As holiday lights go up and inboxes fill with year-in-review emails, it’s tempting to look back on 2025 as “the year of AI.”
But for security teams, it was something more specific – the year APIs, AI agents, and MCP servers collided across the API fabric, expanding the attack surface faster than most organizations could keep up.
At Salt Security, we spent 2025 focused on one thing: defending the API action layer where AI, applications, and data intersect. And we did it with a steady drumbeat of innovation, a new “gift” for security teams almost every month.
So in the spirit of the season, here’s a look back at Salt’s 12 Months of Innovation – a year-long series of product launches, partnerships, and research milestones designed to help organizations stay ahead of fast-moving threats.
We kicked off the year by shining a harsh light on what many teams already suspected:
Early 2025 research and thought leadership from Salt Labs showed just how dangerous it is to run modern AI and automation on top of APIs you don’t fully understand or control.
Takeaway: January set the tone – defending tomorrow’s API fabric with yesterday’s tools is no longer an option.
In February, we went from “we think we have a problem” to “here are the numbers.”
With the latest State of API Security Report and key industry recognitions such as inclusion in top security lists, Salt brought hard data to boardroom and CISO conversations.
The message was clear:
Takeaway: API security is no longer a niche concern. It’s a business risk that demands strategy, budget, and board-level attention.
March blended validation and urgency.
On one side, industry bodies recognized Salt’s leadership with awards like a Gold Globee, underscoring the maturity and impact of our platform.
On the other, new blogs and research highlighted reality on the ground:
Takeaway: Excellence in API security isn’t just about winning awards, it’s about staying ahead of adversaries who are constantly adapting.
In April, collaboration took center stage.
We deepened integrations with leading platforms such as CrowdStrike and expanded support for modern ecosystems, including MCP server-driven architectures.
By weaving Salt API intelligence into tools security teams already rely on, we helped customers:
Takeaway: API and AI security are team sports. Partnerships and integrations turn siloed tools into a cohesive defense fabric.
By May, the conversation had shifted from “we’re moving to the cloud” to “our entire business depends on it.”
Salt expanded coverage and governance capabilities for leading cloud environments and partners, helping customers:
Takeaway: You can’t protect what you can’t see. Illuminate gave teams the visibility foundation they’ve been missing.
In July, the stakes became very real.
High-profile AI mishaps, including incidents like the McDonald’s chatbot breach, made one thing painfully obvious: conversational AI and digital experiences are only as safe as the APIs behind them.
Salt responded with:
Takeaway: 2025 was the year CISOs started asking not just “What APIs do we have?” but “Which of these are exposed, exploitable, and business-critical?”
By August, “autonomous” wasn’t just a buzzword, it was a roadmap theme.
Organizations leaned hard into:
Salt’s innovation in this space emphasized a key reality: AI, autonomy, and APIs are inseparable.
We advanced protections for autonomous threat hunting and AI-driven security use cases, reinforcing that if APIs are compromised, autonomous systems are too.
Takeaway: You can’t secure autonomous operations if you’re not securing the API action layer that powers them.
September was a turning point.
Salt introduced the industry’s first solution to secure AI agent actions across APIs and MCP servers, bringing real controls to a problem that had mostly been theoretical.
This meant:
Takeaway: The AI agent revolution doesn’t have to be a security nightmare — if you secure the actions, not just the model.
In October, new data from Salt and customer environments revealed how deep the AI + API blind spots really go.
We broke down:
Through detailed analysis and practical guidance, we helped teams turn confusion into a roadmap for modernizing their security posture.
Takeaway: Education is as important as technology. You can’t fix what you don’t fully understand.
November brought a massive step forward in shifting API security left and right at the same time.
We launched:
Combined with runtime intelligence from the Salt platform, customers could now connect:
Takeaway: Real API security covers the full lifecycle, from design and code to production traffic and AI-agent actions.
We closed the year with a new kind of experience: Ask Pepper AI.
Ask Pepper AI turns Salt’s platform into a conversational partner, letting users:
Alongside MCP protection for AWS WAF, December marked the next stage in our vision: API security that’s not just powerful, but accessible and intuitive.
Takeaway: When security teams can simply ask questions and get meaningful, contextual answers, they move faster, and so does the business.
If 2025 was the year APIs fully merged with AI agents, automation, and MCP servers, 2026 will be the year organizations either embrace the API action layer or fall behind those that do.
At Salt Security, our focus remains the same:
The 12 Months of Innovation were just the beginning. The threats are evolving, and so are we.
If you want to learn more about Salt and how we can help you, please contact us, schedule a demo, or visit our website. You can also get a free API Attack Surface Assessment from Salt Security’s research team and learn what attackers already know.
*** This is a Security Bloggers Network syndicated blog from Salt Security blog authored by Eric Schwake. Read the original post at: https://salt.security/blog/the-12-months-of-innovation-how-salt-security-helped-rewrite-api-ai-security-in-2025
Read more on Security Boulevard
