
Mandiant’s 2025 M-Trends report highlights SaaS security as a significant source of risk
For security professionals seeking insight into emerging threats, Mandiant’s annual M-Trends report has long served as an essential compass. Drawing from countless hours of incident response work, this year’s findings cast a particularly stark light on a challenge that’s been lurking in the shadows for years: the rapidly expanding—and increasingly vulnerable—SaaS attack surface.
Why SaaS security is now front and center
Here’s a reality check that might sting a bit: while organizations have enthusiastically embraced cloud and SaaS solutions for their undeniable benefits (who doesn’t love scalability and flexibility?), they’ve stumbled into a security twilight zone. The shared responsibility model between providers and customers leaves IT and security teams trying to secure identities and manage configurations across tens if not hundreds of disparate SaaS tools, all with unique options and business requirements. That is, if they even know the tool is being used in the first place.
These findings from the report underscore this risk:
- Cloud & SaaS are “the norm” in modern intrusions. Mandiant analysts note that almost every frontline engagement in 2024 contained a cloud or SaaS component, exposing gaps in organizations’ shared-responsibility understanding.
- Stolen credentials rule the day. For the first time, credentials stolen via infostealers became the second-most-common initial infection vector (16%), offering instant access to SSO portals and downstream SaaS estates.
- UNC3944 shows how bad it can get. The financially motivated “Scattered Spider/UNC3944” crew pivoted from SIM-swapping into large-scale SaaS data theft, leaping from Okta into Salesforce, CyberArk and more through permissions abuse.
- Logging blind spots slow investigations. Mandiant repeatedly found incident responders hamstrung because critical SaaS audit logs were only available in higher-tier subscriptions, something victims discovered after a breach.
- Data theft now starts in SaaS. Attackers increasingly pull sensitive files straight from SaaS storage and collaboration tools, bypassing traditional network exfiltration controls.
The bottom line
The 2025 M-Trends report confirms what many defenders feel: SaaS is where business happens, and where attackers follow. The organizations that fare best are those that:
- Map the entire SaaS attack surface. After all, you can’t protect what you don’t know about.
- Treat SaaS like critical infrastructure—with the same rigor they apply to endpoints and networks.
- Invest in visibility and logging up-front rather than finding out the hard way during an incident that they don’t have what they need.
- Assume identity is the perimeter and design controls (MFA, least privilege, session monitoring) accordingly.
The writing on the wall couldn’t be clearer: understanding and securing your SaaS attack surface isn’t just another checkbox on your security to-do list—it’s becoming as fundamental as having a disaster recovery plan.
How Nudge Security can help
Nudge Security discovers every SaaS and GenAI account ever created by anyone in your org within minutes of starting a free trial and provides security posture checks to help you prioritize and resolve SaaS security risks. Learn more about Nudge Security’s approach to SaaS security and governance.
*** This is a Security Bloggers Network syndicated blog from Nudge Security Blog authored by Nudge Security Blog. Read the original post at: https://www.nudgesecurity.com/post/mandiants-2025-m-trends-report-highlights-saas-security-as-a-significant-source-of-risk