Cloud security has evolved rapidly over the past decade. Most enterprises today have deep, continuous visibility into their cloud environments, including workloads, identities, configurations, and attack paths.

Platforms like Wiz have played a critical role in this shift, helping security teams understand and prioritize cloud-native risk with speed and clarity.

Yet despite increasingly mature cloud security programs, SaaS breaches continue to rise.

This creates an important, and often misunderstood, question: If our cloud is secure, where is the risk actually coming from?

In most modern incidents, the answer doesn't lie in cloud infrastructure. It lies in an enterprise's SaaS ecosystem that operates beyond CNAPP visibility.

What Wiz does extremely well

Wiz is purpose-built to secure cloud-native environments at scale. Its core strengths include:

  • Cloud workload visibility
  • Identity and access risk mapping
  • Misconfiguration detection
  • Vulnerability exposure analysis
  • End-to-end attack path visualization (within the cloud boundary; SaaS-to-SaaS paths are out of scope)

For organizations running complex AWS, Azure, GCP, or Kubernetes environments, these capabilities are valuable. Wiz helps teams answer questions such as:

  • Where could an attacker move laterally inside the cloud?
  • Which identities are over-privileged?
  • How could a vulnerability be exploited in practice?
  • Which risks matter most right now?

Within the cloud boundary, Wiz delivers industry-leading clarity and prioritization.

The assumption CNAPP platforms are built on

CNAPP platforms, by design, are built on a foundational assumption that risk originates inside the cloud environment. This assumption made sense when:

  • Most applications were custom-built
  • Data primarily lived in cloud-hosted systems
  • Integrations were limited and tightly controlled

Modern enterprise environments no longer fit this model.

The shift: From cloud-centric to SaaS-centric risk

Today's enterprises operate:

  • Hundreds of SaaS applications
  • Thousands of OAuth-based integrations
  • Automated workflows spanning vendors
  • AI agents operating continuously

Business-critical data increasingly:

  • Leaves the cloud
  • Moves directly between SaaS tools
  • Is accessed by non-human identities
  • Is processed outside traditional infrastructure boundaries

These patterns create risks that cloud security tools were never designed to observe.

Does Wiz protect SaaS integrations?

This is one of the most common questions security teams ask.

Wiz focuses on cloud infrastructure, workloads, and cloud identities. SaaS-to-SaaS integrations, OAuth token behavior, and cross-application data movement typically require ecosystem-level visibility beyond cloud-native security platforms.

This represents a significant difference in scope.

Why SaaS breaches happen in cloud-secure environments

Many modern SaaS incidents share the same characteristics:

  • No cloud workload is compromised
  • No cloud vulnerability is exploited
  • No cloud IAM identity is breached

Instead, attackers leverage:

From a cloud security perspective, everything looks normal. From a SaaS ecosystem perspective, access is being abused quietly and continuously, and sensitive data is moving from cloud-connected systems into SaaS tools without any oversight.

CNAPP vs. SaaS security: An architectural boundary

CNAPP platforms like Wiz are optimized for:

  • Infrastructure runtime signals
  • Network exposure
  • Cloud identity relationships
  • Data at rest in cloud environments

SaaS security operates at a fundamentally different layer:

  • OAuth tokens instead of IAM roles
  • API calls instead of network traffic
  • Vendor-managed execution environments
  • Cross-tenant and cross-app data movement

This makes the CNAPP vs. SaaS security discussion less about overlap and more about architectural boundaries.

The shared responsibility model is different for SaaS

In cloud environments, the shared responsibility model is relatively well understood: the cloud provider secures the underlying infrastructure, and the customer is responsible for what runs on top of it. CNAPP platforms like Wiz are purpose-built to address the customer's side of that equation.

SaaS operates under a meaningfully different model. The SaaS vendor is responsible for securing the application itself, but the enterprise retains responsibility for what accesses that application, what integrations are granted, and how data moves between platforms. This third layer, the integration and identity layer, sits entirely outside what either the cloud provider or the SaaS vendor monitors. It is the enterprise's responsibility, and it is the layer that cloud security tools were not designed to see.

OAuth: The primary SaaS attack path CNAPP can't see

OAuth facilitates SaaS connectivity and is one of the most abused mechanisms in modern environments. Common OAuth-related risks include:

  • Excessive permissions granted at approval
  • Tokens that never expire or rotate
  • Integrations approved once and forgotten
  • Limited insight into real-world usage behavior

Cloud security platforms may detect the existence of access, but often cannot determine:

  • How frequently data is accessed
  • Whether behavior deviates from historical norms
  • How much data is being moved
  • Where that data travels after access

This creates a coverage gap at exactly the point where token-based attacks begin. For a full breakdown of how these risks manifest, see Vorlon's OAuth and API security overview.
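The checks above (excessive scopes, non-expiring tokens, forgotten integrations, and usage that deviates from historical norms) can be run over an exported inventory of OAuth grants. The following is an added illustration, not Vorlon's or Wiz's code; the grant records, field names, the "broad scope" set and the thresholds are constructed assumptions for the example.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample of OAuth grants, shaped like a SaaS admin audit export.
# Field names and values are hypothetical, not a real vendor's schema.
NOW = datetime(2025, 6, 1)
GRANTS = [
    {"app": "report-sync", "scopes": ["files.read"],
     "granted": NOW - timedelta(days=30), "last_used": NOW - timedelta(days=1),
     "expires": NOW + timedelta(days=60),
     "daily_bytes": [5e6, 6e6, 5e6, 7e6, 6e6, 5e6, 6e6, 9e7]},  # last day spikes
    {"app": "legacy-crm-bridge",
     "scopes": ["files.read", "files.write", "admin.directory", "mail.read"],
     "granted": NOW - timedelta(days=400), "last_used": NOW - timedelta(days=200),
     "expires": None,                      # token never expires or rotates
     "daily_bytes": [0, 0, 0, 0, 0, 0, 0, 0]},
]

BROAD_SCOPES = {"admin.directory", "files.write", "mail.read"}  # assumed high-risk scopes
STALE_DAYS = 90      # approved once and not used since: review or revoke
SPIKE_SIGMA = 3.0    # flag a day more than 3 sigma above the historical mean

def volume_spike(daily_bytes):
    """Return latest/baseline ratio if the latest day deviates from history, else None."""
    *history, latest = daily_bytes
    base_mean = mean(history)
    if base_mean == 0:
        return None                        # no baseline to compare against
    sigma = pstdev(history) or base_mean * 0.1   # flat history: use 10% as floor
    if latest > base_mean + SPIKE_SIGMA * sigma:
        return latest / base_mean
    return None

def assess_grant(g, now=NOW):
    """Return the risk findings for one OAuth grant, matching the four risks above."""
    findings = []
    broad = BROAD_SCOPES & set(g["scopes"])
    if broad:
        findings.append("excessive-permissions:" + ",".join(sorted(broad)))
    if g["expires"] is None:
        findings.append("non-expiring-token")
    if (now - g["last_used"]).days > STALE_DAYS:
        findings.append("stale-integration")
    spike = volume_spike(g["daily_bytes"])
    if spike is not None:
        findings.append(f"volume-spike:{spike:.0f}x-baseline")
    return findings

def assess_all(grants=GRANTS):
    """Map each app to its findings; empty list means no finding for that grant."""
    return {g["app"]: assess_grant(g) for g in grants}
```

In the sample, the narrowly scoped but suddenly chatty integration and the broad, dormant, non-expiring one produce different findings, which is the prioritisation signal the paragraph describes.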

SaaS supply chain and non-human identity risk

SaaS ecosystems introduce layered dependencies:

  • Primary SaaS platforms
  • Third-party integrations
  • Fourth-party services embedded indirectly

Add AI agents to this mix, and the challenge compounds. AI agents:

  • Operate as non-human identities
  • Chain actions across SaaS tools
  • Act continuously without human intervention
  • Are difficult to audit using traditional IAM models

Industry analysis consistently highlights this convergence of AI, SaaS, and ecosystem risk as a growing concern for enterprise security teams.

Extending visibility beyond the cloud layer

This is where SaaS ecosystem security platforms come into play. Rather than replacing CNAPP tools, ecosystem-focused platforms such as Vorlon extend visibility into:

  • SaaS-to-SaaS data movement
  • OAuth token behavior
  • Third- and fourth-party access paths
  • Abnormal integration activity
  • Non-human and AI identity behavior

From an architectural perspective, this enables defense-in-depth:


Frequently asked questions

Does Wiz protect SaaS applications?

Wiz focuses on securing cloud infrastructure, workloads, and cloud identities. SaaS application behavior, integrations, and OAuth usage typically require additional ecosystem-level visibility.

What is Wiz's SaaS security coverage?

Wiz has recently announced coverage for Microsoft Office 365, representing a step toward SaaS visibility. Ecosystem-wide monitoring across all SaaS integrations and OAuth access paths remains outside the scope of CNAPP platforms.

Why do SaaS breaches happen despite strong cloud security?

Many SaaS breaches rely on legitimate OAuth access, third-party integrations, or non-human identities rather than cloud vulnerabilities.

What is the difference between CNAPP and SaaS security?

CNAPP platforms secure cloud-native infrastructure, while SaaS security focuses on integrations, access behavior, and data movement across SaaS ecosystems.

How do SaaS attacks bypass cloud security tools?

By abusing legitimate access paths, such as OAuth tokens and trusted integrations, that operate outside infrastructure-level monitoring.
