Salesforce Sales & Service Cloud
IAM Audit
The Salesforce core org is the system of record for your customer data, and its IAM configuration directly determines who can read, modify, or export it. Our audit systematically maps your Profiles and Permission Sets, role hierarchy and sharing model, Connected Apps, and Shield configuration to produce an actionable risk register for your security and compliance teams.

Did your team cover these critical blindspots?
The most commonly overlooked attack vectors in Salesforce environments—validated through hundreds of enterprise engagements.
Permission Set Accumulation
Have your Salesforce Profiles and Permission Sets been reviewed for "Modify All Data" or equivalent rights held by users whose roles don't require them? Privilege accumulation over time is the most common IAM finding in mature Salesforce orgs.
Sharing Model Over-Exposure
Are your Org-Wide Defaults, sharing rules, and public groups configured to expose customer records, cases, or financial data more broadly than your data governance policies require?
Connected App & API Governance
Do you have a current inventory of all Connected Apps, their OAuth scopes, and their IP restrictions? Salesforce no longer recommends the Username-Password OAuth flow and disables it by default in newly created orgs, yet legacy integrations that still use it hold long-lived credentials, authenticate without MFA, and represent persistent, rarely monitored access paths.
What We Test
Security Checklist
33 automated + manual checks organized across 6 security domains. Every item is evaluated and reported with evidence.
Profile & Permission Set Governance
- Enumerate all Profiles and Permission Sets with System Admin equivalent rights
- Audit "Modify All Data" and "View All Data" assignment across user base
- Review Permission Set Groups for over-scoped combinations
- Identify inactive users retaining active Profiles with sensitive permissions
- Map effective permissions as the union of Profile, Permission Set, and Permission Set Group assignments (including muting permission sets), since these grants are additive rather than hierarchical
- Review delegated administration assignments and scope boundaries
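The first two checks above come down to one query: Salesforce records every grant path (the permission set that backs a user's Profile, standalone Permission Sets, and Permission Set Groups) as rows of PermissionSetAssignment, so a single SOQL statement filtered on PermissionsModifyAllData or PermissionsViewAllData enumerates every holder. The Python below is an added illustration, not the audit engine described on this page. It assumes a read-only REST session (instance URL plus OAuth access token) for a live run; the usernames, permission set names and the SAMPLE_ROWS are constructed so the analysis runs offline.

```python
import json
import urllib.parse
import urllib.request

# Every user carries a PermissionSetAssignment row for the permission set that
# backs their Profile (IsOwnedByProfile = true) plus one per assigned Permission
# Set; Permission Set Group assignments also populate PermissionSetGroupId.
# One query therefore covers every path by which a broad data permission arrives.
BROAD_ACCESS_SOQL = (
    "SELECT Assignee.Username, Assignee.IsActive, Assignee.Profile.Name, "
    "PermissionSet.Name, PermissionSet.IsOwnedByProfile, PermissionSetGroupId, "
    "PermissionSet.PermissionsModifyAllData, PermissionSet.PermissionsViewAllData "
    "FROM PermissionSetAssignment "
    "WHERE PermissionSet.PermissionsModifyAllData = true "
    "OR PermissionSet.PermissionsViewAllData = true"
)


def query_all(instance_url, access_token, soql, api_version="v60.0"):
    """Run a SOQL query through the REST query endpoint, following pagination."""
    url = f"{instance_url}/services/data/{api_version}/query?q=" + urllib.parse.quote(soql)
    records = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        records.extend(page["records"])
        url = None if page["done"] else instance_url + page["nextRecordsUrl"]
    return records


def grant_path(row):
    """Name the path that delivered the permission: profile, perm set or group."""
    ps = row["PermissionSet"]
    if ps["IsOwnedByProfile"]:
        return "profile:" + row["Assignee"]["Profile"]["Name"]
    if row.get("PermissionSetGroupId"):
        return "permset-group:" + ps["Name"]
    return "permset:" + ps["Name"]


def find_broad_access(rows, approved_users):
    """One finding per user holding MAD/VAD who is inactive or not pre-approved.

    Inactive users are always reported: deactivating a user does not remove the
    assignment, so a reactivated or hijacked account inherits it intact.
    """
    by_user = {}
    for row in rows:
        ps = row["PermissionSet"]
        user = by_user.setdefault(
            row["Assignee"]["Username"],
            {"active": row["Assignee"]["IsActive"], "rights": set(), "paths": set()},
        )
        if ps["PermissionsModifyAllData"]:
            user["rights"].add("ModifyAllData")
        if ps["PermissionsViewAllData"]:
            user["rights"].add("ViewAllData")
        user["paths"].add(grant_path(row))

    findings = []
    for username, info in sorted(by_user.items()):
        if info["active"] and username in approved_users:
            continue
        high = "ModifyAllData" in info["rights"] or not info["active"]
        findings.append({
            "user": username,
            "active": info["active"],
            "severity": "high" if high else "medium",
            "rights": sorted(info["rights"]),
            "paths": sorted(info["paths"]),
        })
    return findings


def _row(username, active, profile, ps_name, owned_by_profile, mad, vad, group_id=None):
    """Build one constructed record in the shape the REST query endpoint returns."""
    return {
        "Assignee": {"Username": username, "IsActive": active, "Profile": {"Name": profile}},
        "PermissionSet": {"Name": ps_name, "IsOwnedByProfile": owned_by_profile,
                          "PermissionsModifyAllData": mad, "PermissionsViewAllData": vad},
        "PermissionSetGroupId": group_id,
    }


# Constructed sample data: four users reached through four different grant paths.
SAMPLE_ROWS = [
    _row("admin@example.com", True, "System Administrator", "X00e000000000001", True, True, True),
    _row("contractor@example.com", False, "System Administrator", "X00e000000000001", True, True, True),
    _row("sales.rep@example.com", True, "Standard User", "Data_Migration_Temp", False, True, True),
    _row("support.lead@example.com", True, "Standard User", "Support_Lead", False, False, True,
         group_id="0PG000000000001AAA"),
]

if __name__ == "__main__":
    # Live run: rows = query_all("https://yourorg.my.salesforce.com", ACCESS_TOKEN, BROAD_ACCESS_SOQL)
    for finding in find_broad_access(SAMPLE_ROWS, approved_users={"admin@example.com"}):
        print(finding)
```

The approved list is the control your governance process owns; the query is the ground truth. The gap between them, plus any deactivated user still carrying the grant, is the privilege-accumulation finding.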
Field-Level Security (FLS)
- Enumerate sensitive fields (PII, financial, health) with broad FLS access
- Test FLS bypass via Apex controllers that run in system mode without enforcing CRUD/FLS (no WITH USER_MODE, WITH SECURITY_ENFORCED, or Security.stripInaccessible)
- Audit Visualforce page controllers for FLS enforcement
- Review Lightning Component field exposure vs. FLS configuration
- Test field access through the APIs (REST/SOAP queries, Tooling API, Metadata API) against the FLS configured for the UI
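Two of the FLS checks above can be scripted against the org's own metadata. FieldPermissions holds one row per permission set and field where at least read is granted, so querying it for a register of sensitive fields shows every grant source; and the REST describe call for an object is filtered by the calling user's FLS, so issuing it with a test user's token shows the effective API view regardless of what page layouts hide. The Python below is an added example and not the audit engine's code. The field names, profile and permission set names, the register and both sample payloads are constructed; the SOQL string is what a live run would send through the REST query endpoint.

```python
# FieldPermissions: Parent is the granting permission set, and Parent.IsOwnedByProfile
# marks the rows that come from a Profile rather than a standalone Permission Set.
FLS_SOQL = (
    "SELECT SobjectType, Field, PermissionsRead, PermissionsEdit, "
    "Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name "
    "FROM FieldPermissions WHERE Field IN ({})"
)

# Constructed register: sensitive field -> the only grant sources allowed to hold it.
SENSITIVE_FIELDS = {
    "Contact.SSN__c": {"profile:System Administrator", "permset:HR_Case_Worker"},
    "Contact.Date_of_Birth__c": {"profile:System Administrator", "permset:HR_Case_Worker"},
}


def fls_query(register):
    """Render the SOQL for every field in the register."""
    return FLS_SOQL.format(", ".join(f"'{name}'" for name in sorted(register)))


def grant_source(row):
    parent = row["Parent"]
    if parent["IsOwnedByProfile"]:
        return "profile:" + parent["Profile"]["Name"]
    return "permset:" + parent["Name"]


def unexpected_fls_grants(rows, register):
    """Grants on registered fields from any source the register does not allow."""
    findings = []
    for row in rows:
        allowed = register.get(row["Field"])
        if allowed is None:
            continue
        source = grant_source(row)
        if source in allowed:
            continue
        findings.append({
            "field": row["Field"],
            "source": source,
            "access": "edit" if row["PermissionsEdit"] else "read",
        })
    return sorted(findings, key=lambda f: (f["field"], f["source"]))


def exposed_via_api(describe_json, register, sobject):
    """Registered fields that /sobjects/<sobject>/describe returns to the caller.

    The describe response is filtered by the calling user's FLS, so the result is
    what an API client holding that user's token can actually read.
    """
    prefix = sobject + "."
    visible = {f["name"] for f in describe_json["fields"]}
    return sorted(name for name in register
                  if name.startswith(prefix) and name[len(prefix):] in visible)


def _fls_row(field, ps_name, owned_by_profile, profile, read, edit):
    """One constructed FieldPermissions record as the REST query endpoint returns it."""
    return {
        "SobjectType": field.split(".")[0], "Field": field,
        "PermissionsRead": read, "PermissionsEdit": edit,
        "Parent": {"Name": ps_name, "IsOwnedByProfile": owned_by_profile,
                   "Profile": {"Name": profile} if owned_by_profile else None},
    }


# Constructed sample rows plus a constructed describe payload seen by a test user.
SAMPLE_FLS_ROWS = [
    _fls_row("Contact.SSN__c", "X00e000000000001", True, "System Administrator", True, True),
    _fls_row("Contact.SSN__c", "HR_Case_Worker", False, None, True, False),
    _fls_row("Contact.SSN__c", "X00e000000000002", True, "Standard User", True, False),
    _fls_row("Contact.Date_of_Birth__c", "Marketing_Analyst", False, None, True, True),
]
SAMPLE_DESCRIBE = {"name": "Contact", "fields": [{"name": "Id"}, {"name": "Email"}, {"name": "SSN__c"}]}

if __name__ == "__main__":
    print(fls_query(SENSITIVE_FIELDS))
    for finding in unexpected_fls_grants(SAMPLE_FLS_ROWS, SENSITIVE_FIELDS):
        print(finding)
    print("exposed to test user via API:", exposed_via_api(SAMPLE_DESCRIBE, SENSITIVE_FIELDS, "Contact"))
```

Run the describe check with a token for a low-privilege test user in each business role; a sensitive field showing up there is exposed to any integration or script that user can run, whatever the Lightning pages display.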
Sharing Model & Record Visibility
- Review Org-Wide Default (OWD) settings for all key objects
- Audit sharing rules (criteria-based, owner-based) for over-sharing
- Test manual share creation permissions and scope limitations
- Review Apex-Managed Sharing implementations for logic flaws
- Enumerate public groups and their member composition
- Validate territory management configuration for data segregation
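The OWD review and the public group enumeration above are both answerable from SOQL: EntityDefinition exposes each object's InternalSharingModel and ExternalSharingModel, and Group plus GroupMember give public group membership, including nested groups. Nesting is where over-exposure hides, because a group with an innocuous name may contain the Organization group (every internal user). The Python below is an added example, not the audit engine's code. The object baseline, group names and all sample rows are constructed; the Group.Type values follow the standard picklist.

```python
OWD_SOQL = (
    "SELECT QualifiedApiName, InternalSharingModel, ExternalSharingModel "
    "FROM EntityDefinition WHERE QualifiedApiName IN ('Account', 'Case', 'Opportunity')"
)
GROUP_SOQL = "SELECT Id, Name, Type FROM Group"
MEMBER_SOQL = "SELECT GroupId, UserOrGroupId FROM GroupMember"

# Sharing model values ranked from least to most permissive. ControlledByParent
# takes the parent object's setting, so it is evaluated on the parent instead.
OPENNESS = {"Private": 0, "Read": 1, "ReadWrite": 2, "ReadWriteTransfer": 3, "FullAccess": 4}

# Constructed governance baseline for the objects under review.
OWD_BASELINE = {
    "Account": {"internal": "Read", "external": "Private"},
    "Case": {"internal": "Private", "external": "Private"},
    "Opportunity": {"internal": "Private", "external": "Private"},
}


def owd_deviations(rows, baseline):
    """Objects whose OWD is more open than the baseline, per internal/external scope."""
    findings = []
    for row in rows:
        want = baseline.get(row["QualifiedApiName"])
        if want is None:
            continue
        for scope, field in (("internal", "InternalSharingModel"), ("external", "ExternalSharingModel")):
            actual = row[field]
            if actual == "ControlledByParent":
                continue
            if OPENNESS[actual] > OPENNESS[want[scope]]:
                findings.append({"object": row["QualifiedApiName"], "scope": scope,
                                 "expected": want[scope], "actual": actual})
    return findings


def expand_group(group_id, groups, members, seen=None):
    """Leaf members reachable from a group: user IDs plus any non-public group
    (role, territory, or the Organization group that means every internal user)."""
    seen = set() if seen is None else seen
    leaves = set()
    for m in members:
        if m["GroupId"] != group_id:
            continue
        target = m["UserOrGroupId"]
        nested = groups.get(target)
        if nested is None:
            leaves.add("user:" + target)
        elif nested["Type"] == "Regular":
            if target not in seen:  # guard against membership cycles
                seen.add(target)
                leaves |= expand_group(target, groups, members, seen)
        else:
            leaves.add(nested["Type"] + ":" + nested["Name"])
    return leaves


def org_wide_public_groups(groups, members):
    """Public groups that transitively contain the Organization (all internal users) group."""
    broad = []
    for gid, g in groups.items():
        if g["Type"] != "Regular":
            continue
        if any(leaf.startswith("Organization:") for leaf in expand_group(gid, groups, members)):
            broad.append(g["Name"])
    return sorted(broad)


# Constructed sample rows in the shape the REST query endpoint returns.
SAMPLE_OWD = [
    {"QualifiedApiName": "Account", "InternalSharingModel": "ReadWrite", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "Case", "InternalSharingModel": "Private", "ExternalSharingModel": "Read"},
    {"QualifiedApiName": "Opportunity", "InternalSharingModel": "Private", "ExternalSharingModel": "Private"},
]
SAMPLE_GROUPS = {
    "00G000000000001": {"Name": "Finance_Readers", "Type": "Regular"},
    "00G000000000002": {"Name": "Everyone_Temp", "Type": "Regular"},
    "00G000000000003": {"Name": "All Internal Users", "Type": "Organization"},
    "00G000000000004": {"Name": "Legal_Only", "Type": "Regular"},
}
SAMPLE_MEMBERS = [
    {"GroupId": "00G000000000001", "UserOrGroupId": "005000000000001"},
    {"GroupId": "00G000000000001", "UserOrGroupId": "00G000000000002"},
    {"GroupId": "00G000000000002", "UserOrGroupId": "00G000000000003"},
    {"GroupId": "00G000000000004", "UserOrGroupId": "005000000000002"},
]

if __name__ == "__main__":
    for finding in owd_deviations(SAMPLE_OWD, OWD_BASELINE):
        print(finding)
    print("public groups that reach every internal user:",
          org_wide_public_groups(SAMPLE_GROUPS, SAMPLE_MEMBERS))
```

A sharing rule that shares Case records with Finance_Readers looks narrow on the rule screen; the expansion shows it reaches the whole org through Everyone_Temp. Sharing rules themselves live in Metadata API (SharingRules), so pair this with a metadata retrieve to see which rules target the flagged groups.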
Connected Apps & API Integrations
- Audit all Connected App OAuth policies and IP restrictions
- Review Guest User API access and Named Credentials scope
- Enumerate external integrations using deprecated Username+Password OAuth
- Test API session policies for token lifetime and refresh handling
- Identify Connected Apps whose Permitted Users policy lets all users self-authorize instead of requiring admin pre-approval
Audit, Logging & Shield
- Review Salesforce Shield Event Monitoring configuration and log coverage
- Audit Field Audit Trail setup for sensitive object changes
- Test Login Forensics and Transaction Security Policy activation
- Review Login History retention and monitoring procedures
- Validate API usage monitoring for anomaly detection coverage
- Assess Real-Time Event Monitoring policy completeness
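Event Monitoring coverage is easiest to prove from the logs themselves: Shield writes one EventLogFile row per event type and interval, so the set of EventType values present over the review window is the set actually being captured, and a required type that is absent or has gone quiet is a detection gap. The Python below is an added example, not the audit engine's code. The required-type list is a constructed baseline, the sample rows are constructed, and an org without the Shield add-on will see only Login and Logout from the free tier.

```python
from datetime import datetime, timedelta, timezone

# EventLogFile rows are produced per event type and day (or hour with hourly
# logs); a type that never appears in the window is not captured or not licensed.
EVENT_LOG_SOQL = (
    "SELECT EventType, LogDate, LogFileLength FROM EventLogFile "
    "WHERE LogDate = LAST_N_DAYS:7"
)

# Constructed baseline: the event types a detection set for this org depends on.
REQUIRED_EVENT_TYPES = {"Login", "Logout", "API", "RestApi", "BulkApi",
                        "ApexExecution", "ReportExport", "URI"}


def parse_log_date(value):
    """Parse the REST datetime format, e.g. 2024-05-07T00:00:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def coverage_report(rows, required, now, window_days=7, stale_after_days=2):
    """Missing and stale required event types, plus what was seen in the window."""
    start = now - timedelta(days=window_days)
    seen = {}
    for row in rows:
        log_date = parse_log_date(row["LogDate"])
        if log_date < start:
            continue
        stats = seen.setdefault(row["EventType"], {"files": 0, "bytes": 0, "latest": log_date})
        stats["files"] += 1
        stats["bytes"] += row["LogFileLength"]
        stats["latest"] = max(stats["latest"], log_date)
    stale_cutoff = now - timedelta(days=stale_after_days)
    return {
        "missing": sorted(required - set(seen)),
        "stale": sorted(t for t, s in seen.items() if t in required and s["latest"] < stale_cutoff),
        "present": sorted(seen),
        "bytes_by_type": {t: s["bytes"] for t, s in sorted(seen.items())},
    }


# Constructed sample rows; the last one falls outside the 7-day window.
SAMPLE_NOW = datetime(2024, 5, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOGS = [
    {"EventType": "Login", "LogDate": "2024-05-07T00:00:00.000+0000", "LogFileLength": 48211},
    {"EventType": "Logout", "LogDate": "2024-05-07T00:00:00.000+0000", "LogFileLength": 9120},
    {"EventType": "ApexExecution", "LogDate": "2024-05-07T00:00:00.000+0000", "LogFileLength": 130877},
    {"EventType": "API", "LogDate": "2024-05-04T00:00:00.000+0000", "LogFileLength": 22000},
    {"EventType": "LightningInteraction", "LogDate": "2024-05-07T00:00:00.000+0000", "LogFileLength": 501},
    {"EventType": "Login", "LogDate": "2024-04-20T00:00:00.000+0000", "LogFileLength": 40000},
]

if __name__ == "__main__":
    report = coverage_report(SAMPLE_LOGS, REQUIRED_EVENT_TYPES, SAMPLE_NOW)
    for key in ("missing", "stale", "present"):
        print(f"{key}: {report[key]}")
```

A type that is present but stale usually means the downstream collector stopped pulling it or the daily file is late; a type that is missing altogether is either unlicensed or the feature that emits it is not in use, and either way the detection rules that depend on it are blind.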
Compliance Mapping
- Map findings to CIS Controls v8 (Controls 5, 6, 13, 16)
- Align to SOC2 CC6.1–CC6.8 (Logical Access Controls)
- Generate MITRE ATT&CK mapping (T1078, T1136, T1098, T1539)
- Produce access control evidence for SOC2 audit readiness
- Validate separation of duties controls for financial data objects
Main Assessment Coverage
- Profile & Permission Set Governance Review
- Field-Level Security (FLS) Assessment
- Sharing Model & Record Visibility Audit
- Connected Apps & API Integration Review
- Audit, Logging & Shield Validation
- Compliance Posture Mapping (CIS, SOC2)
Flexible Network Execution
Core org assessments use read-only Connected App credentials and execute via Salesforce API. No admin console access required during assessment execution.
Route assessment engines through your designated corporate IPs to simplify allowlisting, avoid WAF alarms, and maintain a clean audit trail satisfying internal security policies.
Transparent Licensing
One-time execution license. No subscriptions. No hidden fees.
Complete Assessment
/ one-time license
- Full Automated + Manual Assessment Engine
- Executive PDF Report with Risk Scoring
- Permission & Sharing Model Visualization
- Customer IP Sourcing Available
- 30-Day Platform Access
- Compliance Matrix (CIS, SOC2)
- Prioritized Remediation Roadmap