Salesforce-native security, end to end

Security Platform for Salesforce

Deploy Salesforce with Confidence

TrailSight brings AI Agent Security, automated penetration testing, compliance evidence, and Salesforce SAST into one platform — starting with deep Agentforce and external MCP visibility, honest blind-spot reporting, and SOC-ready findings.

  • Connect in minutes — agentless, OAuth, read only
  • Deterministic first detection you can explain
  • Honest about blind spots — it won't cry wolf

Why now

The Threat Is No Longer Theoretical

AI agents and third-party integrations have already turned Salesforce into an exfiltration path in the wild. The category of risk is real — and the parts you configure are yours to secure.

The platform

Four Modules, One Platform

TrailSight starts with deep AI-agent visibility and extends across the Salesforce security lifecycle: runtime behavior, exploitable configuration risk, compliance evidence, and shift-left code/config analysis.

Automated Penetration Testing

Early access

The Differentiator

Continuous attack simulations against your Salesforce configuration — proving which weaknesses are actually exploitable, before attackers do.

How it works — Automated Penetration Testing

Monitoring shows symptoms; we attack. TrailSight runs adversarial scenarios modeled on real Salesforce attack paths — prompt-injection chains, over-permissioned integrations, sharing-rule escalations.

Every finding is ranked by exploitability, not theory: what an attacker could reach, through which path, and what closes it.

Compliance

From Agent Behavior to Audit Evidence

Maps what your agents actually do — not just configs — to SOC 2, GDPR, HIPAA, the EU AI Act and Israel's Privacy Protection Law. Board-ready reports in one click.

How it works — Compliance

Auditors and regulators now ask how you control AI access to data. "We trust Salesforce" is not an answer — evidence from real agent behavior is.

TrailSight continuously maps observed agent activity and permissions to the controls each framework expects, and flags the gaps in plain language.

One-click reports give your board, your auditor and your customers' vendor reviews the same independent evidence.

SAST

Early access

Shift-Left for Salesforce

Static analysis of Apex code, flows and configuration — catching security issues before they ever reach production.

How it works — SAST

Agent risk starts before runtime: an insecure flow or over-broad Apex class becomes an agent's capability the moment it ships.

TrailSight scans code, flows and config changes in your pipeline and reports findings in Salesforce language — Profiles, FLS, sharing rules — with concrete remediation steps.

Together with runtime analysis, this closes the loop: issues caught pre-production, behavior verified post-deployment.

The visibility gap

AI agents in Salesforce open a security gap your current tooling wasn't built for.

Teams switch on agents for productivity — often without security in the room. Those agents act on natural-language prompts, reach data through OAuth-connected apps and APIs, and trigger actions that read, create, update, and delete records. The same flexibility that makes them useful is what makes them risky, and it doesn't map cleanly onto a config checklist or a static SIEM rule.

Two agent worlds, two risk profiles

Agentforce agents are native to Salesforce: you can see their instructions, allowed actions, and confirmation requirements. External agents connecting in over Hosted MCP are far thinner — you typically get the login and after-the-fact logs, but not a real-time, tool-by-tool account of what they did. Treating both the same is a mistake.

Not just another config scanner

Posture checks tell you how an agent is set up. They don't tell you whether a token is being abused, whether an agent is acting outside its declared scope, or whether a prompt-injection attempt just steered it off-script. TrailSight covers both configuration risk and runtime behavior.

Why SIEM and SSPM rules miss it

Generic Salesforce security reviews and SIEM correlation rules were written for users and integrations, not agentic behavior. They rarely model agent actions, MCP doorways, confirmation gates, or the link between a config change and the activity that follows it — so agentic risk slips through the seams.

Some activity arrives late — or never natively

Event logs can lag by hours, and for standard external agents the per-tool detail may never be visible from the platform alone. If you don't know where visibility stops, "no alerts" reads as "no risk" — exactly the assumption attackers rely on.

Detection coverage

What TrailSight detects.

TrailSight answers the three questions security teams need before Salesforce agents scale: are they configured safely, are they behaving as expected, and what can't the platform see?

Are they configured safely?

Dangerous agent configuration

Destructive actions with no confirmation, instruction-only guardrails, and agent setups that drift from their approved state.

Over-permissive actions & tools

Actions broader than the job needs, vague definitions an agent could misapply, and tools whose description does not match what they really do.

OAuth & connected app risk

Full-API scopes, long-lived or never-expiring tokens, missing modern login protections, relaxed approval, and admin-level reach for external apps.

Trust Layer misconfiguration

Toxicity, prompt-injection, and PII-masking controls switched off; risky model/data processing settings where applicable.

External agent access paths

Write-capable MCP doorways, newly activated access, and explicit visibility gaps that come with standard Hosted MCP traffic.

Are they behaving as expected?

Suspicious runtime behavior

Out-of-hours bursts, create-then-delete chains, failure streaks, permission probing, and agents touching objects or actions they have never used before.

Data access anomalies

Mass reads of regulated objects and policy-threshold breaches measured against each agent's learned normal and customer-defined limits.

Prompt-injection exposure

Trust Layer detection disabled while write-capable agents run, and opt-in review of manipulation attempts inside agent conversations where available.

What can't the platform see?

  • Explicit findings when native real-time tool visibility is unavailable.
  • Distinguishes “no monitoring source exists” from “source returned nothing.”
  • Recommends compensating controls such as edge interception, custom telemetry, and login monitoring.
  • Flags missing log sources before they are needed in an investigation.
  • Never presents missing evidence as confirmed risk.

Built on the signals Salesforce already produces:

  • Agent & action definitions
  • Trust Layer settings
  • Connected app / OAuth posture
  • MCP server access
  • Setup Audit Trail
  • Event Monitoring logs
  • Real-Time login events
  • Field history settings
  • Conversation transcripts*

*Conversation-based prompt-injection review is available as an opt-in add-on.

Every finding is SOC ready

Every finding carries severity, plain-language impact, evidence, affected component, likely path, and recommended fix — structured and exportable for SOC and SIEM workflows.

How it works

From Salesforce signals to prioritized findings.

A read-first pipeline: TrailSight only reads the configuration and logs it collects — it never writes during analysis. Remediation, when you choose it, is deliberate and audited.

  1. 1

    Collect

    Securely gather agent and action definitions, Trust Layer and OAuth posture, MCP access, Setup Audit Trail, Event Monitoring logs, and login events — per org.

  2. 2

    Normalize

    Bring configuration and activity into one model, with a remembered baseline so changes and drift stand out from normal.

  3. 3

    Analyze

    Run deterministic, explainable checks on configuration and behavior first; reserve AI assistance for genuinely borderline judgment calls.

  4. 4

    Generate findings

    Produce business-readable findings with evidence, affected component, actor where known, and a recommended fix — duplicates merged.

  5. 5

    Prioritize

    Rank by impact-driven severity, with the reasoning and likely path spelled out so teams fix the most dangerous things first.

  6. 6

    Act & export

    Triage in the console, preview and apply safe single-setting fixes, and export findings into SOC and SIEM workflows — every action audited.

Why security teams use it

Catch agent risk while it's still a setting — not an incident.

Find the dangerous setups first

Over-scoped tokens and confirmation-free delete actions are where agent incidents begin — TrailSight surfaces them as a config finding, long before they become a forensics case.

Know exactly what each agent can reach

Effective permissions, OAuth scope, and MCP capability per agent — the real blast radius, so a compromised agent never reaches further than you thought.

Spend your controls where they matter

Exploitable misconfiguration and platform blind spots are flagged distinctly, so you invest in the right compensating controls instead of guessing.

Give analysts findings, not noise

Impact-driven severity, plain-language impact, and merged duplicates — the SOC works the handful that matter, not hundreds of raw events.

Prove agent governance as it scales

Multi-org coverage, persistent triage, and a full audit trail — a defensible record for every org, every auditor, every board review.

Example findings

What a finding looks like.

Representative examples of the findings TrailSight produces. Severity reflects real impact — most issues are not Critical, and that's the point.

Critical External Agent · Configuration

External agent holds broad write/delete access with weak token controls

A connected app serving a Hosted MCP agent is granted full-API access with long-lived refresh tokens, and the only native real-time signal is its login.

Why it matters: a stolen or misused token inherits do-anything access with almost no forensic trail and no per-tool visibility to catch it in the act.

High Agentforce · Configuration

Agent action can delete records without a confirmation gate

A destructive action on a regulated object runs without human confirmation; the only guardrail is instruction text telling the agent not to.

Why it matters: a single misread or injected instruction can destroy or corrupt data, because written guardrails can be talked around and enforced gates can't.

High Org · Trust Layer

Prompt-injection detection disabled while write-capable agents are active

The org-wide prompt-injection control is switched off on an org running agents that can change records.

Why it matters: manipulated input can flow straight to the model and steer agent actions, with the safety net that would catch it turned off.

Medium External Agent · Configuration

Write-capable MCP doorway enabled since the last scan

An external-AI connection that can create, update, or delete records was switched on after the previous baseline — new write capability appearing between reviews.

Why it matters: write access for an external agent should be deliberately justified and watched. A doorway that opens quietly is exactly the change a security team needs to catch early.

Low Org · Audit coverage

Field history tracking off on a regulated object with a write-capable agent

History tracking is disabled on an object an active write-capable agent can modify, so record changes leave no field-level trail.

Why it matters: without history, agent-driven changes to regulated data can't be reconstructed for audit or forensics.

Security by design

Enterprise-grade security, without the enterprise lift.

TrailSight gives growing Salesforce teams the controls usually reserved for large security organizations — auditability, isolation, and a controlled rollout — even when agent governance is non-negotiable for compliance.

  • Local & in-region by design. Analysis stays within your environment and region; AI assistance respects regional processing.
  • Credentials kept out of the product database. Stored only in a secured secrets store, never in app data.
  • Strict per-org isolation. Each org keeps its own data, findings, and history, with least-privilege role-based access.
  • Auditable end to end. Durable triage history plus a full record of every remediation action.
  • Controlled data lifecycle. Reversible disconnect, or an irreversible, type-to-confirm erasure for a single org.

Customer confidentiality by design — we never publish who we protect. Read more about how we handle your data on the Trust & Security page.

Founding team

Built by operators, not first-timers.

TrailSight's founding team combines multiple ventures built and exited, decades of enterprise security and IT leadership — including CIO and CTO roles — and deep, hands-on Salesforce security and offensive-testing expertise. The same depth large security organizations rely on, focused now on the agent risk surface inside Salesforce.

  • Multiple ventures built & exited
  • Enterprise security leadership — CIO / CTO
  • Salesforce-deep, offensive-testing expertise

Request a demo

See what your Salesforce AI agents can actually do.

Tell us about your estate and the agents you're rolling out. We'll walk you through what TrailSight surfaces — configuration risk, runtime anomalies, and the blind spots you'll want compensating controls for.

  • Connect in minutes — agentless, OAuth, read-only.
  • Nothing is written to your org during analysis.
  • A real walkthrough, not a slideshow.
trailsight · request a demo
Agents in use

We use your details only to arrange your demo — see our Privacy Policy. Required.