The explosion of SaaS applications has transformed how businesses operate, but SaaS security remains an underappreciated risk. To get to the heart of the issue, I sat down with Adam Burt, Vorlon's Head of Research.
Adam has spent over two decades in cybersecurity, tackling everything from malware reverse engineering to security architecture at companies like Symantec, NTT, CGI, and Palo Alto Networks. Now, he leads research at Vorlon, focusing on helping enterprises secure the data flowing across their extended SaaS ecosystem.
Our conversation revealed why security teams struggle to monitor SaaS environments, from API misattribution to the lack of real-time logs, and how Vorlon helps close the gap.
Now you can be a fly on the wall and listen in on what Adam had to say.
Adam Burt: The fundamental issue is visibility, or rather, the lack of it. Security teams assume that SaaS applications provide rich audit logs, but many vendors don’t log API activity at all.
This is a huge problem because SaaS applications are increasingly accessed via APIs, not just by humans clicking around in a UI. If security teams can’t see API activity in logs, they can’t detect data exfiltration, malicious automation, or unauthorized integrations.
And even when logs do exist, they might be locked behind paywalls, incomplete, or painfully slow to access. I recently read Maya Kaczorowski’s article in TLDRsec on what CISOs are complaining about, and the struggle to get useful SaaS logs came up repeatedly. One security leader had to wait two days for Notion to email them logs related to a security incident. Another had to manually log into Stripe’s web portal to get transaction logs. That’s just not sustainable for security operations.
Adam: You’d think bigger vendors would have better logging practices, but that’s not always the case. While enterprise SaaS platforms like Salesforce provide rich API audit logs, some don’t always contain the information security teams need.
For example, let’s say an API request is made to export customer data from Salesforce. The logs might not tell you who initiated the request. Instead, they log a session ID—but that session ID alone is meaningless.
At Vorlon, we correlate that session ID with other API activity, matching it to an IP address, timestamp, and authentication method. That’s how we turn fragmented logs into actionable security insights.
Adam: Exactly. Many SaaS platforms attribute API activity to a user, even when a non-human identity (like a script or an integration) made the request.
This creates a misattribution problem. Imagine an OAuth token is stolen and used to access sensitive data. If the logs only show a user’s name, security teams might falsely assume that person is responsible.
Vorlon helps separate human and machine-based API activity so security teams get real attribution instead of guesswork.
Adam: The silent threat is token sprawl. Companies have no idea how many tokens are active, which applications are using them, or how long they’ve been sitting around with access to sensitive data.
OAuth is great for security, when implemented properly. It allows SaaS applications to grant limited access to third-party tools without sharing passwords. But OAuth tokens don’t always expire like passwords do. They can remain valid until revoked manually, meaning a stolen OAuth token can grant long-term access to sensitive data, without triggering traditional security alerts.
One of Vorlon’s key capabilities is monitoring OAuth (and other) tokens in real time. We can detect risky tokens, see where they’re being used, and revoke them automatically if something looks off.
Adam: Traditional security tools were never designed to monitor SaaS environments.
SIEMs, EDRs, and network-based security solutions operate under the assumption that most threats originate at the endpoint or network layer. But in SaaS environments, most security events happen outside of the traditional perimeter.
The data flowing across an enterprise SaaS ecosystem creates a whole new attack surface that legacy tools can’t see.
Adam: That would be great, if SaaS logs were always useful. The problem is that many SaaS platforms don’t provide structured logs, and when they do, they might not contain what’s actually needed.
Let’s say you collect Salesforce logs in your SIEM. You might see that an API request was made, but only who made it and not which OAuth token was used. That level of correlation requires additional API calls, which SIEMs aren’t built to do. The problem becomes even more challenging when you need to correlate the data being generated from the dozens of applications integrated with Salesforce.
At Vorlon, we don’t just collect logs—we enrich them. We cross-reference API data with authentication events, user sessions, and permissions structures to provide real attribution.
Adam: At a minimum, security teams should be asking prospective SaaS vendors four questions.
To understand the state of SaaS logging, we analyzed 70 popular SaaS vendors across multiple industries. The findings were alarming:
This means that in more than half of all SaaS platforms, security teams are missing critical forensic data, making it impossible to detect, investigate, or respond to API-based threats.
The impact: Delayed response, missed breaches, and greater risk
As an industry, we need to do better.
Adam: The key message is this: If you’re only looking at traditional security logs, you’re missing most of the attack surface. SaaS applications run on APIs, and if you’re not monitoring the API activity, you’re operating blind.
Security teams need detection and response capabilities across their SaaS ecosystem, not just more logs. That’s what we do at Vorlon. We help security teams see the invisible threats hiding in enterprise SaaS environments and respond to them.
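The session-ID correlation and human-versus-machine attribution discussed in the interview can be sketched as a join between API events and authentication events. This is an added example, not Vorlon's code or any vendor's log schema; every field name, auth-method label and record below is constructed for illustration.

```python
from datetime import datetime

# Constructed sample records; field names are hypothetical, not a vendor schema.
AUTH_EVENTS = [
    {"session_id": "s-101", "user": "alice@example.com", "ip": "198.51.100.7",
     "auth_method": "sso_interactive", "client": "browser", "ts": "2025-01-10T09:00:00"},
    {"session_id": "s-202", "user": "alice@example.com", "ip": "203.0.113.50",
     "auth_method": "oauth_refresh_token", "client": "reporting-integration",
     "ts": "2025-01-10T02:14:00"},
]
API_EVENTS = [
    {"session_id": "s-101", "action": "export", "object": "Contact", "rows": 40,
     "ts": "2025-01-10T09:05:00"},
    {"session_id": "s-202", "action": "export", "object": "Contact", "rows": 50000,
     "ts": "2025-01-10T02:15:30"},
    {"session_id": "s-999", "action": "export", "object": "Account", "rows": 1200,
     "ts": "2025-01-10T03:00:00"},
]
# Assumed labels for token- or key-based (non-interactive) authentication.
NON_HUMAN_METHODS = {"oauth_refresh_token", "oauth_client_credentials", "api_key"}

def attribute(api_events, auth_events):
    """Join each API event to the auth event that opened its session."""
    sessions = {a["session_id"]: a for a in auth_events}
    enriched = []
    for ev in api_events:
        auth = sessions.get(ev["session_id"])
        if auth is None:
            # Session never seen in the auth logs: keep the event, mark it unattributed.
            enriched.append({**ev, "actor_type": "unknown", "user": None, "ip": None,
                             "auth_method": None, "client": None, "session_age_s": None})
            continue
        age = (datetime.fromisoformat(ev["ts"])
               - datetime.fromisoformat(auth["ts"])).total_seconds()
        actor = "non_human" if auth["auth_method"] in NON_HUMAN_METHODS else "human"
        enriched.append({**ev, "actor_type": actor, "user": auth["user"],
                         "ip": auth["ip"], "auth_method": auth["auth_method"],
                         "client": auth["client"], "session_age_s": age})
    return enriched

def needs_review(enriched):
    """Exports a user-name-only log would misattribute or could not attribute at all."""
    return [e for e in enriched if e["action"] == "export" and e["actor_type"] != "human"]

if __name__ == "__main__":
    for e in needs_review(attribute(API_EVENTS, AUTH_EVENTS)):
        print(e["session_id"], e["actor_type"], e["user"], e["ip"], e["client"], e["rows"])
```

Both of the first two exports carry the same user name; only the joined auth method, client and source IP show that the 50,000-row export came from a token-based integration rather than an interactive session.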
Adam Burt
Head of Research at Vorlon
Adam Burt is the Head of Research at Vorlon, bringing over 24 years of experience in cybersecurity across malware analysis, digital forensics, reverse engineering, programming, and security architecture. Before joining Vorlon, he led a team of Solution Architects at Palo Alto Networks, focusing on security and automation.
Throughout his career, Adam has held technical and leadership roles at companies like Symantec, Fidelis Cybersecurity, and NTT, working across industries to help organizations strengthen their security posture. He holds multiple certifications, including CISSP, GCFE, CSTP, and CCSK, and has contributed to research on network vulnerabilities, malware obfuscation, and threat detection.
At Vorlon, Adam leads research into SaaS ecosystem security, focusing on API-based threats, identity risks, and improving security visibility. He lives in South Central UK with his wife and two children.
Elias Terman
VP of Marketing at Vorlon