Q&A with Adam Burt Part 3: The Blind Spots in SaaS Security

In Part 1 of our conversation, we explored why SaaS API logging is unreliable and impedes security teams' ability to detect and respond to SaaS security incidents.
In Part 2, we examined how intent-based logging prevents security teams from fully understanding what happens in SaaS environments. We also discussed how attackers exploit API keys and how third-party integrations create risks that often go unnoticed. These challenges make it clear that traditional security tools, such as SIEMs and EDRs, struggle to provide the visibility and detection capabilities needed for modern SaaS security.
Now, in Part 3, we’ll break down the blind spots in existing security solutions, why posture management alone isn’t enough, and how security teams can shift from a reactive approach to real-time detection and response.
TL;DR: If your security team relies solely on SSPM, non-human identity security, or SIEMs, you only see part of the picture, and attackers know it.
Let’s hear Adam’s point of view.
Elias Terman: What’s missing from NHI security?
Adam Burt: NHI security vendors do a good job identifying machine-to-machine access risks, but they focus almost entirely on identity and access controls.
The problem is that identity alone doesn’t tell the whole story.
Take an OAuth token, for example. Just knowing who or what the token belongs to isn’t enough. What security teams actually need to know is:
- What data is this identity accessing?
- Is this access normal?
- What’s the intent behind the API call?
- Is this identity interacting with other SaaS apps in unexpected ways?
NHI security vendors don’t typically monitor data flows across SaaS environments or correlate SaaS API logs with real user and machine behavior. That leaves security teams with an incomplete picture. They know an identity exists, but they don’t know what it’s doing, where it’s been, or what data it’s touching.
That’s where SaaS API visibility comes in. Vorlon helps security teams monitor real-time API activity across SaaS applications, correlate behavior across identities, and catch risky patterns early.
That’s the missing piece in SaaS security.
Elias: What about SSPM? Does that provide the missing context security teams require?
Adam: SSPM is excellent for configuration management. It tells you how your SaaS environment is set up and governs employee access. NHI security gives you a sense of who (or what) is accessing your SaaS applications. But neither tells you what’s actually happening.
To truly secure a SaaS environment, security teams need:
- SSPM insights – You need to understand your SaaS misconfigurations, but that’s just table stakes.
- NHI security – You need to manage and monitor non-human identities. However, pure-play NHI security vendors often fail to correlate machine identities with SaaS events and data flow visibility.
- Deep SaaS API log analysis – You need visibility into what’s actually being accessed, changed, or exfiltrated.
- SaaS data flow visibility – You must understand how data moves between SaaS applications, third-party integrations, and external entities.
Elias: Let’s go deeper into SaaS data flow visibility. Why is that so important?
Adam: Imagine you’re a security analyst investigating a potential SaaS breach. You check your logs, and all you see is “User A accessed Salesforce.”
That’s not useful. What you actually need to know is: What did they access? Did they export data? If so, where did it go? Was the data then moved to another SaaS app? A personal Dropbox account? A third-party integration?
SaaS doesn’t operate in a vacuum. These apps are deeply interconnected. And attackers know how to exploit those connections to exfiltrate data without triggering alerts.
Most security teams can’t track how data moves across SaaS applications. Attackers exploit this.
Vorlon helps security teams map and monitor SaaS data flows in near real-time to detect when sensitive data is moving in unexpected or undesirable ways.
Elias: So we’ve covered why logging is incomplete, identity monitoring isn’t enough, and why security teams need to monitor SaaS data flows. What’s the final takeaway?
Adam: The takeaway is this: SaaS security requires context. If you examine SSPM (configuration), NHI (identity), or SIEMs (logs) in isolation, you're missing critical pieces of the puzzle.
To truly secure a SaaS ecosystem, you need to:
- Understand your configurations (SSPM)
- Monitor your identities (NHI)
- Analyze real-time SaaS API activity (Log correlation)
- Track data flows across SaaS applications (Vorlon’s sweet spot)
Your security posture is incomplete if all four elements don't work together. SaaS security requires a unified approach that combines configuration, identity, logs, and data flow visibility. If your SSPM vendor says misconfigurations are your biggest risk, they’re missing the bigger picture. If your NHI security vendor says identity is the problem, they’re only telling half the story. To truly secure a SaaS environment, you need full security context—and that’s exactly what Vorlon provides.
What's next? SaaS ecosystem security
SaaS security is at a turning point. For years, security teams have focused on who has access to SaaS applications. Now, they need to focus on what those applications—and their integrations—are actually doing.
The shift from security posture to detection and response is already happening in cloud security, endpoint security, and identity security. It’s time for SaaS security to catch up.
At Vorlon, we believe that security teams should have the same level of visibility and control over their SaaS ecosystem as they do over their endpoints and cloud infrastructure. That’s why we built Vorlon.
If you’re ready to go beyond posture management or NHI security alone, let’s talk. Book a demo and see how Vorlon helps teams detect and respond to SaaS threats before it’s too late.
About Adam Burt
Adam Burt is the Head of Research at Vorlon, bringing over 24 years of experience in cybersecurity across malware analysis, digital forensics, reverse engineering, programming, and security architecture. Before joining Vorlon, he led a team of Solution Architects at Palo Alto Networks, focusing on security and automation.
Throughout his career, Adam has held technical and leadership roles at companies like Symantec, Fidelis Cybersecurity, and NTT, working across industries to help organizations strengthen their security posture. He holds multiple certifications, including CISSP, GCFE, CSTP, and CCSK, and has contributed to research on network vulnerabilities, malware obfuscation, and threat detection.
At Vorlon, Adam leads research into SaaS ecosystem security, focusing on API-based threats, identity risks, and improving security visibility. He lives in South Central UK with his wife and two children.
About the author

Elias Terman
VP of Marketing at Vorlon