Agent Security Console for Salesforce

Security for the AI agents running inside Salesforce.

Agentforce and external agents can read, change, and delete business-critical records on plain-language instructions. TrailSight inspects how those agents are configured, watches how they behave at runtime, and names the blind spots native tooling leaves behind — as prioritized findings your security team can act on.

  • Local & in-region analysis
  • Deterministic-first detection
  • Honest about blind spots

The visibility gap

AI agents in Salesforce open a security gap your current tooling wasn't built for.

Teams switch on agents for productivity — often without security in the room. Those agents act on natural-language prompts, reach data through OAuth-connected apps and APIs, and trigger actions that read, create, update, and delete records. The same flexibility that makes them useful is what makes them risky, and it doesn't map cleanly onto a config checklist or a static SIEM rule.

Two agent worlds, two risk profiles

Agentforce agents are native to Salesforce: you can see their instructions, allowed actions, and confirmation requirements. External agents connecting in over Hosted MCP are far thinner — you typically get the login and after-the-fact logs, but not a real-time, tool-by-tool account of what they did. Treating both the same is a mistake.

Not just another config scanner

Posture checks tell you how an agent is set up. They don't tell you whether a token is being abused, whether an agent is acting outside its declared scope, or whether a prompt-injection attempt just steered it off-script. TrailSight covers both configuration risk and runtime behavior.

Why SIEM and SSPM rules miss it

Generic Salesforce security reviews and SIEM correlation rules were written for users and integrations, not agentic behavior. They rarely model agent actions, MCP doorways, confirmation gates, or the link between a config change and the activity that follows it — so agentic risk slips through the seams.

Some activity arrives late — or never natively

Event logs can lag by hours, and for standard external agents the per-tool detail may never be visible from the platform alone. If you don't know where visibility stops, "no alerts" reads as "no risk" — exactly the assumption attackers rely on.

What TrailSight does

One console for configuration risk and runtime behavior — plus the blind spots in between.

TrailSight reads the configuration and activity Salesforce already produces, analyzes it for agent-specific risk, and turns it into findings with severity, business impact, the likely path, and a recommended fix. It answers three questions security teams keep asking: are these agents configured safely, are they behaving as expected, and what can't the platform see?

Configuration safety

Catch unsafe agent setups before they become incidents:

  • Agents that can delete or modify records with no confirmation gate
  • Over-permissive actions and vague action definitions
  • Trust Layer protections (prompt-injection, toxicity, PII masking) switched off
  • Over-broad OAuth scopes, long-lived tokens, weak login controls on connected apps
  • True blast radius from a running user's effective permissions, not just attached ones
  • Write-capable MCP doorways, newly enabled access, missing field-history coverage

Runtime behavior

Watch what agents actually do, and alert on what's off:

  • Mass reads of sensitive objects and out-of-hours data changes
  • Create-then-delete chains, failure streaks, and permission probing
  • An agent touching a new object, action, IP, or country for the first time
  • External agents acting outside their declared, approved scope
  • Logins from new origins for integration users
  • Risky config change correlated with the activity that follows it

Blind-spot honesty

Name what the platform can't see, and what to do about it:

  • Explicit findings when native real-time tool visibility isn't available
  • Distinguishes "no monitoring source exists" from "source returned nothing"
  • Recommends compensating controls — edge interception, custom telemetry, login monitoring
  • Flags missing log sources before you need them in an investigation
  • Never presents missing evidence as a confirmed risk

Built on the signals Salesforce already produces:

  • Agent & action definitions
  • Trust Layer settings
  • Connected app / OAuth posture
  • MCP server access
  • Setup Audit Trail
  • Event Monitoring logs
  • Real-Time login events
  • Field history settings
  • Conversation transcripts*

*Conversation-based prompt-injection review is available as an opt-in add-on.

Detection coverage

What TrailSight detects.

Coverage spans how agents are configured and how they behave — for both native Agentforce and external agents connecting in.

Dangerous agent configuration

Destructive actions with no confirmation, instruction-only guardrails, and agent setups that have drifted from their approved state.

Over-permissive actions & tools

Actions broader than the job needs, vague definitions an agent could misapply, and a description that doesn't match what an action really does.

Prompt-injection exposure

Trust Layer detection switched off while write-capable agents run, and — as an opt-in add-on — manipulation attempts inside agent conversations.

OAuth & connected app risk

Full-API scopes, long-lived or never-expiring tokens, missing modern login protections, relaxed approval, and admin-level reach for external apps.

Suspicious runtime behavior

Out-of-hours bursts, create-then-delete chains, failure streaks, and agents touching objects or actions they've never used before.

Data access anomalies

Mass reads of regulated objects and policy-threshold breaches — measured against each agent's learned normal and your own rate limits.

Trust Layer misconfiguration

Toxicity, prompt-injection, and PII-masking switches turned off; beta models on production data; AI processing allowed to fall back out of region.

External agent access paths

Write-capable MCP doorways, newly activated access, and the explicit blind spots that come with standard Hosted MCP traffic.

SOC-ready findings

Every finding carries severity, plain-language impact, evidence, and the affected component — structured and exportable for SOC and SIEM workflows.

How it works

From Salesforce signals to prioritized findings.

A read-first pipeline: TrailSight only reads the configuration and logs it collects — it never writes during analysis. Remediation, when you choose it, is deliberate and audited.

  1. Collect

    Securely gather agent and action definitions, Trust Layer and OAuth posture, MCP access, Setup Audit Trail, Event Monitoring logs, and login events — per org.

  2. Normalize

    Bring configuration and activity into one model, with a remembered baseline so changes and drift stand out from normal.

  3. Analyze

    Run deterministic, explainable checks on configuration and behavior first; reserve AI assistance for genuinely borderline judgment calls.

  4. Generate findings

    Produce business-readable findings with evidence, affected component, actor where known, and a recommended fix — duplicates merged.

  5. Prioritize

    Rank by impact-driven severity, with the reasoning and likely path spelled out so teams fix the most dangerous things first.

  6. Act & export

    Triage in the console, preview and apply safe single-setting fixes, and export findings into SOC and SIEM workflows — every action audited.

Why security teams use it

Turn Salesforce agent activity into something a SOC can actually work.

Find risky behavior before it's an incident

A purpose-built lens on agent activity surfaces dangerous setups and anomalous runtime patterns early — instead of reconstructing them after the fact.

Know which agents can reach what

See effective permissions, OAuth scope, and MCP capability per agent — the real blast radius, not just what's directly attached.

Separate exploitable risk from visibility gaps

Misconfiguration and platform blind spots are flagged distinctly, so teams invest in the right compensating controls rather than guessing.

Cut Salesforce noise into actionable findings

Impact-driven severity, plain-language explanations, and merged duplicates keep the board signal-rich instead of drowning analysts.

Govern Agentforce and external AI rollout

Multi-org coverage, persistent triage, and an audit trail give security a durable record as agent adoption scales across the estate.

Shorten the path to a fix

Deep links into Salesforce, zero-impact previews, and safe single-setting changes move teams from detection to resolution in one place.

Example findings

What a finding looks like.

Representative examples of the findings TrailSight produces. Severity reflects real impact — most issues are not Critical, and that's the point.

[Critical] External Agent · Configuration

External agent holds broad write/delete access with weak token controls

A connected app serving a Hosted MCP agent is granted full-API access with long-lived refresh tokens, and the only native real-time signal is its login.

Why it matters: a stolen or misused token inherits do-anything access with almost no forensic trail and no per-tool visibility to catch it in the act.

[High] Agentforce · Configuration

Agent action can delete records without a confirmation gate

A destructive action on a regulated object runs without human confirmation; the only guardrail is instruction text telling the agent not to.

Why it matters: a single misread or injected instruction can destroy or corrupt data, because written guardrails can be talked around and enforced gates can't.

[High] Org · Trust Layer

Prompt-injection detection disabled while write-capable agents are active

The org-wide prompt-injection control is switched off on an org running agents that can change records.

Why it matters: manipulated input can flow straight to the model and steer agent actions, with the safety net that would catch it turned off.

[Medium] External Agent · Configuration

Write-capable MCP doorway enabled since the last scan

An external-AI connection that can create, update, or delete records was switched on after the previous baseline — new write capability appearing between reviews.

Why it matters: write access for an external agent should be deliberately justified and watched. A doorway that opens quietly is exactly the change a security team needs to catch early.

[Low] Org · Audit coverage

Field history tracking off on a regulated object with a write-capable agent

History tracking is disabled on an object an active write-capable agent can modify, so record changes leave no field-level trail.

Why it matters: without history, agent-driven changes to regulated data can't be reconstructed for audit or forensics.

Built for governed environments

Designed for regulated, Salesforce-heavy enterprises.

TrailSight fits where agent governance is non-negotiable — financial services and banking, healthcare, public sector, and large regulated enterprises — and where security needs auditability, isolation, and a controlled rollout.

  • Local & in-region by design. Analysis stays within your environment and region; AI assistance respects regional processing.
  • Credentials kept out of the product database. Stored only in a secured secrets store, never in app data.
  • Strict per-org isolation. Each org keeps its own data, findings, and history, with least-privilege role-based access.
  • Auditable end to end. Durable triage history plus a full record of every remediation action.
  • Controlled data lifecycle. Reversible disconnect, or an irreversible, type-to-confirm erasure for a single org.

Target environments, not customer claims — we don't publish customer names or logos.

See what your agents are doing in Salesforce.

Tell us about your Salesforce estate and the agents you're rolling out, and we'll walk you through what TrailSight surfaces — configuration risk, runtime anomalies, and the blind spots you'll want compensating controls for.