Protecting software-as-a-service (SaaS) applications is challenging because traditional security measures aren’t built for this environment.
The core problem is that users don’t own the software, which typically runs on external infrastructure. Conventional security tools are designed for software the user owns and operates on their own systems.
While SaaS providers try to enforce security within their platforms, they cannot dictate how customers use their applications. Usage patterns differ across users and are primarily shaped by how each app is configured. That configuration is the only security control built into SaaS for the customer, and misconfiguration remains the leading and most frequent cause of vulnerabilities.
“Legal teams might be using one or more SaaS tools, while HR, finance, and engineering each rely on different ones — with the entire company potentially using around 100 distinct applications,” explains Melissa Ruzzi, senior director of AI at AppOmni. Each application has its own unique configuration, typically determined by the user themselves. “That’s what makes SaaS so fascinating,” she adds (likely using ‘fascinating’ in what some call the ‘Chinese sense’ of the word), “because the configuration is where all the real security decisions are made.”
The SaaS attack surface is already enormous and keeps growing as more users and departments adopt more applications. When these tools are accessed and operated locally, IT and security teams may not even be aware of their existence, potentially creating “shadow SaaS” environments that frequently include unmonitored AI tools.
AppOmni is among the cybersecurity companies stepping in to help. Their platform offers SaaS security posture management (SSPM), helping organizations gain visibility into their SaaS landscape, maintain control over their configurations, and reduce the risk of data breaches. However, the challenge intensifies as the threat surface continues to expand in both scale and complexity.
This challenge isn’t unique to SaaS security. Security vendors, including AppOmni, are increasingly leveraging AI to make their services more efficient and effective. In December 2023, AppOmni launched AskOmni, an AI-driven SSPM assistant that lets users ask questions in plain language and receive answers about anything related to the platform.
Marlin AI
On May 26, 2026, AppOmni introduced Marlin AI, designed to provide as much autonomy as possible in addressing the security issues detected by the platform. AskOmni and Marlin function as a team. “Marlin investigates and analyzes issues and performs a range of tasks,” says Ruzzi. “If you want to understand what it’s found, you simply AskOmni.”
Marlin analyzes all the various configurations across different users and SaaS applications within an organization. It draws on years of SaaS expertise built up by AppOmni, allowing it to automatically flag potentially risky settings. “For example, if it discovers that multi-factor authentication isn’t enabled,” notes Ruzzi, “that’s clearly a concern. But how severe is that concern?”
Marlin digs deeper because the actual risk depends on other factors. “Are you downloading large amounts of data from an unusual IP address via an unfamiliar VPN… Now you need to examine everything else happening across the platform.”
Traditionally, human analysts conduct all of this work manually, which is time-consuming. Marlin handles it automatically — and goes a step further. Users don’t just want to hear “this missing MFA could cause a breach”; they want guidance on what to do about it. Marlin provides exactly that through actionable recommendations.
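The two-step reasoning Ruzzi describes, a static posture check whose severity is then escalated by surrounding activity and turned into a recommendation, as an added Python sketch. This is not AppOmni's or Marlin's code; the tenant settings, events, known-IP set and export threshold are all constructed for the example.

```python
from dataclasses import dataclass, field

SEVERITY = ["low", "medium", "high", "critical"]

# Constructed sample inputs (not real tenant data).
TENANT_CONFIG = {"name": "example-tenant", "mfa_required": False}
KNOWN_IPS = {"10.0.0.5", "10.0.0.6"}
EVENTS = [
    {"type": "login", "user": "alice", "src_ip": "10.0.0.5", "size_mb": 0},
    {"type": "data_export", "user": "bob", "src_ip": "203.0.113.9", "size_mb": 1200},
    {"type": "login", "user": "bob", "src_ip": "203.0.113.9", "size_mb": 0},
]

@dataclass
class Finding:
    check: str
    severity: str
    reasons: list = field(default_factory=list)

def check_mfa(config: dict) -> list:
    """Static posture check: MFA not enforced starts as a 'medium' finding."""
    if config.get("mfa_required", False):
        return []
    return [Finding("mfa_not_enforced", "medium", ["MFA is not required in tenant settings"])]

def escalate(finding: Finding, events: list, known_ips: set, export_mb: int = 500) -> Finding:
    """Contextual step: raise severity when activity shows the gap being exercised."""
    level = SEVERITY.index(finding.severity)
    unknown_ips = {e["src_ip"] for e in events if e["src_ip"] not in known_ips}
    big_exports = [e for e in events if e["type"] == "data_export" and e["size_mb"] >= export_mb]
    if unknown_ips:                       # activity from IPs never seen before: +1 level
        level += 1
        finding.reasons.append("activity from unfamiliar IP(s): " + ", ".join(sorted(unknown_ips)))
    if big_exports:                       # bulk export while MFA is off: +1 level
        level += 1
        finding.reasons.append(f"{len(big_exports)} large export(s) >= {export_mb} MB")
    finding.severity = SEVERITY[min(level, len(SEVERITY) - 1)]   # cap at 'critical'
    return finding

def recommend(finding: Finding) -> str:
    """Turn a finding into an actionable next step instead of a bare alert."""
    steps = {"mfa_not_enforced": "Enforce MFA for all users, then review the listed activity."}
    return f"[{finding.severity.upper()}] {finding.check}: {steps[finding.check]}"

def assess(config: dict, events: list, known_ips: set) -> list:
    """Run the posture checks, then enrich each finding with activity context."""
    return [escalate(f, events, known_ips) for f in check_mfa(config)]

if __name__ == "__main__":
    for f in assess(TENANT_CONFIG, EVENTS, KNOWN_IPS):
        print(recommend(f)); print("  " + "\n  ".join(f.reasons))
```

With the constructed data the missing-MFA finding climbs from medium to critical because both an unfamiliar IP and a large export are present; the same tenant with only routine logins stays at medium.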
An emerging question with all new AI tools is whether the autonomy of problem detection should extend to automatic problem resolution. For Marlin, the answer is nuanced. Actions within the AppOmni platform itself can be fully automated. It might flag a low-risk issue and essentially give the user a single button. “You press that button, and instantly, Marlin takes care of everything,” Ruzzi explains.
It’s a different story when the needed action falls outside the platform. “Say we identify a misconfiguration in your Salesforce setup,” she continues. “Think about how much access Marlin would need to make changes automatically on your behalf. That’s a boundary we don’t cross — clients are generally uncomfortable granting a third-party vendor like us administrative access to their data.”
Could Marlin technically operate autonomously? Yes. Does it do so currently? Not yet. “We’d love to offer that capability, but customers aren’t ready for it — and I don’t see that changing anytime soon. If attitudes shift in the future, we’re prepared, and yes, we’ll deliver it.”
What Marlin does offer today is significantly more detailed information about its investigations. It generates visual graphs that enable users to explore the underlying data in depth.