It's a Tuesday morning, and somewhere inside a Fortune 100 company, a Salesforce admin clicks a checkbox.
She does not think much of it. She is granting a contractor read access to a single object. Three weeks later, that contractor's password ends up in a credential dump on a Telegram channel, and the door she opened is still propped open. This is the kind of thing AppOmni was built to notice. The Tuesday clicks. The Friday OAuth grants. The Sunday quiet of an AI agent given more privilege than anyone meant to give it.
AppOmni runs the largest SaaS Security Posture Management platform in the category - a phrase that means almost nothing until you find yourself responsible for what a thousand people are doing inside Salesforce, Microsoft 365, ServiceNow, Workday, Google Workspace, GitHub and roughly ninety-five other apps. Then it means everything. From its San Francisco office on Harrison Street, the company watches configurations drift, identities multiply, and tokens expire late. It is, in the platform's own telling, a Rosetta Stone: it reads every SaaS application and translates them into a single, security-shaped language.
None of this is glamorous. There are no zero-days here, no hooded figures, no glowing green terminals. There are checklists, integrations, and the unsexy art of asking the right question of an API. Which is exactly why it works.
SaaS made the modern company. It also made a perimeter no one drew.
For two decades, enterprise security was a story about firewalls. You built a wall, you put your servers behind it, and you watched the door. Then the apps left the building. Sales moved into Salesforce. Tickets moved into ServiceNow. Files moved into Microsoft 365 and Google Workspace. HR moved into Workday. The company kept running. The wall stopped mattering.
What replaced it was less a perimeter than a constellation - dozens, then hundreds, of SaaS apps, each with its own permission model, its own admin console, its own little universe of OAuth tokens and integrations and third-party plug-ins quietly granted by users who meant well. Each app, on its own, was reasonable. The sum of the apps was not.
And the configurations - good lord, the configurations. A single Salesforce org can have over six hundred security-relevant settings. Microsoft 365 has more. The dirty secret of the SaaS revolution is that 'secure by default' was a marketing line, not an engineering one. Misconfiguration and misused credentials, not malware, are now the most common paths into a SaaS tenant. (See: every Verizon DBIR for the last five years, if you enjoy that sort of light reading.)
Two security guys looked at the problem from the inside. Then they quit and built the company they wished had existed.
Brendan O'Connor had a useful résumé for noticing this: he had been CISO at Salesforce and CTO of ServiceNow's security business. Brian Soby had led product security at Salesforce and, before that, at MITRE. They had both spent years inside the very platforms everyone else's company depended on, and they had both seen the same thing - that the SaaS providers were not going to solve customer misconfiguration on the customer's behalf, because they could not. The shared-responsibility model said so: the provider secures the platform, and the customer owns what happens inside the app.
So in 2018, the two of them started AppOmni. Their bet was unfashionable: that the future of enterprise security would not be more endpoint agents or fancier network sensors, but a layer above the apps - one that read every SaaS platform's API, normalized what it found, and let a security team actually see the thing they were on the hook for. The bet was that SaaS Security Posture Management would become a category. It did.
What the platform actually does, in plain English.
AppOmni connects, via API, to the SaaS apps a company runs. Once connected, it does four things continuously - and, mercifully, without an agent on anyone's laptop.
It inventories every user, every role, every external collaborator, every connected third-party app, and every dataset of consequence. It scans configurations against a baseline - either a customer's own policy or a vendor-recommended one - and flags drift the second it appears. It detects threat-shaped behavior: a downloaded report at 3 a.m., a new integration with rights nobody asked for, an OAuth token used from a country no one on staff has ever visited. And it remediates, either by walking a security analyst through the fix or, where the customer trusts it to, doing the fix itself.
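What that four-step loop looks like in code, as an added illustration that is not AppOmni's software: two constructed config snapshots with different vendor-shaped keys are normalized into one setting vocabulary, compared against a baseline policy, and turned into findings that carry their own remediation step; a constructed OAuth token-usage log is then checked for use from a country the org has never seen. Every field name, the session-timeout enum, and the sample data are assumptions, not any vendor's real admin-API schema.

```python
"""Minimal SSPM loop: normalize, compare to baseline, detect, plan the fix.

Added illustration, not AppOmni code. The two config snapshots, the policy,
and the OAuth event log are constructed sample data, and the field names are
assumptions rather than any vendor's real admin-API schema.
"""
from dataclasses import dataclass

# Constructed snapshots, shaped loosely like what an admin API returns.
SALESFORCE_SNAPSHOT = {
    "SessionSettings": {"sessionTimeout": "TwelveHours"},
    "PasswordPolicies": {"minimumPasswordLength": 8},
    "ConnectedApps": [{"name": "ReportSync", "scopes": ["full", "refresh_token"]}],
}
M365_SNAPSHOT = {
    "sessionControls": {"signInFrequencyHours": 1},
    "authenticationMethodsPolicy": {"passwordMinLength": 14},
    "oauthApps": [{"displayName": "MailBot", "scopes": ["Mail.Read"]}],
}

# Baseline policy in the common schema: numeric bounds plus scopes never allowed.
THRESHOLDS = {
    "session.timeout_hours": ("<=", 8),
    "password.min_length": (">=", 12),
}
FORBIDDEN_SCOPES = {"full"}  # a blanket scope is a standing over-grant


def normalize(app, snapshot):
    """The 'Rosetta Stone' step: map app-native keys onto one setting vocabulary."""
    if app == "salesforce":
        hours = {"OneHour": 1, "TwelveHours": 12, "TwentyFourHours": 24}  # assumed enum
        return {
            "session.timeout_hours": hours[snapshot["SessionSettings"]["sessionTimeout"]],
            "password.min_length": snapshot["PasswordPolicies"]["minimumPasswordLength"],
            "oauth.apps": {a["name"]: set(a["scopes"]) for a in snapshot["ConnectedApps"]},
        }
    if app == "m365":
        return {
            "session.timeout_hours": snapshot["sessionControls"]["signInFrequencyHours"],
            "password.min_length": snapshot["authenticationMethodsPolicy"]["passwordMinLength"],
            "oauth.apps": {a["displayName"]: set(a["scopes"]) for a in snapshot["oauthApps"]},
        }
    raise ValueError(f"no normalizer for {app}")


@dataclass(frozen=True)
class Finding:
    app: str
    setting: str
    observed: str
    expected: str
    fix: str  # the remediation step an analyst (or an auto-rollback) would take


def check_drift(app, normalized):
    """Compare one normalized snapshot against the baseline; return every deviation."""
    findings = []
    for key, (op, bound) in THRESHOLDS.items():
        value = normalized[key]
        in_policy = value <= bound if op == "<=" else value >= bound
        if not in_policy:
            findings.append(Finding(app, key, str(value), f"{op} {bound}", f"set {key} to {bound}"))
    for name, scopes in normalized["oauth.apps"].items():
        bad = scopes & FORBIDDEN_SCOPES
        if bad:
            findings.append(Finding(app, f"oauth.apps.{name}", ",".join(sorted(bad)),
                                    "no blanket scopes",
                                    f"revoke {name}; re-consent with least-privilege scopes"))
    return findings


# Constructed OAuth token-usage events: (timestamp, user, token id, country).
HISTORY = [
    ("2025-02-10T09:12:00Z", "contractor@example.com", "tok-7f1", "US"),
    ("2025-02-18T14:40:00Z", "alice@example.com", "tok-22c", "US"),
    ("2025-02-20T08:05:00Z", "alice@example.com", "tok-22c", "DE"),
]
RECENT = [
    ("2025-03-04T10:01:00Z", "contractor@example.com", "tok-7f1", "US"),
    ("2025-03-24T03:07:00Z", "contractor@example.com", "tok-7f1", "RO"),
]


def detect_new_geo(history, recent):
    """Flag token use from a country the org has never seen before (org-wide baseline)."""
    seen = {country for _, _, _, country in history}
    return [
        {"ts": ts, "user": user, "token": token, "country": country}
        for ts, user, token, country in recent
        if country not in seen
    ]


if __name__ == "__main__":
    for app, snap in (("salesforce", SALESFORCE_SNAPSHOT), ("m365", M365_SNAPSHOT)):
        for f in check_drift(app, normalize(app, snap)):
            print(f"[drift] {f.app} {f.setting}: observed {f.observed}, expected {f.expected} -> {f.fix}")
    for a in detect_new_geo(HISTORY, RECENT):
        print(f"[alert] {a['user']} used {a['token']} from {a['country']} at {a['ts']}")
```

The design point is that the policy is written once, against the normalized vocabulary, and never against a vendor's native keys; adding a new app means writing a normalizer, not a new policy. The geo check keys on an org-wide baseline rather than a per-user one, which is what catches a token used from somewhere nobody on staff has ever been.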
In 2025 the company added AI SSPM - AISPM, because the security industry will name anything - to govern the rapidly multiplying class of AI agents that now log into SaaS apps on humans' behalf. An AI agent with Salesforce access is, in security terms, just a very fast intern who never sleeps. AppOmni watches that intern.
A short, honest history
The receipts: customers, dollars, and a retention rate that should worry the competition.
You can tell a lot about a security company by who is willing to put their name on the customer list. AppOmni's includes Dropbox, Accenture, Ping, PepsiCo, Johnson & Johnson, Sprinklr, Rightmove and - charmingly - the NBA, which apparently has SaaS configurations worth watching, too. There are large Fortune 100 financial and healthcare logos behind NDAs as well. The customers tend to be the kind of organization whose general counsel reads the breach notification law in every state they operate in for fun.
Funding by round
The retention number is the one to watch. AppOmni reports near-100% customer retention since founding, and triple-digit ARR growth three years running. Security buyers churn when products under-deliver - those are not loyalty figures, they are utility figures. The product, evidently, gets used.
Partnerships round out the moat. Cisco Investments is on the cap table. Salesforce Ventures is on the cap table. AWS, PwC and Accenture sit on the implementation side. ServiceNow has a certified integration in its Store. When the apps you are securing are also investing in you, the relationship tends to be sticky.
Make SaaS the most secure place to do business.
That is the official line, and it is more interesting than it sounds. The bet underneath it is that SaaS is, eventually, more securable than the data center it replaced - because every interaction is API-shaped, every change is loggable, and every misconfiguration is, in principle, knowable. The only reason SaaS feels less secure today is that no one has been doing the looking. AppOmni's wager is that someone, finally, should.
This is also why the company has invested in research. The security team has published original disclosures against Salesforce Communities, ServiceNow's access-control rules, and Microsoft Power Pages. (The recurring theme: customers had no idea the defaults were that permissive.) The research arm is part marketing - good blog posts move pipeline - and part civic duty. It is the rare SaaS-security firm that ships both a product and a body of public knowledge about what is going wrong out there.
The next attack surface is already logging in.
The interesting thing about AppOmni in 2026 is not the SaaS part - that fight is largely won, and the category exists. The interesting thing is the AI part. Every major SaaS vendor has shipped, or is shipping, an AI agent that operates inside the app on a user's behalf. These agents authenticate with OAuth tokens, inherit the user's permissions, and act faster than any human reviewer can keep up with. They are also, in many cases, given by default the right to read everything the user can read.
If misconfiguration was the SaaS-era breach pattern, agent abuse is shaping up to be the AI-era one. AppOmni's AISPM product is a bet that the security buyer who once asked 'who has access to this object?' will, very soon, also be asking 'which agents are touching this object, on whose behalf, and with what scopes?' The same Rosetta Stone, translating a new language.
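The question in the paragraph above, "which agents are touching this object, on whose behalf, and with what scopes?", as an added worked example that is not AppOmni's AISPM code: constructed agent records are checked against the permissions of the human each one acts for and against a constructed activity log, producing findings for scopes granted beyond the delegator, scopes actually exercised beyond the delegator, and scopes never used. The 'Object:action' scope strings and the policy that an agent should never hold or exercise rights its user lacks are assumptions made for the illustration.

```python
"""Agent scope review: which agents touch which objects, for whom, with what scopes.

Added illustration, not AppOmni's AISPM code. The user permission map, agent
records, and activity log are constructed; the 'Object:action' scope strings are
an assumed convention, not a vendor's scope names. The policy assumed here is the
one the text implies: an agent acting for a user should never hold or exercise
rights that user does not have, and it should not keep rights it never uses.
"""
from collections import defaultdict

# Constructed: effective permissions of the humans agents act for.
USER_PERMISSIONS = {
    "sales.rep@example.com": {"Opportunity:read", "Opportunity:write", "Account:read"},
    "contractor@example.com": {"Case:read"},
}

# Constructed: agents, the user each acts on behalf of, and its granted scopes.
AGENTS = [
    {"id": "agent-deal-summarizer", "on_behalf_of": "sales.rep@example.com",
     "scopes": {"Opportunity:read", "Account:read"}},
    {"id": "agent-case-triage", "on_behalf_of": "contractor@example.com",
     "scopes": {"Case:read", "Case:write", "Account:read"}},
]

# Constructed 30-day activity log: (agent id, object, action).
ACTIVITY = [
    ("agent-deal-summarizer", "Opportunity", "read"),
    ("agent-deal-summarizer", "Opportunity", "read"),
    ("agent-case-triage", "Case", "read"),
    ("agent-case-triage", "Account", "read"),
]


def scopes_used(activity):
    """Collapse the log into the set of 'Object:action' scopes each agent exercised."""
    used = defaultdict(set)
    for agent_id, obj, action in activity:
        used[agent_id].add(f"{obj}:{action}")
    return used


def review_agents(agents, user_permissions, activity):
    """Findings per agent: granted beyond the delegator, exercised beyond it, and unused."""
    used = scopes_used(activity)
    findings = []
    for agent in agents:
        owner_perms = user_permissions.get(agent["on_behalf_of"], set())
        granted, exercised = agent["scopes"], used[agent["id"]]
        checks = (
            ("granted_beyond_delegator", granted - owner_perms, "narrow the grant to the user's own rights"),
            ("exercised_beyond_delegator", exercised - owner_perms, "revoke the token and investigate"),
            ("unused_scope", granted - exercised, "drop scopes with no activity in the window"),
        )
        for kind, scopes, fix in checks:
            if scopes:
                findings.append({"agent": agent["id"], "on_behalf_of": agent["on_behalf_of"],
                                 "type": kind, "scopes": sorted(scopes), "fix": fix})
    return findings


def who_touches(obj, agents, activity):
    """Answer the buyer's question: which agents touch this object, and on whose behalf."""
    owner = {a["id"]: a["on_behalf_of"] for a in agents}
    touched = defaultdict(set)
    for agent_id, o, action in activity:
        if o == obj:
            touched[agent_id].add(action)
    return sorted((agent_id, owner[agent_id], sorted(actions)) for agent_id, actions in touched.items())


if __name__ == "__main__":
    for f in review_agents(AGENTS, USER_PERMISSIONS, ACTIVITY):
        print(f"[{f['type']}] {f['agent']} (for {f['on_behalf_of']}): {f['scopes']} -> {f['fix']}")
    print("Account is touched by:", who_touches("Account", AGENTS, ACTIVITY))
```

The three finding types deliberately differ in urgency: an unused scope is hygiene, a grant beyond the delegator is a misconfiguration waiting to be used, and a scope exercised beyond the delegator is the agent already doing something its human could not, which is the AI-era analogue of the propped-open door.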
Back to that Tuesday morning. The Salesforce admin clicks the checkbox. Somewhere in the customer's tenant, AppOmni notices. It cross-references the new permission against the org's policy, the contractor's identity, the OAuth tokens connected to that user, and the historical baseline. It files an alert. Maybe a human reviews it. Maybe a workflow auto-rolls it back. Either way, three weeks later, when the contractor's password shows up on Telegram, the door is not propped open. The click was noticed. That is the whole product, and the whole point.