Obsidian Now Covers 200+ Enterprise Applications. Here's Why That Number Matters.

Organizations need full visibility and zero tradeoffs across their enterprise app ecosystem. Here's how connector coverage made that possible, and why the same gaps are enabling today's biggest SaaS breaches.

Businesses aren't waiting for security to catch up. Every quarter, employees adopt new collaboration tools, AI assistants, finance platforms, and productivity apps without IT review or approval. We've seen environments where 78% of SaaS apps were shadow apps — not because security teams failed, but because it’s hard for any team to move at the speed of user-led adoption.

The average enterprise today deploys hundreds of third-party applications. Each one requires monitoring and controls. One unsecured app is all it takes to expose the business. That’s why Obsidian has expanded our coverage to include 200+ enterprise applications. Each new connector deepens our customers' security coverage. That growth isn't incidental. It reflects a conviction foundational to how we think about enterprise security: breadth is a cornerstone of comprehensive protection.

Defending against supply chain attacks requires coverage for every application — not just your crown jewels

Most security teams anchor their programs on the applications holding the most critical data — Salesforce, Microsoft 365, Workday. That instinct is understandable. But over the last six months, a meaningful shift has occurred. Those apps are still targets. They're just no longer where attackers start.

In April 2026, Vercel disclosed unauthorized access to internal systems and customer data. The breach didn't start at Vercel; it started with Context AI, a third-party tool a Vercel employee had connected to their corporate Google account without IT awareness. Attackers inherited a valid OAuth token and walked out with customer API keys and proprietary source code. No password was cracked. No vulnerability was exploited. The token was legitimate, and every downstream system treated it that way.

The Salesloft breach in August 2025 followed the same logic, ultimately affecting over 700 organizations through a single compromised SaaS integration. So did the Anodot breach, where dozens of organizations had data exfiltrated not because they were breached directly, but because a third-party analytics tool they trusted was compromised by attackers using stolen authentication tokens to move through connected Snowflake environments at scale.

The pattern is consistent. Attackers target third-party applications, then use OAuth connections to pivot into core systems — bypassing the controls protecting your most sensitive environments.

When an incident occurs, the first question is what happened and when. The second is what data was accessed and by whom. The answers depend entirely on how complete your telemetry is. Every application outside your purview is a gap in your evidentiary record. When an attacker moves through an uncovered app, that leg of the investigation simply doesn't exist. Incomplete logs mean incomplete answers — and for boards and auditors, that means governance and liability exposure on top of the incident itself.

Gaps in secured apps also prevent complete offboarding

Threats aside, without visibility across every application, IT teams also can't ensure departing users are fully disabled everywhere they have access. The reason is straightforward: SSO deprovisioning closes federated accounts. It doesn't close anything else.

Local accounts created directly in SaaS apps, OAuth tokens issued to third-party tools, API keys, and non-human identities aren't tracked by your IdP. They stay active — sometimes for months — meaning former employees can still silently access your systems long after they've left.

We've seen this firsthand. After customers connect their broader application environment to Obsidian, some have surfaced dormant admin accounts belonging to departed employees. In one case, an account had been active for months, invisible to every other tool in the stack.
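
The offboarding gap described above can be checked by reconciling the IdP's list of disabled users against each application's own credential inventory. The sketch below is an added example, not Obsidian's code or API; the field names, app names, and sample records are constructed assumptions standing in for whatever exports your IdP and SaaS apps provide.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not a vendor schema.
# IdP view: users whose federated (SSO) account was disabled, with the date.
DEPROVISIONED = {
    "alice@example.com": date(2025, 1, 15),
    "bob@example.com": date(2025, 3, 1),
}

# Per-app inventory of the credential types SSO deprovisioning does not close.
INVENTORY = [
    {"app": "crm", "kind": "local_account", "owner": "Alice@example.com",
     "active": True, "admin": True, "last_used": date(2025, 4, 2)},
    {"app": "analytics", "kind": "oauth_token", "owner": "bob@example.com",
     "active": True, "admin": False, "last_used": date(2025, 2, 20)},
    {"app": "ci", "kind": "api_key", "owner": "bob@example.com",
     "active": True, "admin": False, "last_used": None},
    {"app": "ci", "kind": "api_key", "owner": "alice@example.com",
     "active": False, "admin": False, "last_used": date(2024, 12, 1)},
    {"app": "wiki", "kind": "local_account", "owner": "carol@example.com",
     "active": True, "admin": False, "last_used": date(2025, 4, 30)},
]

def find_orphans(deprovisioned, inventory, today):
    """Return active credentials whose owner the IdP has already disabled."""
    findings = []
    for cred in inventory:
        left_on = deprovisioned.get(cred["owner"].lower())
        if left_on is None or not cred["active"]:
            continue  # current employee, or credential already revoked
        used_after = cred["last_used"] is not None and cred["last_used"] > left_on
        findings.append({
            "app": cred["app"], "kind": cred["kind"], "owner": cred["owner"].lower(),
            "days_orphaned": (today - left_on).days,
            "used_after_departure": used_after,
            # Admin rights or post-departure use need immediate revocation and review.
            "severity": "high" if cred["admin"] or used_after else "medium",
        })
    # Most urgent first: high severity, then longest-lived orphan.
    return sorted(findings, key=lambda f: (f["severity"] != "high", -f["days_orphaned"]))

if __name__ == "__main__":
    for f in find_orphans(DEPROVISIONED, INVENTORY, date(2025, 5, 1)):
        print(f)
```

An application missing from the inventory produces no findings at all, which is the coverage gap the section describes: the check is only as complete as the list of apps feeding it.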

With Obsidian, we have visibility across 40+ enterprise applications in one place. Before Obsidian, tracking stale or expired accounts was a manual, fragmented process. Now we have a single view across our applications and the posture context to act on what we find. The connector coverage means we're not making tradeoffs between securing what matters and what we can actually see.
Darin Pitts, Director of Cyber Protect & Prevent at General Motors

The right time to connect is now

Security gaps don't announce themselves. Every application outside your visibility is a liability that compounds quietly — more users, more tokens, more stale permissions accumulating without oversight. The Vercel, Anodot, and Salesloft breaches weren't novel attacks. They were the predictable result of a gap between the apps organizations use and the apps their security teams can see.

Obsidian now provides visibility and security posture rules across 200+ SaaS connectors, helping teams spot drift and close gaps before a breach. Expanding your connected application footprint is one of the highest-leverage security investments available today. Each connector added reduces risk immediately — not at the next review cycle, not after the next incident.
