Salesforce security matters more than ever in 2025

Salesforce is the backbone of digital transformation for over 150,000 organizations worldwide. In 2025, attackers are targeting it more aggressively than ever.

As businesses embrace agentic AI, cyber threats evolve in tandem. Ransomware can infiltrate through file uploads, phishing links can hide within customer interactions, and attackers are constantly seeking novel ways to enter corporate networks. Securing Salesforce data and eliminating cyber threats among it is the responsibility of the customer. In a highly connected environment, you should not rely on protection measures outside Salesforce – such as email security – alone. 

Security and Salesforce teams alike must ask themselves in 2025: 

• How can we secure Salesforce from malware and phishing without adding complexity and inefficiency?
• Which security solution ensures compliance, seamless integration, and cost effectiveness?
• What tools are compatible with our Salesforce roadmap?
• What are the hidden risks of choosing the wrong approach?

This buyer’s guide will help you navigate those questions by explaining why native Salesforce threat protection is now a baseline requirement, how it differs from older approaches such as CASBs and non-native integrations, and what to look for when comparing vendors.

Why native threat protection is essential for Salesforce

As Salesforce becomes more deeply embedded in business operations, security must evolve alongside it. Files are uploaded, URLs are clicked, and AI-driven automation accelerates processes – creating new attack surfaces. Cybercriminals take advantage of these entry points, embedding malware in file uploads, disguising phishing links in records, and exploiting integrations to launch supply chain attacks. 

Despite its abundant security features, Salesforce does not include built-in malware scanning or phishing protection. This forces security teams to decide: should they rely on external tools that introduce complexity and integration risks, or choose a fully native solution designed to secure Salesforce from the inside? 

A Salesforce-native security solution operates directly within the platform, without the need for external dashboards, API connections, or third-party portals. This ensures real-time scanning, seamless automation, and airtight compliance. Effectiveness comes without slowing down workflows or introducing new security gaps. And a solution that is developed in close partnership with Salesforce ensures compatibility with the platform roadmap, too.

Unlike non-native solutions and CASBs, a truly native threat protection solution like WithSecure™ Cloud Protection for Salesforce scans files and URLs in real time, blocking ransomware, phishing, and malware at the source. Enterprises and public sector organizations need in-depth protection that easily scales with their needs without complexity, slowdown or hidden costs.

Salesforce security options compared

CASBs for Salesforce security: benefits and major drawbacks

Cloud Access Security Brokers (CASBs) provide cloud security by acting as intermediaries between users and cloud applications. While CASBs offer policy enforcement and visibility across multiple cloud platforms, they are not purpose-built for Salesforce security and introduce several significant drawbacks for organizations requiring real-time, advanced threat protection. CASBs often introduce a plethora of unnecessary capabilities and complexity, that can bring more harm than good when aiming to sustain a streamlined and healthy Salesforce environment.

Common issues with CASB solutions 

• Complex deployment and management – CASBs require extensive configuration, long deployment times, and specialized expertise to maintain. 
• Limited real-time threat protection – Most CASBs rely on batch processing instead of real-time scanning, allowing threats to go undetected for hours or even days. 
• No real-time phishing protection – CASBs typically lack phishing protection that blocks malicious links at the moment of click. 
• Delayed malware detection – Malware scanning is often limited to file uploads, meaning dormant threats can activate later. 
• Performance and latency issues – CASBs sit between users and cloud services, potentially slowing down Salesforce workflows and resulting in delayed security and visibility. 
• Data security and compliance risks – Files and URLs are often sent outside Salesforce for scanning, creating potential compliance and data exposure risks. 
• Lack of deep Salesforce visibility – CASBs focus on securing multiple cloud applications but do not provide in-depth protection for Salesforce-specific objects. 
• High total cost of ownership (TCO) – CASBs come with hidden costs, including licensing fees, external hosting charges, and ongoing maintenance efforts. 

CASBs provide general cloud security but fall short in delivering real-time, Salesforce-specific threat protection. Their complexity, lack of real-time scanning, and potential compliance risks make them unsuitable for enterprises and public sector organizations that require robust Salesforce-native security. 

Non-native third-party solutions: hidden costs and gaps

Some vendors claim to offer Salesforce native security, but their solutions aren’t truly native – even if they provide a Salesforce app or UI integration. These solutions rely on external portals, API connections, and heavy off-platform processing, introducing security gaps, operational inefficiencies, and higher maintenance burdens. 

Common issues with non-native Salesforce security solutions: 

• Not truly Salesforce-native – These solutions require external portals, meaning security teams must manage threats outside Salesforce, adding complexity. 
• API-dependent integration – Security checks rely on API connections, which can introduce latency, potential vulnerabilities, and increased attack surfaces. Many Salesforce workflows, especially the agentic AI ones, rely on fast performance. Security that slows things down, adds as much problems as it solves.
• Data leaves Salesforce – These solutions send all files and URLs to an external service, even if they are not suspicious. This increases exposure risks and raises compliance concerns. 
• Limited real-time threat protection – Many non-native solutions scan at the time of upload or post but don’t continuously monitor for evolving threats, such as phishing links that become malicious after posting. Security capabilities are likely limited in terms of entry point coverage, too, missing protection for Agentforce and custom fields, for example.
• Detection vs. prevention – Some solutions only detect threats, requiring manual remediation, rather than actively blocking malicious content before damage occurs. 
• Limited investment in continuous threat research – Non-native solutions may lag behind evolving threats, particularly when it comes to how Salesforce is exploited. 
• Manual software updates – Unlike Salesforce-native solutions that update seamlessly, these tools often require manual intervention, increasing maintenance overhead. 
• Scalability challenges – These solutions may struggle to scale with growing organizations, requiring additional infrastructure and licensing costs as Salesforce environments expand. 
• Higher total cost of ownership (TCO) – Hidden costs such as extra hosting fees, API costs, and additional maintenance resources make these solutions expensive over time. 
• Uncertain product lifecycle and support – The longevity and continued investment in the product can vary. Does the vendor have a dedicated Salesforce security team, or is the product in maintenance mode with limited focus? Are new Salesforce platform capabilities like Agentforce supported with new security features?

A fragmented, non-native approach that increases security blind spots, inefficiencies, and compliance risks while demanding higher operational effort and costs. For enterprises and highly targeted organizations, a fully Salesforce-native solution ensures stronger protection, real-time security, and a lower long-term cost of ownership. 

DIY Salesforce antivirus tools: why internal builds fail

Some organizations consider building their own malware scanning solution for Salesforce, believing it to be a cost-effective and customizable approach. However, developing and maintaining an internal AV tool comes with significant resource, security, and compliance challenges—often making it an inefficient and risky choice. 

Common issues with internal solutions 

• Time-consuming deployment – Building a security tool from scratch is a long and complex process, leaving Salesforce unprotected for months or longer. 
• High development and maintenance costs – Maintaining network security, cloud stability, and scanning engine connections requires ongoing investment in infrastructure and skilled personnel. 
• Not real-time protection – Many DIY solutions rely on scheduled or reactive scanning, failing to block threats at the moment of upload, download, or click. 
• Manual threat response required – Unlike automated security solutions, internal tools often require manual review and removal of threats, increasing response times and risk. Especially in case of rapidly moving Agentforce and AI use cases, speed is key in defence.
• Compliance risks – Ensuring certifications like ISO 27001, SOC 2 Type 2, GDPR, and ISAE 3000 is complex and time-intensive, making DIY solutions a liability for regulated industries. 
• Limited threat intelligence – Internal solutions lack access to global, real-time threat intelligence, making them ineffective against zero-day threats, advanced phishing techniques, and evolving malware tactics. 
• No dedicated support – If the tool fails or is compromised, organizations are left to troubleshoot and mitigate issues without external security expertise. 
• Scalability challenges – As Salesforce environments grow, internal solutions may struggle with multi-org protection, integrations with SOC/SIEM tools, and expanding security requirements. 
• Hidden total cost of ownership (TCO) – Hosting, maintenance, compliance, and security updates require constant resources, making long-term costs unpredictable and often higher than expected. 

Why DIY security is a risky bet? While internal tools may seem like a flexible solution, they introduce security blind spots, operational inefficiencies, and compliance risks. Security for Salesforce requires continuous updates, real-time protection, and expert management—something few organizations can maintain internally. 

Open-source Salesforce security: high risk, high maintenance

Some organizations consider using open-source security solutions for Salesforce to reduce costs and gain customization flexibility. However, open-source tools present significant security, compliance, and operational challenges, which makes them an impractical choice for enterprise-level protection. 

Common issues with Open Source solutions 

• Security vulnerabilities – Open-source tools often contain unpatched vulnerabilities, and publicly disclosed security flaws can be exploited if updates aren’t applied promptly. 
• Lack of active maintenance – Many open-source projects are developed by volunteers, leading to slow patching cycles, outdated software, and a lack of long-term support. 
• Dependency management risks – Open-source projects rely on multiple third-party libraries, making it difficult to track vulnerabilities in dependencies and apply necessary updates. 
• Susceptibility to supply chain attacks – Threat actors can compromise popular open-source libraries, injecting malicious code that spreads across all dependent projects. 
• No security oversight by Salesforce – Open-source security solutions aren’t reviewed or optimized for Salesforce, meaning potential gaps in protection and poor compatibility with native features. 
• Limited detection capabilities – Most open-source AV scanners rely on signature-based detection, lacking advanced behavioral analysis, AI-driven threat detection, or sandboxing for sophisticated malware. 
• No real-time phishing protection – Open-source tools often lack URL scanning and analysis, leaving organizations exposed to phishing attacks targeting Salesforce users. 
• Manual updates and maintenance required – Security definitions, software patches, and configurations must be updated manually, increasing the risk of outdated protection. 
• Infrastructure and performance burden – Open-source scanners typically require external servers, adding complexity, performance bottlenecks, and extra security risks. 
• No automated threat response – Unlike commercial solutions, open-source tools often only detect threats, requiring manual intervention to remove malicious files or block harmful URLs. 
• No dedicated support – Without a vendor-backed support team, organizations must rely on community forums and open-source documentation for troubleshooting, which can delay issue resolution. 
• Compliance risks – Open-source solutions typically lack certifications like SOC 2 Type 2, ISO 27001, GDPR, and ISAE 3000, making them unsuitable for enterprises with strict regulatory requirements. 

While open-source solutions may seem attractive for their low upfront costs, they come with hidden risks, resource-heavy maintenance, and major security gaps.  

Open-source security is a patchwork solution that leads to constant firefighting, and likely covers the most basic security use cases at best. 

Relying on email security alone: a critical Salesforce blind spot

Enterprises by and large have strong email security defenses, but unfortunately cybercriminals have adapted to these. As email security has improved, attackers have shifted their focus to other vulnerable entry points. Salesforce is one and has often been overlooked in security strategies. Relying on email security alone to protect Salesforce leaves organizations exposed to evolving cyber threats. 

Common issues with relying on email security for Salesforce 

• Phishing is no longer just an email problem – 26% of cyberattacks now exploit public-facing applications like Salesforce, according to IBM, meaning phishing attempts now bypass traditional email defenses entirely. 
• Salesforce lacks built-in anti-phishing and anti-malware protection – Unlike email, Salesforce does not have default security features to detect malicious files or links. Email security simply does not reach the platform once the threat enters it – and this can happen outside email, for example through Agentforce use cases and omni-channel suppirt flows.
• Users trust Salesforce more than email – Employees have been trained to spot phishing emails but may not expect the same threats inside Salesforce, making them more likely to fall for social engineering attacks. 
• Malware and phishing links spread within Salesforce – A file uploaded to a Salesforce record is out of email security solution’s reach. It can be shared across teams, spreading malware internally before detection. Phishing links embedded in Salesforce records can sit undetected, becoming malicious later. 
• API and integration risks – Salesforce connects with email, document-sharing platforms, and ERP systems, creating a broad attack surface that email security alone cannot protect. 

While email security is critical, it does not protect Salesforce against modern threats. A multi-layered approach is necessary – one that includes real-time threat detection within Salesforce to block malware and phishing attempts before they reach users.

Note: Relying on your last line of defense like the endpoint security solution alone, is also highly risky and insufficient.

WithSecure Cloud Protection for Salesforce: a native security solution 

A Salesforce-Native Security Solution for enterprises and public sector organizations 

WithSecure Cloud Protection for Salesforce is a 100% native security app, purpose-built to protect Salesforce environments against malware, ransomware, phishing, and evolving cyber threats. Unlike CASBs, open-source tools, DIY internal solutions, or non-native third-party security platforms, WithSecure™ provides real-time, automated protection with seamless Salesforce integration—without security gaps, performance slowdowns, or hidden costs. 

Advantages of WithSecure – purpose-built for Salesforce security: 

• Seamless native integration – Fully embedded within Salesforce, requiring no external dashboards, API-dependent scanning, or third-party hosting. Evolves in step with the platform, and offers trailblazing security capabilities for new use cases like Agentforce.

• True real-time protection – Instantly scans every file and URL before threats reach users. Prevents access to malicious files and phishing sites at the moment of click, blocking dormant threats before they become active. 

• Advanced multi-engine anti-malware – Stops both commodity malware and sophisticated targeted threats using layered detection techniques. 

• Sandboxing threat analysis for zero-day attacks – Detects emerging threats with behavioral analysis, not just signature-based scanning. 

• Real-time security visibility – In the event of a security incident, knowing exactly what files have been found malicious, all the locations for them, and which users are affected enables you to respond faster and more effectively, eventually minimizing damages. 

• Optimized for speed – Runs directly inside Salesforce with minimal latency, and no impact on workflows and user experience. 

• Fully automated – automated threat detection and response, and automated software updates. 

• Scalable for enterprise & public sector use – Protects multiple Salesforce orgs with centralized security controls, and global data residency options. 

• Compliance-ready security – ISO 27001 & ISAE 3000 (SOC 2 Type 2) certified, meeting regulatory demands for governments, financial services, healthcare, and critical industries. 

• Lower total cost of ownership (TCO) – Eliminates the hidden expenses of CASBs and non-native solutions – no extra hosting fees, no API charges, and no additional infrastructure needed. 

• Enterprise-grade support & dedicated security experts – Access to 24/7 technical support, a dedicated Customer Success Manager, and a strategic Salesforce security partnership. 

How to choose the right Salesforce security solution

Key questions security leaders must ask in 2025: 
 

• Who is the solution built for? Does it align with the security needs of large enterprises, government agencies, and highly targeted industries that demand advanced threat protection, compliance, and a trusted security partner? Or is it designed for smaller companies with only basic cybersecurity requirements? 

• Is the solution truly Salesforce-native? Does it fully operate within Salesforce, or does it require an external portal and API integrations, increasing complexity and potential vulnerabilities? 

• Does it provide real-time scanning? Can it detect and block threats instantly – or does it rely on scheduled or manual scans that leave security gaps? 

• Does is provide real-time visiblity? Does the solution offer real-time view into what is happening in the Salesforce environment? Does it offer an efficient way to filter out threats and security events? 

• How is data handled? Is all data processed within Salesforce, ensuring compliance and minimal exposure, or is it sent externally for analysis, increasing risk? 

• Does it meet compliance needs? Does the vendor hold and maintain SOC 2 Type 2, ISO 27001, and GDPR certifications—critical for regulated industries? 

• What level of support is provided? Is there 24/7 expert support for critical issues, or only basic ticketing with long response times? 

• Does the solution evolve in parallel with the Salesforce platform? Does the solution adapt to new platform capabilities like Agentforce? Or is it left behind, introducing security loopholes or hindering the roadmap?

• What expertise does the vendor have? Does the company have deep in-house cybersecurity knowledge and a proven track record in guiding customers through Salesforce security challenges? If a serious threat emerges, can they provide swift, expert remediation? 

• What is the overall service reliability? Does the vendor provide consistent, high-quality service, or is their offering fragmented and dependent on third-party providers? 

• How much automation does it offer? Is the solution seamless and fully automated, or does it require manual updates and maintenance? 

• What is the total cost of ownership (TCO)? Are there hidden costs, such as API usage fees, external hosting, or additional infrastructure requirements? 

Choosing the right security solution for Salesforce depends on the size, security maturity, and risk profile of your organization. Large enterprises, public sector entities, and highly targeted industries require a robust, reliable, and fully integrated security solution. They need a solution that is backed by a vendor with deep expertise and a commitment to long-term security and compliance.

Key takeaways: choosing Salesforce threat protection in 2025

• Go native: only in-platform protection delivers real-time scanning for files and links without exporting data.
• Plan for Agentforce: AI-driven workflows create new risks that non-native tools and CASBs can’t fully cover.
• Check compliance: look for ISAE 3000 Type 2, SOC 2 Type 2, ISO 27001, and strong data residency controls.
• Think beyond features: evaluate latency, hidden costs, and integration effort across your Salesforce roadmap.
• Prioritize resilience: the right choice simplifies Salesforce security while reducing enterprise risk.

Build a secure, resilient Salesforce environment

Salesforce is too critical – and too heavily targeted in 2025 – to rely on security tools built for other platforms. Email gateways, endpoint defenses, and even CASBs leave blind spots that attackers can exploit through file uploads, phishing links, and now autonomous Agentforce workflows.

The right answer is native Salesforce threat protection: real-time scanning inside the platform, seamless integration with your org, and proven compliance with standards like SOC 2 Type 2 and ISO 27001. Choosing wisely doesn’t just reduce risk — it makes security simpler, ensuring Salesforce continues to be both your most powerful business platform and your most resilient.

If you’re responsible for Salesforce security, the right choice is one that scales with your business, secures your data, and stays ahead of threats before they become breaches. WithSecure™ provides the expertise, technology, and committed support you need to safeguard your Salesforce environment as it scales and evolves.