
By Kevin Hanes, CEO of Reveal Security
A few weeks ago, I shared a thought that sparked a lot of discussion: SaaS is not a black box we can ignore. It’s a rich, dynamic attack surface – and one that attackers are increasingly targeting. That urgency was echoed powerfully in JPMorgan CISO Patrick Opet’s open letter to SaaS vendors.
That letter stuck with me. It was direct, overdue, and – perhaps most importantly – public. So I want to return to this topic, because we’re still not talking about it enough. And we need to.
SaaS Is the New Enterprise Perimeter
We’ve long known our software supply chains carry risk. But something has shifted. SaaS apps – from email to collaboration platforms to CRM tools – have become deeply embedded in enterprise workflows. They’re where your customers are served, where your data lives, where your employees and contractors operate every day.
That also makes them fertile ground for adversaries.
We’ve seen this in many high-profile breaches where the damage happened not on the network but inside a third-party SaaS app. In these scenarios the attacker already holds valid credentials, whether stolen outright or handed over by a bribed insider, and proceeds to move laterally, conduct reconnaissance, and then manipulate workflows or exfiltrate data. Because the session is authenticated, none of this looks like an intrusion to the SaaS provider; it looks like a user doing their job. The threat is real and it’s growing. In the last couple of weeks we’ve seen reports describing this pattern as an ‘insider threat’. Among these are the North Korean IT worker hacks into U.S. companies using stolen identities, and the attack against Coinbase, in which threat actors recruited and bribed support agents to steal customer data from the company’s customer support systems.
No One Gets to Hide Behind the Shared Responsibility Model Anymore
Patrick Opet emphasized the need for a shift in how we approach SaaS security:
“Software providers must prioritize security over rushing features. Comprehensive security should be built in or enabled by default.”
“We must modernize security architecture to optimize SaaS integration and minimize risk.”
This hits a nerve. The shared responsibility model — especially in SaaS — has too often become a shield vendors use to deflect accountability. But the reality is: shared responsibility can’t mean shared blindness.
Let me be clear: it’s not just about the provider. It’s about how we as defenders secure access and then monitor what happens after authentication.
SaaS providers rarely give you the telemetry to know when something unusual is happening inside your tenant. Traditional SIEM and endpoint tools don’t cut it here. And many organizations have no visibility at all into how identities are behaving across their ecosystem (dare I say “network”?) of SaaS applications.
That’s exactly the blind spot attackers are counting on.
So What Do We Do About It?
We start by acknowledging the risk. SaaS isn’t “someone else’s problem.” It’s part of your infrastructure — and it deserves the same rigor as anything behind your firewall.
Mandiant also stresses the importance of this in a recent investigations report, noting the rise of adversaries targeting SaaS applications:
“SaaS applications pose an interesting dilemma for organizations as there is a gray area of where and who should conduct monitoring to identify issues. For the applications where proprietary or guarded information exists, Mandiant recommends that an organization ensures they have a robust logging capability that their security teams can review for signs of malicious intent.”
Second, we push for better from our vendors. I applaud Pat’s leadership in doing that. It takes courage to challenge an ecosystem that’s historically under-incentivized to prioritize enterprise-grade security.
Finally, we invest in visibility, detection and response capabilities purpose-built for SaaS. That’s what we’re doing at Reveal Security: helping enterprises detect abnormal and malicious identity behavior inside and across cloud and SaaS applications — not through static rules or anomaly scores, but by understanding the typical behavior of each identity and flagging deviations that matter.
We do this for all workforce identities — human, non-human, AI, or bot.
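To make “the typical behavior of each identity” concrete, here is an added example written for this post; it is not Reveal Security’s product code and not taken from any vendor. It builds a per-identity profile (actions, active hours, source IPs, peak volume) from SaaS audit-log lines and then flags new events only when they depart from that profile by enough to matter. The event schema (ts, actor, action, count, ip), the deviation weights and the alert threshold are assumptions chosen for illustration, and every log line is constructed, not captured from a real tenant.

```python
"""Per-identity behavioural baselining over SaaS audit events.

Added example for this post, not Reveal Security's code. The event
schema, weights and threshold are assumptions; the log lines below
are constructed, not captured from any real tenant.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed "normal week" for a human support agent and a non-human backup service.
BASELINE_LOG = """
{"ts": "2025-05-12T09:15:00Z", "actor": "agent.a", "action": "ticket.view", "count": 1, "ip": "10.0.0.5"}
{"ts": "2025-05-12T10:40:00Z", "actor": "agent.a", "action": "customer.lookup", "count": 1, "ip": "10.0.0.5"}
{"ts": "2025-05-13T14:05:00Z", "actor": "agent.a", "action": "customer.lookup", "count": 1, "ip": "10.0.0.5"}
{"ts": "2025-05-14T16:30:00Z", "actor": "agent.a", "action": "ticket.view", "count": 1, "ip": "10.0.0.5"}
{"ts": "2025-05-12T02:00:00Z", "actor": "backup-svc", "action": "customer.export", "count": 50000, "ip": "10.0.9.1"}
{"ts": "2025-05-13T02:00:00Z", "actor": "backup-svc", "action": "customer.export", "count": 51000, "ip": "10.0.9.1"}
"""

# Constructed events to evaluate: one is a compromised or bribed agent bulk-exporting records.
NEW_LOG = """
{"ts": "2025-05-19T10:05:00Z", "actor": "agent.a", "action": "customer.lookup", "count": 1, "ip": "10.0.0.5"}
{"ts": "2025-05-19T23:10:00Z", "actor": "agent.a", "action": "ticket.view", "count": 1, "ip": "10.0.0.5"}
{"ts": "2025-05-19T23:12:00Z", "actor": "agent.a", "action": "customer.export", "count": 5000, "ip": "198.51.100.7"}
{"ts": "2025-05-20T02:00:00Z", "actor": "backup-svc", "action": "customer.export", "count": 50500, "ip": "10.0.9.1"}
"""

# Assumed weights: a never-seen action or a volume spike matters more than a late login or new IP alone.
WEIGHTS = {"new_action": 2, "volume": 2, "off_hours": 1, "new_ip": 1}
ALERT_THRESHOLD = 2


def parse_events(text):
    """Parse JSON-lines audit events and attach the UTC hour of each event."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        e["hour"] = ts.hour
        events.append(e)
    return events


def build_baselines(events):
    """One profile per identity: the actions, hours, IPs and peak volume it normally shows."""
    profiles = defaultdict(lambda: {"actions": set(), "hours": set(), "ips": set(), "max_count": 0})
    for e in events:
        p = profiles[e["actor"]]
        p["actions"].add(e["action"])
        p["hours"].add(e["hour"])
        p["ips"].add(e["ip"])
        p["max_count"] = max(p["max_count"], e["count"])
    return dict(profiles)


def score_event(event, profile):
    """Return (score, reasons) describing how far the event departs from this identity's norm."""
    reasons = []
    if event["action"] not in profile["actions"]:
        reasons.append("new_action")
    if event["count"] > 10 * max(profile["max_count"], 1):  # an order of magnitude above its own peak
        reasons.append("volume")
    near = {(h + d) % 24 for h in profile["hours"] for d in (-1, 0, 1)}  # one hour of tolerance
    if event["hour"] not in near:
        reasons.append("off_hours")
    if event["ip"] not in profile["ips"]:
        reasons.append("new_ip")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(baseline_events, new_events, threshold=ALERT_THRESHOLD):
    """Return [(event, reasons)] for events that deviate from their identity's profile by >= threshold."""
    profiles = build_baselines(baseline_events)
    alerts = []
    for e in new_events:
        profile = profiles.get(e["actor"])
        if profile is None:
            alerts.append((e, ["unknown_identity"]))  # no baseline at all: always worth a look
            continue
        score, reasons = score_event(e, profile)
        if score >= threshold:
            alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    for event, reasons in detect(parse_events(BASELINE_LOG), parse_events(NEW_LOG)):
        print(f"ALERT {event['ts']} {event['actor']} {event['action']} x{event['count']}: {', '.join(reasons)}")
```

Two things to notice in the output. The backup service’s 50,000-record export at 02:00 is not flagged, because that is its norm; a static “bulk export” rule would fire on it every night. The support agent’s 5,000-record export is flagged on every dimension (new action, volume, off-hours, new IP), while the same agent merely viewing a ticket late at night scores too low to alert. That is the difference between per-identity baselining and a global rule or anomaly score, and it applies equally to human and non-human identities.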
Because let’s face it: adversaries don’t care about the shared responsibility model. They care about taking what’s yours. And if you don’t know what’s happening inside your apps, they already have the upper hand.
Let’s keep this conversation going — openly, urgently, and with the shared understanding that cloud and SaaS security is enterprise security. The more we treat it that way, the better prepared we’ll be.
– Kevin