AI Agent Security for Salesforce

See what your Salesforce AI agents can actually do.

Agentforce and external agents read, change, and delete business critical records on plain language prompts — usually switched on without security in the loop. Connect TrailSight in minutes, agentless and read only, and get prioritized, SOC ready findings on how your agents are configured, how they behave, and the blind spots native tooling leaves behind.

  • Connect in minutes — agentless, OAuth, read only
  • Deterministic first detection you can explain
  • Honest about blind spots — it won't cry wolf

The visibility gap

AI agents in Salesforce open a security gap your current tooling wasn't built for.

Teams switch on agents for productivity — often without security in the room. Those agents act on natural-language prompts, reach data through OAuth-connected apps and APIs, and trigger actions that read, create, update, and delete records. The same flexibility that makes them useful is what makes them risky, and it doesn't map cleanly onto a config checklist or a static SIEM rule.

Two agent worlds, two risk profiles

Agentforce agents are native to Salesforce: you can see their instructions, allowed actions, and confirmation requirements. External agents connecting in over Hosted MCP are far thinner — you typically get the login and after-the-fact logs, but not a real-time, tool-by-tool account of what they did. Treating both the same is a mistake.

Not just another config scanner

Posture checks tell you how an agent is set up. They don't tell you whether a token is being abused, whether an agent is acting outside its declared scope, or whether a prompt-injection attempt just steered it off-script. TrailSight covers both configuration risk and runtime behavior.

Why SIEM and SSPM rules miss it

Generic Salesforce security reviews and SIEM correlation rules were written for users and integrations, not agentic behavior. They rarely model agent actions, MCP doorways, confirmation gates, or the link between a config change and the activity that follows it — so agentic risk slips through the seams.

Some activity arrives late — or never natively

Event logs can lag by hours, and for standard external agents the per-tool detail may never be visible from the platform alone. If you don't know where visibility stops, "no alerts" reads as "no risk" — exactly the assumption attackers rely on.

Detection coverage

What TrailSight detects.

TrailSight answers the three questions security teams need before Salesforce agents scale: are they configured safely, are they behaving as expected, and what can't the platform see?

Are they configured safely?

Dangerous agent configuration

Destructive actions with no confirmation, instruction-only guardrails, and agent setups that drift from their approved state.

Over-permissive actions & tools

Actions broader than the job needs, vague definitions an agent could misapply, and tools whose description does not match what they really do.

OAuth & connected app risk

Full-API scopes, long-lived or never-expiring tokens, missing modern login protections, relaxed approval, and admin-level reach for external apps.

Trust Layer misconfiguration

Toxicity, prompt-injection, and PII-masking controls switched off; risky model/data processing settings where applicable.

External agent access paths

Write-capable MCP doorways, newly activated access, and explicit visibility gaps that come with standard Hosted MCP traffic.

Are they behaving as expected?

Suspicious runtime behavior

Out-of-hours bursts, create-then-delete chains, failure streaks, permission probing, and agents touching objects or actions they have never used before.

Data access anomalies

Mass reads of regulated objects and policy-threshold breaches measured against each agent's learned normal and customer-defined limits.

Prompt-injection exposure

Trust Layer detection disabled while write-capable agents run, and opt-in review of manipulation attempts inside agent conversations where available.

What can't the platform see?

  • Explicit findings when native real-time tool visibility is unavailable.
  • Distinguishes “no monitoring source exists” from “source returned nothing.”
  • Recommends compensating controls such as edge interception, custom telemetry, and login monitoring.
  • Flags missing log sources before they are needed in an investigation.
  • Never presents missing evidence as confirmed risk.

Built on the signals Salesforce already produces:

  • Agent & action definitions
  • Trust Layer settings
  • Connected app / OAuth posture
  • MCP server access
  • Setup Audit Trail
  • Event Monitoring logs
  • Real-Time login events
  • Field history settings
  • Conversation transcripts*

*Conversation-based prompt-injection review is available as an opt-in add-on.

Every finding is SOC ready

Every finding carries severity, plain-language impact, evidence, affected component, likely path, and recommended fix — structured and exportable for SOC and SIEM workflows.

How it works

From Salesforce signals to prioritized findings.

A read-first pipeline: TrailSight only reads the configuration and logs it collects — it never writes during analysis. Remediation, when you choose it, is deliberate and audited.

  1. 1

    Collect

    Securely gather agent and action definitions, Trust Layer and OAuth posture, MCP access, Setup Audit Trail, Event Monitoring logs, and login events — per org.

  2. 2

    Normalize

    Bring configuration and activity into one model, with a remembered baseline so changes and drift stand out from normal.

  3. 3

    Analyze

    Run deterministic, explainable checks on configuration and behavior first; reserve AI assistance for genuinely borderline judgment calls.

  4. 4

    Generate findings

    Produce business-readable findings with evidence, affected component, actor where known, and a recommended fix — duplicates merged.

  5. 5

    Prioritize

    Rank by impact-driven severity, with the reasoning and likely path spelled out so teams fix the most dangerous things first.

  6. 6

    Act & export

    Triage in the console, preview and apply safe single-setting fixes, and export findings into SOC and SIEM workflows — every action audited.

Why security teams use it

Catch agent risk while it's still a setting — not an incident.

Find the dangerous setups first

Over-scoped tokens and confirmation-free delete actions are where agent incidents begin — TrailSight surfaces them as a config finding, long before they become a forensics case.

Know exactly what each agent can reach

Effective permissions, OAuth scope, and MCP capability per agent — the real blast radius, so a compromised agent never reaches further than you thought.

Spend your controls where they matter

Exploitable misconfiguration and platform blind spots are flagged distinctly, so you invest in the right compensating controls instead of guessing.

Give analysts findings, not noise

Impact-driven severity, plain-language impact, and merged duplicates — the SOC works the handful that matter, not hundreds of raw events.

Prove agent governance as it scales

Multi-org coverage, persistent triage, and a full audit trail — a defensible record for every org, every auditor, every board review.

Example findings

What a finding looks like.

Representative examples of the findings TrailSight produces. Severity reflects real impact — most issues are not Critical, and that's the point.

Critical External Agent · Configuration

External agent holds broad write/delete access with weak token controls

A connected app serving a Hosted MCP agent is granted full-API access with long-lived refresh tokens, and the only native real-time signal is its login.

Why it matters: a stolen or misused token inherits do-anything access with almost no forensic trail and no per-tool visibility to catch it in the act.

High Agentforce · Configuration

Agent action can delete records without a confirmation gate

A destructive action on a regulated object runs without human confirmation; the only guardrail is instruction text telling the agent not to.

Why it matters: a single misread or injected instruction can destroy or corrupt data, because written guardrails can be talked around and enforced gates can't.

High Org · Trust Layer

Prompt-injection detection disabled while write-capable agents are active

The org-wide prompt-injection control is switched off on an org running agents that can change records.

Why it matters: manipulated input can flow straight to the model and steer agent actions, with the safety net that would catch it turned off.

Medium External Agent · Configuration

Write-capable MCP doorway enabled since the last scan

An external-AI connection that can create, update, or delete records was switched on after the previous baseline — new write capability appearing between reviews.

Why it matters: write access for an external agent should be deliberately justified and watched. A doorway that opens quietly is exactly the change a security team needs to catch early.

Low Org · Audit coverage

Field history tracking off on a regulated object with a write-capable agent

History tracking is disabled on an object an active write-capable agent can modify, so record changes leave no field-level trail.

Why it matters: without history, agent-driven changes to regulated data can't be reconstructed for audit or forensics.

Security by design

Enterprise-grade security, without the enterprise lift.

TrailSight gives growing Salesforce teams the controls usually reserved for large security organizations — auditability, isolation, and a controlled rollout — even when agent governance is non-negotiable for compliance.

  • Local & in-region by design. Analysis stays within your environment and region; AI assistance respects regional processing.
  • Credentials kept out of the product database. Stored only in a secured secrets store, never in app data.
  • Strict per-org isolation. Each org keeps its own data, findings, and history, with least-privilege role-based access.
  • Auditable end to end. Durable triage history plus a full record of every remediation action.
  • Controlled data lifecycle. Reversible disconnect, or an irreversible, type-to-confirm erasure for a single org.

We don't publish customer names or logos. Read more about how we handle your data on the Trust & Security page.

Founding team

Built by operators, not first-timers.

TrailSight's founding team combines multiple ventures built and exited, decades of enterprise security and IT leadership — including CIO and CTO roles — and deep, hands-on Salesforce security and offensive-testing expertise. The same depth large security organizations rely on, focused now on the agent risk surface inside Salesforce.

  • Multiple ventures built & exited
  • Enterprise security leadership — CIO / CTO
  • Salesforce-deep, offensive-testing expertise

Request a demo

See what your Salesforce AI agents can actually do.

Tell us about your estate and the agents you're rolling out. We'll walk you through what TrailSight surfaces — configuration risk, runtime anomalies, and the blind spots you'll want compensating controls for.

  • Connect in minutes — agentless, OAuth, read-only.
  • Nothing is written to your org during analysis.
  • A real walkthrough, not a slideshow.
trailsight · request a demo
Agents in use

We use your details only to arrange your demo — see our Privacy Policy. Required.