Cyberthreats to SaaS solutions are increasing in type and volume – thanks in part to AI – which means providers need to ensure that solutions stay as secure as possible.
While software-as-a-service (SaaS) solutions continue to grow in popularity among businesses of all sizes, so do the threats posed to them by cyber criminals. It is not just about number of threats – the types and complexity of them is increasing too.
“SaaS threats are increasingly driven by identity abuse and social engineering rather than technical vulnerabilities,” says Alex Ruslyakov, Acronis channel chief. “Acronis H1 2025 Cyberthreats Report shows that phishing now accounts for 52% of initial access in attacks targeting MSP-style environments, making it the dominant threat vector.
“Attackers are exploiting stolen credentials, phishing links and legitimate-looking collaboration requests to gain access that appears trusted. Once inside, they can move quietly across SaaS platforms, often without triggering traditional security controls.
“Critically, many SaaS breaches do not start in the SaaS platform itself. Poorly secured endpoints, unpatched tools and over-privileged accounts continue to provide attackers with an easy way in. SaaS security is only as strong as the identities, endpoints and integrations connected to it.”
Mike Puglia, general manager of Kaseya Labs, agrees that user account compromise and installation of third-party malicious applications is a big threat. “Account compromise grew at over 300% in 2025 compared to 2024,” he says. “Yet our research shows few organisations are taking even basic steps to protect their accounts: 50%+ of businesses do not have MFA enabled and adoption of phishing resistant passkeys barely scratches the surface.
“Additionally, applications like Microsoft 365 and Google Workspace are commonly managed by IT, but most SaaS applications remain outside of their purview. Think of Salesforce, HubSpot, QuickBooks, Netsuite, Bamboo HR – they are typically managed by the line of business who may not understand secure access and privilege management.”
Mike says that ‘the data’ now lives in SaaS products – from email to finance to HR – and presents an attractive target for attackers. “In 2025 we saw this shift – to take one example – thousands of major companies had their data in Salesforce compromised not because of a vulnerability in Salesforce, but because a widely used third party application was compromised and, in a separate attack campaign, Salesforce admins were duped into installing a data exporter sending private information directly to the group.”
Adrian Hunt, chief security officer at Redsquid, says that for many years, securing SaaS platforms was largely treated as a configuration exercise: enable multi-factor authentication, turn on logging, and rely on the provider to manage the underlying risk. “But that assumption no longer reflects reality,” he adds. “SaaS security has become one of the most commercially significant challenges – and opportunities – facing resellers and MSPs.
“Identity compromise remains the dominant risk, increasingly enabled by token theft, MFA bypass and OAuth abuse rather than stolen passwords alone. Crucially, this now extends beyond human users. In many organisations, non-human identities such as API keys, service accounts and automation bots already outnumber employees, yet often operate with excessive privilege and limited oversight.”
Trends
As the nature of threats changes, so do the solutions. “One of the biggest trends is a shift from tick box audits to continuous monitoring,” says Karl Bagci, director of IT and information security at Exclaimer. “Organisations are moving away from once a year assessments and towards real time visibility into configurations, access rights and data flows. They want to know, at any given moment, who has access to what, how data is being shared, and whether anything has drifted from the secure baseline.
“There’s also a growing recognition that security is a shared responsibility. Vendors are responsible for securing the underlying platform and infrastructure, but customers own their configurations, role design, access controls and data sharing settings. Most incidents don’t come from a flaw in the SaaS product itself; they come from getting those customer side responsibilities wrong.
“Additionally, compliance has become table stakes. Frameworks like SOC 2 and ISO 27001 are no longer differentiators; they’re expected before serious purchasing conversations even start. Buyers increasingly assume that baseline and then look deeper into how vendors actually manage risk, not just whether they have a badge.”
Anton Shelepchuk, VP of worldwide sales at NAKIVO, agrees a big trend is continuous control. “Customers are realising that SaaS security is posture management (configuration drift, privilege creep, permissions sprawl), so SSPM and continuous monitoring are moving from ‘nice to have’ to absolute necessities,” he says.
“At the same time, the market is consolidating. Buyers are tired of point tools, so they’re leaning toward SSE/SASE-style platforms that unify access policy, inline controls and SaaS visibility under one umbrella.
“Identity is getting stricter as well: least privilege, just-in-time admin, stronger authentication and tighter governance around guests and external sharing because that’s where the real risk lives.”
AI impact
AI is accelerating both sides of the SaaS security equation. “On the threat side, attackers are using AI to scale phishing, automate social engineering and create far more convincing impersonation attacks,” says Alex. “This has contributed to social engineering and BEC attacks increasing to 25.6% of observed incidents.
“On the defensive side, AI is essential for keeping pace. Malware is now extremely short-lived, with the average sample surviving just 1.4 days, which means security teams need behaviour-based detection and automated response to act fast enough. AI helps prioritise risk, reduce noise and focus attention on genuinely suspicious activity, which is critical in high-volume SaaS environments.”
Karl adds that deepfakes are starting to be used in business email compromise and social engineering attacks. “This makes it harder for employees to distinguish legitimate requests from fraudulent ones,” he says.
“Defenders, in turn, are using AI to spot anomalies in logs and behaviour faster than humans ever could. Instead of analysts manually trawling through huge volumes of data, AI models can flag unusual access patterns, suspicious integrations, or configuration changes in near real time, helping security teams prioritise where to look.
“However, the fastest growing issue is shadow AI. Staff are connecting AI tools and assistants directly to business systems and data without fully understanding the permissions they’re granting. This unmanaged use of AI tools is where risk is growing the quickest.”
Brad Bowers, lead field CISO Global at SHI, says AI is being leveraged by attackers to help make their kill chain more efficient. “Attackers often leverage AI research to find vulnerabilities or CVEs that have come out and are associated with a particular SaaS provider or technology used by a provider,” he notes. “They’re using AI derived data like Lego bricks to construct complex and modular attacks, often assembling packages of AI derived exploit code with malware or social engineering components to attempt multiple vectors of attack.
“AI has upped the ante for security practitioners. There’s an old security saying, ‘The attacker only has to be right once, whereas the defender needs to be right 100% of the time’. While AI has tipped the odds in the attacker’s favour for now, it’s providing significant benefits with regards to security data. Security practitioners are using AI to better understand where risk exists within their systems, SaaS solutions and supply chain.
“AI is being widely used with security operations tools to reduce the overall time to detection of malicious activity, resulting in faster remediation of issues. In some instances, AI is proactively automating the response to attack patterns and subtle malicious events that would historically have required a security practitioner’s review and intervention. I expect AI will continue to increase in its efficacy in responding to security issues and will be widely adopted and ultimately become an expected attribute of all Saas provider’s security practice.”
Reseller role
All this means that resellers have a crucial role in SaaS security. “Resellers play a critical role through ensuring solutions are deployed correctly and configured securely, as well as continuously maintained over time,” says Simon Cook, director, new offerings at Genetec. “To keep SaaS solutions secure, ensure access control is implemented, and multi-factor authentication is set up. Ensure customers are well informed about threats and establish shared responsibilities between vendor, partner and end user. Choosing platforms that simplify deployment and reduce operational complexity helps partners focus on delivering value to customers while maintaining high security standards.”
Danny Hemminga, vice president of EMEA partner sales at Tanium, adds that many customers still misunderstand shared responsibility, assuming the SaaS provider handles everything. “In reality, access control, configuration and usage of SaaS environments remain the customer’s responsibility,” he says.
“That gap matters. In the UK, more than 40% of businesses reported experiencing a cyber security breach in the past 12 months. This demonstrates why customers need partners who can help them manage risk continuously, not just at deployment.
“Resellers should focus on continuous visibility across endpoints and SaaS applications, enforcing secure configurations and applying least-privilege access by default. Supporting more automated and autonomous IT operations can further reduce manual effort and speed up response, helping customers operate more securely and with greater confidence. There is also growing demand for managed services that provide ongoing oversight rather than one-off projects.”
Adrian notes that customers are no longer looking for standalone tools; they want demonstrable outcomes. “Many MSPs are now combining continuous SaaS posture management with tighter governance of identities, integrations and AI, and, where browser-based access dominates, applying CASB-style session controls to reduce risky data movement and data leakage,” he says. “Increasingly, buying decisions are influenced by measurable results such as reduced risky access, faster containment of SaaS incidents and improved audit readiness.
“For resellers, SaaS security is moving from a bolt-on service to a core operational capability. Those that can translate growing SaaS complexity into continuous, measurable protection will be best positioned to capture long-term value in an increasingly SaaS-first world.”
Anton says resellers should anchor every conversation on specific high-impact controls: “Who has admin access, how OAuth apps are governed, what the external sharing tools are and how quickly a compromised session or token can be shut down. That’s where incidents start and where damage is contained,” he says.
“The strongest reseller move is packaging this as an ongoing motion. Baseline hardening with continuous posture checks and incident readiness is critical because customers don’t have the time or staff to keep revisiting every SaaS setting across dozens of apps.”
Future
The SaaS security market is expected to continue to evolve rapidly over the coming year. “The SaaS security market will continue to be shaped by flexibility, scalability and long-term trust,” says Simon. “Customers will increasingly expect open, unified platforms that avoid vendor lock-in and can easily evolve with changing requirements.
“Built-in cybersecurity and continuous software delivery will be large factors for customers, and it’ll soon be a baseline expectation for hybrid deployments rather than a differentiator. Reseller success will depend on aligning with vendors that prioritise enterprise-grade security and future-proof architectures.”
Barb Huelskamp, VP of global channel sales and alliances at Solarwinds, notes that IT teams are under constant pressure to modernise while keeping systems secure, reliable and compliant – and that pressure isn’t going away. “Flexibility, complexity and cost will remain core considerations for resellers in the year ahead and beyond,” she says.
“Hybrid environments are here to stay, especially as AI becomes more deeply embedded across IT operations. SaaS will continue to play an important role, particularly in reducing the operational burden of manual upgrades, patching and scaling. For many organisations, staying current through SaaS is also a meaningful way to reduce long-term security risk.
“Resellers have a clear opportunity to move beyond product-led conversations and step fully into a trusted advisor role. Customers need help simplifying increasingly complex environments, adopting technologies like AI responsibly, and making long-term decisions that balance security, cost and flexibility. As a result, the bar for partners is rising. Technical competence alone isn’t enough resellers must be able to translate strategy into day-to-day execution across security, complexity and cost.”
