Private SaaS cybersecurity companies that raised at 2022 peak valuations have generally faced 40-60% valuation compression in the 2023-2026 private market. Cross-stage comparisons suggest cybersecurity SaaS companies at $50-80M ARR with 20-30% growth are trading at 5-8x ARR in 2025-2026 secondary markets. At Salt Security's estimated ARR range of $50-80M, a 5-7x ARR multiple implies an enterprise value of $250-560M, which brackets the Noname comp ($450M) and suggests the 2022 $1.4B mark requires 10-14x ARR to be realized—a multiple not currently supported by the comparable set. The Agentic Security pivot, if successful, could unlock a platform premium, but the market has not yet priced agentic AI security separately from API security. [CV021, CV022, CV023, CV027, CV028, CV029]

8.5 Exit Readiness, Diligence Asks, and Thesis-Break Triggers

Salt Security's exit readiness is moderate. M&A exit to a CDN, cloud, or enterprise security acquirer is the most likely path, with Akamai, Cloudflare, CrowdStrike, Palo Alto Networks, and Google as potential strategic acquirers. The Noname/Akamai transaction establishes that CDN players are willing to acquire API security assets. IPO readiness is low: ARR scale, profitability path, and the agentic pivot's unproven nature make public market readiness a 3-5 year timeline at best. Secondary market liquidity is an option for existing investors but at unknown prices, likely below the 2022 mark. Final diligence must address: (1) actual ARR, ARR growth rate, and NRR to size the business and validate the 5-7x multiple range; (2) Israeli team headcount and business continuity documentation; (3) copies of key GDPR Article 28 data processing agreements and SOC2 Type II certification; (4) cap table and preference waterfall modeling at $300M, $450M, and $600M exit prices; (5) evidence of Agentic Security paying customers or signed pilot agreements. The thesis-break triggers for Salt Security are: ARR declining or growing below 10% YoY; a major customer publicly citing a hyperscaler for API security replacement; failure to announce any paying Agentic Security customer within 12 months of Salt Code GA; Israeli R&D disruption of more than three months; any regulatory enforcement action; or a new financing round at below $600M pre-money valuation. [CV031, CV032, CV033, CV034, CV035, CV036]

8.6 Exhibits