Every security team knows the phrase defense in depth. It’s the oldest security mantra in the book, and one of the least adapted to how business actually runs today.
It sounds solid: layers of protection so one failure doesn’t take you down. Firewalls. Endpoint protection. MFA. All good. All necessary. But limited.
Too many organizations still treat Salesforce as “just a CRM,” not the operational backbone it has become. It’s the hub of data, operations, automation, and customer trust – yet its security is often handled as a checkbox audit exercise, split between teams that rarely talk. That mindset creates the perfect blind spot for attackers.
In 2025, attacks often begin inside the tools we trust most. Salesforce is one of them.
The illusion of layers
Salesforce runs sales, service, portals, and now AI agents. It’s business critical and trusted – and a prime target because of it.
That trust creates blind spots. Network security can’t see inside Salesforce. Endpoint tools can’t scan what’s shared there. Email security filters never touch the files or links users exchange across the platform once there – even if they originated through email.
So yes, the defense layers in the traditional model exist and are 100% valid – they simply stop too early to defend modern entry points like Salesforce. And that’s where attackers now operate.
If your data and workflows live inside Salesforce, your defenses should too.

Why external layers like endpoint or email protection aren’t enough for Salesforce
Most organizations still treat email as the front line. It’s where phishing and malware start, and the entire security stack evolved around it. But Salesforce isn’t an inbox. It’s where customer data, automation, and integrations meet, and once a file or link enters this environment, endpoint or email controls can no longer see it.
Threats that enter through legitimate business channels built on Salesforce – such as support case details or community portal processes – bypass traditional layers entirely. From there, malicious content or compromised identities can propagate across the platform, its users and integrated systems unnoticed.
Endpoint protection (EPP) or email security solutions weren’t built for this. They secure what enters or leaves the perimeter, not what happens inside Salesforce.
The same layered model that has shaped email security – combining identity protection, content inspection, phishing protection and anomaly detection – has not yet been applied to Salesforce, even though it’s now a business-critical environment for data, customer trust and operations.
That’s the visibility and control gap a modern defense-in-depth strategy for Salesforce must close.
The lesson from email security is clear: layered protection works, but only when it lives where the data and interactions actually occur.
Salesforce needs its own layers
Recent breaches prove it: the cascade of vishing and malicious Salesforce connected-app breaches, Coinbase’s contractor compromise, the HELLCAT Jira attacks. All began with valid credentials. Attackers didn’t break in; they logged in.
Traditional defense-in-depth models focus on protecting systems and data. Attackers don’t think in layers; they move through them as fast and as far towards their objective as they can. In Salesforce, that movement happens through people, files, unstructured data, and connected apps, among other paths. Defenses need to follow the same path: seeing how threats enter, spread, and act, not just stopping at the edge.
Inside Salesforce, modern defense in depth has four connected layers: identity, content, governance, and automation. Each reinforces the others.
These layers mirror the traditional defense-in-depth structure, with the first line of defense at Salesforce’s entry points (identity and content), followed by governance ensuring integrity within, and automation forming the intelligent core of business operations.

This model reflects Salesforce’s shared responsibility for security. Platform configuration, governance and monitoring form the foundation; real-time threat protection complements them.
The identity layer – who’s logging in
The identity layer forms Salesforce’s first line of defense by controlling who reaches the environment before any data or process interaction can occur.
Its weaknesses are well known but still underestimated: stolen or reused credentials, hijacked OAuth tokens, and unmanaged community or integration accounts that operate outside corporate identity controls.
Many organizations see credential compromise as yesterday’s problem, but it remains the number one initial attack vector according to Verizon.
Attackers most often exploit access and misconfiguration rather than Salesforce platform zero-days. Once they log in legitimately, every API, connected app, and automation trusting that account becomes part of the attack surface.
The least controlled identities often pose the greatest risk. Community, partner, and external contractor accounts frequently operate outside corporate IAM controls yet hold broad access permissions. They should be treated as first-class identities: rotate credentials, restrict scopes, and continuously monitor for breach exposure.
Examples:
– An employee’s Salesforce credentials leak in a third-party breach. Attackers use them and export customer data unnoticed.
– A partner reuses an old password from another system that has since been breached. Attackers use it to log into Salesforce, submit fake orders, and pivot into connected systems.
– An external contractor user is left active after a project ends. The same credentials are on sale on the dark web. Attackers use them to access data programmatically.
Identity protection in Salesforce is about seeing what’s normally invisible: who’s authenticating, how credentials are used, and where risk hides.
Identity Protection in WithSecure Cloud Protection for Salesforce continuously monitors internal, partner, and community accounts against advanced breach-intelligence feeds. It detects exposed credentials before attackers reuse them – and long before open source tools know the breach details.
A living identity-defense layer that detects and reacts before incidents spread deeper into the environment relies on multiple mechanisms designed to prevent the bypasses attackers most often exploit: phishing-resistant MFA for high-privilege users, SSO where possible, refresh-token rotation with short token lifetimes, admin approval for connected apps, and third-party credential compromise monitoring to reduce credential stuffing risk.
The content layer – what moves through Salesforce
If identity is the gatekeeper, content protection is the guardrail. It inspects what enters Salesforce at the moment of upload, share, or click. This layer stops threats hidden in unstructured data before they spread and cause damage, for example data breaches or operational disruption.
Delivery often rides trusted workflows. Files, links, and QR codes move through Salesforce every day across chats, emails, records, cases, portals, and various workflows. That’s where malware and phishing hide.
- A PDF attachment hides a phishing link.
- A ZIP file in a workflow contains ransomware.
- A QR code in a record leads to a fake login page.
These threats bypass email and endpoint security because they never leave Salesforce. Just as email filters scan attachments before delivery, Salesforce needs native inspection at upload and interaction, because the attack surface targeting human users and human error has shifted from inboxes to platforms like Salesforce.
WithSecure telemetry shows a twenty-fold increase in malware and phishing detections between 2024 and 2025.
File Protection and URL Protection in WithSecure Cloud Protection for Salesforce keep this layer clean by scanning every file and link in real time. It stops threats where they appear – inside the platform itself.
The platform & governance layer – how Salesforce is configured and controlled
Misconfigurations and excessive permissions can be as damaging as malware.
This layer defines Salesforce’s security foundation — the policies, controls, and visibility that shape how the environment operates and evolves.
Salesforce security isn’t a set of isolated parts. Identity, content, and governance intersect constantly: who acts (identity), what they act on (content), and under what rules (governance). This layer unites those elements by keeping access, data handling, and automation consistent, visible, and accountable.
Effective governance rests on three principles:
- Integrity: Harden configurations, enforce least privilege, and keep permissions and integrations within intended boundaries.
- Visibility: Continuously monitor changes, API connections, and unusual activity that signal misuse or drift.
- Accountability: Maintain a clear audit trail of who changed what, when, and why. This enables compliance and rapid incident response.
Native tools like Salesforce Security Center, Health Check, Shield, and Event Monitoring support these principles by exposing configuration and activity data inside Salesforce.
Ecosystem tools such as AppOmni extend that visibility across third-party integrations and cross-cloud access.
Once attackers gain entry, their goal becomes persistence and hiding within trusted processes.
Governance shortens that dwell time by enforcing integrity, surfacing anomalies, and ensuring every configuration and connection is auditable.
When governance, identity, and content protection reinforce each other, Salesforce operates as a cohesive, trusted environment. Every action, human or automated, stays within defined and observable boundaries.
The automation layer at the core – where Salesforce intelligence comes to life
AI and automation are now the heart of Salesforce, but at the same time its newest attack path.
At the core of Salesforce are the automations and autonomous AI workflows that drive modern business – from Flows to Agentforce. This is the Agentic AI–powered Salesforce environment: a living system where data, processes, and AI agents interact to execute work at speed and scale.
As Salesforce embeds AI agents across every process, the attack surface now includes the workflows themselves. Salesforce’s emerging direction “Agentforce for Security” introduces agentic capabilities for automated detection, incident triage, and intelligent remediation. These innovations aim to help security teams respond faster and reduce the manual overhead of investigation and response. As Salesforce continues embedding AI agents across its ecosystem, the need to ensure these automations act on safe, trusted inputs only grows more critical.
Automation is not part of traditional defense-in-depth thinking, but in modern Salesforce environments automation is the business logic itself. It’s not just “a layer” but an amplifier for both productivity and potential risk.
- Automated Flows and AI agents directly execute actions that affect data and users.
- That means automation and especially autonomous AI can propagate malicious inputs (e.g., a poisoned file, fake record, or compromised user action) at machine speed.
That’s where layered defense plays a defining role. When data is secure, and configurations are consistent, automation can operate safely and predictably. Without those guardrails, AI agents and automated workflows can quickly amplify mistakes, or act on malicious inputs.
Defense in depth must now extend into automation, because automation acts with the same privileges as humans in the attack path, only faster. When every layer reinforces the next, both human and AI-driven actions inside Salesforce remain trustworthy and resilient.
Visibility that leads to action
When each layer feeds visibility back into the next, you not only prevent attacks, you learn from them. That’s how depth becomes intelligence.
Every defense layer in Salesforce is connected by a visibility loop that turns detections into prevention, and prevention into ongoing improvement. Visibility in Salesforce is not just adding more dashboards.
Having this overarching visibility means exposures are caught before they become incidents and attacks are blocked before they cause damage (and tracked swiftly if something has slipped through). Patterns of malicious activity or misuse feed directly into stronger governance.
Visibility isn’t an extra layer but something that connects everything. It helps improve every layer continuously with each event.
- User risk: detect → reset
- Content risk: scan → block
- Platform risk: monitor → fix
When each action is logged and traceable, you have provable control, compliance-readiness, and stronger prevention against incidents.
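To make the visibility loop concrete, here is an added example (not WithSecure’s or Salesforce’s code) that runs constructed Salesforce-style events through the three checks and returns the matching reset, block or fix action. The event field names, the breach-intelligence set, the malware hash and the governance baseline are all assumptions for illustration, not Salesforce API objects.

```python
"""Visibility loop: user risk detect->reset, content risk scan->block,
platform risk monitor->fix, over constructed Salesforce-style events.
Field names are simplified assumptions, not the Salesforce API."""
import hashlib

# Constructed breach-intelligence feed: accounts seen in third-party credential leaks.
EXPOSED_ACCOUNTS = {"partner@example.com", "contractor.old@example.com"}
# Constructed malware verdicts: SHA-256 of known-bad file content.
MALWARE_HASHES = {hashlib.sha256(b"constructed malicious payload").hexdigest()}
# Constructed governance baseline that configuration must not drift from.
BASELINE = {"connected_app_policy": "admin_approved", "api_access": "restricted"}

def detect_user_risk(event):
    """detect -> reset: a successful login by an account present in breach intel."""
    if event["status"] == "Success" and event["user"] in EXPOSED_ACCOUNTS:
        return ("user", "reset", event["user"])
    return None

def scan_content_risk(event):
    """scan -> block: an uploaded file whose hash matches a malware verdict."""
    if hashlib.sha256(event["content"]).hexdigest() in MALWARE_HASHES:
        return ("content", "block", event["title"])
    return None

def monitor_platform_risk(event):
    """monitor -> fix: a setup change that moves a governed setting off baseline."""
    expected = BASELINE.get(event["setting"])
    if expected is not None and event["new_value"] != expected:
        return ("platform", "fix", f"{event['setting']}={expected}")
    return None

HANDLERS = {"login": detect_user_risk, "upload": scan_content_risk,
            "setup_change": monitor_platform_risk}

def run_visibility_loop(events):
    """Route each event to the layer that owns it and collect the resulting actions."""
    return [hit for ev in events if (hit := HANDLERS[ev["type"]](ev))]

# Constructed sample stream: one benign and one risky event per layer.
SAMPLE_EVENTS = [
    {"type": "login", "user": "employee@example.com", "status": "Success"},
    {"type": "login", "user": "partner@example.com", "status": "Success"},
    {"type": "upload", "title": "invoice.pdf", "content": b"%PDF-1.4 benign"},
    {"type": "upload", "title": "order.zip", "content": b"constructed malicious payload"},
    {"type": "setup_change", "setting": "session_timeout", "new_value": "2h"},
    {"type": "setup_change", "setting": "connected_app_policy", "new_value": "all_users"},
]

if __name__ == "__main__":
    for risk, action, subject in run_visibility_loop(SAMPLE_EVENTS):
        print(f"{risk:8} risk -> {action:5}: {subject}")
```

Each returned tuple is the logged, traceable action the page describes; in a real deployment the reset, block and fix would be carried out through the platform’s own admin and API controls.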
Salesforce has become one of the most targeted and valuable operational systems in any enterprise. Prioritizing its detections and exposures delivers disproportionate risk reduction.
The new meaning of depth
In Salesforce, layers don’t sit neatly on top of each other; they intersect.
In practice, defense in depth inside Salesforce results in clearer sight and faster action. Visibility turns detections into decisions, and decisions into effective prevention.
Salesforce security needs layers that look inward – at the users, the content, and the automation driving your business every day.
Innovation isn’t optional anymore. Agentic AI isn’t a “maybe”, it’s a “when.” Securing it can’t wait for maturity or readiness. Salesforce found that 79% of IT leaders believe that defenses are falling behind AI-driven cyber threats. IBM found that 97% of AI-related breaches involved systems with no proper access controls. The time for security isn’t later – it’s day one.
If you run Salesforce, don’t ask how tall your walls are. Ask how deep your defenses go.

WithSecure Cloud Protection for Salesforce offers layered defense
Defense in depth in Salesforce only works when each layer reinforces the others, and when those layers live where the risks occur. WithSecure Cloud Protection for Salesforce puts this layered model into practice – in Salesforce, in real time.
File and URL Protection
Scans every file and link at upload, download, and interaction. It stops sophisticated malware, ransomware, and phishing from entering Salesforce through various channels.
Identity Protection
Detects compromised user credentials before they’re exploited. Continuously monitors internal and community accounts against the latest breach intelligence, providing early warnings.
Visibility & Analytics
Delivers deep insight into detections and user risk. It complements built-in platform tools like Salesforce Shield and Event Monitoring.
Together, these capabilities form multi-layered defense for the AI-powered Salesforce environment including Agentforce. They protect against malware, phishing, and identity threats without slowing down the business.