Mythos found 23,000 potential vulnerabilities across 1,000 open source projects. Only 75 have been patched. That gap is the new reality of SaaS supply chain risk. Frontier AI models like Anthropic's Mythos and OpenAI's GPT-5.5 can now automate reconnaissance, exploitation, and lateral movement at a speed no human attacker or human defender can match. The expertise required to breach an organization just dropped. The number of entry points just exploded. Annual third-party risk assessments and point-in-time reviews were never built for this. Every OAuth grant, every AI agent, every connected app is a live attack surface that changes the moment someone authorizes a new integration. Security teams need continuous answers to 4 questions:

1. What access exists
2. What it can reach
3. What can be removed and
4. What to revoke first when something breaks

Here's how we are helping security teams answer all four in real time, before the next Mythos-class model finds the gap first. #aisecurity #saassecurity #thirdpartyapplications #agenticai #obsidiansecurity → https://lnkd.in/gT8jmac2
Obsidian Security
Computer and Network Security
Palo Alto, California 74,462 followers
Comprehensive Security for your Enterprise Applications
About us
Protect your business-critical applications by mitigating threats and reducing risk with Obsidian, the first truly comprehensive security solution for SaaS. The company is backed by Greylock Partners, Wing, GV and Norwest Venture Partners.
- Website
- http://www.obsidiansecurity.com
- Industry
- Computer and Network Security
- Company size
- 51-200 employees
- Headquarters
- Palo Alto, California
- Type
- Privately Held
- Founded
- 2017
- Specialties
- Advanced Threat Protection, Insider Threat Protection, Threat Detection, Threat Response, Automated Intelligence, Machine Learning, Information Security Software, SaaS Security, Incident Response, Visibility and Monitoring, and compliance
Locations
- Palo Alto, California, US (Primary)
- Newport Beach, California, US
- Cheltenham, GB
Updates
-
Most organizations have 800+ risky AI agents operating right now. Most were never reviewed by security. Not because anyone made a bad decision. Because agents get shared, access changes, and owners leave while the agent keeps running. The deployment checklist captures a moment. The agent operates indefinitely after it. Three disciplines close the gap: continuous discovery, governance, and runtime enforcement. We break down where to start on the Obsidian Security blog. Read more: → https://lnkd.in/gsT5T4M7 #AgenticAI #AISecurity #CISO #CyberSecurity
-
We asked our customers what keeps them up at night about AI agents. Here's what they told us, ranked by how often it came up:

🔴 #1 — Unsanctioned agents connecting to critical systems. Agents being deployed without security's knowledge or approval. Nobody knows they exist until something goes wrong.

🟠 #2 — Destructive or irreversible actions. Deleting records. Sending emails. Modifying data. Agents acting with production-level permissions and no undo button.

🟡 #3 — Unauthorized data access & exfiltration. Agents reaching data they were never meant to touch and in some cases, making it public or sending it somewhere it shouldn't go.

🔵 #4 — Unapproved MCP server & tool connections. Agents silently connecting to external tools and MCP servers that were never reviewed, never approved, never monitored.

🟣 #5 — Prompt injection & intent manipulation. Agents being hijacked mid-task to act outside their original purpose with no visibility into what happened or why.

These aren't hypothetical risks. These are the exact concerns security leaders at enterprise companies are dealing with right now, as AI agents get deployed faster than any governance framework can keep up. The common thread across all five: agents are operating with real access, real permissions, and real consequences in environments where the security model was never built to govern them. That's the problem Obsidian was built for. Visibility, governance, and behavioral detection across every agent in your environment. That's what Obsidian delivers. → Learn how Obsidian secures your AI agent environment: https://lnkd.in/gmXVeeaz #AgenticAI #AISecurity #NonHumanIdentity #CISO #CyberSecurity
-
The Hacker News cited Obsidian in their coverage of the Klue-Icarus Gang attack — and the threat signal here is hard to ignore. One compromised OAuth token. Dozens of enterprise Salesforce environments exposed. Huntress, Tanium, Gong, Snyk, and more — all affected not because their own security failed, but because a trusted vendor's did. SaaS supply chain breaches are accelerating. Check out the Hacker News article here: https://lnkd.in/gTXsZn85 #SaaSsecurity #SupplyChainRisk #OAuth #CloudSecurity
-
Your employees are already using Claude. For autonomous code reviews. For multi-step SaaS workflows. For live CRM automation. The adoption isn't coming — it's here. And most security teams have zero visibility into what those agents are accessing, what permissions they've inherited, or what data they're moving. Obsidian governs Claude deployments across your enterprise — from Claude Code in dev environments to Claude agents operating across your SaaS stack. Swipe to see the three ways we're seeing Claude used in production today. Check out how we secure this usage here: https://lnkd.in/g3PgqAij #AISecurity #AIAgents #Claude #SaaSSecurity #NHI #CyberSecurity
-
SaaS threats don't wait. Neither do our customers. Three enterprises. Three very different environments. One shared result: security teams that can move faster than attackers.

🏨 Wyndham Hotels & Resorts manages 300+ SaaS apps across 9,200 locations. When a major vendor security event hit on a Friday evening, their team had a complete picture in five minutes — and zero false positives to chase. Today, 60–70% of their daily security activity comes directly out of Obsidian.

📱 T-Mobile needed enterprise-scale SaaS security across 100+ tenants and a sprawling multi-vendor environment. With Obsidian, they achieved 85% reduction in manual SaaS security work and 100% compliance with critical alert remediation SLAs — all from a single platform.

🔍 Algolia powers 1.75 trillion searches annually and operates in a globally distributed, remote-first environment where separating legitimate activity from real threats is anything but simple. After deploying Obsidian, a phishing investigation that once took 18 hours now takes 5 minutes. And malicious activity detected at 12:40am? Resolved by 12:43.

The common thread: no noise, no blind spots, no guessing. Just answers. Read all three stories → https://lnkd.in/gtjGSJNs #SaaSsecurity #SSPM #CyberSecurity #CustomerStory
-
One OAuth token. Eight weeks of undetected access. A $2M ransom disclosure. That's the Vercel / context.ai breach from earlier this year — and it's one of the clearest examples yet of what happens when AI agents operate outside the scope of security visibility. The agent security problem isn't exotic. It's structural. When a user builds an agent and connects it to their tools, the agent inherits their permissions. It acts with their badge. Then it gets shared. Or its owner leaves the company. Or it picks up integrations nobody reviewed. The deployment checklist catches a moment in time. The agent keeps running long after. What we're seeing in production environments: 38% of agents carry medium or high risk. Over 800 risky agents per organization. Data moving at 16x the rate of human users. Most of those agents were built by end users and never touched by security. We put together a piece on what it actually takes to govern this — starting with the inventory question most teams can't yet answer. Read it here: https://lnkd.in/gtW9mdz3 #AIAgentSecurity #SaaSSecurity #GartnerSRM #Obsidian
-
In March 2026, a developer asked their Cursor agent a purely conceptual question. No changes requested. No edits authorized. The agent deleted their main Python script anyway. When security pulled the logs, it got worse: the agent knew it made a mistake — and chose not to say anything. This isn't a horror story. It's a Tuesday. Most agents in your environment were never reviewed by security — and they reason and act in ways no checklist can anticipate. One model swap can quietly turn a trusted agent into a serious risk. We built the CISO Playbook for Securing AI Agents to change that: discovery, governance, and runtime enforcement grounded in real data. 40% of agents carry medium-to-critical risk. Most run with 10x the access they need. Download the playbook 👉 https://lnkd.in/gv3et38v #AISecurity #AIAgents #CyberSecurity #SaaSSecurity #CISO #RuntimeSecurity
-
Thrilled to share that VentureBeat featured Obsidian's research this week. Our team's LiteLLM disclosure was cited alongside the SearchLeak Copilot vulnerability, two of the most critical AI security threats hitting enterprise stacks right now. AI infrastructure is the new attack surface, and the stakes are real: our research exposed a critical chain that put every API key a LiteLLM gateway holds at immediate risk, at a moment when LiteLLM carries more than 40,000 GitHub stars and sits in thousands of enterprise deployments. "Two tools, two teams, one broken boundary." That's how VentureBeat framed it. We couldn't have said it better. We'll keep finding these vulnerabilities before the attackers do. → Full story: https://lnkd.in/di72WgV9 #ObsidianSecurity #AIAgentSecurity #CyberSecurity #ThreatResearch #CISO
-
Today we're thinking about the cybersecurity dads. The ones who can't fully turn off the security instincts — not at work, not at home, not on vacation when someone connects to hotel WiFi without a VPN. The ones who've explained to their families, patiently and repeatedly, that "password123" is not acceptable. That the suspicious email is always suspicious. That yes, we do need two-factor authentication on everything. They're not just protecting organizations. They're protecting the people they love most — one patched router and one declined suspicious link at a time. Happy Father's Day. You're doing important work. All of it. — The Obsidian Team 🔐 #FathersDay #Cybersecurity #SecurityCommunity #ObsidianSecurity