SaaS Security Posture Management (SSPM)
Roadmap — read-only posture, MFA/SSO, external-exposure, and identity checks across business SaaS, with OAuth-app and shadow-SaaS enumeration as the headline capability.
SaaS Security Posture Management (SSPM)
Roadmap — not yet available. SSPM is a planned capability documented here for direction. It builds on the shipped connector framework, identity analysis, and compliance engine, but the SSPM engine itself is not yet available.
SSPM adds the business-SaaS pillar alongside cloud (CSPM/CIEM), data (DSPM), and AI (AI-SPM) posture. It is designed to connect read-only to your SaaS estate and surface misconfigurations, weak authentication, risky third-party app grants, and over-exposed data — with OAuth-app and shadow-SaaS enumeration as the headline capability.
Planned coverage
Each SaaS provider will be a read-only connector on the existing framework. Planned providers include Microsoft 365 / Entra, Google Workspace, and Okta first, then Slack, GitHub org, Salesforce, Zoom, Atlassian, and Snowflake.
| Check family | Examples |
|---|---|
| Config posture | External sharing defaults, legacy/basic auth allowed, weak session/token policy, audit-log enablement, admin-console hardening |
| MFA / SSO gaps | Admin without MFA (critical), users without MFA, SSO bypass allowed, legacy-auth MFA bypass |
| OAuth apps / shadow-SaaS | Over-scoped, dormant, unknown-publisher, high-risk-scope-combination, and non-admin-installed-tenant-wide app grants — the headline |
| Identity risk | Over-privileged and dormant admins (via reused CIEM analysis), orphaned/guest/stale accounts, cross-app admin view |
| External exposure | World/link-shared files, external Slack Connect, public Salesforce sites, public Zoom recordings, open Confluence spaces, external Snowflake shares |
OAuth-app risk scoring (planned)
The headline capability scores every third-party OAuth grant in a connected provider on weighted factors — high-risk scope combinations, over-scoping, unknown publisher, non-admin tenant-wide installs, and dormancy. A dormant, tenant-wide, unknown-publisher app is the canonical high-risk case; high-scoring apps produce a finding with the exact provider admin path to revoke the grant. (Enumerating apps within connected providers is in scope; discovering entirely unconnected SaaS is a later extension.)
Safety model (planned)
SSPM is designed read-only and least-privilege throughout:
- Read-only scopes only — a connector requesting any write/modify scope is refused at registration; requesting write scope is treated as a defect.
- Credentials from the secret store — never persisted, never logged, redacted in every log line.
- OAuth consent is a documented user action — the code never automates a grant.
- No raw SaaS content stored — evidence is a redacted setting name plus value class and a resource reference, never file or message content.
When it ships
Posture issues will surface as sspm findings in the single findings store, inventory in its own tenant-scoped indexes, and checks will map to SOC 2, ISO 27001, and CIS-for-SaaS through the reused compliance engine. The engine will be gated by the ff.sspm feature flag.
Related
- DSPM — the data-posture pillar, available today.
- AI-SPM — the AI-posture pillar, available today.
- Connectors — the connector framework SSPM extends.
- Compliance — the framework engine SSPM maps into.
- Unified Findings & Feature Flags — where SSPM findings land.
CTEM & EASM
Roadmap — external attack-surface management plus a Gartner-style continuous threat exposure management program that unifies every engine's findings into one prioritized, exploitability-validated exposure list.
Identity Threat Detection (ITDR) & DLP
Roadmap — identity-attack detection (MFA fatigue, impossible travel, token theft, privilege escalation) with approval-gated response, plus data-loss prevention that reuses the DSPM classifier at the AI gateway, API, and export paths.