Helsinki, Finland – January 2026 — WithSecure™, widely respected as a global leader in Salesforce security, today announced the launch of its Federal Risk and Authorization Management Program (FedRAMP®) preparation initiative for WithSecure Cloud Protection for Salesforce. This effort is supported by federal compliance advisory firm 38North.
This move signals WithSecure’s strategic commitment to bringing its Salesforce-native, real-time threat protection to U.S. federal agencies and preparing to meet the government’s rigorous cloud security standards.
“Beginning our FedRAMP preparation underscores our long-term commitment to serving U.S. federal entities and strengthening the security of their Salesforce environments,” said Juhana Autio, General Manager of WithSecure Cloud Protection for Salesforce. “Our goal is to make enterprise-grade, in-platform solution easily available to federal agencies so they can safeguard the workloads and mission-critical services they run in Salesforce.”
FedRAMP provides a standardized, government-wide security framework for cloud products used by federal agencies, based on NIST SP 800-53 security controls. Completing the preparation phase positions WithSecure to pursue the formal FedRAMP authorization process, which would enable government-wide reuse under the program’s “do once, use many times” model.As a leader in guiding global technology companies through the most demanding compliance landscapes—particularly within the U.S. public sector—we’re thrilled to support WithSecure on their FedRAMP journey,” said Matthew Earley, President and Founder of 38North Security. “38North has consistently delivered secure, resilient cloud environments for organizations across the United States, Europe, and the Asia-Pacific region. As we continue expanding our presence in the European Union, this partnership represents a natural alignment of strengths and opens new opportunities for both companies on both sides of the Atlantic. WithSecure’s platform is exceptionally well-positioned to meet the needs of federal agencies relying on Salesforce for mission-critical operations.”
WithSecure Cloud Protection for Salesforce delivers enterprise-grade, real-time threat detection through deep inspection and advanced threat intelligence, protecting against malware, zero-day file threats, phishing links, malicious URLs, QR-based attacks, and identity risks such as compromised Salesforce user credentials. These capabilities are already trusted by highly regulated industries and public sector organizations globally to defend against complex attack chains that target users, content, and automations inside Salesforce.
About WithSecure™
WithSecure™ is Europe’s cyber security partner of choice. Trusted by IT service providers, MSSPs, and businesses worldwide, we deliver outcome-based cyber security solutions that protect mid-market companies. Committed to the European Way of data protection, WithSecure prioritizes privacy, data sovereignty, and regulatory compliance.
Boasting more than 35 years of industry experience, WithSecure™ has designed its portfolio to navigate the paradigm shift from reactive to proactive cyber security. In alignment with its commitment to collaborative growth, WithSecure™ offers partners flexible commercial models, ensuring mutual success across the dynamic cyber security landscape.
Central to WithSecure’s™ cutting-edge offering is Elements Cloud, which seamlessly integrates AI-powered technologies, human expertise, and co-security services. Further, it empowers mid-market customers with modular capabilities spanning endpoint and cloud protection, threat detection and response, and exposure management.
WithSecure Cloud Protection for Salesforce provides Salesforce-native protection against malware, phishing, and identity-based threats, securing Salesforce users and agentic AI workflows in real time.
38North Security is one of the industry’s premier cloud security and compliance consultancies, trusted by leading SaaS providers and global enterprises looking to break into—or expand within—the U.S. public sector. From FedRAMP and DoD IL4/IL5 to CMMC, IRAP, DORA, and ISMAP, 38North helps organizations accelerate market entry, reduce authorization friction, and build resilient, scalable cloud environments that stand up to the world’s toughest regulatory standards.
Backed by a world-class team and our flagship LaunchPad ATO-acceleration platform, 38North delivers the strategy, engineering expertise, and hands-on support needed to turn complex compliance challenges into competitive advantage. Our clients span Fortune 500 companies, high-growth SaaS innovators, and mission-critical technology providers across North America, Europe, APAC, and beyond.
At 38North, we believe compliance should be a catalyst for growth—not a barrier. We empower customers to enter new markets with confidence, speed, and a secure-by-design foundation that scales.
Smarter visibility. Easier administration. More control inside Salesforce.
Apollo 3.1 brings improvements that help teams investigate faster, automate user administration, meet expanding data residency needs, and stay resilient during peak Salesforce workloads. This release focuses on strengthening the everyday experience of managing security inside Salesforce. It’s built on real customer feedback and aligned with how enterprises operate at scale.
Visual filters for clarified security visibility
Security teams need to see what matters without sifting through noise. Apollo 3.1 introduces visual filters across Alerts, File Events, URL Events, Identity Events, and Identities, making investigations smoother and significantly faster.
You can now filter by fields such as date/time, severity, action, verdict, direction, risk level, and profile. Filters persist while moving between analytics views, so you can pivot between Alerts, URL Events, or File Events without losing your context.
This directly supports our broader vision for security visibility in Salesforce: enabling teams to see every user action, file, and link in one place, and investigate issues without freezing workflows.
Organizations increasingly require control over where their Salesforce security data is processed. Apollo 3.1 adds Canada as a new processing region, expanding our footprint across: EU (Ireland), US, Japan, Australia, Singapore, and now Canada.
This aligns with our published guidance on Salesforce data residency, where choosing data location is a critical part of meeting compliance requirements and regional regulations.
WithSecure Cloud Protection customers can now select Canada during activation to meet local requirements or improve regional latency.
Faster Summary Dashboard with Lightning Web Components
The Summary Dashboard has been migrated from Visualforce to Lightning Web Components (LWC) and the latest SLDS v2 design system.
This brings:
Faster load times
More responsive interactions
Consistent UI with modern Salesforce experiences
This is part of an ongoing modernization effort to improve usability across all CPSF components.
More reliable URL scanning under Salesforce governor limits
Many Salesforce customers send high volumes of emails, tasks, or batch operations at once – sometimes hitting platform governor limits. When those limits were reached, URL scans could previously fail.
Apollo 3.1 introduces new advanced settings that allow CPSF to automatically defer and retry URL scans when Salesforce limits are temporarily exhausted.
This makes URL protection far more resilient during peak workloads and high-volume automations.
Apollo 3.1 reinforces our focus on visibility, control, and operational resilience inside Salesforce. Every release builds stronger capabilities to detect threats, manage access, and control where data is processed – while keeping pace with modern cyber threats and the way Salesforce continues to evolve. Our goal is to ensure customers stay protected not only against today’s risks, but also those emerging tomorrow.
Explore recent product updates
WithSecure Partners with 38North Security to Begin FedRAMP Preparation for Cloud Protection for Salesforce
WithSecure™ announced today the launch of its Federal Risk and Authorization Management Program (FedRAMP®) preparation initiative for WithSecure Cloud Protection for Salesforce.
WithSecure unveils Identity Protection to close one of Salesforce’s biggest security blind spots
WithSecure has unveiled Identity Protection for Salesforce — the first solution to detect compromised partner and customer accounts before they can be used in attacks. Designed to close one of the platform’s biggest security blind spots, the new capability helps enterprises safeguard high-trust environments like partner portals from credential-based fraud.
What’s new in WithSecure™ Cloud Protection for Salesforce 2.9.1
QR codes in Salesforce look harmless. Until they aren’t. Today’s phishing attacks hide behind layers: a QR code inside a file, a shortened link inside the code. WithSecure Cloud Protection for Salesforce now detects them all, before users ever scan.
Helsinki, Finland – October 2025 — Attacks targeting Salesforce are on the rise as criminals exploit trusted access to slip past defenses. WithSecure™ Cloud Protection for Salesforce has launched Identity Protection, a new capability to the Salesforce threat protection solution, and the first of its kind to detect compromised partner and customer Salesforce accounts before they can be weaponized.
While enterprises invest heavily in identity security for employees, external users accessing Salesforce through partner, supplier, and customer portals often fall outside these protections. Security researchers consistently identify compromised credentials as a leading entry vector for data breaches.
In high-trust environments like Salesforce partner portals, external users can become the weakest link — a single compromised credential from a supplier or dealer can open the door to fraud worth tens of thousands of euros. That’s why identity threat detection and credential compromise visibility are now essential to keeping Salesforce secure.
Identity compromise: costly and hard to detect
These accounts can number in the tens of thousands per Salesforce customer — and when even one credential is stolen or reused across systems, attackers can gain access and remain undetected for months.
“The front door isn’t forced open anymore — it’s unlocked with stolen keys.” said Juhana Autio, General Manager, WithSecure Cloud Protection for Salesforce. “Even companies with million-dollar security stacks can’t defend against a trusted account that’s already been compromised. External users have long been a blind spot in Salesforce, and we’re closing it.”
Identity-based intrusions are among the most expensive to remediate — and often the slowest to detect and contain.
Security that fits Salesforce — not the other way around
WithSecure’s Identity Protection capability continuously monitors Salesforce user credentials against a live feed of exclusive breach intelligence — sourced from both public and dark web data — to detect when accounts have been exposed in third-party breaches.
The new capability is included with all user-based licenses of WithSecure Cloud Protection for Salesforce at the time of launch and is available now.
About WithSecure™ Cloud Protection for Salesforce WithSecure Cloud Protection for Salesforce safeguards your cloud environment against advanced cyber threats. You can run your digital business without disruption – free from ransomware, zero-day malware, phishing and compromised account risk. The bespoke solution is built and designed in close collaboration with Salesforce for Salesforce and Agentforce workflows and managed directly from your Salesforce portal.
The most expensive breaches don’t start with zero-day exploits — they start with trusted access
According to the IBM Cost of a Data Breach 2025 Report, breaches caused by stolen or compromised credentials are the most expensive of all, and taking the longest of all breach types to detect and contain.
In Salesforce, that silent risk amplifies. Community users, such as partner and contractor accounts, often sit outside corporate IAM controls, making them invisible to traditional defenses.
And when a password leaks, attackers don’t have to break in. Stolen credentials don’t trip alarms, they open doors.
Modern breaches don’t stop at the first login. Attackers move identity to identity: using one compromised account for impersonation and tricking others, authorize connected apps, or expand access through trusted automations. Detecting exposure early prevents this lateral movement before it reaches deeper systems.
Preventing the first compromised login is preventing the first step of a breach.
A new layer of protection for identities – inside Salesforce
We’re introducing Identity Protection in WithSecure Cloud Protection for Salesforce: first-of-its-kind capability that detects when your Salesforce users’ credentials appear in real-world data breaches, before attackers can exploit them.
The WithSecure Cloud Protection for Salesforce solution has already protected enterprise and government Salesforce environments from malware and phishing threats – now it also covers identity risks. The solution gives teams comprehensive visibility into who is at risk, what they access, what is the threat, how has it spread, how severe is the risk and when exposure occurs – all inside Salesforce.
Why it matters
Stolen credentials remain the top cause of breaches. In Salesforce, the problem is amplified by credential reuse and third-party user access. A leaked password from an unrelated breach can give an attacker direct, trusted access to your customer data and business workflows.
Credential compromise remains the top attack vector. It has been the leading cause of breaches for the past decade and remains so in 2025. It’s also the most costly and the slowest to detect.
Salesforce multiplies the blast radius. External users – partners, contractors, community members – often authenticate from outside SSO or MFA enforcement. In Salesforce, the problem is amplified by credential reuse across services. This is the first step of an identity chain. Once an attacker logs in as a trusted user, every connected system, user and workflow becomes a potential next move.
Traditional IAM tools can’t see inside Salesforce. Once a compromised user logs in, standard security stacks generate no alerts.
Layered defenses must live inside Salesforce. Identity Protection complements File Protection and URL Protection capabilities by defending against the most prevalent cyber threats directly inside Salesforce – where the business but also the risk happens.
Identity security in the rapidly scaling and evolving Salesforce environment can’t rely on traditional IAM tools alone, it needs real-time breach intelligence built directly into Salesforce.
When a user’s password is exposed in a breach, attackers don’t have to break in, they simply log in. This provides no alerts to standard tools, and gives the attackers plenty of time to cause damage silently.
Identity Protection in WithSecure Cloud Protection for Salesforce cuts the chain at its starting point, giving defenders visibility into exposed accounts before attackers can exfiltrate data or pivot laterally across users, workflows, or connected apps.
Identity Protection scans the email identities of active Salesforce users against a continuously updated breach-intelligence feed that includes both public and exclusive dark-web sources.
Detection: Identifies exposed credentials up to six months faster than open-source datasets.
Results: Each detection includes breach source, publish date, password format (plain text or hashed), severity level, and exposure history.
Scope: Up to 50 000 standard and community users per org. Integration and automation users excluded.
Cadence: Automated / scheduled weekly batch scans
Admin view: The Identity Protection dashboard shows all exposed users, ranked by severity and breach recency, with 12 month history of an user.
Integration: Requires Connected App integration, fully embedded within the Salesforce UI.
Identity Protection requires no separate add-ons, or external integration beyond the connected app integration type already available for the app. Please note that this capability is compatible with user-based licenses, and requires the version Apollo 3.0 to be installed. There is no additional cost for using the feature.
Example scenario: when a contractor account becomes the attack path
A partner’s login credentials surface in a new breach dataset. Identity Protection flags the user and reveals that the password was leaked in plain text from a known service.
Within minutes, administrators can reset the credentials, revoke sessions, and review related activity. They’re effectively preventing unauthorized access – and the first steps of a breach – before data exfiltration or fraud occurs.
Without detection, the attackers could have acquired the credentials from the dark-web forum, tested them against different services (most people reuse passwords across services, and across professional and personal accounts) until they got into one, for example a Salesforce environment. Depending on the environment and the user account in question, they could have exfiltrated data, manipulated business processes, or launched convincing impersonated phishing campaigns.
Detecting and revoking compromised credentials is the first step to stop a breach.
Identity Protection is included by default in all user-based WithSecure Cloud Protection for Salesforce licenses at no extra cost (volume-based licensing not currently supported).
Update manually from the Salesforce AppExchange to Apollo 3.0 and activate Identity Protection from Administration → Identity Protection to get started.
Together with File and URL Protection, Identity Protection broadens security coverage across Salesforce to protecting who logs in and what they bring in across workflows.
Attackers have increasingly turned to password-protected files to conceal malware and evade inspection. These files cannot be scanned by standard antivirus engines, creating a potential blind spot in even the most mature security programs.
With the Apollo 3.0 release, this capability now also covers Microsoft Office and PDF file formats, and evolves into a broader high risk content detection capability.
Customizable, granular protection for uploads and downloads
Administrators can now more granularly configure how WithSecure Cloud Protection for Salesforce handles password-protected or otherwise high-risk files at both upload and download events:
On upload: choose between Allow and Report or Remove
On download: choose between Allow and Report, Remove, or Block
A new High-Risk Content modal under File Protection Settings centralizes these options, letting administrators customize protection levels to business and compliance requirements.
When a file is removed, the solution automatically replaces it with a placeholder text file explaining the action taken and preserves user experience and audit transparency. All related alerts and events are logged in the Analytics section for review.
It is worth checking security configurations regularly. For File Protection feature, we recommend following these best practice settings.
Enhanced visibility and risk control
This enhancement enables organizations to:
Detect password-protected Office, PDF, and archive files during both upload and download
Prevent unscannable files from being stored or shared within Salesforce
Apply consistent, policy-based controls to high-risk content
Maintain full audit visibility for incident response and compliance
The feature requires both Advanced Threat Analysis and the Connected App to be enabled, ensuring detection accuracy and reporting integration across the app’s analytics and alerting framework.
Identity risks – as one of the top initial attack vectors – matter as much as malware or phishing threats.
With Identity Protection, WithSecure Cloud Protection for Salesforce evolves beyond content and phishing defense to protect the people and accounts operating inside Salesforce. It’s another protection layer in our mission to secure Salesforce in real time from modern cyber threats.
As Salesforce use is shifting to autonomous AI use cases, we’re extending real-time protection to Agentforce.
Looking ahead, our focus is clear:
Platform evolution: as Salesforce continues to connect users, agents, and data, we’ll extend protection in parallel.
Threat evolution: from phishing and QR codes to credential compromise and supply-chain abuse, our defenses will adapt to how attackers operate.
And our goal stays simple: Protect every interaction in Salesforce: every file, every link, every user, and every agent.
Explore recent product updates
WithSecure Partners with 38North Security to Begin FedRAMP Preparation for Cloud Protection for Salesforce
WithSecure™ announced today the launch of its Federal Risk and Authorization Management Program (FedRAMP®) preparation initiative for WithSecure Cloud Protection for Salesforce.
WithSecure unveils Identity Protection to close one of Salesforce’s biggest security blind spots
WithSecure has unveiled Identity Protection for Salesforce — the first solution to detect compromised partner and customer accounts before they can be used in attacks. Designed to close one of the platform’s biggest security blind spots, the new capability helps enterprises safeguard high-trust environments like partner portals from credential-based fraud.
What’s new in WithSecure™ Cloud Protection for Salesforce 2.9.1
QR codes in Salesforce look harmless. Until they aren’t. Today’s phishing attacks hide behind layers: a QR code inside a file, a shortened link inside the code. WithSecure Cloud Protection for Salesforce now detects them all, before users ever scan.
WithSecure Cloud Protection for Salesforce now covers both established workflows and emerging Agentforce use cases. You get Salesforce-native protection that’s ready for what’s next.
Salesforce is entering a new era with Agentforce. Autonomous agents are beginning to take on tasks, support teams, and act on behalf of your business. That speed and scale is powerful, but it also changes your risk posture.
WithSecure™ Cloud Protection for Salesforce evolves in step with this shift. WithSecure™ Cloud Protection for Agentforce 1.0 is the first and only security add-on built natively for Agentforce, delivering real-time protection that moves at the pace of your AI agents.
Why this matters now
Agentforce is new, but the security challenges around Salesforce aren’t. Over the past year, even some of the world’s best-protected companies have been breached through Salesforce workflows. Attackers are already looking for the next easy entry point.
That’s why security can’t be left until later. If you’re experimenting with agents, you need to make sure they aren’t opening new doors for attackers.
Not every Salesforce environment is pristine — and that’s okay. Companies are already proving they can get ROI from Agentforce without perfect data models. But what you can’t afford to overlook is security. Without it, every autonomous agent you add doesn’t just create value, it also adds risk.
Salesforce security is now a boardroom topic. Even leading enterprises have been breached through workflows.
Agentforce adoption is only beginning. Your data doesn’t have to be perfect to try it, but overlooking security will scale your risk dramatically.
Attackers move fast. What they exploited in workflows yesterday, they’ll target in agents tomorrow.
AI workflows create a new attack surface. Don’t let your AI projects be the weak link in your security.
What’s new in Agentforce extension 1.0:
Agentforce is built for speed. Security for it has to be just as fast. That’s the idea behind this extension: it’s the first to run natively within Agentforce workflows, scanning every link and action instantly in the background. There’s no slowdown, no break in the workflow. Just continuous protection that keeps up with your agents.
Real-time URL scanning: Detect malicious or obfuscated links surfaced in agent workflows before they can do harm.
Seamless integration: Part of the same Salesforce-native security app, no extra systems or risky connections.
Free for existing customers: Included in your WithSecure Cloud Protection for Salesforce license, requires Apollo 2.9.1 version of the core app.
Install WithSecure Cloud Protection for Agentforce
Companies want AI agents to handle tasks because they’re faster than humans. That only works if security is invisible, always on, never slowing things down. This extension gives you exactly that: real-time protection and the peace of mind that your agents aren’t creating new risks while they work.
Customer support: Agents share files and links in chat. Malicious ones are blocked before they ever reach staff or customers.
Autonomous operations: Agents surface data from internal and external systems autonomously. Malicious URLs and hidden redirects to phishing sites are unwrapped instantly.
Enterprise-wide agentic AI: As agent use grows, protection scales with it. Always on, always real time.
The result? Peace of mind knowing your AI agents are working for your business, not for the attackers.
And this is just the beginning. As Salesforce continues to evolve, so does WithSecure Cloud Protection. This extension isn’t just a one-time fix. It’s a foundation for the agent-powered workflows of today and the future.
The integration we’ve built into Salesforce is designed to grow with your needs. Whether your agents are handling messaging today or evolving into more complex tasks tomorrow, WithSecure Cloud Protection will be there, ensuring every action remains secure, fast, and seamless.
What you get today:
Real-time URL scanning in Agentforce workflows (with the Agentforce extension)
Real-time file scanning for Agentforce workflows (with the main WithSecure Cloud Protection for Salesforce app)
A future-ready foundation for securing your expanding Agentforce footprint
Note: The Agentforce extension requires the main solution to be updated to version 2.9.1 or later.
Already using WithSecure Cloud Protection for Salesforce? The Agentforce extension is available at no extra cost. → Upgrade to Apollo 2.9.1 and activate Agentforce protection
Install WithSecure Cloud Protection for Agentforce
Customer support AI agents respond instantly, sharing helpful links and content. WithSecure Cloud Protection for Agentforce scans it all in real time, blocking anything malicious – or otherwise unwanted – before it reaches staff or customers.
Autonomous operations Agents surface data from internal records or external systems. WithSecure Cloud Protection for Agentforce blocks malicious URLs that direct to phishing sites instantly.
Enterprise-wide automation As Agentforce drives new workflows across channels and use cases, WithSecure Cloud Protection for Agentforce provides real-time security natively, and without friction.
ICYMI: Apollo 2.9.1 brings defense in depth against QR code phishing
QR codes in Salesforce look harmless. Until they aren’t
While Agentforce is the new frontier, attackers are also innovating, and QR code phishing is one of the fastest-growing threats inside Salesforce. We’re seeing more and more obfuscated QR code phishing and evasive file threats.
Cybercriminals are increasingly turning to QR codes to deliver phishing links in a way that bypasses traditional security layers. Known as quishing, these attacks embed malicious links inside QR codes, which are then placed into everyday business documents like PDFs, invoices, or slide decks.
When scanned – often on unmanaged mobile devices – the user is silently redirected to a phishing site designed to steal credentials or install malware. Because the destination is hidden inside a code, traditional file and link scanners often miss it.
WithSecure™ Cloud Protection for Salesforce combats this with malicious QR code detection capabilities, now enhanced in Apollo 2.9.1 to eliminate even stealthier layered QR-based threats.
This protection works across both internal and external workflows, and helps reduce phishing success rates, especially in environments with bring-your-own-device (BYOD) policies.
What’s new in Apollo 2.9.1:
Detects malicious QR codes embedded in uploaded PDFs and Office files
Unwraps shortened URLs (bit.ly, tinyurl, etc.) hidden within QR codes
Our roadmap doesn’t just follow Salesforce. It tracks the threat environment around it.
Salesforce security has never been more visible. Recent breaches show that even the most advanced enterprises can be compromised through Salesforce workflows. Attackers look for the easy way in — and once they find it, they repeat it at scale.
Agentforce has the potential to transform how businesses operate. But if security is overlooked, it could also become the next door attackers walk through. That’s why our mission is clear: make sure the rise of agent-driven workflows doesn’t open new risks for the companies who rely on Salesforce every day.
Not every Salesforce environment is perfectly structured, and that’s fine. You can still build value with Agentforce even if your data model isn’t spotless. What you can’t afford is to bypass security. Real-time protection is non-negotiable, because agents work at speed and scale. A single overlooked vulnerability can spread risk across teams, customers, and connected systems.
WithSecure is the first to address this head-on. The Agentforce extension is the only truly Salesforce-native security solution available today, built to protect agent workflows from day one and evolve in lockstep with Salesforce’s roadmap. This is not an add-on. It’s the foundation for securing every action taken by Agentforce.
Looking forward, we’re continuing to invest on two fronts:
Platform evolution → as Agentforce expands into file handling and cross-object automation, we’ll extend protection in parallel.
Threat evolution → from phishing and QR codes to credential compromise and supply chain abuse, our defenses will adapt to how attackers operate, not just how Salesforce develops.
Our goal stays simple: protect every action in Salesforce – whether it’s taken by a person or by an agent.
Is this a separate product from WithSecure Cloud Protection for Salesforce?
WithSecure Cloud Protection for Agentforce is a free add-on for licensed customers of WithSecure Cloud Protection for Salesforce, available now on AppExchange.
What does the Agentforce extension actually add?
It extends real-time protection to URLs handled via agentic (AI-driven) workflows. This ensures threats can’t spread through agentic AI workflows, which external security tools can’t reach. All future Agentforce-native security features will be released through the extension.
Will this protection layer affect performance or automation speed?
No. The extension is built for speed like no other. It scans in real time without slowing down AI agent or human workflows.
Who is this designed for?
Enterprises using Agentforce or planning to adopt it; especially those in regulated industries where cyber security, AI monitoring, data hygiene and auditability are critical.
How is this different from other Salesforce security tools?
Most tools rely on perimeter protections – like email or endpoint security. Legacy CASBs have a latency too big for swift AI agents. Only WithSecure Cloud Protection for Salesforce scans unstructured data on Salesforce natively, in real time, at the exact moment content is submitted, clicked, or shared by AI agents. That’s the level of protection Agentforce requires, and no other solution matches this native + real-time + AI-aware combination.
Is the solution certified for compliance?
Yes. WithSecure Cloud Protection is ISAE 3000 Type 2 (SOC 2 Type 2) and ISO 27001 certified, and provides full visibility and traceability for audits, even across AI-powered Agentforce workflows.
Does WithSecure Cloud Protection for Agentforce alter my Salesforce environment?
No. WithSecure™ Cloud Protection for Agentforce does not alter your Salesforce environment. WithSecure Cloud Protection main app installs natively, without changing your existing workflows, data structures, or configurations. The extension simply adds real-time protection for agentic content, working seamlessly alongside your current setup — so you can secure autonomous AI without disruption.
How is the app hosted?
WithSecure Cloud Protection for Salesforce uses a cloud-based threat analysis service called WithSecure Security Cloud. The service is hosted on AWS. You don’t need to worry about hosting yourself, and there are zero hidden hosting costs. The cloud service is hosted on data centers located in Ireland, US, Japan, Singapore and Australia. You can choose your point of presence, in other words where your data is located, and effectively control your data’s geographical location.
How do we activate the Agentforce extension?
Just install the extension from AppExchange and configure it via the familiar WithSecure Cloud Protection app UI in your Salesforce. It’s a click-and-go process with no new portals needed. You can find the installation instructions in this support article.
WithSecure Cloud Protection for Salesforce evolves in step with both the threat landscape and the Salesforce platform. Apollo 2.9.1 strengthens defenses against advanced phishing attacks by detecting even obfuscated QR codes hidden in everyday business files — protecting users on both managed and unmanaged devices.
What’s new in Apollo 2.9.1:
Detect malicious QR codes in uploaded PDFs and Office files
Analyze shortened URLs (e.g. bit.ly, tinyurl) hidden inside QR codes
Block QR phishing threats even when scanned on unmanaged devices
Mitigates a Salesforce platform issue that can create unintended ContentDocumentLink (CDL) records when files are uploaded by Guest Users
Note for the future: Apollo 2.9 is required for activating upcoming Agentforce security extension
Defense against QR code and redirect-based phishing
QR codes in Salesforce look harmless. Until they aren’t.
Cybercriminals are increasingly turning to QR codes to deliver phishing links in a way that bypasses traditional security layers. Known as quishing, these attacks embed malicious links inside QR codes, which are then placed into everyday business documents like PDFs, invoices, or slide decks.
When scanned – often on unmanaged mobile devices – the user is silently redirected to a phishing site designed to steal credentials or install malware. Because the destination is hidden inside a code, traditional file and link scanners often miss it.
When one of our large customers faced a wave of QR-based phishing attempts in 2024, existing defenses weren’t catching them. Within months, we built the first Salesforce-native QR phishing detection engine.
Now, with Apollo 2.9.1, we’ve expanded it further to eliminate even more stealthy, layered QR-based threats. We’ve added the ability to detect malicious QR codes in PDF and Office files, and even malicious shortened URLs hidden inside QR codes.
This protection works across both internal and external workflows, and helps reduce phishing success rates, especially in environments with bring-your-own-device (BYOD) policies.
Salesforce recently introduced a platform change that impacts how files uploaded by Guest Users are handled. This can result in additional CDL records being created.
Apollo 2.9 includes updates to mitigate this behavior. For remediation, please contact your Customer Success Manager.
We strongly recommend all customers update to Apollo 2.9 — especially those leveraging Guest Users.
Upgrade timeline
Sandbox environments: starting September 17th, 2025
Production environments: starting October 1st, 2025
You can also update manually anytime via Salesforce AppExchange.
The way businesses use Salesforce is changing fast — and so are the threats targeting it.
With Agentforce, AI agents are beginning to take on customer interactions, surface data, and drive business decisions. As these capabilities expand into file handling and cross-object automations, the security requirements will grow with them.
That’s why we’re building protection in parallel with Salesforce’s roadmap. The upcoming Agentforce extension will provide native, real-time security for agent-driven workflows — starting with URL scanning, and expanding to cover agent behaviors, connected app actions, and layered file protection. This isn’t a static add-on, but a security foundation for everything your AI agents may do next.
At the same time, we know platform evolution is only one part of the equation.
The threat landscape is seeing escalating Salesforce breaches, and threats from credential compromise to QR code phishing to malicious files embedded in collaborative workflows. Our roadmap doesn’t just follow Salesforce; it tracks attacker behavior across the ecosystem.
That’s why we’re advancing real-time defenses that adapt as attackers do, and investing in identity protection to surface early signs of credential compromise before damage spreads. Our goal is simple: protect every action in Salesforce, whether taken by a human or an agent.
Important: The Agentforce extension will require Apollo 2.9.1 or later. Upgrading now ensures your environment is ready to activate Agentforce protection as soon as it becomes available.
We’re excited to introduce Orion 2.6, the latest version of WithSecure Cloud Protection for Salesforce. This update significantly bolsters your defenses against sophisticated cyber threats targeting files and URLs within Salesforce. Experience enhanced real-time protection with new capabilities that detect and neutralize malware hidden in password-protected archives and block newly registered, often malicious, domains.
Detect password-protected archives in real time to prevent hidden malware threats.
WithSecure™ Cloud Protection for Salesforce introduces the capability to scrutinize password-protected archives in Orion 2.6. As cybercriminals often disguise malware within encrypted archives – especially in highly targeted industries like finance – this feature is essential for mitigating carefully concealed threats on Salesforce.
Password-protected archive files are detected and removed upon upload and download based on feature settings. Alerts and events are generated to clearly indicate when a password-protected archive has been detected. By default, any removed archive is replaced with a placeholder text file, similar to other removed file-based threats.
This advanced feature covers all popular archive formats and requires both Advanced Threat Analysis and the Connected App to be enabled.
Analyze the the age of a domain and block newly created domains, which are often malicious
WithSecure™ Cloud Protection for Salesforce enhances your defenses against sophisticated cyberattack tactics by blocking access to newly registered domains. Cybercriminals frequently register new domains to bypass reputational URL checks; studies show that over 70% of domains less than 32 days old are deemed malicious or suspicious. This feature allows you to block domains based on their age, choosing from thresholds of 7, 14, 30, 60, or 90 days, to help filter out suspicious newly created sites.
Alerts, events, and email notifications will indicate when a domain has been blocked due to its age.
For new installations, the default setting is to block domains registered less than 30 days ago. For organizations updated to version 2.6, the default setting allows domains of all ages. We recommend administrators customize this setting according to their security needs as soon as possible to protect against new phishing URLs.
WithSecure™ Cloud Protection for Salesforce allows customers to select the geographic location for processing their Salesforce security data. Our new Japan data center joins existing locations in the EU, US, Australia, and Singapore, enhancing our Asia-Pacific footprint. This expansion supports compliance with regional data protection standards and improves operational efficiency. Opt for manual selection or let the system automatically determine the best processing location based on availability and proximity, ensuring robust, compliant data security.
New analytics page
We updated Analytics interface to the Lightning Web Components (LWC) framework, enhancing user experience with faster loading times and improved performance. This update begins with key sections such as Alerts, File Events, and URL Events, along with related modals like alert and event history. You will experience more responsive interactions and streamlined access to critical data.
Please note: The False Positive/False Negative pages within the Analytics section are temporarily unavailable as they transition to LWC, with a complete migration expected in upcoming releases. Future updates will also introduce features like actionable alerts and structured queries to further enhance the utility and efficiency of the Analytics function.
In case you missed it (ICYMI)
QR code scanning
WithSecure™ Cloud Protection for Salesforce now includes QR code scanning to effectively combat quishing attacks. This feature extends our malicious URL scanning capabilities beyond files to include QR codes, addressing the emerging threat where cybercriminals use QR codes to direct end-users to malicious sites. Quishing attacks deceive users into scanning QR codes with their mobile devices, potentially leading to theft of credentials or malware infections. To activate this protection, enable Advanced Threat Analysis and the Connected App, ensuring comprehensive security against these evasive threats and safeguarding both mobile and desktop end-users.
URL Protection across custom fields and objects
URL Protection now extends from Salesforce’s standard objects and fields to also cover your customized ones. This update has been highly requested by users.
You can extend your org’s data on Salesforce by defining custom objects, which are custom database tables that store information unique to your organization.
You can now build your custom workflows more securely than ever. In Orion 2.5, you can configure the scanning directly from the URL Protection Settings UI.
Detect and block shortened url threats
Shortened URLs, often used to mask risky content, can bypass traditional security controls. Our latest release now uncovers and blocks these threats, ensuring that every link is verified, whether shortened for convenience or masking something more sinister. This functionality is automatically enabled as part of the URL Protection feature.
Detect malicious URLs in files
Malicious links can lurk inside file attachments, waiting to be clicked. With our latest update, you can detect and block malicious URLs hidden within files uploaded to your Salesforce platform. Detected threats will appear in the File Events report for admins. This functionality is automatically enabled as part of the File Protection feature, covering file types such as Microsoft Office files and PDFs.
Tips from the team
Admin tip #1: Enable URL Protection across all text and URL fields to protect against malicious URLs and phishing links.
Admin tip #2: Protect all Salesforce objects and fields – both standard and custom – to safeguard against exploits.
Admin tip #3: After setting up URL protection for custom objects, ensure file scanning is also activated for them.
Admin tip #4: Activate automatic updates for the latest security features and stable protection.
Admin tip #5: Utilize the connected app feature of WithSecure Cloud Protection for Salesforce to access advanced security capabilities like advanced threat analysis, URL scanning inside files and QR code scanning.
As we continue our thrilling ride enhancing WithSecure™ Cloud Protection for Salesforce, can you guess the name of our next release series for 2025? Here’s a hint: While remaining true to our roots with rollercoaster theme, Orion took us on a stellar journey, and our next series promises to keep aiming for the stars. Stay tuned and keep elevating your Salesforce security with us.
WithSecure Cloud Protection for Salesforce Orion 2.5 introduces defenses against malicious QR codes, fortifying your Salesforce defenses against URL-based cyber threats. It also makes warding off URL-based cyber threats within Salesforce easier than ever by enhancing custom objects and fields scanning. Previously introduced in Orion 2.4, URL scanning in custom objects and fields is now simple to configure straight from the UI, eliminating the need for Apex code.
What’s new in Orion 2.5:
QR code scanning against quishing attacks
URL Protection across custom fields and objects now offers straightforward configurations from the UI
Enhanced digital fingerprinting of files sharpens detection accuracy without impacting performance
Revised Click-Time URL Protection settings are now easier to access
Stop quishing attacks with QR code protection
WithSecure™ Cloud Protection for Salesforce now includes QR code scanning to effectively combat quishing attacks across Salesforce. Sparked by a real-life attack targeting a Salesforce customer, this feature extends our malicious URL scanning capabilities to include QR codes, addressing the emerging threat where cyber criminals use QR codes to direct end-users to malicious sites. Quishing attacks trick users into scanning QR codes with their mobile devices, leading to potential theft of credentials, or malware infections.
To activate this protection, enable connected app and turn on Advanced Threat Analysis under File Protection settings. We also recommend reviewing your file type coverage under File Protection settings to include all image file types.
Want to learn more about malicious QR codes and quishing attacks on Salesforce? Check out our dedicated article with antiquishing tips.
Block malicious URLs across custom objects and fields – with easy settings
Expanding from standard to custom Salesforce objects, this update addresses a highly requested feature by our users. With Orion 2.5, defining and securing custom objects and fields has never been easier. This release allows you to:
Directly configure URL scanning settings within the UI
Seamlessly integrate robust security measures into your Salesforce custom workflows
Our upgraded file hashing technology not only improves the detection accuracy but also maintains system performance. The new hashing sets more complex defenses for files against crafty attackers.
Click-Time URL Protection configuration change
Previously included in WithSecure™ Cloud Protection, Click-Time URL Protection now features simplified settings adjustments. Now located under URL Protection -> General -> Configure Objects, this update ensures real-time protection by scanning URLs at the moment of access, safeguarding against any post-upload modifications by attackers.
We greatly bolstered URL scanning capabilities bolstered in the Orion 2.4 release earlier in 2024. If you missed it, here’s the recap:
Block shortened URL threats: Automatically identify and block malicious shortened URLs on Salesforce, ensuring comprehensive verification of every link’s true destination.
Detect malicious URLs in files: Enhanced scanning capabilities now detect and block harmful URLs hidden within Salesforce file uploads, such as Microsoft Office documents and PDFs, increasing your defense against indirect cyber attacks.
Admin tip #1: Enable URL Protection across all text and URL fields to protect against malicious links.
Admin tip #2: Protect all Salesforce objects and fields – both standard and custom – to safeguard against exploits.
Admin tip #3: After setting up URL protection for custom objects, ensure file scanning is also activated for them.
Admin tip #4: Activate automatic updates for the latest security features and stable protection.
Admin tip #5: Utilize the connected app feature of WithSecure Cloud Protection for Salesforce to access advanced security capabilities like advanced threat analysis, URL scanning inside files and QR code scanning.
Explore the latest developments in the global ransomware scene with our Ransomware Landscape H1 2024 report. This detailed analysis provides insights into active ransomware groups, their methodologies, how they are organized, and their impact across industries.
We’ve also compiled key cloud, Salesforce and other relevant threat landscape news into a snapshot post. With this, you’ll get your knowledge up-to-date in a matter of minutes.
Our tradition of naming Cloud Protection for Salesforce product releases after famous roller coasters continues with Orion. It illustrates the thrilling progress in our work – and in the lives of cyber defenders like yourself. The name Orion was chosen for the 2024 release series not just for its cool factor, but as a symbol of the limitless heights and broad scope we aim for with our Salesforce security solution. It represents a new chapter in refining and enhancing our product to support your Salesforce security needs, promising a steady ascent and an exciting journey.
Introducing WithSecure Cloud Protection for Salesforce Orion 2.4 which enhances your defenses against URL-based cyber threats within Salesforce. This release extends URL scanning to include files, highly requested custom objects and fields, and shortened URLs.
Read on to find out how we are relentlessly enhancing Salesforce security capabilities to protect some of the largest enterprises and critical public organizations in the world.
Detect malicious URLs in files
Files uploaded to your Salesforce platform present a cybersecurity risk, more than just them being malware. Malicious links can lurk in file attachments, waiting to be clicked.
Now, you can detect and block malicious URLs hidden inside files uploaded to your Salesforce platform. Detected threats will appear in the File Events report for admins. This functionality is automatically enabled as part of the File Protection feature when Adavanced Threat Analysis is turned on. You can find instructions on how to turn it on from our user guide.
Shortened URLs are often a mask for risky content and can bypass traditional security controls. Our latest release now uncovers and blocks these threats, ensuring that every link is verified, whether shortened for convenience or masking something more sinister. This functionality is automatically enabled as part of the URL Protection feature.
URL Protection is now expanded from Salesforce’s standard objects and fields to also cover your customized ones. The update has been much requested among users, and is unique. You can now freely build your custom workflows – more securely than ever.
In the version 2.4, we are releasing a tech preview version of the feature that requires scripting to set-up. Please contact our Customer Success team who will assist you with the configuration. Direct UI configuration will be released a bit later.
Admin tip #1: We strongly recommend turning automated updates on to keep your environment secured with the latest defense mechanisms, and to save time and effort. Please note that the version 2.0 is scheduled for End-of-Life (EOL) on May 24th 2024. By using the latest version you not only get the benefits of the latest features , but also the most stable protection for your Salesforce environment.
Admin tip #2: To get the best value from WithSecure Cloud Protection for Salesforce, we recommend you to enable the connected app, which gives you access to the advanced security capabilities such as Advanced Threat Analysis.
Admin tip #3: To scan URLs in files, make sure that you have connected app enabled, and Advanced Threat Analysis enabled in the File Protection feature.
Admin tip #4: You can find all updates from new enhancements to what pesky bugs have been fixed in the release notes.
Fun facts – greetings from the team
Kicking off our annual release series for 2024, we introduce ‘Orion’. Our tradition of naming releases after famous roller coasters continues, embodying the thrilling progress in our work – and in the lives of cyber defenders. The name Orion was chosen not just for its cool factor, but as a symbol of the limitless heights and broad scope we aim for with our Salesforce security solution. It represents a new chapter in refining and enhancing our product to support your Salesforce security needs, promising a steady ascent and an exciting journey with Orion.
In our product release of WithSecure Cloud Protection for Salesforce, Boulder 2.3, we provide you greater detection capabilities against disguised malicious files. We also enable you to report false positive and negative detections straight from the app. More details in the release notes.
Stay ahead of the curve with:
In-app reporting: False positives and missed detections can now be reported instantaneously within the app.
Intelligent File Type Recognition: Sophisticated analysis of a file’s content bolsters defenses against covertly dangerous files.
License model revision: The user licenses section now mirrors our updated licensing framework for streamlined access and comprehension.
Expansion of data centers: With new centers in Australia and Singapore, we bring improved performance and stricter data residency control.
Large file scanning: Our File Protection feature has been bolstered, scanning even larger files for potential threats.
Government Cloud support: Extending our protective measures to Government Cloud products, ensuring that even the most sensitive operations are secured.
Intelligent File Type Recognition
Hackers disguise malware by renaming dangerous files to appear harmless—like masking an executable (.exe) as an image (.jpeg).
Advanced threat protection counters this by examining a file’s actual content, not just its name, to uncover hidden dangers.
Intelligent File Type Recognition enhances detection in your Salesforce environment. It probes a file’s true behavior, not just its nominal type, identifying real threats that names alone can conceal.
The in-depth analysis is conducted automatically as part of the File Protection feature—no extra configuration required.
Learn more about file type spoofing attacks – and why you should not trust the file names
You can let us know right in the app if something safe is flagged or something malicious gets through.
New data centers available in Australia and Singapore
We have launched new Security Cloud regions in Singapore and Australia for WithSecure™ Cloud Protection for Salesforce. With the new data centers, we can offer you enhanced performance and more control of your data.
Local data processing: Optimize compliance and speed with data centers now in Australia and Singapore
Easy in-app configuration: Quickly choose your data processing location within the app
Automatic region selection: Set to ‘Automatic’ for the best performance based on your location
What are data residency and sovereignty and why you should care
WithSecure™ Cloud Protection for Salesforce now extends to Salesforce Government Cloud. This expansion ensures that government agencies and public sector organizations leveraging Salesforce’s Government Cloud can now benefit from the same real-time protection against cyber threats as any commercial organizations.
With our app, public sector agencies can confidently manage their operations and handle sensitive and classified information in Salesforce, while ensuring compliance with stringent government security standards and regulations.
Administration tip: automated updates save your time and effort
We strongly recommend turning automated updates on to keep your environment secured with the latest defense mechanisms, and to save time and effort.
Check out our simple instructions for automated updates
