Frequently Asked Questions

What is token compromise in SaaS environments?

Token compromise occurs when attackers steal or misuse authentication tokens to gain unauthorized access to SaaS applications. Because a valid token grants the same access as the user it was issued to, an attacker who obtains one can act as that user, which makes the intrusion much harder for security teams to detect.

Why are attacker-in-the-middle (AiTM) frameworks a significant threat?

Attacker-in-the-middle (AiTM) frameworks, such as Evilginx, sit between the user and the real sign-in page, relaying the authentication flow and capturing the session token it produces. According to Obsidian Security, 1 in 3 SaaS attacks now use AiTM frameworks, making them a growing and urgent security threat.

How does Obsidian detect token compromise?

Obsidian uses machine-learning-based detections to identify anomalous user behavior across SaaS apps and across the phases of the kill chain. The platform also uses rule-based detections mapped to the MITRE ATT&CK framework, including both out-of-the-box and customizable rules, to flag suspicious activity.

How does Obsidian differentiate between legitimate and malicious user activity?

Obsidian's ML models provide a normalized view of identities and baseline user behavior, allowing organizations to identify deviations that could indicate compromise. Contextual insights such as IP addresses, event types, and user activity support quick and accurate investigations.

What contextual information does Obsidian provide during incident response?

Security teams can search months of human-readable SaaS logs, enabling pivots on IP, user, geolocation, event type, and more. Obsidian enriches each alert with context about normal user behavior, making it easier to identify and respond to suspicious activity.
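The two answers above describe the same detection idea: baseline each identity's normal sign-in locations, then flag activity that deviates from it, with the baseline attached to the alert as investigation context. The following is an added illustration of that idea, not Obsidian's code or a description of its models. It runs over a constructed CSV of SaaS activity events (timestamp, user, event type, session id, IP, geo) and raises an alert when a session is used from an IP/geo outside the user's baseline, or when the same session id is seen from two different IPs within a short window, which is the trace a proxied sign-in followed by token replay leaves in the logs. The field names, the 30-minute window and the baseline cutoff date are assumptions chosen for the sample.

```python
"""Toy baseline-and-deviation detector for SaaS session tokens.

Added example, not Obsidian's code. Builds a per-user baseline of
(ip, geo) pairs from earlier events, then flags sessions that are used
outside that baseline or from two IPs within REPLAY_WINDOW.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log (not real data). Columns are assumed:
# timestamp,user,event,session_id,ip,geo
SAMPLE_LOG = """timestamp,user,event,session_id,ip,geo
2024-05-01T08:02:11Z,alice,login,s-101,203.0.113.10,US-CA
2024-05-01T08:05:40Z,alice,read_mail,s-101,203.0.113.10,US-CA
2024-05-02T09:00:02Z,alice,login,s-102,203.0.113.10,US-CA
2024-05-03T08:58:31Z,alice,login,s-103,203.0.113.11,US-CA
2024-05-06T07:41:09Z,alice,login,s-104,203.0.113.10,US-CA
2024-05-06T07:46:55Z,alice,read_mail,s-104,198.51.100.77,NL-NH
2024-05-06T07:48:02Z,alice,create_inbox_rule,s-104,198.51.100.77,NL-NH
2024-05-06T10:15:00Z,bob,login,s-201,192.0.2.5,US-NY
2024-05-06T10:20:00Z,bob,read_mail,s-201,192.0.2.5,US-NY
"""

# Assumed tuning: two IPs on one session inside this window is suspicious.
REPLAY_WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Parse CSV text into a list of event dicts with datetime timestamps."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def build_baseline(events, cutoff):
    """Per-user set of (ip, geo) pairs observed strictly before `cutoff`."""
    baseline = defaultdict(set)
    for e in events:
        if e["timestamp"] < cutoff:
            baseline[e["user"]].add((e["ip"], e["geo"]))
    return dict(baseline)


def detect(events, baseline):
    """Return alerts, each enriched with the user's baseline geos for triage.

    Users with no baseline history are not judged against one (only the
    replay check applies to them), which keeps new accounts from flooding
    the queue with 'unknown location' alerts.
    """
    alerts = []
    last_seen = {}  # session_id -> (timestamp, ip, geo) of previous event
    for e in sorted(events, key=lambda x: x["timestamp"]):
        reasons = []
        known = baseline.get(e["user"])
        if known is not None and (e["ip"], e["geo"]) not in known:
            reasons.append("ip/geo outside user baseline")
        prev = last_seen.get(e["session_id"])
        if prev and prev[1] != e["ip"] and e["timestamp"] - prev[0] <= REPLAY_WINDOW:
            reasons.append(
                f"session used from {prev[1]} ({prev[2]}) and {e['ip']} ({e['geo']}) "
                f"within {REPLAY_WINDOW}"
            )
        if reasons:
            alerts.append({
                "timestamp": e["timestamp"],
                "user": e["user"],
                "event": e["event"],
                "session_id": e["session_id"],
                "ip": e["ip"],
                "geo": e["geo"],
                "reasons": reasons,
                # Context for the analyst: where this user normally signs in from.
                "baseline_geos": sorted({geo for _, geo in (known or set())}),
            })
        last_seen[e["session_id"]] = (e["timestamp"], e["ip"], e["geo"])
    return alerts


def run_sample():
    """Baseline on events before 2024-05-06, then detect over the whole log."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, datetime(2024, 5, 6))
    return detect(events, baseline)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["timestamp"], alert["user"], alert["event"], alert["session_id"],
              alert["ip"], alert["geo"], "|", "; ".join(alert["reasons"]),
              "| baseline geos:", alert["baseline_geos"])
```

On the sample, Alice's own login on 6 May is clean, but the next two events on the same session come from a Dutch address she has never used, and the first of them lands within six minutes of the login from California: both are flagged, and the alert carries her normal geos so the analyst can pivot on IP, user and event type without re-querying the logs. Real data needs a longer baseline window, ASN or ISP rather than raw IP, and allowance for VPN and mobile carriers, but the shape of the check is the same.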

Can detection rules in Obsidian be customized?

Yes, Obsidian lets users define, test, and deploy custom detection rules tailored to their organization’s specific needs. Automated backtesting helps teams understand expected alert volumes and fine-tune rules based on real risk factors, such as recently terminated employees.

How quickly can Obsidian detect and stop abnormal SaaS access?

Obsidian’s approach is designed for rapid detection, helping organizations identify and respond to abnormal access in minutes. Continuous monitoring and real-time alerting enable swift remediation, which is critical for meeting service level agreements (SLAs).

What other SaaS identity security use cases does Obsidian support?

In addition to stopping token compromise, Obsidian helps prevent SaaS spear phishing, detect threats before data exfiltration, and respond to attacks such as self-service password reset (SSPR) abuse and social engineering. The platform delivers comprehensive identity security across all your SaaS apps.

Get Started

Start in minutes and secure your critical SaaS applications with continuous monitoring and data-driven insights.
