Salt Security just reframed how we think about agentic AI security. Instead of treating LLM safety, MCP server governance, and API security as separate problems, their new Agentic Security Platform maps all three as a single interconnected attack surface — the Agentic Security Graph.
The platform, announced March 18, arrives three days before RSAC 2026 opens in San Francisco. The timing isn’t accidental. Salt is betting that the conference’s dominant conversation won’t be about models or prompts — it’ll be about what agents do.
The Brain-Hands-Buttons Model
Salt’s thesis is simple and correct: an AI agent is three things working together.
- LLMs are the brain — they reason, plan, and decide
- MCP servers are the hands — they connect the agent to tools, data sources, and APIs
- APIs are the buttons and levers — they execute real actions in real systems
Most agent security efforts focus on the brain: prompt injection, jailbreaking, output filtering. Salt argues this misses the actual risk. “The real enterprise risk is not just in what an agent can say,” said CEO Roey Eliyahu. “It is in what an agent can do through MCP servers and APIs.”
This maps directly to the attack patterns we’ve covered in the OpenClaw ecosystem. SOUL.md persistence attacks manipulate the brain. MCP server SSRF vulnerabilities exploit the hands. CodeWall’s McKinsey breach used API execution as the final step. Salt’s platform is the first to treat all three as a unified graph.
What the Platform Actually Does
Agentic Security Posture Management (AG-SPM)
Continuously discovers and maps:
- Which LLMs your agents use and how they’re connected
- Every MCP server in your environment and what it can access
- All API endpoints agents can reach, including inherited permissions
- The relationships between agents, tools, and data flows
This is posture management applied to agent infrastructure — think AvePoint AgentPulse but spanning the full stack from model to execution layer.
Agentic Detection and Response (AG-DR)
Real-time monitoring for:
- Agents taking actions outside their declared scope
- Anomalous patterns in LLM-to-MCP-to-API chains
- Unauthorized data access through multi-hop agent workflows
- Abuse of inherited permissions (the exact problem Netwrix highlighted)
The Agentic Security Graph
This is the differentiator. Rather than monitoring individual components, the graph maps how they enable each other. An LLM that can access a particular MCP server, which connects to an API with write permissions to a production database — that’s a risk path you can’t see by monitoring any single layer.
This is what the security industry has been missing. We wrote about one-third of MCP servers being vulnerable to SSRF — but the real question isn’t whether a single MCP server is secure. It’s whether the chain from model reasoning to MCP connection to API execution creates an exploitable path. That’s what the graph reveals.
Siemens Validates the Approach
Siemens CISO Shawn Griffin confirmed the platform addresses their scaling challenge: as they deploy more AI agents, API interactions become the core attack surface. “Visibility into how agents interact through APIs is essential for safe and scalable AI adoption.”
That comes from a company running agents across industrial IoT, manufacturing, and enterprise systems. If Siemens needs graph-level visibility into agent behavior, most enterprises probably do too.
The Competitive Landscape Just Got Clearer
With Salt’s launch, the agent security market is crystallizing into distinct layers:
| Layer | Vendor | Focus |
|---|---|---|
| Identity | Okta, SailPoint | Who is the agent? |
| Runtime | Singulr Agent Pulse, Simbian | What is the agent doing right now? |
| Posture | Salt Security, AvePoint AgentPulse | What can the agent do? |
| Policy | AWS Bedrock AgentCore, ConductorOne | What should the agent be allowed to do? |
| Graph | Salt Security (Agentic Security Graph) | How do all the pieces connect? |
Salt is the first to explicitly own the graph layer — mapping the full chain from reasoning to execution. Others monitor components; Salt maps the system.
What This Means for OpenClaw Users
For self-hosted OpenClaw deployments, Salt’s framework clarifies what you should be monitoring:
- Map your agent’s MCP connections — every tool server is a potential pivot point
- Audit API permissions — agents inherit whatever access their configured credentials provide
- Think in chains, not components — a secure LLM connected to an insecure MCP server connected to an overprivileged API is still a breach path
- Monitor execution, not just prompts — what the agent does matters more than what it says
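The chain-first view in this list, and the risk-path idea from the Agentic Security Graph section, as an added example that is not Salt’s code: a toy three-layer graph (LLM to MCP server to API) that reports every chain ending on a production API with write access, then checks observed actions against each agent’s declared scope. All agent, server and API names, the permission tuples and the event log are constructed for illustration.

```python
# Added example (not Salt's code): a toy Agentic Security Graph with three
# layers (LLM -> MCP server -> API). It reports every chain that ends on an
# API holding write access to production data, then checks observed actions
# against each agent's declared scope. All names and data are constructed.
# Inventory: which MCP servers each agent is wired to, which APIs each MCP
# server can call, and what the API's configured credential actually permits.
LLM_TO_MCP = {
    "support-agent": ["ticket-mcp", "crm-mcp"],
    "report-agent": ["analytics-mcp"],
}
MCP_TO_API = {
    "ticket-mcp": ["tickets-api"],
    "crm-mcp": ["customers-api", "billing-api"],
    "analytics-mcp": ["warehouse-api"],
}
API_PERMS = {  # (permission, environment) inherited from the credential
    "tickets-api": ("read", "prod"),
    "customers-api": ("write", "prod"),
    "billing-api": ("write", "prod"),
    "warehouse-api": ("read", "prod"),
}
DECLARED_SCOPE = {  # what each agent is approved to do, per API
    "support-agent": {"tickets-api": "read", "customers-api": "read"},
    "report-agent": {"warehouse-api": "read"},
}
# Constructed action log, as a detection layer would see it: (agent, mcp, api, verb)
EVENTS = [
    ("support-agent", "ticket-mcp", "tickets-api", "read"),
    ("support-agent", "crm-mcp", "customers-api", "write"),  # write on read-scoped API
    ("support-agent", "crm-mcp", "billing-api", "read"),     # API not in scope at all
    ("report-agent", "analytics-mcp", "warehouse-api", "read"),
]

def risk_paths(llm_to_mcp, mcp_to_api, api_perms):
    """Every LLM->MCP->API chain that reaches a production API with write access."""
    return [(llm, mcp, api)
            for llm, mcps in llm_to_mcp.items()
            for mcp in mcps
            for api in mcp_to_api.get(mcp, [])
            if api_perms.get(api) == ("write", "prod")]

def out_of_scope(events, declared_scope):
    """Actions on an API outside the agent's declared scope, or a write where
    only read was declared (the inherited-permission abuse case)."""
    flagged = []
    for agent, mcp, api, verb in events:
        allowed = declared_scope.get(agent, {}).get(api)
        if allowed is None or (verb == "write" and allowed == "read"):
            flagged.append((agent, mcp, api, verb))
    return flagged
```

The posture check (`risk_paths`) surfaces the `support-agent` write paths before any event occurs, because the credential grants more than the declared scope; the detection check (`out_of_scope`) catches the same gap only once it is exercised.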
The OWASP Top 10 for Agentic Applications already flagged excessive agency and insecure tool use as top risks. Salt’s platform is the first commercial product to operationalize that guidance across the full stack.
Salt is offering limited Agentic Security Graph Discovery Sessions at RSAC 2026 to map enterprise agent environments. Whether you’re running OpenClaw, building with Bedrock, or deploying custom agents — knowing what your agents can actually reach is step one.
The brain is interesting. The hands are dangerous. The buttons are where breaches happen.