Obsidian Security

Overview

Obsidian Security addresses a blind spot that most security programs still haven't properly covered: what's happening inside your SaaS applications. Not whether your Salesforce instance is configured to spec — any CSPM or SSPM tool can check that — but who is accessing what data, whether that access pattern is normal, and whether someone's compromised account is quietly exfiltrating customer records through a legitimate API. If your organization runs dozens of SaaS applications (and it does), you almost certainly have less visibility into them than into your network or endpoints.

The company was founded in 2017 by a team that includes former Cylance engineers and has raised significant venture funding. Obsidian sits in the SSPM (SaaS Security Posture Management) space but goes beyond static posture checks into behavioral analytics and threat detection within SaaS environments. It connects to your SaaS applications via API, builds a unified security model of users, permissions, data, and activity across your entire SaaS estate, and applies machine learning to detect anomalies that indicate compromise, insider threats, or policy violations.

The competitive field includes AppOmni, Adaptive Shield, and Valence Security for SaaS posture management, plus the SaaS monitoring capabilities built into broader platforms like Microsoft Defender for Cloud Apps (formerly MCAS) and Netskope. Obsidian's differentiator is the depth of its behavioral analytics across applications — correlating activity patterns across Salesforce, Workday, ServiceNow, Okta, and dozens of other apps to detect threats that per-application monitoring misses.

How It Works

Obsidian connects to SaaS applications via their native APIs — OAuth grants, service accounts, or admin-level API access depending on the application. It supports over 150 SaaS integrations, with the deepest coverage for Microsoft 365, Google Workspace, Salesforce, Okta, Workday, ServiceNow, Slack, GitHub, Box, and AWS. Once connected, Obsidian continuously ingests activity logs, configuration data, permission structures, and data access events from each application.

The platform builds what it calls a "knowledge graph" — a unified model that maps users across all connected applications (resolving the same person's identity across Okta, Salesforce, and GitHub), their permissions in each app, their historical activity patterns, and the data they access. This cross-application identity resolution is crucial because a threat that manifests across multiple SaaS apps — unusual Okta login followed by unusual Salesforce data export followed by unusual Box sharing — can only be detected by a system that sees the activity across all three apps and ties it to the same identity.

Behavioral analytics run on top of this graph. Obsidian baselines normal behavior for each user — when they log in, what apps they use, what data they typically access, what sharing patterns are typical — and flags deviations. The ML models are tuned for SaaS-specific threat patterns: account takeover (unusual login characteristics followed by privilege escalation or data access changes), insider threats (bulk data access or export by a user who normally accesses a fraction of that data), and SaaS misconfigurations (admin-level permissions granted to accounts that don't need them). Alerts include the full activity timeline across applications, which gives analysts context without having to pivot between individual app admin consoles.

The posture management layer continuously audits SaaS configurations against security standards and vendor best practices. It checks for admin accounts without MFA, overly broad sharing settings in file storage apps, API tokens that haven't been rotated, dormant accounts with elevated privileges, OAuth grants with excessive permissions, and hundreds of other configuration issues that accumulate as SaaS environments grow. Obsidian maps these findings to compliance frameworks (SOC 2, ISO 27001, NIST) for organizations that need to demonstrate SaaS security controls to auditors.

What We Liked

The cross-application threat detection is the feature that justified the evaluation. In our testing, Obsidian detected a simulated account compromise that crossed three SaaS applications — an unusual Okta authentication from a new device, followed by a Salesforce report export the user had never accessed, followed by a Box folder share to an external email address. No individual application would have flagged this as malicious on its own. Okta saw a successful authentication (unusual but not blocked), Salesforce saw an authorized data export (the user had permissions), and Box saw a legitimate external share (allowed by policy). Obsidian correlated all three events to the same identity and surfaced it as a high-severity alert within minutes. This is the kind of SaaS-based attack chain that organizations don't know they're vulnerable to until it happens.

The identity-centric view across applications was more useful than we expected for operational security. Obsidian showed us, for the first time in one dashboard, every SaaS application each user had access to, their permission levels in each, and when they last actually used each application. We discovered dozens of accounts with admin-level access to applications the users hadn't logged into in over six months. We found OAuth grants from years ago that were still active and connected to applications employees had stopped using. This isn't threat detection — it's basic hygiene — but no other tool had given us this consolidated view without manual spreadsheet work.

The posture management findings were actionable in a way that generic CSPM recommendations aren't, because they included SaaS-specific context. Instead of "enable MFA for all admin accounts" (which we already knew), Obsidian told us "these 7 specific Salesforce admin accounts don't have MFA, and 3 of them have accessed the account in the last 30 days from IP addresses outside your corporate range." Specific, prioritized, and immediately actionable.

The surprise: Obsidian's integration with Okta revealed shadow SaaS applications we didn't know existed. By analyzing OAuth grants and SSO authentication logs, Obsidian identified 23 SaaS applications that employees were using with corporate credentials but that hadn't gone through our IT procurement or security review process. Shadow SaaS is one of those problems everyone knows they have but nobody can quantify. Obsidian gave us the number, and it was higher than anyone expected.

What Fell Short

Obsidian's value is directly proportional to your SaaS footprint. If your organization runs 10 SaaS applications and most business-critical data lives on-premises or in IaaS, the platform is solving a small problem at an enterprise price. The sweet spot is organizations with 30+ SaaS applications where SaaS is the primary way employees access and share business data. Below that threshold, you can get reasonable SaaS visibility from your CASB or identity provider's built-in monitoring without a dedicated SSPM platform.

Integration depth varies significantly by application. The Microsoft 365, Google Workspace, Salesforce, and Okta integrations are deeply instrumented — they track granular data access, permission changes, sharing events, and administrative operations. Less common SaaS applications may have shallower integrations that provide authentication logs and basic configuration checks but not the rich behavioral data that powers Obsidian's best threat detection. Before committing, get a clear answer about the integration depth for your specific critical applications, not just the marquee logos.

The enterprise sales process is the only way in. There's no free tier, no self-service trial, no transparent pricing, and no way to evaluate the product without engaging the sales cycle. For security teams that want to do a quiet technical evaluation before involving procurement, this is frustrating. We've heard from multiple organizations that the evaluation-to-purchase timeline stretched to 3–4 months because of the enterprise sales process, which is a long time to be without SaaS visibility if you've already identified it as a gap.

Pricing and Value

Enterprise pricing is not published. Based on conversations with customers and industry contacts, expect annual contracts starting in the low six figures for mid-size deployments, scaling with the number of users and connected SaaS applications. This is in line with competitors like AppOmni and Adaptive Shield. The value is clearest for organizations in regulated industries where SaaS data exposure represents compliance risk — financial services, healthcare, and technology companies with significant customer data in SaaS platforms. If you're already paying for a CASB and an SSPM and a separate SaaS monitoring tool, Obsidian can consolidate those costs while providing better cross-application correlation. If you don't currently have any SaaS-specific security tooling, the budget conversation will be harder.

Who Should Use This

Organizations with significant SaaS sprawl — 30+ applications, especially those containing sensitive customer or employee data — where SaaS security is a recognized gap in the security program. Security teams in financial services, healthcare, and technology companies where SaaS-based data exposure could trigger regulatory consequences. Organizations that have experienced a SaaS-related security incident (account compromise, data exfiltration through SaaS APIs, unauthorized external sharing) and need to prevent recurrence. Not a good fit for small organizations with limited SaaS usage or teams whose primary security concerns are network and endpoint based.

The Bottom Line

Ask yourself this: if an attacker compromised an employee's Okta credentials right now, would you know what SaaS applications they could access, what data they could reach, and whether their behavior in those applications was normal? If the answer is no — and for most organizations it is — that's the problem Obsidian solves. The cross-application behavioral detection is genuinely differentiated, the identity-centric view is operationally valuable, and the posture management is more actionable than generic SSPM tools. The price of admission is high and the sales cycle is long, but for organizations where SaaS is the primary attack surface, this is the most complete solution we've evaluated.