Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

APIs run the show today. Whether it’s a mobile app fetching user data, a SaaS platform integrating with Stripe, or a microservice coordinating with ten others, APIs are the glue and the backbone. This is something that attackers are notoriously aware of. The challenge? Most security tooling still operates on a page-view and form-based model. It can’t view the business logic of API calls, like knowing who is supposed to do what on what object and in what context.

In this article Chief information security officers (CISOs) are continually tasked with understanding and deploying innovative solutions that reduce risk while increasing operational efficiency. As organizations expand their reliance on digital data and cloud-based infrastructures, the volume and complexity of security questionnaires have grown exponentially. In this environment, modernizing and streamlining these questionnaires is not simply about efficiency; it is a strategic imperative.

Your API attack surface is larger and more exposed than you realize. In today's complex, cloud-native environment, APIs are deployed at an astonishing rate. While this rapid pace fuels innovation, it also creates a significant visibility gap. The APIs you are aware of and manage are only the tip of the iceberg. Your actual risk exists beneath the surface, in the undocumented, unmanaged, and forgotten APIs that traditional security tools completely overlook.

Imagine an online retailer running a promotion: “Spend $100 this month, get a $25 gift card.” It sounds simple encourage loyal shoppers to spend more. But due to a flaw in the app’s logic, a clever user discovers a loophole. They place enough orders to reach the $100 threshold and receive the gift card. Then, they cancel a small order to drop below the threshold only to make a new one that pushes their total back over $100.

I’ve spent my career building solutions to protect the API fabric that powers modern businesses. I founded Salt because I saw that traditional security tools such as WAFs, gateways, and CDNs weren’t designed to see or secure APIs. That gap led to breaches, blind spots, and billions in risk. Today, we’re facing a new wave of risk that’s even bigger than the last. The rise of Agentic AI has brought us to a true inflection point. Agentic AI isn’t just another software layer.

We’ve all heard the myth: goldfish have a memory span of just a few seconds. While that’s debatable in marine biology circles, it’s useful as a metaphor in tech, especially when talking about memory, risk, and AI. The problem is, large language models (LLMs) are not goldfish. In fact, they have incredible memory. And increasingly, that memory isn’t just session-based. It’s persistent, long-term, and system-connected. That changes everything.

On July 19, 2025, a critical remote code execution (RCE) vulnerability (CVE-2025-53770, also referred to as ToolShell) was publicly disclosed, impacting on-premises Microsoft SharePoint Server installations. This vulnerability allows unauthenticated attackers to execute arbitrary code remotely by leveraging insecure deserialization techniques.