Executive Summary
Ecosystem-wide attacks, not just attacks on individual vendors, defined SaaS security in 2025. Three breaches—ShinyHunters (May), Salesloft/Drift (August), and Gainsight (November)—used ever-more-sophisticated OAuth abuse to leap from one trusted application into hundreds of customer Salesforce orgs.
The common weakness was a lack of ecosystem-wide behavioral monitoring with data-layer context. None of the victim organizations could see an out-of-profile OAuth app silently pulling records across multiple SaaS systems; they saw normal API calls on one platform rather than an abnormal pattern across many.
Enterprises now average 473 SaaS applications¹, and third-party breaches have climbed 68% YoY². Automated, data-layer behavioral analytics are now mandatory to cut dwell time from the industry’s 204-day³ average to hours.
Throughout Dreamforce 2025, we listened for discussions about ShinyHunters and Salesloft/Drift. Although these incidents weren’t named, feature announcements, warnings, and demonstrations addressed the exact attack vectors these breaches exploited. Then, just weeks after the conference ended, the Gainsight breach validated every concern raised on stage.
This white paper translates those breaches—and the guidance shared at Dreamforce 2025—into a 90-day plan for achieving the data-layer visibility and automated response required to keep Salesforce and every connected application secure in 2026.
Importantly, effective Salesforce security doesn't require a massive upfront investment. Whether you're using Salesforce's free security tools or have invested in Shield, the combination with Vorlon’s ecosystem-wide security creates defense-in-depth that neither solution provides on its own.
Chapter 1: SaaS Supply-Chain Attack Patterns
The attack patterns: what we learned
- Initial compromise: vishing (ShinyHunters), vendor token theft (Salesloft / Drift), ISV tenant takeover (Gainsight)
- OAuth weaponized for persistent access
- Lateral movement through connected apps
- Data exfiltration before detection
During Dreamforce, Tim Siepker, Sr. Success Architect at Salesforce, announced an important change: "Last month in early September, we made changes to restrict access by default for all users that are trying to self-authorize a connected app." Despite those controls, Gainsight hit in November.
Timeline
May → August → November. The next pivot is unknown but inevitable unless continuous data-layer behavioral monitoring across the entire SaaS and AI ecosystem detects it within 24 hours or less.
The lesson
Assume SaaS supply-chain penetration and focus on rapid detection across your SaaS and AI ecosystem.
ShinyHunters Vishing (May 2025)
The elegant simplicity of social engineering
In May 2025, the ShinyHunters crew, also tracked as UNC6040, began cold-calling employees at large enterprises. The caller said:
"This is IT support. We're upgrading Salesforce security. Your account will be locked if you don't update your DataLoader authorization now."
Victims clicked a link, saw a familiar-looking “Salesforce Data Loader” app, and pressed Approve. Because the attackers reused the real client_id, nothing looked suspicious. One click delivered a persistent OAuth refresh token to the attackers.
Why it worked
- Self-authorization was allowed before Salesforce’s September 2025 control.
- The fake app reused a legitimate client_id, bypassing domain allow lists.
- No admin approval workflow and no behavioral monitoring.
- Refresh tokens did not expire.
The damage
Google, Chanel, Qantas, Allianz, LVMH, Cisco, Pandora, and more than 100 other enterprises lost customer records, employee PII, financial data, and embedded secrets such as AWS keys.
What attackers hunted for
They searched record bodies for strings such as “AKIA,” “secret,” “password,” and “snowflake,” then pivoted to cloud infrastructure.
Key lesson
Salesforce's free-tier EventLogFiles recorded the rogue OAuth grant, but retained it for only 24 hours. External log capture combined with continuous, ecosystem-wide monitoring would have flagged the anomaly regardless of license tier.
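The external log capture this lesson calls for is a small scheduled job. The script below is an added example, not Vorlon's or Salesforce's code: once a day it lists the previous day's EventLogFile records through the documented REST query endpoint, downloads each file's CSV body through the `/sobjects/EventLogFile/<Id>/LogFile` path, and writes them to local storage so the evidence outlives the 24-hour window. It assumes an instance URL and an access token with rights to query EventLogFile (the `SF_INSTANCE_URL` and `SF_ACCESS_TOKEN` environment variable names are this example's own choice), and which event types come back depends on the org's license tier. The `fetch` parameter exists so the archiver can be exercised offline with a fake HTTP client.

```python
"""Daily EventLogFile archiver: copies Salesforce event log CSVs to local storage
before the free-tier retention window closes.

Added example, not Vorlon's or Salesforce's code. Assumptions: a REST API access
token that can query EventLogFile, the org's instance URL, and the documented
endpoints GET /services/data/<ver>/query?q=<SOQL> and
GET /services/data/<ver>/sobjects/EventLogFile/<Id>/LogFile. Which event types
the query returns depends on the org's license tier.
"""
import json
import os
import urllib.parse
import urllib.request
from datetime import date, timedelta
from pathlib import Path

API_VERSION = "v60.0"  # assumption: any currently supported API version works here


def build_query(log_day: str) -> str:
    """SOQL listing every EventLogFile generated for one UTC calendar day (YYYY-MM-DD).

    A date range (rather than equality on LogDate) also catches hourly files when
    the org has them."""
    start = date.fromisoformat(log_day)
    end = start + timedelta(days=1)
    return (
        "SELECT Id, EventType, LogDate, LogFileLength FROM EventLogFile "
        f"WHERE LogDate >= {start.isoformat()}T00:00:00Z "
        f"AND LogDate < {end.isoformat()}T00:00:00Z"
    )


def _http_get(url: str, headers: dict) -> bytes:
    """Real HTTP GET; a fake replaces it in tests so the example runs offline."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def list_log_files(instance_url: str, token: str, log_day: str, fetch=None) -> list:
    """Return the EventLogFile records for log_day, following query pagination."""
    fetch = fetch or _http_get
    headers = {"Authorization": f"Bearer {token}"}
    path = f"/services/data/{API_VERSION}/query?q={urllib.parse.quote(build_query(log_day))}"
    records = []
    while path:
        page = json.loads(fetch(instance_url + path, headers))
        records.extend(page.get("records", []))
        path = page.get("nextRecordsUrl")  # present only when more pages remain
    return records


def archive_day(instance_url: str, token: str, log_day: str, out_dir: str, fetch=None) -> list:
    """Download every EventLogFile for log_day to out_dir/<day>/<EventType>_<Id>.csv.

    Returns the written paths in query order. Re-running overwrites with identical
    content, so the job is safe to schedule without extra state."""
    fetch = fetch or _http_get
    headers = {"Authorization": f"Bearer {token}"}
    day_dir = Path(out_dir) / log_day
    day_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for rec in list_log_files(instance_url, token, log_day, fetch):
        target = day_dir / f"{rec['EventType']}_{rec['Id']}.csv"
        body = fetch(f"{instance_url}/services/data/{API_VERSION}/sobjects/EventLogFile/{rec['Id']}/LogFile", headers)
        target.write_bytes(body)
        written.append(target)
    return written


if __name__ == "__main__":
    # Run once a day (cron) with yesterday's date; env var names are this example's own choice.
    yesterday = (date.today() - timedelta(days=1)).isoformat()
    paths = archive_day(os.environ["SF_INSTANCE_URL"], os.environ["SF_ACCESS_TOKEN"],
                        yesterday, os.environ.get("EVENTLOG_ARCHIVE_DIR", "eventlog_archive"))
    print(f"archived {len(paths)} event log files for {yesterday}")
```

Schedule it shortly after midnight UTC and ship the archive directory to whatever store the SIEM already reads; the point is that the grant recorded in the Login or API file is still on disk weeks later when someone finally asks the question.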
The Salesloft / Drift OAuth Hijack (August 2025)
One vendor’s token became 700 customers’ breach
On 8 August 2025, UNC6395, also known as GRUB1, made its first API call using Drift OAuth tokens that were stolen from a public Salesloft GitHub repository. No phishing and no credential loss, just SaaS supply-chain exposure. The tokens were real, unexpired, and carried broad scopes.
Why it worked
- Drift OAuth scopes granted full access to Salesforce, Google Workspace, and Zscaler.
- API calls originated from Drift infrastructure, so the logs looked normal.
- No single tool saw the simultaneous multi-platform data pull. Only cross-app correlation could.
The damage
More than 700 organizations were probed or accessed in ten days, while security teams saw only what appeared to be routine Drift traffic.
Key lesson
Legitimate tokens fool authentication and SIEM alerts. Only behavioral baselines, along with data-layer context across SaaS apps, reveal an integration that is normal in one platform but abnormal across many.
Gainsight Supply-Chain Compromise (Nov 2025)
Attackers iterated faster than platform patches
Five weeks after Dreamforce and just two months after Salesforce blocked self-authorization by default, attackers found a new angle. They breached Gainsight’s Salesforce tenant, registered rogue connected apps, and used Gainsight’s legitimacy to access customer orgs.
Traffic was cloaked behind common cloud IPs 35.226.109.204 and 34.96.88.231 and benign user agents “facebookexternalhit/1.1” and “WhatsApp.”
Why it worked
- September’s control stopped new self-auth apps, but Gainsight already held high-scope tokens.
- Customers had whitelisted Gainsight activity, so platform logs looked clean.
- No behavioral monitoring asked why Gainsight suddenly requested full object exports every hour.
The damage
Two hundred eighty-five customer orgs faced potential data exposure before Salesforce revoked tokens and delisted rogue apps from AppExchange within hours.
Key lesson
Every ISV can become a pivot. Controls inside a single platform can be sidestepped by moving upstream to a vendor tenant. Only ecosystem-wide behavioral analytics with data-layer context surfaces the first abnormal move and stops the breach before records leave the building.
The common thread: OAuth trust exploitation
- OAuth tokens grant persistent, broad access.
- They work across multiple platforms.
- They're rarely monitored behaviorally.
- They often never expire.
- Revoking them requires manual intervention.
All three campaigns demonstrated that OAuth tokens have become a primary attack vector. Salesforce's September 2025 enhancements and Dreamforce's security focus reflect the industry's collective response to these evolving threats. With ecosystem-wide behavioral monitoring in place, each campaign would have surfaced early:
- ShinyHunters: Vorlon flags fake DataLoader within hours. Behavioral baselines catch unusual SOQL patterns (SELECT COUNT() across objects) and credential hunting searches.
- Salesloft/Drift: Vorlon raises instant alerts when non-Drift IP addresses begin using the Drift application. Cross-platform correlation ties the same OAuth token activity to simultaneous calls in Salesforce, Google Workspace, and Zscaler.
- Gainsight: Vorlon identifies new connected apps created within the Gainsight tenant and compares their scopes to standard Gainsight behavior. Sudden bulk exports from cloud IPs 35.226.109.204 and 34.96.88.231 trigger high-risk scores and automated token revocation before data leaves the customer org.
- Detection time: Hours, not the 204-day industry average.
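The four detections listed above reduce to checks a SOC can run over API activity records. The script below is an added example, not Vorlon's code: it runs an exact-match check against the Gainsight IP addresses and user agents quoted earlier, flags a client issuing `SELECT COUNT()` across many objects (the fake DataLoader's reconnaissance), flags a vendor app calling from outside that vendor's known networks (the reused Drift token), and compares each app's rows-per-hour against a learned baseline (the hourly full-object exports). The log rows are constructed, with a simplified column set loosely modeled on Salesforce EventLogFile API fields rather than the real schema; the vendor network ranges (TEST-NET addresses) and the per-app baselines are assumptions.

```python
"""Behavioral and IoC checks over API activity records, the cross-app correlation
the three campaigns required. Added example, not Vorlon's code.

The records below are constructed. Their columns are a simplified subset loosely
modeled on Salesforce EventLogFile API event fields, not the real schema. The
Gainsight IP addresses and user agents come from the text above; the vendor
source networks and per-app baselines are this example's assumptions.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Indicators quoted in the Gainsight section.
GAINSIGHT_IOC_IPS = {"35.226.109.204", "34.96.88.231"}
GAINSIGHT_IOC_USER_AGENTS = ("facebookexternalhit/1.1", "WhatsApp")

# Assumption: networks a vendor integration is known to call from (TEST-NET-3 here).
KNOWN_VENDOR_NETWORKS = {"Drift": [ip_network("203.0.113.0/24")]}

# Assumption: learned rows-per-hour baseline per connected app.
SAMPLE_BASELINE = {"Drift": 2000, "Gainsight": 2000, "Salesforce DataLoader": 10000}

SAMPLE_LOG = """\
timestamp,client_name,user_id,client_ip,user_agent,entity_name,query,rows_processed
2025-08-07T10:00:00Z,Drift,005A,203.0.113.10,Drift-Integration/1.0,Contact,SELECT Id FROM Contact,40
2025-08-08T02:47:00Z,Drift,005A,198.51.100.77,Drift-Integration/1.0,Account,SELECT Id FROM Account,5000
2025-05-20T14:01:00Z,Salesforce DataLoader,005B,192.0.2.5,DataLoader/58,Account,SELECT COUNT() FROM Account,1
2025-05-20T14:01:05Z,Salesforce DataLoader,005B,192.0.2.5,DataLoader/58,Contact,SELECT COUNT() FROM Contact,1
2025-05-20T14:01:09Z,Salesforce DataLoader,005B,192.0.2.5,DataLoader/58,Case,SELECT COUNT() FROM Case,1
2025-05-20T14:01:12Z,Salesforce DataLoader,005B,192.0.2.5,DataLoader/58,Opportunity,SELECT COUNT() FROM Opportunity,1
2025-05-20T14:01:15Z,Salesforce DataLoader,005B,192.0.2.5,DataLoader/58,User,SELECT COUNT() FROM User,1
2025-11-16T09:00:00Z,Gainsight,005C,198.51.100.200,Gainsight/2.0,Account,SELECT Id FROM Account,800
2025-11-17T09:00:00Z,Gainsight,005C,35.226.109.204,facebookexternalhit/1.1,Account,SELECT Id FROM Account,120000
"""


def parse_log(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["rows_processed"] = int(r["rows_processed"])
    return rows


def ioc_matches(rows):
    """Exact-match check against the indicators published for the Gainsight campaign."""
    out = []
    for r in rows:
        ip_hit = r["client_ip"] in GAINSIGHT_IOC_IPS
        ua_hit = any(r["user_agent"].startswith(p) for p in GAINSIGHT_IOC_USER_AGENTS)
        if ip_hit or ua_hit:
            out.append({"rule": "gainsight_ioc", "client": r["client_name"], "client_ip": r["client_ip"],
                        "user_agent": r["user_agent"], "timestamp": r["timestamp"]})
    return out


def count_recon(rows, min_objects=5):
    """A client issuing SELECT COUNT() across many objects is sizing up the org,
    the pattern the text attributes to the fake DataLoader."""
    objects = defaultdict(set)
    for r in rows:
        if r["query"].upper().startswith("SELECT COUNT()"):
            objects[r["client_name"]].add(r["entity_name"])
    return [{"rule": "count_recon", "client": c, "objects": sorted(o)}
            for c, o in objects.items() if len(o) >= min_objects]


def vendor_ip_anomaly(rows, known=KNOWN_VENDOR_NETWORKS):
    """A vendor's app calling from outside the vendor's known networks: the Drift token reuse."""
    out = []
    for r in rows:
        nets = known.get(r["client_name"])
        if not nets:
            continue
        try:
            addr = ip_address(r["client_ip"])
        except ValueError:
            continue  # malformed address: leave it to a data-quality check
        if not any(addr in n for n in nets):
            out.append({"rule": "vendor_ip_anomaly", "client": r["client_name"],
                        "client_ip": r["client_ip"], "timestamp": r["timestamp"]})
    return out


def bulk_export_spike(rows, baseline, factor=5):
    """Rows pulled per client per hour against the learned baseline (the hourly
    full-object exports in the Gainsight section)."""
    per_hour = defaultdict(int)
    for r in rows:
        per_hour[(r["client_name"], r["timestamp"][:13])] += r["rows_processed"]  # key: YYYY-MM-DDTHH
    out = []
    for (client, hour), n in sorted(per_hour.items()):
        base = baseline.get(client)
        if base and n > factor * base:
            out.append({"rule": "bulk_export_spike", "client": client, "hour": hour, "rows": n, "baseline": base})
    return out


def detect(rows, baseline):
    """Run all checks; every finding names the client so the analyst sees which
    integration, not just which platform, is out of profile."""
    return ioc_matches(rows) + count_recon(rows) + vendor_ip_anomaly(rows) + bulk_export_spike(rows, baseline)


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG), SAMPLE_BASELINE):
        print(finding)
```

The IoC rule is the weakest of the four: it only fires on indicators already published after a campaign. The other three key on the integration's own behavior, which is why they would have fired on the first abnormal hour rather than after the advisory.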
Vorlon Research analyzed three Salesforce security-focused sessions. While specific incidents weren't explicitly referenced, every topic addressed ShinyHunters vishing and Salesloft/Drift attack tactics documented by the FBI.
Session 1: "Advanced Security Methods for Admins"
Nitin Mathur, Sr. Director of Customer Success, and Tim Siepker, Sr. Success Architect, covered MFA enforcement, Connected Apps governance, and session management. Every recommendation addressed ShinyHunters’ tactics.
Tim's emphasis on MFA: "Even if your password is compromised, MFA makes that credential almost worthless." This directly counters the initial compromise vector ShinyHunters used before moving to vishing.
Nitin's four-step Connected App review process is essentially a ShinyHunters prevention checklist:
- Review OAuth Usage (find malicious apps)
- Validate Business Need (identify suspicious apps)
- Verify App Legitimacy (detect DataLoader impersonators)
- Install or Block (prevent future attacks)
His directive: "If you fail any of those checks, if you don't know why your users are connecting to an app, if you don't know who the provider was, block the app."
Session 2: "Shield Deep Dive: Data Detect and Platform Encryption"
Divya Chandrasekharan, Product Management Director, opened with the question that matters: "How can you protect sensitive data if you don't even know where it lives?"
This addresses the critical lesson from both breaches: organizations didn't know what data was exposed because they didn't know where sensitive data resided.
ShinyHunters specifically hunted for credentials embedded in Salesforce records. Salesforce Data Detect finds these patterns before attackers do.
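Finding those strings before an attacker does is a scan over your own exported records. The script below is an added example, not Salesforce Data Detect or Vorlon code: it runs a small set of patterns (the public AWS access key ID format, password and secret assignments, Snowflake account hostnames) over the text fields of a record export and reports each hit with the matched value redacted. The export is constructed; the AWS key and secret in it are the examples AWS uses in its own documentation, and the Snowflake hostname is made up. Expect the keyword patterns to be noisy on real support data, which is the argument for a dedicated classifier such as Data Detect.

```python
"""Scan exported Salesforce records for embedded credentials, the strings the text
says ShinyHunters hunted for. Added example, not Salesforce Data Detect or Vorlon code.

The export below is constructed. The AWS key and secret in it are the examples from
AWS's own documentation; the Snowflake hostname is made up.
"""
import csv
import io
import re
from collections import Counter

SECRET_PATTERNS = {
    # AWS access key IDs have a public format: "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Keyword followed by an assignment; covers the "password" and "secret" strings from the text.
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "generic_secret": re.compile(r"(?i)\b(?:secret|api[_-]?key|token)\s*[:=]\s*\S{8,}"),
    # Snowflake account hostnames; the text lists "snowflake" as a hunted string.
    "snowflake_account_url": re.compile(r"(?i)\b[a-z0-9_-]+\.snowflakecomputing\.com\b"),
}

SAMPLE_EXPORT = """\
Id,Subject,Description
00001,S3 export help,Use AKIAIOSFODNN7EXAMPLE with secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY for the nightly S3 export
00002,Login issue,Customer cannot log in; password reset email sent
00003,Warehouse load,Load the extract into acme_corp.snowflakecomputing.com every night
00004,Renewal,Customer wants to renew in Q3
"""


def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def redact(match: str) -> str:
    """Keep a 4-character prefix so a finding is recognisable without re-exposing the value."""
    return match[:4] + "*" * (len(match) - 4)


def scan_records(rows, fields=("Subject", "Description"), id_field="Id"):
    """Return one finding per (record, field, pattern, match), with the match redacted."""
    findings = []
    for row in rows:
        for field in fields:
            text = row.get(field) or ""
            for name, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append({"record_id": row[id_field], "field": field,
                                     "pattern": name, "redacted": redact(m.group(0))})
    return findings


def summarize(findings) -> Counter:
    """Hits per pattern, the number to track release over release."""
    return Counter(f["pattern"] for f in findings)


if __name__ == "__main__":
    found = scan_records(parse_export(SAMPLE_EXPORT))
    for f in found:
        print(f)
    print(dict(summarize(found)))
```

Run it against a Bulk API export of the objects you classified as sensitive, and treat every hit as a credential to rotate, not just a record to clean: once a key has sat in a Case description, assume it has been read.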
Dave Hacker, Sr. Director of Product Management - Shield Platform Encryption, announced database encryption. His performance claim — 0.5% impact versus traditional 5-15% overhead — represents a significant technical achievement.
Session 3: "Security Mesh"
Director of Product Management Mark Wigham’s introduction addressed a critical need: modern enterprises require unified visibility across their highly interconnected ecosystem. We would posit that this approach needs to extend beyond the Salesforce ecosystem.
"We want to bring together those siloed alerts and siloed information into one place to give you the full picture."
The Okta partnership is particularly revealing. Orr Dermer, Product Acceleration Specialist for Okta’s Identity Security Posture Management solution, highlighted exactly how Drift persisted:
"We often see that in cases where people have a secondary account or maybe the API token, where their main account has been deleted, but this residual access remains."
Orphaned OAuth tokens that remain active after user offboarding are exactly how supply-chain attacks succeed.
- Salesforce's Connected Apps enhancement addresses vulnerabilities that were actively exploited in 2025.
- The technical achievement of a 0.5% performance impact for database encryption removes a significant barrier to comprehensive data protection.
- Security Mesh represents Salesforce's recognition of the need for unified visibility, providing valuable orchestration within their ecosystem while acknowledging that modern enterprises need both platform-specific depth and ecosystem-wide breadth.
- The alignment between Salesforce's new features and FBI-documented threat tactics shows how the security community—vendors, practitioners, and government—is working together to stay ahead of evolving threats.
In today's landscape, where attackers are increasingly sophisticated, the key is to have behavioral monitoring with data-layer context and rapid response capabilities in place to detect and contain attacks quickly.
Chapter 3: Economics and Security Architecture
The scalability problem with platform-specific tools
As you add SaaS applications (and you will—average growth is 15-20% annually), your security complexity grows exponentially:
- 250 apps today → 300 apps in 2026 → 360 apps in 2027
- Each app requires a separate security configuration
- Each app generates separate logs
- Each app needs separate monitoring
- Each app requires a separate incident response
Cost scales linearly (or worse) with each app added. Complexity scales exponentially as the number of app integrations multiplies. Your security team doesn't scale at all.
The scalability advantage of unified, ecosystem-wide SaaS and AI security
Vorlon's architecture scales differently:
- Add new SaaS app → automatically discovered and baselined
- New integration created → automatically mapped and monitored
- New AI agent deployed → automatically identified and governed
- New OAuth token issued → automatically tracked across all platforms
Vorlon helps you lower costs, reduce complexity, and increase team productivity:
- Cost scales sublinearly: adding apps increases value without a proportional increase in cost.
- Complexity is abstracted: Vorlon handles integration complexity, providing unified visibility.
- Your team's effectiveness multiplies: One console, all platforms.
The integration reality: How Vorlon works with what you already have
Organizations often ask: "We already have a SIEM, we already have Shield, we already have endpoint protection. Where does Vorlon fit?"
The answer: We make everything you already have more effective.
The integration principle: We're not replacing your security stack. We're connecting it. Your existing tools provide platform-specific depth. Vorlon provides ecosystem-wide breadth and correlation.
With your SIEM:
- We send enriched, correlated events (not raw logs)
- We provide SaaS-specific context that your SIEM lacks
- We reduce alert fatigue by pre-filtering false positives
- We enable SaaS-specific playbooks that your SOAR can execute
With Salesforce free and Shield security tiers:
- We consume Salesforce logs
- We add cross-platform context to Salesforce events
- We enable response beyond Salesforce's boundaries
With your identity provider (Okta, Azure AD, PingOne, etc.):
- We correlate authentication events with SaaS activity
- We identify orphaned accounts and tokens
- We track non-human identities that your IdP doesn't see
- We close the gap between authentication and authorization
Combining Salesforce free and Shield security tiers with Vorlon
Salesforce offers security capabilities at every tier, from free standard logging to advanced Shield features. The critical insight from 2025's breaches: no single layer provides complete protection. Whether you're using Salesforce's free security tools or have invested in Shield, the combination with Vorlon's ecosystem-wide visibility delivers defense-in-depth that neither solution provides on its own.
The 2025 breaches revealed a critical truth: attackers succeeded not because organizations lacked Shield, but because they lacked behavioral monitoring with data-layer context across their ecosystem. The ShinyHunters OAuth compromise was visible in free-tier logs for 24 hours. Organizations with automated log collection would have caught it, regardless of their Salesforce license.
This section explores how to maximize your existing Salesforce security investment at any level while extending protection across your entire SaaS and AI ecosystem.
The hidden value in free Salesforce security
Every Salesforce instance includes powerful security capabilities at no additional cost. Yet most organizations extract less than 20% of their value due to three critical challenges:
The 24-hour window problem
Salesforce's free tier provides security event data, but only retains it for 24 hours. Miss that window, and the evidence vanishes forever. For security teams managing multiple platforms, manually checking Salesforce logs daily isn't realistic, especially when attacks often go undetected for weeks.
The context gap
Free Salesforce logs show what happened within Salesforce, but attacks rarely stop there. When an attacker compromises a Salesforce OAuth token, they don't just access your CRM data. They pivot across connected apps, spreading across your entire SaaS and AI ecosystem. Without cross-platform visibility, you're seeing one piece of a much larger attack.
The analysis burden
Raw security logs require expertise to interpret. Knowing that someone accessed 10,000 records is less useful than understanding whether that access pattern matches normal behavior or indicates data theft. Free tools provide data; they don't provide answers.
How Vorlon amplifies Salesforce’s free security tier
Vorlon transforms Salesforce's free security features from reactive logs into proactive defense:
Continuous capture
Vorlon automatically collects and stores Salesforce security events before the 24-hour window expires, creating a permanent security record. This means you can investigate incidents weeks or months later, critical given that the average breach discovery time is 204 days.
Cross-platform correlation
When Vorlon detects unusual Salesforce activity, it immediately checks related behavior across your entire SaaS and AI ecosystem. That suspicious API call from Salesforce to Box? Vorlon tracks whether the same identity then accessed Slack, GitHub, or your AI tools, revealing the full attack path.
Behavioral monitoring
Vorlon learns normal access patterns across your organization. When a sales rep suddenly downloads your entire customer database at 3 AM, Vorlon alerts you not because of a rule, but because it violates established behavioral patterns. This intelligence layer turns raw logs into actionable security insights.
Real-world example: stopping attacks with free tier + Vorlon
Consider the ShinyHunters attack pattern:
- Attacker compromises employee credentials via vishing
- Creates a rogue OAuth connection in Salesforce
- Slowly exfiltrates data to avoid detection
- Pivots to connected cloud storage for broader access
With the Salesforce free tier alone, you might notice the OAuth creation if you check within 24 hours. With Vorlon + Salesforce free tier:
- Hour 1: Vorlon detects an unusual login location and flags the session
- Hour 2: New OAuth app creation triggers an immediate alert with a high risk score
- Hour 6: Abnormal data access pattern initiates automated response
- Hour 7: Connected app permissions automatically restricted pending review
- Week 2: Full forensic timeline available for analysis and further response
The attack that typically takes weeks or months to discover is contained in hours.
The economics of smart security
Salesforce Free Tier + Vorlon:
- Cost: Vorlon subscription only
- Coverage: Full Salesforce monitoring + entire SaaS and AI ecosystem
- Capability: Attack surface hardening, real-time detection, behavioral monitoring, automated response
- Best for: Organizations wanting comprehensive security without Shield investment
Shield + Vorlon:
- Cost: Shield + Vorlon subscriptions
- Coverage: Deep Salesforce forensics + ecosystem-wide protection
- Capability: Advanced Salesforce features + Vorlon's correlation engine
- Best for: Enterprises requiring maximum visibility and compliance
The key insight: Vorlon makes every Salesforce security tier more effective by adding the context, automation, and ecosystem-wide visibility that native tools lack. For organizations ready to invest further in Salesforce-native security, Shield provides additional capabilities. However, as the following section explains, even Shield requires ecosystem-wide visibility to address modern threats.
Salesforce Shield: Enhanced capabilities for deep investigation
While Vorlon provides comprehensive security with Salesforce's free tier, organizations with specific compliance requirements or forensic needs may benefit from Shield's additional capabilities.
For organizations that have invested in Salesforce Shield, additional powerful capabilities become available. Shield provides transaction security policies, field audit trails, and extended event monitoring that enhance enterprise security.
What you get
- Extended data retention beyond the standard 24-hour window
- Field-level audit trails for sensitive data changes
- Platform encryption for data at rest
- Transaction security policies for real-time threat response
- Enhanced event monitoring with over 50 event types
What you don’t get
- Cross-platform attack paths that extend beyond Salesforce
- AI agent activities across your SaaS ecosystem
- Behavioral anomalies that require ecosystem-wide context
- Supply chain risks from connected applications
- Data flows between Salesforce and other SaaS platforms
Maximizing your Shield investment with Vorlon
For organizations with Shield, adding Vorlon creates comprehensive protection:
- Shield provides: Deep Salesforce-specific forensics and compliance tools
- Vorlon adds: Ecosystem-wide visibility, behavioral monitoring, and automated cross-platform response
- Together: Complete kill chain visibility from initial compromise through lateral movement
Architectural considerations
Modern SaaS architectures require security that matches their distributed nature. Whether using Shield or Salesforce's free tier, your security architecture should address:
Data layer security
Salesforce stores your CRM data, which then flows to marketing automation, support systems, and AI tools. Security must follow the data, not just protect individual platforms.
Identity layer protection
Both human and non-human identities access Salesforce. Shield monitors Salesforce-specific access; Vorlon tracks those same identities across your entire ecosystem.
Integration layer visibility
OAuth tokens, API keys, and service accounts create pathways between Salesforce and other systems. These integration points require continuous, cross-platform monitoring.
Important note: While Shield enhances Salesforce-native capabilities, Vorlon provides substantial security value regardless of your Salesforce tier. Organizations using Salesforce's free security features gain immediate threat detection and response capabilities when adding Vorlon. The architecture that makes sense is one that leverages your existing Salesforce security investment while extending protection across your entire SaaS and AI ecosystem.
The gaps Salesforce can't close
What Security Mesh doesn't solve
Security Mesh promises unified visibility within the Salesforce ecosystem. It's an important step. It's also Salesforce-centric.
Gap 1: cross-SaaS data flows
Your Salesforce data doesn't stay in Salesforce. According to MuleSoft's 2025 Connectivity Benchmark:
- Enterprises average 1,000+ integration points
- Data replicated across 8-10 platforms
- 40% synchronized in near real-time
Security Mesh sees Salesforce → Slack. It doesn't see Slack → Google Drive → Attacker.
Gap 2: SaaS supply chain visibility
Salesloft/Drift proved once again that SaaS vendors will get compromised and cause massive damage. Security Mesh can't tell you:
- When a vendor's GitHub is breached
- When legitimate OAuth tokens turn malicious
- When third-party apps start behaving abnormally
You need behavioral monitoring of every connected app, not just visibility into Salesforce.
Gap 3: The non-human identity explosion
For a typical enterprise with 3,000 employees:
- Human users: 3,000
- Service accounts: 900
- API keys: 1,800
- AI agents: 1,200
- OAuth tokens: 6,000+
- Total identities: 12,900
Security Mesh tracks human identities, but 77% of your identities aren't human, and they're multiplying rapidly. Also, AI agents have broad permissions, move data autonomously, and operate 24/7 without oversight. For non-human identities, traditional MFA doesn't apply.
Gap 4: real-time cross-SaaS/platform response
When Drift was compromised, organizations needed to revoke OAuth tokens across Salesforce, Google, and Zscaler simultaneously. They needed to freeze sessions in multiple platforms, block data exfiltration mid-stream, and preserve forensic evidence everywhere.
Security Mesh helps with Salesforce. What about the other SaaS platforms? Closing these four gaps requires:
- Cross-SaaS OAuth monitoring: Track every token across your entire SaaS and AI ecosystem. Baseline normal behavior per app, alert on anomalies, and revoke access everywhere in just a few clicks.
- Data flow visibility: Map where Salesforce data goes after it leaves Salesforce. Track replication across platforms and identify unauthorized destinations/integrations.
- SaaS supply-chain security: Continuously monitor vendors. Create behavioral baselines for every connected app, detect when third-party apps are compromised, and automate response when vendors are breached.
- Ecosystem-wide unified incident response: Visualize all critical apps and integrations in a single console. Run automated playbooks such as cross-SaaS session termination. Preserve forensic evidence.
How Vorlon’s unified SaaS and AI security platform prevents SaaS supply chain breaches
August 8, 2025, 2:47 AM: Drift token makes first API call from new IP (Tor exit node). Behavioral baseline detects an anomaly. Alert sent.
3:15 AM: Security team reviews alert. Sees Drift accessing Salesforce, Google Workspace, and Zscaler. Confirms abnormal behavior.
3:18 AM: Security team revokes Drift OAuth tokens across all platforms in just a few clicks. Active sessions terminated. Forensic logs preserved.
Result: Breach contained in 31 minutes, not 10 days. Data exfiltration prevented.
This is what ecosystem-wide security delivers. Vorlon would have immediately seen the behavioral change, correlated activity across platforms, and enabled instant response everywhere simultaneously.
Chapter 4: Your Strategic Roadmap for Leveling Up Your SaaS and AI Security
Three SaaS supply-chain breaches in 2025, capped by the Gainsight incident, point to one strategy: behavioral monitoring with data-layer context across the entire SaaS and AI ecosystem.
The 90-day transformation
Phase 1: Foundation (Weeks 1-4)
Week 1: Enable Salesforce free fundamentals
- Force MFA universally (no exceptions)
- Verify September 2025 Connected Apps restrictions are active
- Verify Salesforce security logging is enabled (free tier or Shield); if using free tier, ensure automated collection before 24-hour expiration
- Run Security Health Check (target: 90%+ score)
- Audit all ISV and AppExchange apps for Gainsight-style rogue OAuth patterns
- Log and review access from new cloud-provider IP ranges used in the Gainsight attack
- Restrict IP ranges to corporate networks as appropriate
Week 2: OAuth audit
- Export all Connected Apps
- Document the business owner and the justification for each
- Revoke apps that have been inactive for 90+ days, have no clear owner, or have excessive permissions
- Create a quarterly review schedule
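The Week 2 audit and the four-step Connected App review from the Dreamforce admin session are the same decision table, and it is worth encoding so the quarterly review is repeatable. The script below is an added example, not Salesforce's or Vorlon's code: it takes an exported list of Connected Apps (constructed here, with placeholder consumer keys) and applies both rule sets, blocking an app whose provider is unrecognized, whose owner or justification is missing, or whose first-party name is not backed by the expected provider, and revoking one that has been idle 90 or more days or carries an excessive scope. Two rows deliberately share one consumer key, because the text says the fake DataLoader reused the real client_id; the expected provider for the Data Loader name and the treatment of `full` as excessive are assumptions.

```python
"""Connected App review: applies the four-step check (OAuth usage, business need,
legitimacy, install-or-block) and the Week 2 revocation rules to an exported list
of apps. Added example, not Salesforce's or Vorlon's code.

The export below is constructed. Consumer keys are placeholders; rows 1 and 2
deliberately share one key, because the text says the fake DataLoader reused the
real client_id, so ownership and provider must decide, not the key.
"""
import csv
import io
from datetime import date

INACTIVE_DAYS = 90
EXCESSIVE_SCOPES = {"full"}  # assumption: 'full' is excessive unless specifically justified
# Assumption: the provider domain expected behind a first-party app name.
KNOWN_FIRST_PARTY = {"Salesforce Data Loader": "salesforce.com"}

SAMPLE_EXPORT = """\
name,consumer_key,provider,owner,justification,last_used,scopes
Salesforce Data Loader,CONSUMER_KEY_PLACEHOLDER_A,salesforce.com,Sales Ops,Bulk loads for territory changes,2025-09-28,api refresh_token
Salesforce Data Loader,CONSUMER_KEY_PLACEHOLDER_A,unknown,,,2025-09-30,full refresh_token
Drift,CONSUMER_KEY_PLACEHOLDER_B,drift.com,Marketing Ops,Chat lead routing,2025-09-29,api refresh_token
Legacy BI Connector,CONSUMER_KEY_PLACEHOLDER_C,example-bi.com,J. Doe (departed),Quarterly reporting,2025-05-01,api
Marketing Sync,CONSUMER_KEY_PLACEHOLDER_D,example-mkt.com,Marketing Ops,Campaign sync,2025-09-30,full refresh_token
"""


def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_app(app: dict, ref_day: str) -> dict:
    """Return the app with a decision (block / revoke / keep) and the reasons behind it."""
    block, revoke = [], []
    name, provider = app["name"], app["provider"].strip().lower()
    scopes = set(app["scopes"].split())

    # Steps 1 and 3: is the provider known, and is a first-party name backed by the right provider?
    if provider in ("", "unknown"):
        block.append("provider not recognized")
    expected = KNOWN_FIRST_PARTY.get(name)
    if expected and provider != expected:
        block.append(f"named like first-party app {name} but provider is {provider or 'missing'}")
    # Step 2: business need
    if not app["owner"].strip():
        block.append("no business owner")
    if not app["justification"].strip():
        block.append("no justification recorded")

    # Week 2 rules: inactivity and excessive permissions
    idle = (date.fromisoformat(ref_day) - date.fromisoformat(app["last_used"])).days
    if idle >= INACTIVE_DAYS:
        revoke.append(f"inactive for {idle} days (>= {INACTIVE_DAYS})")
    if scopes & EXCESSIVE_SCOPES:
        revoke.append(f"excessive scopes: {' '.join(sorted(scopes & EXCESSIVE_SCOPES))}")

    # Step 4: a legitimacy or ownership failure blocks; otherwise the Week 2 rules revoke.
    decision = "block" if block else "revoke" if revoke else "keep"
    return {**app, "decision": decision, "reasons": block + revoke}


def audit(apps, ref_day: str):
    return [review_app(a, ref_day) for a in apps]


if __name__ == "__main__":
    for r in audit(parse_export(SAMPLE_EXPORT), date.today().isoformat()):
        print(f"{r['decision']:7} {r['name']:24} {'; '.join(r['reasons']) or 'ok'}")
```

The two Data Loader rows are the point: their consumer keys are identical, so nothing in the OAuth grant itself separates them. Only the provider, owner, and justification columns, which the review process forces someone to fill in, tell the real app from the impersonator.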
Week 3: Data classification
- Identify the top-20 sensitive objects
- Use the free Object Manager classification
- Document where sensitive data flows
- Plan Shield deployment if needed
Week 4: Incident response prep
- Document OAuth token revocation procedures
- Test session freeze capabilities
- Create communication templates
- Establish out-of-band communication channels
Outcome: Free security controls deployed, current risks documented, team aligned.
Phase 2: Enhanced security (Weeks 5-8)
Week 5: Configure event types, establish behavioral baselines, and, if applicable, integrate with the existing security and ITSM stack.
Week 6: Evaluate SaaS and AI ecosystem security platform. Review Vorlon capabilities, customer references, and ROI calculation. Get budget approval.
Week 7: Deploy Vorlon. Discover all critical SaaS and AI applications and integrations. Connect Shield Event Monitoring, if necessary. Establish behavioral baselines.
Week 8: Integration and testing. Verify Shield events flowing to Vorlon. Test cross-SaaS correlation. Test OAuth token revocation across SaaS platforms. Update incident response playbooks.
Outcome: Comprehensive visibility across the entire SaaS and AI ecosystem, detection capabilities operational, and response procedures tested.
Phase 3: Optimization (Weeks 9-12)
Week 9: Detection optimization. Review alerts, adjust thresholds, identify coverage gaps, and refine baselines.
Week 10: Response automation. Automate playbooks (suspicious OAuth app, mass data export). Test automated response. Monitor effectiveness.
Week 11: Governance establishment. Document policies, define review schedules, assign ownership, and map controls to compliance requirements.
Week 12: Continuous improvement. Conduct retrospective, analyze metrics (MTTD, MTTR), and plan Security Mesh evaluation (viable for enterprises with large Salesforce security budgets).
Outcome: Optimized detection and response, governance established, and a continuous improvement framework in place.
Phase 4: Keeping pace with accelerating AI agent proliferation
AI agents multiply faster than human users. They have broad permissions, operate autonomously, and don't fall under traditional security controls.
What you need
- Non-human identity discovery (know what you have)
- Behavioral monitoring (know what's normal)
- Automated governance (enforce least privilege)
- Real-time response (stop rogue agents fast)
This is where unified SaaS and AI ecosystem security provides value that Salesforce can't. Vorlon sees AI agents across all your critical apps and integrations, not just Salesforce.
- Security posture: Security Health Check score 95%+, OAuth apps 100% under management, top-20 objects classified.
- Detection effectiveness: Mean time to detect <1 hour, false positive rate <10%, coverage 100% of critical SaaS apps.
- Response capability: Mean time to respond <15 minutes, automated response rate 80%+, cross-platform containment for all critical apps.
- Business impact: Incidents prevented, breach risk reduction 70%+, and compliance audit readiness.
The 90-day transformation isn't about perfection. It's about momentum. Week 1 gives immediate risk reduction. Week 8 gives comprehensive visibility. Week 12 and forward provide continuous improvement.
Conclusion: The Choice is Clear
ShinyHunters, Salesloft/Drift, and Gainsight taught us that SaaS supply-chain attacks are the new normal and OAuth tokens are the new passwords. Individual SaaS-specific security isn't enough. Attackers exploited security gaps between SaaS apps, the trust in OAuth tokens, and the lack of behavioral monitoring with data-layer context.
Salesforce responded with the September 2025 Connected Apps change and Security Mesh. Important steps. They address part of the problem.
But only part.
The stakes for 2026 are unmistakable. Three breaches occurred in six months. The next will arrive sooner. Ecosystem-wide visibility, behavioral analytics with data-layer context, and automated response are no longer optional—they are the minimum required to keep Salesforce and every connected application secure.
The question isn't whether you need ecosystem-wide SaaS and AI security. The question is whether you'll implement it before attackers find the gaps you've left open.
See how Vorlon complements your Salesforce security investments.
We'll show you your current OAuth exposure across all platforms, hidden non-human identities in your environment, how we would have detected ShinyHunters, Salesloft/Drift, and Gainsight in your org, and rapid containment capabilities.
About the authors
Adam Burt, Head of Research
Adam Burt is the Head of Research at Vorlon, a cybersecurity company that helps enterprises secure sensitive data across their SaaS and AI ecosystem. Adam brings over 24 years of experience in cybersecurity across malware analysis, digital forensics, reverse engineering, and security architecture. Before joining Vorlon, he led a team of Solution Architects at Palo Alto Networks, focusing on security and automation. Adam has held technical and leadership roles at companies like Symantec, Fidelis Cybersecurity, and NTT, working across industries to help organizations strengthen their security posture. He holds multiple certifications, including CISSP, GCFE, CSTP, and CCSK, and has contributed to research on network vulnerabilities, malware obfuscation, and threat detection associated with some of the largest data breaches.
Elias Terman, VP of Marketing
Elias Terman is VP of Marketing at Vorlon, a cybersecurity company that helps enterprises secure sensitive data across their SaaS and AI ecosystem. Elias has fifteen years of experience leading marketing teams at cybersecurity startups. Before Vorlon, he was CMO-in-Residence at YL Ventures, helping the firm’s portfolio companies accelerate revenue growth. As CMO at Uptycs, he drove the company’s market transition from an endpoint detection and response company to a hybrid cloud security vendor. He was Orca Security’s first marketing hire, leading the company’s marketing efforts from its seed stage through its emergence as a unicorn cloud security leader. Before Orca, Elias ran marketing at Integris Software, a data discovery and privacy automation firm acquired by OneTrust. At Distil Networks, he drove the creation of the Bot Mitigation category, which led to its acquisition by Imperva. He also built out the marketing and business development teams at OneLogin, an Identity and Access Management pioneer.
About Vorlon
Vorlon secures the converged SaaS and AI ecosystem, giving enterprises visibility and control over the data, identities, and integrations that power modern business. Built on patent-pending DataMatrix™ technology, Vorlon’s unified SaaS and AI security platform creates a live model of every app, agent, and connected service, along with their interdependent data flows, non-human identities, and users. It delivers continuous, agentless visibility without disrupting operations.
Organizations can see data in motion, uncover risky integrations and unsanctioned AI tools, detect unusual behavior, and automate remediation in real time. Backed by Accel and trusted by Fortune 500 leaders and fast-moving innovators, Vorlon helps security teams safeguard sensitive data and innovate with confidence in the era of AI-driven transformation.
Learn more at vorlon.io