Obsidian Security Launches 2025 SaaS Security Threat Report

Almost every breach resulted from identity compromise, making SaaS identities the new frontline for cyber attacks

Palo Alto, CA, Jan 27, 2025 — Obsidian Security, the pioneer in Software as a Service (SaaS) security, today released its inaugural 2025 SaaS Security Threat Report, revealing an unprecedented 300% year-over-year increase in SaaS breaches between September 2023 to 2024. This surge in attacks has impacted organizations across all sectors, including major technology and telecommunications companies like Microsoft and AT&T who experienced significant breaches during this period. This dramatic surge comes as organizations increasingly rely on SaaS applications with current spend on SaaS in the hundreds of billions, or approximately $8,700 per employee for tools such as Workday, Google Workspace, ServiceNow, and Office 365.

Having built the industry’s largest SaaS breach data repository and through direct involvement in over 150 incident responses alongside leading firms like GuidePoint and Kroll, Obsidian Security unveils critical findings that reshape our understanding of the current threat landscape:

• The critical importance of securing SaaS identities, Obsidian data showing 99% of SaaS compromises originate at the identity provider (IdP). Although IdPs help manage access, if they are compromised, attackers can gain lateral movement across entire systems, putting sensitive data at risk. 
• While Multi-Factor Authentication (MFA) is commonly viewed as essential, Obsidian’s data uncovers that MFA failed to prevent attacks in 84% of incident responses. MFA alone is insufficient, bringing to light the need for more robust, layered security solutions to defend against modern threats.
• SaaS breaches unfold at an alarming speed. Obsidian’s data observed the fastest time from initial access to data exfiltration was in as little as 9 minutes. Traditional security controls cannot respond quickly enough, increasing the risk of rapid data loss and necessitating real-time monitoring and response strategies.

“The data is stark and unmistakable; securing the identity and its dynamic relationship with services and applications should be the first task for every security team,” said Glenn Chisholm, CPO of Obsidian Security. “Our unmatched dataset of real-life, real-time SaaS compromise telemetry, combined with our knowledge graph of identities across hundreds of large enterprises has allowed  Obsidian Security to build AI models with unmatched efficacy. These AI and LLM models continuously learn and adapt to catch attackers before they breach an organization’s environment through SaaS.”

Obsidian Security’s ongoing research and unique insights have directly influenced updates to the MITRE ATT&CK framework, particularly in how identity-based attacks in SaaS environments are categorized and addressed. This contribution underscores Obsidian’s leadership role in shaping industry-wide security standards.

“In our breach response and intelligence work, we’re increasingly seeing that threat actors recognize the relatively vulnerable state of interconnected SaaS applications as fertile hunting grounds,” says Jim Hung, Associate Managing Director, SPARK, Cyber Risk at Kroll. “The quality of malicious tradecraft is improving to rapidly exploit identity and configuration weaknesses to the fullest.” 

Emerging Threats and Predictions

The report also highlights critical emerging risks in SaaS environments:

• SaaS Integration Vulnerabilities: The proliferation of third-party applications has created new attack vectors, with Microsoft integration abuse becoming increasingly prevalent
• AI Application Risks: Organizations typically deploy around 100 AI applications, with 60% lacking proper security controls or federation behind the IdP
• Shadow SaaS Expansion: Unauthorized applications continue to connect to core environments, significantly increasing security risks

The average cost of a SaaS breach has risen to $4.88 million, yet security investment in this area continues to lag behind the rapid adoption of SaaS solutions. This disparity creates an urgent need for organizations to reassess their security strategies and investments.

The complete 2025 SaaS Security Threat Report is now available. Read here.

To see how SaaS breach data powers ML-based threat detection — and how organizations can achieve an 85% reduction in their SaaS attack surface, Book your demo with Obsidian.

About Obsidian
Obsidian Security is the premier security solution designed to drastically reduce the attack surface area of SaaS applications by 85% on average. With contextual user activity data, configuration posture, and a rich understanding of 3rd party integrations in SaaS, the Obsidian platform reduces incident response times by 10x and streamlines compliance with internal policies and industry regulations. Notable Fortune 500 companies trust Obsidian Security to secure SaaS applications, such as Salesforce, GitHub, ServiceNow, Workday, and Atlassian. Headquartered in Southern California, Obsidian Security is a privately held company backed by Menlo Ventures, Norwest Venture Partners, Greylock Partners, IVP, GV, and Wing. For more information, visit www.obsidiansecurity.com.