9.4 CVSS
ForcedLeak (2025)
A critical Agentforce flaw let attackers exfiltrate CRM data via indirect prompt injection.
Source: Noma Security (opens in new tab)Salesforce-native security, end to end
Deploy Salesforce with Confidence
TrailSight brings AI Agent Security, automated penetration testing, compliance evidence, and Salesforce SAST into one platform — starting with deep Agentforce and external MCP visibility, honest blind-spot reporting, and SOC-ready findings.
Why now
AI agents and third-party integrations have already turned Salesforce into an exfiltration path in the wild. The category of risk is real — and the parts you configure are yours to secure.
9.4 CVSS
A critical Agentforce flaw let attackers exfiltrate CRM data via indirect prompt injection.
Source: Noma Security (opens in new tab)700+ orgs
One compromised AI chat integration exposed Salesforce data across 700+ organizations — a broad sweep of technology and enterprise firms.
Source: Google Threat Intelligence (opens in new tab)On You
Agent permissions, FLS and sharing rules are your responsibility — not Salesforce's.
Source: Salesforce (opens in new tab)The platform
TrailSight starts with deep AI-agent visibility and extends across the Salesforce security lifecycle: runtime behavior, exploitable configuration risk, compliance evidence, and shift-left code/config analysis.
Real-time analysis of agent queries and logs. Detects and alerts on prompt injection, permission bypass and PII leaks — in near-real-time.
Every AI agent in your org — Agentforce and external agents connecting over MCP — is analyzed for what it can actually read, change and delete, and for how it behaves in practice.
TrailSight reviews agent activity out-of-band: zero added latency, zero impact on your users, nothing written to your org during analysis.
Findings are honest about coverage: where visibility ends (encrypted payloads, off-platform hops), we say so — no false confidence, no crying wolf.
The Differentiator
Continuous attack simulations against your Salesforce configuration — proving which weaknesses are actually exploitable, before attackers do.
Monitoring shows symptoms; we attack. TrailSight runs adversarial scenarios modeled on real Salesforce attack paths — prompt-injection chains, over-permissioned integrations, sharing-rule escalations.
Every finding is ranked by exploitability, not theory: what an attacker could reach, through which path, and what closes it.
Simulations are safe by design — they run against your org's configuration and metadata, never against production data or live users.
From Agent Behavior to Audit Evidence
Maps what your agents actually do — not just configs — to SOC 2, GDPR, HIPAA, the EU AI Act and Israel's Privacy Protection Law. Board-ready reports in one click.
Auditors and regulators now ask how you control AI access to data. "We trust Salesforce" is not an answer — evidence from real agent behavior is.
TrailSight continuously maps observed agent activity and permissions to the controls each framework expects, and flags the gaps in plain language.
One-click reports give your board, your auditor and your customers' vendor reviews the same independent evidence.
Shift-Left for Salesforce
Static analysis of Apex code, flows and configuration — catching security issues before they ever reach production.
Agent risk starts before runtime: an insecure flow or over-broad Apex class becomes an agent's capability the moment it ships.
TrailSight scans code, flows and config changes in your pipeline and reports findings in Salesforce language — Profiles, FLS, sharing rules — with concrete remediation steps.
Together with runtime analysis, this closes the loop: issues caught pre-production, behavior verified post-deployment.
The visibility gap
Teams switch on agents for productivity — often without security in the room. Those agents act on natural-language prompts, reach data through OAuth-connected apps and APIs, and trigger actions that read, create, update, and delete records. The same flexibility that makes them useful is what makes them risky, and it doesn't map cleanly onto a config checklist or a static SIEM rule.
Agentforce agents are native to Salesforce: you can see their instructions, allowed actions, and confirmation requirements. External agents connecting in over Hosted MCP are far thinner — you typically get the login and after-the-fact logs, but not a real-time, tool-by-tool account of what they did. Treating both the same is a mistake.
Posture checks tell you how an agent is set up. They don't tell you whether a token is being abused, whether an agent is acting outside its declared scope, or whether a prompt-injection attempt just steered it off-script. TrailSight covers both configuration risk and runtime behavior.
Generic Salesforce security reviews and SIEM correlation rules were written for users and integrations, not agentic behavior. They rarely model agent actions, MCP doorways, confirmation gates, or the link between a config change and the activity that follows it — so agentic risk slips through the seams.
Event logs can lag by hours, and for standard external agents the per-tool detail may never be visible from the platform alone. If you don't know where visibility stops, "no alerts" reads as "no risk" — exactly the assumption attackers rely on.
Detection coverage
TrailSight answers the three questions security teams need before Salesforce agents scale: are they configured safely, are they behaving as expected, and what can't the platform see?
Destructive actions with no confirmation, instruction-only guardrails, and agent setups that drift from their approved state.
Actions broader than the job needs, vague definitions an agent could misapply, and tools whose description does not match what they really do.
Full-API scopes, long-lived or never-expiring tokens, missing modern login protections, relaxed approval, and admin-level reach for external apps.
Toxicity, prompt-injection, and PII-masking controls switched off; risky model/data processing settings where applicable.
Write-capable MCP doorways, newly activated access, and explicit visibility gaps that come with standard Hosted MCP traffic.
Out-of-hours bursts, create-then-delete chains, failure streaks, permission probing, and agents touching objects or actions they have never used before.
Mass reads of regulated objects and policy-threshold breaches measured against each agent's learned normal and customer-defined limits.
Trust Layer detection disabled while write-capable agents run, and opt-in review of manipulation attempts inside agent conversations where available.
Built on the signals Salesforce already produces:
*Conversation-based prompt-injection review is available as an opt-in add-on.
Every finding carries severity, plain-language impact, evidence, affected component, likely path, and recommended fix — structured and exportable for SOC and SIEM workflows.
How it works
A read-first pipeline: TrailSight only reads the configuration and logs it collects — it never writes during analysis. Remediation, when you choose it, is deliberate and audited.
Securely gather agent and action definitions, Trust Layer and OAuth posture, MCP access, Setup Audit Trail, Event Monitoring logs, and login events — per org.
Bring configuration and activity into one model, with a remembered baseline so changes and drift stand out from normal.
Run deterministic, explainable checks on configuration and behavior first; reserve AI assistance for genuinely borderline judgment calls.
Produce business-readable findings with evidence, affected component, actor where known, and a recommended fix — duplicates merged.
Rank by impact-driven severity, with the reasoning and likely path spelled out so teams fix the most dangerous things first.
Triage in the console, preview and apply safe single-setting fixes, and export findings into SOC and SIEM workflows — every action audited.
Why security teams use it
Over-scoped tokens and confirmation-free delete actions are where agent incidents begin — TrailSight surfaces them as a config finding, long before they become a forensics case.
Effective permissions, OAuth scope, and MCP capability per agent — the real blast radius, so a compromised agent never reaches further than you thought.
Exploitable misconfiguration and platform blind spots are flagged distinctly, so you invest in the right compensating controls instead of guessing.
Impact-driven severity, plain-language impact, and merged duplicates — the SOC works the handful that matter, not hundreds of raw events.
Multi-org coverage, persistent triage, and a full audit trail — a defensible record for every org, every auditor, every board review.
Example findings
Representative examples of the findings TrailSight produces. Severity reflects real impact — most issues are not Critical, and that's the point.
A connected app serving a Hosted MCP agent is granted full-API access with long-lived refresh tokens, and the only native real-time signal is its login.
Why it matters: a stolen or misused token inherits do-anything access with almost no forensic trail and no per-tool visibility to catch it in the act.
A destructive action on a regulated object runs without human confirmation; the only guardrail is instruction text telling the agent not to.
Why it matters: a single misread or injected instruction can destroy or corrupt data, because written guardrails can be talked around and enforced gates can't.
The org-wide prompt-injection control is switched off on an org running agents that can change records.
Why it matters: manipulated input can flow straight to the model and steer agent actions, with the safety net that would catch it turned off.
An external-AI connection that can create, update, or delete records was switched on after the previous baseline — new write capability appearing between reviews.
Why it matters: write access for an external agent should be deliberately justified and watched. A doorway that opens quietly is exactly the change a security team needs to catch early.
History tracking is disabled on an object an active write-capable agent can modify, so record changes leave no field-level trail.
Why it matters: without history, agent-driven changes to regulated data can't be reconstructed for audit or forensics.
Security by design
TrailSight gives growing Salesforce teams the controls usually reserved for large security organizations — auditability, isolation, and a controlled rollout — even when agent governance is non-negotiable for compliance.
Customer confidentiality by design — we never publish who we protect. Read more about how we handle your data on the Trust & Security page.
Founding team
TrailSight's founding team combines multiple ventures built and exited, decades of enterprise security and IT leadership — including CIO and CTO roles — and deep, hands-on Salesforce security and offensive-testing expertise. The same depth large security organizations rely on, focused now on the agent risk surface inside Salesforce.
Request a demo
Tell us about your estate and the agents you're rolling out. We'll walk you through what TrailSight surfaces — configuration risk, runtime anomalies, and the blind spots you'll want compensating controls for.