1 of 19

From Prevention to Recovery

Your Salesforce Data Breach Plan

Matt Meyers, CTA | CEO & Founder, EzProtect


DemoJam Competitors

Silver

Gold

Platinum

Thank You

Our Sponsors


About Matt Meyers, CTA

  • CEO & Founder of EzProtect & Certified Technical Architect
  • 19+ years in Salesforce ecosystem & Architects mentor
  • Author of Amazon bestseller "Securing Salesforce Digital Experiences"
  • Founding Member of the Low Code Security Alliance
  • Host of Salesforce Security Office Hours


Agenda

  • 01 The Threat Landscape
  • 02 The First 24 Hours
  • 03 What Most Orgs Miss
  • 04 Your Data Breach Recovery Readiness Checklist

CzechDreamin

The Threat Landscape

AI has changed the math on breach speed and scale

  • 960+ Salesforce-related breaches reported in 2025 alone (Salesforce Ben, Salesforce Security Report)
  • 20 hrs mean time-to-exploit for new vulnerabilities, down from 2.3 years in 2018 (Zero Day Clock, Sergej Epp, 2026)
  • 241 days average time to identify and contain a data breach (IBM Cost of a Data Breach, 2025)

After the Allianz Life breach: 43% of customers researched alternatives. 15% said they would never use it again (EzProtect Security Research Report, 2025).

It is not a question of if your org will be breached. It is a question of how fast you can respond.

86% of phishing attacks are now AI-driven (KnowBe4 Phishing Threat Trends Report Vol. 7, 2026).

Most Salesforce teams lack a dedicated security role. IT security teams audit orgs but do not know Salesforce. Salesforce teams understand permissions but not security frameworks. Leadership assumes the gap is covered.

The first 24 hours after a breach are where the most damage occurs and where preparation pays off the most.

The First 24 Hours

NIST Incident Response Lifecycle for Salesforce

  • 00 PREPARE: Build the plan. Name a response owner, inventory every connected app, document token revocation steps, and drill quarterly.
  • 01 IDENTIFY: Confirm the breach. Monitor Shield logs, Setup Audit Trail, connected app activity, and login anomalies.
  • 02 CONTAIN: Stop the bleeding. Revoke tokens, freeze users, block IPs, expire sessions. Password resets do not revoke OAuth.
  • 03 ERADICATE: Remove all traces. Check for malicious Apex, corrupted metadata, rogue scheduled jobs, and altered integrations.
  • 04 RECOVER: Restore from backup. Reconcile record IDs across integrations. Verify data integrity at field level.
  • 05 LEARN: Document root cause. Test the fix. Validate that the vector is closed, not just patched.

Source: NIST SP 800-61 Rev 3 (April 2025), adapted for Salesforce

HOUR 1: Detection and Assessment

Confirm the Breach

  • Review Shield Event Monitoring and Setup Audit Trail for anomalous patterns.
  • Check login history for unexpected geolocations, off-hours access, or new admin accounts.
  • Inspect connected app OAuth usage for unauthorized grants or unusual API volume.
  • Monitor vendor communications, social media, and breach disclosure channels.

Assess the Blast Radius

  • Map every user who authorized the compromised app and the scopes that were granted.
  • Identify which data objects, business units, and customer records are exposed.
  • Determine whether metadata was altered: Apex classes, flows, permission sets, or remote site settings.
  • Document which vendors and integrations touched the affected data.
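The "Confirm the Breach" and "Assess the Blast Radius" steps above, as an added example that is not EzProtect's or Salesforce's code: it runs the login baselines the slide lists (off-hours access, unexpected geolocation, OAuth grants by human users, new admin accounts) over constructed LoginHistory-like rows and hands back the connected apps to inventory. The column names, the business hours, the known-country set and the "Remote Access 2.0" login type are assumptions for this example and must be mapped onto your real export.

```python
"""Hour-1 login triage over constructed records (added example, not EzProtect code).
Assumption: rows are in a LoginHistory-like shape with the columns below; a
real export must be mapped onto these names first."""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample: a normal browser login, an off-hours OAuth login from an
# unexpected country, a service account's normal OAuth use, and a brand-new admin.
SAMPLE_LOGINS = """timestamp,username,country,login_type,application,profile
2025-03-03T09:12:00Z,ana@example.com,CZ,Application,Browser,Standard User
2025-03-03T02:47:00Z,ana@example.com,RU,Remote Access 2.0,DataSyncTool,Standard User
2025-03-03T10:05:00Z,svc-integ@example.com,CZ,Remote Access 2.0,DataSyncTool,Integration
2025-03-03T03:15:00Z,new.admin@example.com,CZ,Application,Browser,System Administrator
"""

KNOWN_COUNTRIES = {"CZ", "DE"}       # assumption: where the workforce logs in from
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 UTC, assumption for the example
KNOWN_ADMINS = {"ana@example.com"}   # admins that existed before the incident

def flag_logins(csv_text, known_countries=KNOWN_COUNTRIES, hours=BUSINESS_HOURS,
                known_admins=KNOWN_ADMINS):
    """Return one (username, application, reasons) tuple per suspicious login."""
    flagged = []
    for row in csv.DictReader(StringIO(csv_text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        reasons = []
        if when.hour not in hours:
            reasons.append("off-hours")
        if row["country"] not in known_countries:
            reasons.append("unexpected country")
        # "Remote Access 2.0" is the LoginHistory login type for OAuth 2.0 connected
        # apps (assumption); a human user authorising one deserves a look.
        if row["login_type"] == "Remote Access 2.0" and not row["username"].startswith("svc-"):
            reasons.append("OAuth grant by a human user")
        if row["profile"] == "System Administrator" and row["username"] not in known_admins:
            reasons.append("new admin account")
        if reasons:
            flagged.append((row["username"], row["application"], reasons))
    return flagged

def blast_radius(flagged):
    """Connected apps named in any flagged login: the starting inventory for
    mapping who authorised what."""
    return sorted({app for _, app, _ in flagged if app != "Browser"})

if __name__ == "__main__":
    hits = flag_logins(SAMPLE_LOGINS)
    for user, app, reasons in hits:
        print(f"{user:24} {app:14} {', '.join(reasons)}")
    print("apps to inventory:", blast_radius(hits))
```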

Organizations with a mature incident response plan saved $1.49M on average per breach (IBM, 2025).

HOURS 2 – 6: Containment: Stop the Bleeding

Expire all passwords and active sessions

Use the org-wide option in Session Settings. This is step one before anything else.

Revoke all OAuth tokens separately

Password resets do not invalidate OAuth refresh tokens. Connected app sessions persist until explicitly revoked.

Block unknown IPs and restrict login ranges

Limit access to known corp IP ranges. Enable the session setting that checks IP on every request, not just login.

Freeze or deactivate compromised users

Deactivating a user does not revoke their active OAuth tokens. You must do both explicitly.

Uninstall or disable suspect connected apps

Check for rogue scheduled Apex jobs, external integrations, and unauthorized external client apps (ECAs).

Activate your escalation tree

Who gets the 2 a.m. call? Leadership, legal, insurance, and authorities all need defined contact paths.
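The two containment steps the slide insists on doing separately, revoking OAuth tokens and freezing users, as an added example that is not EzProtect's code: it builds a reviewable plan of REST calls from constructed query results and only executes it on request. It assumes the Salesforce REST API behaviours that deleting an OauthToken record revokes that grant and that PATCHing UserLogin.IsFrozen freezes the user; the API version, record IDs and app names are constructed.

```python
"""Containment plan for a suspect connected app (added example, not EzProtect code).
Assumptions: deleting an OauthToken record revokes that grant and PATCHing
UserLogin.IsFrozen freezes the user; confirm both for your API version and
review the plan before execute() runs it."""
import json
import urllib.request

API = "/services/data/v60.0"  # assumption: API version
# Constructed results of: SELECT Id, AppName, UserId FROM OauthToken / SELECT Id, UserId FROM UserLogin
SAMPLE_TOKENS = [
    {"Id": "0TK000000000001", "AppName": "DataSyncTool", "UserId": "005000000000AAA"},
    {"Id": "0TK000000000002", "AppName": "DataSyncTool", "UserId": "005000000000BBB"},
    {"Id": "0TK000000000003", "AppName": "Corp SSO", "UserId": "005000000000AAA"},
]
SAMPLE_USER_LOGINS = {"005000000000AAA": "0YL000000000001", "005000000000BBB": "0YL000000000002"}

def plan_containment(tokens, user_logins, suspect_apps):
    """Return (method, path, body) calls: revoke every grant to a suspect app,
    then freeze each user who held one. Both are needed; freezing a user does
    not revoke the refresh token, and revoking alone leaves the login open."""
    calls, users = [], []
    for t in tokens:
        if t["AppName"] in suspect_apps:
            calls.append(("DELETE", f"{API}/sobjects/OauthToken/{t['Id']}", None))
            if t["UserId"] not in users:
                users.append(t["UserId"])
    for uid in users:
        login_id = user_logins.get(uid)
        if login_id is None:  # no UserLogin row found: leave a manual step, not a gap
            calls.append(("MANUAL", f"freeze user {uid} in Setup", None))
        else:
            calls.append(("PATCH", f"{API}/sobjects/UserLogin/{login_id}", {"IsFrozen": True}))
    return calls  # org-wide session expiry stays a Setup step (Session Settings)

def execute(calls, instance_url, access_token):
    """Run a reviewed plan against the org and return one HTTP status per call."""
    statuses = []
    for method, path, body in calls:
        if method == "MANUAL":
            continue
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(instance_url + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {access_token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses
```

Print the plan first and run execute() only after the DELETE list matches the grants you mapped in hour 1; a sandbox or acquired org needs its own plan, since tokens there are separate records.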

What Most Orgs Miss

Recovery traps that extend the damage

OAuth tokens survive password resets

Resetting a user password does not revoke connected app refresh tokens. Attackers retain API access until tokens are explicitly rotated. This is the single most common containment failure in Salesforce breaches.

The Apex Crypto API is a ransomware vector

The Crypto class in Apex is available to all orgs, not just Shield customers. An attacker with admin access can deploy a batch job that silently encrypts field data using AES-CBC, stores the key in a custom setting, then deletes it.

Metadata changes outlast data restores

Attackers can alter Apex classes, flows, permission sets, or remote site settings to reroute data or reestablish access. Restoring records from backup does not restore metadata to its pre-breach state.

Backup restores break integration IDs

Hard-deleted records restored from backup receive new Salesforce IDs. External systems referencing the original IDs will lose their link. Plan for a reconciliation exercise across every integration.

Single-org containment leaves the rest exposed

Revoking tokens in one org does not revoke them in your sandbox, acquired company's org, or regional instance. Your containment checklist must cover every org, not just the one where the alert fired.

HOURS 6 – 24: Eradicate, Recover, and Learn

Eradicate

  • Scan for malicious Apex, rogue batch jobs, and unauthorized metadata deployments.
  • Audit all remote site settings and named credentials for redirected endpoints.
  • Review permission sets and profiles for silently escalated privileges.
  • Check for canary field access or unusual data exports in Shield logs.

Recover

  • Restore data from your most recent verified backup point.
  • Reconcile restored record IDs with external integration systems.
  • Verify that no bank routing numbers, PII fields, or financial data was silently altered.
  • Re-sync integration data deltas for the gap between backup and restore.

Learn

  • Document root cause, attack vector, timeline, and organizational response.
  • Validate the fix: test users, simulate the attack vector, and confirm closure.
  • Establish ongoing token rotation policies and connected app inventory ownership.
  • Schedule recurring breach drills. Practice your response quarterly.
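The "Backup restores break integration IDs" trap and the "Reconcile restored record IDs" step above, as an added example that is not EzProtect's code: it maps pre-breach Salesforce IDs to post-restore IDs through a stable external key and lists the external rows that must be re-linked, reporting records the restore did not bring back instead of dropping them. The External_Key__c field, the ERP table layout and all record IDs are constructed for the example.

```python
"""Reconcile restored record IDs with an external system (added example, not
EzProtect code). Assumption: both sides carry a stable external key field
(External_Key__c here) that survives the restore; without one, matching must
fall back to business fields and needs human review."""

# Constructed rows: the pre-breach backup export, the same records after a
# restore (the hard-deleted record came back with a new Salesforce Id), and
# the external system's table that still holds the old Ids.
BACKUP = [
    {"Id": "001000000000AAA", "External_Key__c": "ERP-1001", "Name": "Acme"},
    {"Id": "001000000000BBB", "External_Key__c": "ERP-1002", "Name": "Bolt"},
    {"Id": "001000000000CCC", "External_Key__c": "ERP-1003", "Name": "Cora"},
]
RESTORED = [
    {"Id": "001000000000AAA", "External_Key__c": "ERP-1001", "Name": "Acme"},  # survived
    {"Id": "001000000000DDD", "External_Key__c": "ERP-1002", "Name": "Bolt"},  # new Id
]
EXTERNAL = [
    {"erp_id": "ERP-1001", "sfdc_id": "001000000000AAA"},
    {"erp_id": "ERP-1002", "sfdc_id": "001000000000BBB"},
    {"erp_id": "ERP-1003", "sfdc_id": "001000000000CCC"},
]

def id_map(backup, restored):
    """Old Salesforce Id -> new Id keyed on the external key; records missing
    from the restore are reported separately rather than silently dropped."""
    by_key = {r["External_Key__c"]: r["Id"] for r in restored}
    mapping, missing = {}, []
    for old in backup:
        new_id = by_key.get(old["External_Key__c"])
        if new_id is None:
            missing.append(old["Id"])
        else:
            mapping[old["Id"]] = new_id
    return mapping, missing

def relink(external_rows, mapping):
    """Return the external rows whose stored Salesforce Id must change."""
    updates = []
    for row in external_rows:
        new_id = mapping.get(row["sfdc_id"])
        if new_id and new_id != row["sfdc_id"]:
            updates.append({**row, "sfdc_id": new_id})
    return updates
```

The missing list is the set of records to chase before declaring the restore complete; each unmatched external row is a broken link waiting to surface in an integration.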

Your Data Breach Recovery Readiness Checklist

  • Do you have a named Salesforce breach response owner and escalation tree?
  • Can you revoke all OAuth tokens and expire all sessions within one hour?
  • Do you have a verified, tested backup that you can restore from today?
  • Is every connected app in your org inventoried with an assigned owner?
  • Does your cyber insurance policy cover third-party connected app compromise?
  • Have you tested your breach response plan in the last 90 days?
  • Are you actively monitoring Shield Event Monitoring or Setup Audit Trail?

If your answer to any of these is no, your org is not ready for the first 24 hours.


Feedback is Appreciated
