Saltworks • Application security
SaltMiner is the Application Security Posture Management (ASPM) and Unified Vulnerability Management platform that aggregates findings across SAST, SCA, DAST, IAST, and manual pentest tools, deduplicates findings across scanners, and produces unified backlogs plus executive trending dashboards. Penetration testing management is built into the platform alongside scanner aggregation.
Merito sells Saltworks SaltMiner and operates the scanner integration, normalization rule authoring, executive dashboard configuration, and pentest workflow that turn ASPM into a working program.
What it is
SaltMiner is Saltworks's single product and the only thing the vendor sells. The platform consumes findings from disparate AppSec scanners and the manual pentest workstream, correlates and deduplicates results across them, and produces a unified vulnerability backlog plus executive trending dashboards. Programs running multi-vendor AppSec stacks use SaltMiner as the consolidation surface where findings normalize and prioritize.
Aggregation across scanners is the core capability. SaltMiner integrates with the major AppSec analysis tools (SAST, SCA, DAST, IAST) and consumes manual pentest findings into the same backlog. REST API integration synchronizes results across the customer's organization regardless of testing methodology. Correlation rules deduplicate same-issue findings so a vulnerability detected by multiple scanners appears once with multiple sources.
Executive dashboards are the practical asset for AppSec leaders who need to convey program-level risk, health, and compliance state to security executives. The trending dashboards make it possible to report current and historical AppSec posture without exporting findings into a separate BI tool. Penetration testing management is built into the platform alongside scanner aggregation, which differentiates SaltMiner from ASPM tools that treat manual pentest as an afterthought.
ASPM is operationally heavy. Programs adopting SaltMiner underestimate the integration maintenance and rule-authoring work the platform requires. Merito treats SaltMiner as a multi-month build with the integration inventory, normalization rules, executive dashboard configuration, and triage operating model designed up front rather than retrofitted later.
Ideal use cases
What it is best at
Trending dashboards convey program-level risk, health, and compliance state. AppSec leaders report current and historical posture without exporting findings into a separate BI tool.
Pentest workflow consolidates with scanner aggregation in one platform. Most ASPM tools treat manual pentest as an afterthought; SaltMiner treats it as a peer to scanner output.
Findings flow into SaltMiner from any tool with a REST API. The integration breadth means custom or niche scanners that lack prebuilt connectors can still feed the consolidated backlog.
Saltworks builds one product. The vendor's engineering and customer support attention concentrates on SaltMiner depth rather than spreading across a broader catalog.
Core capabilities
How SaltMiner actually consumes findings from across the AppSec stack.
SAST tool integration
Coverity, SonarQube, Checkmarx, Veracode, Fortify, Semgrep, and the long tail of static analysis scanners.
SCA tool integration
Black Duck SCA, Snyk Open Source, Sonatype Lifecycle, OpenText SCA, Mend, and other Software Composition Analysis tools.
DAST and IAST tool integration
Continuous Dynamic, OpenText DAST, AppScan, Burp Suite Enterprise, Seeker Interactive, Contrast Security, and others.
Manual pentest import
Pentest findings consolidate alongside scanner output. SaltMiner treats manual results as a peer to automated scanner findings.
Custom REST integration
Findings flow from any tool with a REST API. Custom or niche scanners feed the consolidated backlog without prebuilt connectors.
How SaltMiner turns multi-tool output into a single backlog.
Same-issue deduplication
Findings from multiple scanners that describe the same vulnerability consolidate into one issue with multiple sources.
Severity normalization
Severity scoring normalizes across tools so the consolidated backlog ranks by consistent risk.
Risk-based prioritization
Findings filter against business-criticality data so the backlog reflects what is operationally important.
Where SaltMiner produces the program-level visibility executives need.
Trending dashboards
Time-series program metrics for risk, health, and compliance posture. AppSec leaders track program trajectory without exporting to BI tools.
Executive risk view
Dashboard view tailored for security executives that conveys current state and trend without overwhelming detail.
Compliance reporting
Findings tagged against compliance frameworks produce evidence packages for HIPAA, PCI-DSS, SOC 2, and audit cycles.
Manual pentest workflow inside the same platform.
Pentest scoping and tracking
Pentest engagement scope, schedule, and finding intake managed inside SaltMiner.
Pentest finding consolidation
Manual findings flow into the same correlation surface as scanner output. Same-issue deduplication applies.
Pentest history
Per-application pentest history persists for trend analysis and remediation tracking across engagements.
Where it fits in the stack
Deployment and implementation
Licensing and packaging
SaltMiner (SaaS)
SaaS-hosted ASPM platform with continuous Saltworks-managed updates.
Best for: Programs preferring SaaS operations and lower operational overhead.
SaltMiner (on-prem)
Customer-hosted ASPM platform with full data-residency control.
Best for: Programs with regulatory or operational requirements that mandate on-prem deployment.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Deployment, scanner integration onboarding across the customer's existing inventory, normalization rule authoring, and executive dashboard configuration.
AppSec program scoping for ASPM adoption alongside Black Duck Software Risk Manager, Apiiro, Cycode, OX Security, and other ASPM platforms.
SaltMiner integration into Jira, ServiceNow, Azure Boards, and CI/CD scanner orchestration.
Named engineer, priority SLAs, and release-window coverage for SaltMiner in production.
Long-term run support including ongoing scanner integration maintenance, normalization rule tuning, executive dashboard updates, and pentest management.
Role-based training for AppSec architects, security executives, and compliance leaders using SaltMiner output.
SaltMiner licensing
ASPM consolidation is integration breadth, normalization rules, and executive reporting. Buy SaltMiner through Merito and get the rules, the integrations, and the dashboards together.
Merito point of view
Programs running three or more analysis vendors need an ASPM consolidation surface. SaltMiner is one of two ASPM platforms Merito recommends regularly (the other being Black Duck Software Risk Manager). The right answer depends on whether the customer values executive reporting depth and pentest management or breadth of integrations and compliance-framework coverage.
SaltMiner's executive dashboard depth is the practical reason customers stick with it. AppSec leaders who report up to a CISO or board find the trending dashboards reduce the lift of producing program-level visibility. Programs that treat SaltMiner as a triage-only tool without authoring the executive dashboards leave the most visible benefit on the table.
Single-product focus is a real differentiator. Saltworks's engineering attention concentrates on SaltMiner rather than across a broader catalog, which shows up in customer support depth and the platform's evolution. Customers comparing SaltMiner against larger-vendor ASPM platforms should weight the focused-vendor advantage during evaluation.
What buyers usually underestimate
Consultation request
Share your scanner inventory, executive reporting cadence, and pentest workflow. A Merito SaltMiner specialist follows up within one business day.
Executive depth
AppSec leaders report current and historical posture without exporting findings into a separate BI tool.
Pentest management
Pentest scoping, scheduling, and finding intake live inside SaltMiner alongside scanner aggregation.
Next step
A SaltMiner engagement with Merito starts with the scanner inventory, then normalization rules, then executive dashboards. Programs running three or more analysis vendors get the most value.