SaaS breaches

According to Obsidian Security’s 2025 SaaS Security Threat Report, SaaS breaches have increased by 300% over the past year. That’s not a small bump; it’s a surge that signals a major shift in cyber threats. This rapid growth aligns with the rise of SaaS (Software as a Service) adoption. As companies invest heavily in tools like Workday, Google Workspace, ServiceNow, and Office 365, the security challenge grows exponentially.

Think about it: Businesses are spending roughly $8,700 per employee on these services annually. It’s efficient and scalable, sure. But with each new service comes a potential entry point for attackers. Major players like Microsoft and AT&T have already been hit by these breaches. If it can happen to them, it can happen to anyone.

It’s not just about recognizing the risk; it’s about acting fast and staying ahead. The more you lean into digital transformation, the more you have to prioritize security as part of the same strategy, not an afterthought.

Identity providers

Here’s the thing: 99% of these SaaS breaches don’t start with someone hacking your core systems. They begin at the identity provider (IdP) level. For those not familiar, an IdP is like the gatekeeper for your digital identity, managing user credentials and controlling who gets access to what. If the IdP is compromised, attackers can essentially walk through every connected system without raising alarms.

Once inside, they can move laterally across systems, spreading from one to another, stealing data, gaining control, and creating chaos. This isn’t just a theoretical scenario; it’s happening in real time. Securing your IdPs and making sure they’re protected with more than basic defenses is now essential. Forget the traditional walls and fences; focus on identity first.

Glenn Chisholm, Chief Product Officer at Obsidian Security, puts it simply: “Securing the identity and its dynamic relationship with services and applications should be the first task for every security team.” He’s right. If you miss this, the rest won’t matter.

MFA is good, but it’s not enough

Multi-Factor Authentication (MFA) is one of the most popular security tools out there. It’s been sold as a must-have for keeping systems secure, and for good reason. MFA requires users to verify their identity in multiple ways: a password, a text message code, a biometric scan. That’s powerful protection against basic attacks, but here’s the reality: It’s not foolproof.

Obsidian’s report shows that over 84% of SaaS breaches involved cases where MFA failed. Attackers are getting smarter, using phishing, social engineering, and even technical loopholes to bypass these defenses.

The solution? Think beyond single-layer defenses. You need a multi-layered strategy that combines MFA with real-time monitoring, behavioral analysis, and advanced AI-driven security. This is how you outpace attackers: not just defending, but predicting and preventing.

Speed is everything

Time is your most valuable asset, especially in cybersecurity. One of the most eye-opening statistics from Obsidian’s report is that the fastest recorded time from breach initiation to data exfiltration was just nine minutes. Nine. That’s faster than most people take to respond to a Slack message. By the time you notice something’s off, the data could already be gone.

This kind of speed changes everything. Traditional security approaches, like periodic checks and manual reviews, just don’t cut it anymore. Real-time monitoring and automated response systems are essential. You need technology that can detect unusual activity the moment it happens and shut it down before damage is done.

In this game, seconds matter. If you’re not ready to act in real time, you’re leaving the door wide open for attackers.

AI-driven threat detection

When it comes to cybersecurity, Artificial Intelligence (AI) is huge. Obsidian Security is using AI and large language models (LLMs) to tackle SaaS breaches before they happen. Traditional security systems are reactive; they respond after something goes wrong. AI flips that script. It’s predictive, constantly learning and adapting to detect threats in real time.

These AI models don’t just monitor your network; they build a deep understanding of how users behave across hundreds of large enterprises. They detect subtle patterns and anomalies that human eyes might miss. Essentially, they think like attackers and catch them in the act, before the breach even happens.

SaaS integrations and shadow SaaS

If your business relies on SaaS, and let’s be honest, most do, you’re probably using more than one service. These tools are often integrated to make workflows seamless, but every integration creates new opportunities for attackers. Abuses of Microsoft integrations, in particular, have become more common. When an attacker gains access through one weak spot, they can exploit the entire connected ecosystem.

Then there’s the issue of “Shadow SaaS.” This refers to unauthorized apps that employees use without IT approval. Think about it: Someone installs a helpful tool to speed up their workflow, not realizing it opens up a huge security risk. These apps bypass official security protocols and give attackers an easy back door into your systems.

Managing these risks requires visibility. You need a governance framework that covers not just the tools you know about, but also the ones operating under the radar. It’s not about shutting down innovation; it’s about staying aware and proactive.

The financial cost of SaaS breaches

Here’s a number that should grab your attention: $4.88 million. That’s the average financial loss from a single SaaS breach. This includes everything: data recovery, legal fees, regulatory fines, lost business, and reputational damage. But what’s more concerning is that many companies haven’t adjusted their security investments to match the pace of SaaS adoption.

The problem isn’t just that these breaches cost a lot; it’s that they happen faster than companies can respond. With SaaS spending soaring and security budgets lagging behind, attackers are finding fertile ground. The financial impact can extend far beyond immediate losses, affecting customer trust and long-term growth.

Key executive takeaways

  • Rapid surge in SaaS breaches: A 300% increase in breaches over the past year indicates a dramatic escalation in cyber risks. Decision-makers should urgently reassess their SaaS security strategies to address this exponential threat.

  • Critical focus on identity providers: With 99% of breaches originating at the identity provider level, strengthening access management and user credential security is essential. Leaders must prioritize robust identity security measures to prevent lateral attacks.

  • MFA limitations demand a multi-layered approach: Over 84% of breaches occurred despite the use of Multi-Factor Authentication, highlighting its insufficiency on its own. Executives should invest in comprehensive, real-time monitoring and advanced threat detection systems.

  • Swift response and increased investment are vital: Breaches can lead to data exfiltration in as little as nine minutes, with an average financial impact of $4.88 million per incident. Leaders should improve rapid detection capabilities and allocate sufficient resources to mitigate potential losses.

Alexander Procter

February 14, 2025
