After Login: When Zero Trust Breaks Down, Teams Lose Visibility, and Attackers Move Inside SaaS Apps

Written by: Vishwa Pandagle, Cybersecurity Staff Editor
Key Takeaways
  • Soby highlights that modern attacks are winning because they are post-authentication.
  • Zero Trust fails if you only focus on the point of entry; your security becomes performative.
  • AppOmni observes adversaries compromising SaaS sessions where device posture and login checks are already complete.
  • Visibility disappears the moment the user moves inside SaaS platforms.
  • ZTNA-only architectures are easy to bypass because they do not protect against threats operating inside SaaS services.

In this interview, Brian Soby, CTO and Co-Founder of AppOmni, discusses breaches that unfold after authentication, inside SaaS applications. Attackers are hijacking valid sessions, abusing OAuth integrations, and targeting service accounts instead of breaking login controls. 

Soby has two decades of experience in cybersecurity across defense and enterprise environments. He previously held security leadership positions at Salesforce, MITRE, and Raytheon.

Soby notes that device posture checks and identity verification are not stopping privilege abuse. Organizations lose visibility once users move deeper into applications. Soby points to risky actions like configuration changes, large data exports, and lateral movement across SaaS services that go undetected. 

He adds that many Zero Trust programs are still centered on ZTNA or the identity provider, while application activity remains unmanaged. For security teams, this means Zero Trust must extend into each application’s enforcement layer. 

Soby stresses that security teams must monitor and control actions in all the SaaS platforms, not just the network entry point, because attackers are exploiting these hidden in-app gaps.

Vishwa: When you read the NSA’s Zero Trust enforcement guidance, what parts most closely reflect how real attacks are actually unfolding today? 

Brian: The emphasis on continuous evaluation after login is the most critical part. Modern attacks are winning because they are post-authentication. We see adversaries compromising SaaS sessions where device posture and login checks are already complete, or other post-authentication attacks such as the OAuth vishing of ShinyHunters.

If you only focus on the point of entry, your security becomes performative. The guidance correctly identifies that we must detect abuse happening after the login to stop these threats.

Vishwa: The guidance emphasizes post-authentication controls. From what you’ve seen, where do organizations lose visibility?

Brian: Visibility disappears the moment the user moves inside the application. Most organizations rely on weak signals like login location or new IP addresses. These are easily bypassed. They lose sight of high-signal activities like privilege use, data access, configuration changes, and lateral movement across SaaS capabilities. 

They also lack context because they don’t have a meaningful understanding of what 95% of activity events actually mean in a given application. Without understanding the context and behavioral patterns of what a user is doing with resources, the organization is effectively blind to the most dangerous phase of an attack.

Vishwa: Many teams equate Zero Trust with ZTNA. In practice, what kinds of attacks bypass those architectures most easily?

Brian: ZTNA-only architectures are easy to bypass because they only control the path to the application. Attackers today go straight to SaaS or leverage supply chain integrations. In these scenarios, the attacker uses post-authentication workflows to steal data from within applications. 

This makes the organization's ZTNA and identity provider completely irrelevant. If your Zero Trust strategy stops at the front door, you have no defense against the attacks that are most successful.

Vishwa: The guidance leans heavily on policy decision points and enforcement points. Where do organizations usually centralize these incorrectly?

Brian: The common mistake is pretending that the only real decisions happen at the identity provider or a network proxy. Organizations over-center on these points and ignore the application layer. 

In reality, every single application is its own policy decision point and enforcement point. When you ignore this, you end up with false confidence that access control and authorization are being managed when they’re actually completely unmanaged and invisible. 

Vishwa: How does treating each application as its own Policy Decision Point (PDP) and Policy Enforcement Point (PEP) change how security teams should think about SaaS risk?

Brian: It forces teams to realize that Zero Trust is an operating model, not a product.

This means security teams must address the application layer itself. You cannot achieve Zero Trust without application-aware telemetry and adaptive policies that are coordinated across these disparate enforcement points. 

The idea that you can ignore these enforcement points and try to use a company-wide CASB (often as part of your SASE) is unrealistic, as it doesn’t have deep enough application insight and misses too many risk areas, such as external users, supply chain attacks, and now AI agents. 

Vishwa: In environments dominated by SaaS and integrations, which identities are commonly misunderstood?

Brian: Organizations often ignore identities that never traverse the enterprise front door. This includes non-human identities, service accounts, integrations, external collaborators, and AI agent integrations. 

Because these identities don't sign in through the standard identity provider, they are often left out of the Zero Trust strategy. But they have direct access to resources and represent a massive, unmonitored attack surface.

Vishwa: From breaches you’ve observed, what Zero Trust assumptions tend to fail under adversary pressure?

Brian: The biggest failure is the "authenticate, check device posture, then trust" mindset. Organizations assume that once a user is in, the job is done. This assumption fails because it creates a static environment. 

Without real-time monitoring and orchestration, controls cannot adapt as conditions change. When an adversary begins moving laterally or exporting unusual amounts of data, a static Zero Trust implementation won't even notice.

Getting Zero Trust right requires looking at what’s happening inside your applications:

It needs application-aware telemetry, behavior context, and adaptive policy.
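To make the contrast concrete between the weak login-time signals Brian dismisses and the high-signal in-app activity he says teams lose sight of (privilege use, bulk data export, new integrations, identities that never touch the identity provider), the script below is an added example written for this article; it is not AppOmni's code nor anything the interviewee described. The audit-event format, actor names, per-user export baselines, role and scope names, and the 10x threshold are all constructed assumptions; a real SaaS audit log would look different and the baselines would be learned over time.

```python
"""Post-authentication SaaS activity monitor (added example, hypothetical data)."""
from dataclasses import dataclass

# Constructed sample audit events from a hypothetical SaaS tenant. Every login
# below passes device posture and comes from a known IP, so an entry-point-only
# control has nothing to object to.
SAMPLE_EVENTS = [
    {"ts": 1, "actor": "alice", "action": "login", "ip": "203.0.113.10", "device_posture": "compliant"},
    {"ts": 2, "actor": "bob", "action": "login", "ip": "203.0.113.11", "device_posture": "compliant"},
    {"ts": 3, "actor": "alice", "action": "record.read", "count": 5},
    {"ts": 4, "actor": "alice", "action": "report.export", "count": 25000},
    {"ts": 5, "actor": "alice", "action": "permission_set.assign", "target": "alice", "role": "System Administrator"},
    {"ts": 6, "actor": "alice", "action": "connected_app.create", "scopes": ["full", "refresh_token"]},
    {"ts": 7, "actor": "svc-integration", "action": "record.read", "count": 200},  # never logs in via the IdP
    {"ts": 8, "actor": "bob", "action": "record.read", "count": 3},
]

# Constructed per-actor baselines: typical rows exported per session (assumed values).
EXPORT_BASELINE = {"alice": 200, "bob": 50}
PRIVILEGED_ROLES = {"System Administrator"}          # hypothetical role name
BROAD_OAUTH_SCOPES = {"full", "refresh_token"}       # hypothetical scope names


@dataclass(frozen=True)
class Finding:
    ts: int
    actor: str
    rule: str
    severity: str
    detail: str


def login_gate_view(events):
    """What a login-only control sees: logins that failed posture. Nothing else is visible to it."""
    return [e for e in events if e["action"] == "login" and e.get("device_posture") != "compliant"]


def evaluate(events, export_baseline=EXPORT_BASELINE, ratio=10):
    """Application-aware view: score post-login actions against context and behavioral baselines."""
    findings = []
    logged_in = set()        # actors who entered through the front door
    flagged_unmonitored = set()
    for e in events:
        actor, action = e["actor"], e["action"]
        if action == "login":
            logged_in.add(actor)
            continue

        # Identity acting without ever passing the IdP: a service account, integration or agent
        # that a ZTNA/IdP-centred program would never see. Report once per actor.
        if actor not in logged_in and actor not in flagged_unmonitored:
            flagged_unmonitored.add(actor)
            findings.append(Finding(e["ts"], actor, "unmonitored_identity", "medium",
                                    "activity from an identity with no front-door login"))

        if action == "report.export":
            base = export_baseline.get(actor)
            if base is None or e["count"] > ratio * base:
                findings.append(Finding(e["ts"], actor, "bulk_export", "high",
                                        f"{e['count']} rows exported vs baseline {base}"))
        elif action == "permission_set.assign" and e.get("role") in PRIVILEGED_ROLES:
            # Granting admin to oneself is the classic post-auth privilege escalation.
            severity = "critical" if e.get("target") == actor else "high"
            findings.append(Finding(e["ts"], actor, "privilege_grant", severity,
                                    f"{e.get('role')} assigned to {e.get('target')}"))
        elif action == "connected_app.create" and BROAD_OAUTH_SCOPES & set(e.get("scopes", [])):
            # A new integration with broad scopes is a persistent, IdP-bypassing access path.
            findings.append(Finding(e["ts"], actor, "broad_oauth_integration", "high",
                                    f"scopes={sorted(e['scopes'])}"))
    return findings


if __name__ == "__main__":
    print("login-gate view:", login_gate_view(SAMPLE_EVENTS))   # empty: nothing looked wrong at the door
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity}] ts={f.ts} {f.actor}: {f.rule} ({f.detail})")
```

The same event stream yields an empty list from the login-gate view and four findings from the application-aware view: a 25,000-row export against a 200-row baseline, a self-granted administrator role, a new integration with broad OAuth scopes, and a service account that never authenticated through the identity provider. The point is not the particular thresholds but that every one of these signals only exists after authentication.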

