Q&A with Adam Burt Part 1: Why SaaS Breach Investigations Are So Hard

The explosion of SaaS applications has transformed how businesses operate, but SaaS security remains an underappreciated risk. To get to the heart of the issue, I sat down with Adam Burt, Vorlon's Head of Research.
Adam has spent over two decades in cybersecurity, tackling everything from malware reverse engineering to security architecture at companies like Symantec, NTT, CGI, and Palo Alto Networks. Now, he leads research at Vorlon, focusing on helping enterprises secure the data flowing across their extended SaaS ecosystem.
Our conversation revealed why security teams struggle to monitor SaaS environments, from API misattribution to the lack of real-time logs, and how Vorlon helps close the gap.
Now you can be a fly on the wall, and listen in to what Adam had to say.
Elias Terman: Adam, when security teams investigate a SaaS security incident, what’s their biggest challenge?
Adam Burt: The fundamental issue is visibility, or rather, the lack of it. Security teams assume that SaaS applications provide rich audit logs, but many vendors don’t log API activity at all.
This is a huge problem because SaaS applications are increasingly accessed via APIs, not just by humans clicking around in a UI. If security teams can’t see API activity in logs, they can’t detect data exfiltration, malicious automation, or unauthorized integrations.
And even when logs do exist, they might be locked behind paywalls, incomplete, or painfully slow to access. I recently read Maya Kaczorowski’s article in TLDRsec on what CISOs are complaining about, and the struggle to get useful SaaS logs came up repeatedly. One security leader had to wait two days for Notion to email them logs related to a security incident. Another had to manually log into Stripe’s web portal to get transaction logs. That’s just not sustainable for security operations.
Elias: Is there a correlation between the size of a SaaS vendor and how well they handle logging?
Adam: You’d think bigger vendors would have better logging practices, but that’s not always the case. While enterprise SaaS platforms like Salesforce provide rich API audit logs, those logs don’t always contain the information security teams need.
For example, let’s say an API request is made to export customer data from Salesforce. The logs might not tell you who initiated the request. Instead, they log a session ID—but that session ID alone is meaningless.
At Vorlon, we correlate that session ID with other API activity, matching it to an IP address, timestamp, and authentication method. That’s how we turn fragmented logs into actionable security insights.
Elias: So, API logs aren’t just incomplete—they’re sometimes misleading?
Adam: Exactly. Many SaaS platforms attribute API activity to a user, even when a non-human identity (like a script or an integration) made the request.
This creates a misattribution problem. Imagine an OAuth token is stolen and used to access sensitive data. If the logs only show a user’s name, security teams might falsely assume that person is responsible.
Vorlon helps separate human and machine-based API activity so security teams get real attribution instead of guesswork.
Elias: What’s the most overlooked SaaS security risk?
Adam: The silent threat is token sprawl. Companies have no idea how many tokens are active, which applications are using them, or how long they’ve been sitting around with access to sensitive data.
OAuth is great for security, when implemented properly. It allows SaaS applications to grant limited access to third-party tools without sharing passwords. But OAuth tokens don’t always expire like passwords do. They can remain valid until revoked manually, meaning a stolen OAuth token can grant long-term access to sensitive data, without triggering traditional security alerts.
One of Vorlon’s key capabilities is monitoring OAuth (and other) tokens in real time. We can detect risky tokens, see where they’re being used, and revoke them automatically if something looks off.
Elias: Why don’t traditional security tools solve this problem?
Adam: Traditional security tools were never designed to monitor SaaS environments.
SIEMs, EDRs, and network-based security solutions operate under the assumption that most threats originate at the endpoint or network layer. But in SaaS environments, most security events happen outside of the traditional perimeter.
The data flowing across an enterprise SaaS ecosystem creates a whole new attack surface that legacy tools can’t see.
Elias: A lot of security teams rely on SIEMs. Can’t they just send SaaS logs to their SIEM?
Adam: That would be great, if SaaS logs were always useful. The problem is that many SaaS platforms don’t provide structured logs, and when they do, they might not contain what’s actually needed.
Let’s say you collect Salesforce logs in your SIEM. You might see that an API request was made, but only who made it and not which OAuth token was used. That level of correlation requires additional API calls, which SIEMs aren’t built to do. The problem becomes even more challenging when you need to correlate the data being generated from the dozens of applications integrated with Salesforce.
At Vorlon, we don’t just collect logs—we enrich them. We cross-reference API data with authentication events, user sessions, and permissions structures to provide real attribution.
Elias: What should security teams be asking their SaaS vendors about their API logs and how they handle tokens?
Adam: At a minimum, security teams should be asking prospective SaaS vendors four questions.
- Do you log all API requests, including read operations?
- Are API logs available through the API, or do they require a support request?
- Do logs distinguish between human users and machine-to-machine integrations?
- Can I monitor OAuth / API token usage and revoke tokens if needed?
The data confirms SaaS vendors are failing at logging
To understand the state of SaaS logging, we analyzed 70 popular SaaS vendors across multiple industries. The findings were alarming:
- Only 45% of vendors met all four of the logging requirements above.
- 30% lacked full API logging, meaning security teams would have no record of certain API-based activity.
- 40% failed to distinguish between human and machine-based activity, creating a major attribution challenge for security teams.
- Nearly 50% required additional licensing or manual support requests to access security logs.
This means that in more than half of all SaaS platforms, security teams are missing critical forensic data, making it impossible to detect, investigate, or respond to API-based threats.
The impact: Delayed response, missed breaches, and greater risk
As an industry, we need to do better.
Elias: Let’s wrap this up for now and pick up the conversation in part two. What’s the big takeaway for security teams trying to get a handle on SaaS security?
Adam: The key message is this: If you’re only looking at traditional security logs, you’re missing most of the attack surface. SaaS applications run on APIs, and if you’re not monitoring the API activity, you’re operating blind.
Security teams need detection and response capabilities across their SaaS ecosystem, not just more logs. That’s what we do at Vorlon. We help security teams see the invisible threats hiding in enterprise SaaS environments and respond to them.
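The enrichment Adam describes in the interview, correlating a session ID with the authentication event that created it, separating human from machine-made requests, and flagging long-lived tokens, as an added worked example in Python. This is illustrative code written for this page, not part of the interview and not Vorlon's product; the log shapes, field names, IP addresses, the oauth_token auth method label, the 100,000-row export threshold and the 90-day token age are all constructed assumptions, not any vendor's real schema.

```python
"""Attributing SaaS API audit events that carry only a session ID.

Added example, not the page's or Vorlon's code. All data below is constructed:
the API log has no actor field (only a session ID), and a separate
authentication log is the one place a session meets a principal.
"""
from datetime import datetime, timedelta

BULK_EXPORT_ROWS = 100_000  # assumed threshold for a "bulk" export

# Constructed API audit events: note the absence of any actor/user field.
API_EVENTS = [
    {"ts": "2025-03-01T09:02:11Z", "session_id": "S-1001", "ip": "203.0.113.10",
     "op": "query", "object": "Account", "rows": 40},
    {"ts": "2025-03-01T09:05:47Z", "session_id": "S-1002", "ip": "198.51.100.7",
     "op": "export", "object": "Contact", "rows": 250_000},
    {"ts": "2025-03-01T09:06:02Z", "session_id": "S-1002", "ip": "192.0.2.55",
     "op": "export", "object": "Lead", "rows": 180_000},
    {"ts": "2025-03-01T09:10:30Z", "session_id": "S-9999", "ip": "192.0.2.99",
     "op": "query", "object": "Opportunity", "rows": 12},
]

# Constructed authentication events. A naive reading attributes S-1002 to the
# user who authorized the integration; the auth method shows it was a token.
AUTH_EVENTS = [
    {"session_id": "S-1001", "principal": "jdoe@example.com",
     "auth_method": "password_mfa", "token_id": None, "ip": "203.0.113.10"},
    {"session_id": "S-1002", "principal": "jdoe@example.com",
     "auth_method": "oauth_token", "token_id": "T-77", "ip": "198.51.100.7"},
]

# Constructed token inventory: which integration holds which token.
TOKENS = {
    "T-77": {"app": "marketing-sync", "issued_at": "2023-11-15T00:00:00Z",
             "expires_at": None},
}


def parse_ts(s):
    """Parse the constructed ISO-8601 UTC timestamps used above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def attribute(api_events, auth_events, tokens):
    """Join API events to auth events on session ID and classify the actor.

    Returns the events enriched with principal, actor_type (human / machine /
    unattributed), the token and app behind machine activity, and review flags.
    """
    sessions = {a["session_id"]: a for a in auth_events}
    enriched = []
    for ev in api_events:
        rec = dict(ev, principal=None, actor_type="unattributed",
                   token_id=None, app=None, flags=[])
        auth = sessions.get(ev["session_id"])
        if auth is None:
            # No login record for this session: the vendor log is incomplete.
            rec["flags"].append("no_session_match")
        else:
            rec["principal"] = auth["principal"]
            if auth["auth_method"] == "oauth_token":
                # Machine identity: attribute to the token and its integration,
                # not to the user whose name the vendor log would show.
                rec["actor_type"] = "machine"
                rec["token_id"] = auth["token_id"]
                rec["app"] = tokens.get(auth["token_id"], {}).get("app")
            else:
                rec["actor_type"] = "human"
            if ev["ip"] != auth["ip"]:
                # Session established from one address, used from another.
                rec["flags"].append("ip_drift")
        if ev["op"] == "export" and ev["rows"] >= BULK_EXPORT_ROWS:
            rec["flags"].append("bulk_export")
        enriched.append(rec)
    return enriched


def stale_tokens(tokens, now, max_age_days=90):
    """Return IDs of non-expiring tokens older than max_age_days."""
    stale = []
    for tid, t in tokens.items():
        age = now - parse_ts(t["issued_at"])
        if t["expires_at"] is None and age > timedelta(days=max_age_days):
            stale.append(tid)
    return stale


if __name__ == "__main__":
    for rec in attribute(API_EVENTS, AUTH_EVENTS, TOKENS):
        print(rec["ts"], rec["actor_type"], rec["principal"], rec["app"],
              rec["flags"])
    print("stale tokens:", stale_tokens(TOKENS, parse_ts("2025-03-01T00:00:00Z")))
```

Run stand-alone, the script attributes the two large exports to the marketing-sync integration's token rather than to jdoe, flags the second export for changing source address mid-session, marks the S-9999 request as unattributable because the vendor never logged its login, and reports T-77 as a non-expiring token well past the 90-day age assumed here. The design point is that the join key (session ID) is useless on its own and only becomes evidence once the authentication log and token inventory are pulled in alongside it.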
Coming Up in Part 2
- Why “intent-based” logging is a security nightmare
- How attackers exploit API keys and what security teams can do about it
- The hidden dangers of third-party integrations
- What the future of SaaS security looks like
About Adam Burt
Adam Burt
Head of Research at Vorlon
Adam Burt is the Head of Research at Vorlon, bringing over 24 years of experience in cybersecurity across malware analysis, digital forensics, reverse engineering, programming, and security architecture. Before joining Vorlon, he led a team of Solution Architects at Palo Alto Networks, focusing on security and automation.
Throughout his career, Adam has held technical and leadership roles at companies like Symantec, Fidelis Cybersecurity, and NTT, working across industries to help organizations strengthen their security posture. He holds multiple certifications, including CISSP, GCFE, CSTP, and CCSK, and has contributed to research on network vulnerabilities, malware obfuscation, and threat detection.
At Vorlon, Adam leads research into SaaS ecosystem security, focusing on API-based threats, identity risks, and improving security visibility. He lives in South Central UK with his wife and two children.
About the author

Elias Terman
VP of Marketing at Vorlon