# Salt Security MCP

> Salt Security gives your AI client real-time defense for your APIs. It lets you check API inventories, find hidden or 'shadow' endpoints, monitor live attacks, and automatically block malicious actors—all through conversation. Use it to audit security posture and manage governance rules without logging into a dashboard.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** api-security, threat-detection, behavioral-analytics, shadow-api, posture-management, real-time-remediation

## Description

Your agent connects directly to Salt Security, giving it visibility into your entire API environment. You stop guessing about which APIs are running or whether they're secure. Instead, you ask questions like, "What endpoints haven't been formally documented?" and get an immediate list of potential vulnerabilities or shadow APIs.

It monitors for active attacks as they happen, listing malicious events and even profiling the attackers involved. When a threat is identified, you can immediately trigger remediation commands to block that attacker at your WAF level. This capability means you don't have to switch between monitoring dashboards and incident response tools; everything flows through your AI client. By connecting this MCP via Vinkius, you give your agent access to an entire catalog of security tools, making API defense as simple as a chat prompt.

## Tools

### block_attacker
Issues a command to block a specific attacker profile from accessing your APIs.

### get_attackers
Lists profiles of known threat actors identified by Salt Security.

### get_attacks
Retrieves a list of detected malicious API attack events.

### get_endpoint
Gets detailed information for a specific, named API endpoint.

### get_governance_policies
Lists all governance rules currently active for your APIs.

### get_inventory
Retrieves the complete, auto-discovered list of every API endpoint in your environment.

### get_posture_vulnerabilities
Identifies and lists design flaws or vulnerabilities found during pre-production testing.

### get_system_health
Checks the operational status of your traffic mirror ingestion service.

### list_oas_specs
Lists all OpenAPI (OAS) specifications that you have uploaded for governance.

### upload_oas_spec
Uploads a new OAS/Swagger specification to register it with your security policies.

## Prompt Examples

**Prompt:** 
```
List all auto-discovered APIs including shadow and zombie APIs in our infrastructure.
```

**Response:** 
```
I successfully queried your API inventory. There are currently 32 distinct APIs. Among these, exactly 4 are classified structurally as 'zombie' missing formal documentations.
```

**Prompt:** 
```
Are we facing any recent attacks aimed at business logic?
```

**Response:** 
```
Reviewing your active threat ledger, you have exactly 12 malicious attack events attempting account takeovers targeting primary user authentication web modules currently.
```

**Prompt:** 
```
Block attacker 'ATT-992' immediately.
```

**Response:** 
```
The remediation command was actively passed to your Salt Security console. The threat actor profile 'ATT-992' has been assigned an internal blockade rule via integrated gateways.
```

## Capabilities

### Map API Inventory
The tool retrieves a complete list of all auto-discovered APIs, including hidden or 'shadow' endpoints in your network.

### Review Endpoint Details
You can get specific details about any single API endpoint to check for exposed sensitive data or structural issues.

### Analyze Live Attacks and Threat Actors
The system lists current malicious API attacks, helping you understand the attack patterns and profiling known threat actors.

### Remediate Threats Instantly
You issue a command to block an attacker immediately, passing instructions directly to your integrated WAFs.

### Audit Security Design Flaws
The MCP identifies vulnerabilities and design flaws before they ever hit the live production environment.

### Verify Governance Rules
You check which API governance rules are currently active and manage uploaded OpenAPI specifications.

## Use Cases

### Investigating a Breach
A SOC analyst detects unusual traffic. Instead of checking logs for hours, they ask the agent about recent attacks. The agent runs `get_attacks` and finds 12 malicious attempts targeting authentication modules, immediately directing the team to the point of failure.

### Onboarding a New Service
A DevSecOps engineer finishes building an API but isn't sure if it has vulnerabilities. They run `get_posture_vulnerabilities` via the MCP, which flags several structural issues that must be fixed before deployment.

### Discovery Audit
A Compliance Officer needs proof of full API coverage. They ask to list all APIs using `get_inventory`, finding four 'zombie' endpoints that were forgotten and require immediate documentation or removal.

### Policy Update
The team updates their API structure. Instead of manually updating the security rules, they use `upload_oas_spec` to feed the new OpenAPI spec into Salt Security, instantly updating governance policies.

## Benefits

- Stop worrying about forgotten endpoints. Use `get_inventory` to automatically discover all APIs, including unknown or 'shadow' resources that could be exposed.
- React instantly during an attack. Instead of manually creating firewall rules, just ask your agent to block the threat using `block_attacker` and pass the command straight to your WAFs.
- Go beyond basic monitoring. Use `get_attackers` to profile known malicious actors so you understand their methods, not just the attacks themselves.
- Audit before deployment. Run `get_posture_vulnerabilities` to catch design flaws and weaknesses in APIs that haven't even reached a testing environment yet.
- Ensure compliance easily. Use `list_oas_specs` or `upload_oas_spec` to manage your API documentation, making sure governance rules are always current.

## How It Works

The bottom line is you get real-time visibility and active control over API security without leaving your chat interface.

1. Enable the Salt Security integration in your workspace.
2. Generate an API Token within the Salt Security console and paste it into the configuration fields provided by Vinkius.
3. Ask your AI client a direct question, such as whether there are known threat actors exploiting your APIs right now.

## Frequently Asked Questions

**How do I find unapproved API endpoints using Salt Security?**
Use `get_inventory` to pull the entire list of discovered APIs. This tool automatically flags any endpoint that isn't formally documented or governed, helping you identify shadow resources.

**Does Salt Security MCP help with compliance reporting?**
Yes. You can use `get_governance_policies` to list active rules and then verify specific APIs against those policies using `get_endpoint`, ensuring your system meets compliance standards.

**What if I need to block an attacker right now? How do I use the Salt Security MCP?**
You simply prompt your agent with a command like "Block threat 'XYZ'", and it executes the `block_attacker` tool, passing the rule directly to your WAFs for immediate enforcement.

**Can I use Salt Security MCP to see what attacks are happening right now?**
Absolutely. Use the `get_attacks` tool to list all detected malicious API attack events, giving you a clear record of current threats and how they attempt account takeovers.

**Does this MCP cover pre-production vulnerabilities?**
Yes. Before your code goes live, use `get_posture_vulnerabilities`. This tool retrieves identified design flaws that need fixing in development, preventing issues later on.