Securing software-as-a-service (SaaS) apps is hard. The standard cybersecurity controls are not designed for SaaS.
The difficulty is the software doesn’t belong to the user and usually runs on somebody else’s infrastructure. Standard cybersecurity products are designed to operate on software owned by the user and housed on the users’ infrastructure.
SaaS providers attempt to maintain security inside their apps, but they cannot control how they are used. Usage varies from user to user and is fundamentally governed by how the app is configured. This configuration is the only native security available to SaaS users, and misconfiguration is the primary and most common source of insecurity.
“The legal team might be using one (or more) SaaS apps, HR, financial and engineering something else – everyone across the company is using different tools, perhaps 100 different tools,” suggests Melissa Ruzzi, senior director of AI at AppOmni. Each one will have a different configuration, generally set by the user. “That’s what makes SaaS so interesting,” she continues (probably including ‘interesting ‘ in the purported ‘Chinese sense’), “because the configuration is where all the security actually lies.”
The SaaS threat surface is already huge and constantly expanding, with more users and more company departments using more SaaS apps. If downloaded and run locally, this is not always with the knowledge of the IT and security departments, possibly creating shadow SaaS that often includes shadow AI.
AppOmni is one of the cybersecurity firms offering specialized assistance. It provides a SaaS security posture management (SSPM) platform, aiding visibility into, control over, and reduced breach risk from SaaS apps. But it simply gets harder through the growing size and complexity of the threat surface.
This is not a problem unique to SaaS security. Security firms, including AppOmni, are turning to AI to improve the efficiency and effectiveness of their service. In December 2023, AppOmni introduced AskOmni, an AI-powered SSPM assistant designed to answer, in natural language, user queries on anything arising from the platform.
Marlin AI
On May 26, 2026, AppOmni launched Marlin AI, designed to allow as much autonomy in addressing the issues discovered by the platform as possible. AskOmni and Marlin work hand-in-hand. “Marlin investigates and analyzes issues, and does a bunch of things,” explains Ruzzi. “If you have any questions about what it has done, you can just AskOmni.”
Marlin examines all the different configurations used by different users across all the SaaS apps used by different companies. Marlin’s context is drawn from the years of SaaS expertise accumulated by AppOmni – so it can automatically detect potentially worrying configuration settings. “Let’s say it finds an unenabled MFA in a configuration,” comments Ruzzi. “That’s a problem in itself. But how dangerous is that problem?”
Marlin looks further, because the urgency of the problem depends on other factors. “Have you been doing mass downloads from a weird IP under a weird VPN… So, now you must look into everything else that is happening across the platform.”
Normally, all of this work is performed manually by a human analyst, and that takes time. Marlin does it automatically, but it goes further. Users wish to know what to do rather than just be told ‘this missing MFA could lead to a breach’ – Marlin does this; it recommends a course of remedial action.
An expanding issue with all new AI solutions is does it, or could it, take the autonomy of fault detection to an autonomy of automatic fault correction. The answer for Marlin is nuanced. Actions inside the AppOmni platform can be automated. It may report a benign issue and effectively provide the user with a button. “You click the button, and ‘boom’, Marlin does everything for you,” explains Ruzzi.
But it is different when the required action goes beyond the platform. “Let’s say we find a misconfiguration on your Salesforce,” she continues. “Consider the level of access Marlin would require making changes automatically. That’s a line we don’t cross, because customers are not generally happy to give a third party, us, admin rights to their data.”
Could Marlin perform autonomous action? Yes. Does it? No; at least not yet. “We’d love to be able to do it, but customers aren’t ready to accept it – and I don’t see that changing. If it does change, we’re ready, and yes, we’ll do it.”
What Marlin does provide, however, is a greater level of information on its investigations. It provides graphs that allow the user to take a deep dive into the data concerned.
Related: Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches
Related: Reco Raises $30 Million to Enhance AI SaaS Security
Related: CSA Unveils SaaS Security Controls Framework to Ease Complexity
Related: Thousands of SaaS Apps Could Still Be Susceptible to nOAuth
