On August 20, 2025, Salesloft and Salesforce revoked every live OAuth token for the Drift chat application after the threat group UNC6395 spent ten days exporting data from more than 700 corporate Salesforce environments. Cloudflare, Zscaler, and Palo Alto Networks all confirmed exposure, and not one of them had been breached directly.
Every victim inherited the incident from a SaaS vendor that had already cleared procurement, which is exactly the gap a SaaS vendor risk assessment built for the cloud exists to close. Verizon’s 2025 DBIR now ties 30% of breaches to third parties, double the prior year’s share.
| SaaS Vendor Risk Assessment: Key Takeaways |
| A SaaS vendor risk assessment scores what a standard vendor review misses: OAuth token scopes, subprocessor chains, tenant isolation, and the controls that stay on your side of the shared responsibility line. |
| The blast radius is proven: one compromised Drift integration exposed more than 700 Salesforce customers in August 2025, and Black Kite counts 5.28 downstream victims for every breached vendor. |
| Verizon’s 2025 DBIR put third parties in 30% of breaches, double the prior year, while the average company now runs 275 SaaS applications (Zylo 2025 SaaS Management Index). |
| Six steps carry the work: inventory the estate, tier by data and integration exposure, collect cloud-specific evidence, test shared-responsibility fit, score and contract, then monitor continuously. |
| Evidence means a current SOC 2 Type II read past the opinion page, CAIQ answers against the CSA Cloud Controls Matrix, a recent pen test summary, and a live subprocessor list. |
| Contracts do the enforcement: breach notice in hours, subprocessor change alerts, data return and deletion at exit, and audit rights sized to the vendor tier. |
Cloud delivery changes what you assess, not just who. The six steps below run from app inventory to continuous monitoring, with the evidence list and contract clauses that make each step hold, leaning on the CSA Cloud Controls Matrix, SOC 2 Type II reports, and the June 2023 interagency guidance from US banking regulators.
Why a SaaS Vendor Risk Assessment Is Not a Standard Vendor Review
A SaaS vendor holds your data on infrastructure you cannot inspect, patches software on a schedule you do not control, and connects to your other systems through tokens that outlive the people who granted them. A vendor review built for suppliers of goods and services prices none of that exposure.
Drift proved the difference in production. Attackers never breached Salesforce itself; they stole integration tokens from the chat vendor’s environment and walked in through trusted connections, a path serious enough that FINRA issued a cybersecurity alert to US member firms. Standard third-party risk management had never scored the token store.
Shared Responsibility Inside the SaaS Vendor Risk Assessment
Every SaaS subscription splits control duties between provider and customer, and the split is where assessments go wrong. The provider runs the infrastructure, the application code, and availability. Identity configuration, OAuth scopes, offboarding, and data handling stay with you, whatever the sales deck implies.

Figure 1. The shared responsibility split a SaaS vendor risk assessment has to test: recent breaches broke on the customer-owned rows.
Mandiant’s Snowflake investigation made the same point in 2024. UNC5537 raided roughly 165 customer environments using stolen credentials on accounts that lacked MFA, a customer-side control on every responsibility chart. The cybersecurity risk management burden does not transfer with the subscription fee.
So the SaaS vendor risk assessment has to look both ways. It scores the provider’s controls through evidence, then scores your own tenant configuration against the vendor’s hardening guidance, because information security risk management fails at whichever side of the line is weaker.
The 2025-2026 Data Behind SaaS Vendor Risk Assessment
Fresh breach numbers justify the effort a real SaaS vendor risk assessment takes. Verizon’s 2025 DBIR found third parties involved in 30% of breaches, up from roughly 15% a year earlier, and Black Kite’s 2026 Third-Party Breach Report counts 5.28 downstream victims publicly compromised for every breached vendor. SecurityScorecard’s 2025 tracking puts the third-party share higher still, at 35.5%.
SaaS Vendor Risk Assessment Inputs: The Breach Numbers

Figure 2. The breach math behind a SaaS vendor risk assessment: a doubled third-party share and a 275-app average portfolio.
Portfolio size compounds the exposure. Zylo’s 2025 SaaS Management Index puts the average company at 275 SaaS applications, with roughly seven new apps arriving each month, most adopted outside IT’s line of sight. Nobody assesses 275 vendors at equal depth, so tiering decides where the hours go.
| Incident | What actually failed | Organizations affected |
| Salesloft Drift, Aug 2025 | OAuth tokens stolen from the vendor’s own environment | 700+ Salesforce customers |
| Snowflake campaign, 2024 | Customer accounts without MFA, stolen credentials | About 165 tenants |
| MOVEit Transfer, 2023 | Zero-day in a managed file transfer product (Cl0p) | 2,770+ organizations |
| Okta support system, Oct 2023 | Compromised service account exposed session tokens | 134 customers confirmed |
Gartner saw the curve early, predicting in 2022 that 45% of organizations would face software supply chain attacks by 2025, three times the 2021 rate. The table above is that forecast landing, and concentration risk in third-party relationships is why single incidents now cascade across whole sectors.
How to Run a SaaS Vendor Risk Assessment in Six Steps
Treat the assessment as a production line rather than an annual event. The sequence assumes a working step-by-step risk assessment discipline and a named owner per vendor tier; two weeks covers a critical vendor when the evidence arrives on time, and the portfolio runs on a rolling calendar.
| Step | What you do | Output that proves it |
| 1 | Inventory the SaaS estate from SSO logs, expense reports, and browser extension data | A living app register with named owners |
| 2 | Tier vendors by data sensitivity and integration scope, not by spend | A tier list: critical, high, standard, watch |
| 3 | Collect cloud-specific evidence: SOC 2 Type II, CAIQ, pen tests, subprocessor list | An evidence file per critical vendor |
| 4 | Test shared-responsibility fit against your own tenant configuration | A control-gap list covering both sides |
| 5 | Score residual risk and write every gap into the contract with a date | A signed contract with dated remediation |
| 6 | Monitor OAuth scopes, trust pages, and subprocessor feeds continuously | A KRI dashboard wired to the register |
Auditors will ask which frameworks sit behind the method. ISO/IEC 27017 supplies the cloud-specific control catalog, ISO/IEC 27018 covers personal data in public clouds, and NIST SP 800-161 frames the supply chain lens regulated buyers expect to see cited when the evidence file reaches an examiner.
Step four is the pass most programs skip. Pull the vendor’s hardening guide and score your own tenant against it: SSO enforced, MFA on every admin, audit logs flowing to your SIEM, retention configured, offboarding wired to the HR feed. The Snowflake casualties were tenants that skipped this check, not vendors that failed theirs.
Tiering Vendors Inside the SaaS Vendor Risk Assessment
Tier by what the vendor can touch. An app holding regulated customer records with write access to your CRM outranks a whiteboard tool with a bigger invoice, and the key elements of a risk register apply directly to the app register: owner, exposure, controls, and a review date.
| Tier | Definition | Assessment depth | Refresh |
| Critical | Regulated data, broad OAuth scopes, or single point of failure | Full evidence file, config review, contract clauses | Annual + event-driven |
| High | Sensitive internal data or write access to core systems | SOC 2 review, CAIQ subset, contract check | Annual |
| Standard | Limited internal data, no core integrations | Questionnaire plus trust page review | Every two years |
| Watch | No meaningful data or system access | Automated registration and terms scan | On change |
Score the tiers on evidence rather than seniority. Pairing qualitative and quantitative risk assessment keeps a tier defensible when an executive wants a favorite tool waved through. Your risk appetite statement supplies the threshold each tier has to clear at renewal.
Cloud-Specific Evidence for the SaaS Vendor Risk Assessment
Badges are not evidence. A compliance logo wall proves nothing about the tenant that will hold your data, so demand four specific documents: a current SOC 2 Type II report, a completed CAIQ against the CSA Cloud Controls Matrix, a recent penetration test summary, and the live subprocessor list.
| Evidence | What it proves | What it misses |
| SOC 2 Type II | Controls operated over 6-12 months, auditor-tested | Scope may exclude the product you buy |
| CAIQ v4 (CSA) | About 280 cloud-specific answers across 17 CCM domains | Self-attested unless STAR Level 2 |
| ISO 27001 + 27017 | Certified ISMS with cloud control extensions | Certificate scope, not tenant configuration |
| Pen test summary | Real attack surface tested within 12 months | Redacted findings can hide severity |
| Subprocessor list | The fourth parties your data will actually reach | Change notice only if the contract requires it |
| FedRAMP authorization | Government-grade baseline for US agency sales | Rarely covers the commercial tenant you buy |
Trust centers speed the chase without replacing it. Most critical-tier vendors now publish SOC 2 reports and CAIQ answers behind an NDA click-through, so a complete evidence file should assemble in days. A vendor that cannot produce a current SOC 2 Type II on request is itself a finding.
Reading a SOC 2 Type II in a SaaS Vendor Risk Assessment
Read past the opinion page. Check the system description for the exact service assessed, confirm the trust services criteria include security and availability, and read every exception with the vendor’s response. A clean opinion on a scoped-out sub-service is how surprises get certified.
Then cross-check the layers. CSA’s STAR registry stacks CCM assessment on top of SOC 2 or ISO 27001 at Level 2, FedRAMP matters when US agencies are downstream, and NIST CSF 2.0 gives the vocabulary your board already hears in every NIST risk assessment briefing.
Scoring and Contract Clauses in a SaaS Vendor Risk Assessment
Findings die unless the contract carries them. Convert the evidence file into a residual score against your tiers, then write every gap into the agreement with a date, the loop the OCC’s June 2023 interagency guidance expects at US banks: due diligence, contract, and monitoring as one lifecycle.
| Clause | What to require | Why it matters |
| Breach notification | 24-72 hours from discovery, named security contact | Weeks-long vendor silence eats your response window |
| Subprocessor changes | Advance notice with objection rights | Fourth parties change without asking you |
| Data return and deletion | Export format, deadline, deletion certificate at exit | Prevents hostage data at renewal time |
| Security posture | MFA enforced, SSO and audit logs in your tier | Vendors still gate security features by price |
| Audit and evidence rights | Annual SOC 2 delivery plus questionnaire refresh | Keeps the evidence file current without renegotiation |
| Availability SLA | Uptime, RTO and RPO commitments, service credits | Your continuity now depends on their recovery |
Keep the scoring model boring and auditable. A simple grid of likelihood against data impact works when every band is defined in records exposed and hours down, and the same score feeds the vendor row in the corporate register. Precision theater with weighted decimals convinces nobody at renewal.
Public-company buyers carry a disclosure clock of their own. The SEC’s cyber rules require material incidents on Form 8-K within four business days of the materiality call, so a vendor that sits on a breach for weeks spends your legal runway. Notification windows in hours are the fix.
Exit terms are continuity controls in disguise. The difference between RPO and RTO frames what the SLA has to commit to. Regulated buyers can fold the results into compliance risk assessment reporting, and mitigating vendor risks at signature costs a fraction of the mid-incident price.
Continuous Monitoring After the SaaS Vendor Risk Assessment
Point-in-time reviews age fast when the vendor ships code weekly, so the assessment expires long before the renewal does. Continuous signals keep the score honest: OAuth scope reviews, trust page and status feeds, subprocessor alerts, and breach intelligence on every vendor in the critical tier.

Figure 3. The blast radius argument for monitoring: four SaaS incidents, each reaching victims who never bought the failing product directly.
The chart doubles as the budget case. MOVEit’s victim list included organizations that had never heard of the software because a vendor of a vendor ran it, which is fourth-party risk management in a single lesson, and CISA’s Cl0p advisory documented how fast exploitation spread.
| Monitoring KRI | Threshold | Response |
| Dormant OAuth grants | Any token unused for 60+ days | Revoke and force re-authorization |
| Vendor breach disclosure | Any, in the critical tier | Reassess within 10 business days |
| Subprocessor additions | Any new data-touching subprocessor | Review against the data map |
| SOC 2 report age | Older than 12 months | Request a bridge letter |
| Admin accounts without MFA | Above zero on your side | Fix the tenant the same week |
| SLA misses | Two consecutive months | Trigger credits and a review call |
Watch dormant OAuth grants first; they are the quietest way in. Treat the thresholds like any other key risk indicators, owned and dated, using the calibration method in how to develop key risk indicators, and let how often risk assessments should run set the refresh floor.
Frequently Asked Questions About SaaS Vendor Risk Assessment
What is a SaaS vendor risk assessment?
A SaaS vendor risk assessment is a structured evaluation of a cloud software provider covering its security controls, data handling, subprocessors, and integration exposure, plus the duties that stay with your own admins. It pairs vendor evidence, such as SOC 2 Type II and CAIQ answers, with a review of your tenant configuration.
How is a SaaS vendor risk assessment different from a normal vendor assessment?
Cloud delivery moves the risk into places a goods-and-services review never looks. A SaaS vendor risk assessment weighs OAuth scopes, tenant isolation, shared responsibility splits, and subprocessor chains. The Drift theft reached more than 700 companies through integration tokens that no generic questionnaire had ever scored.
What evidence should a SaaS vendor risk assessment collect?
Collect a current SOC 2 Type II report, a completed CAIQ against the CSA Cloud Controls Matrix, ISO 27001 certification with the 27017 cloud extension where available, a penetration test summary under 12 months old, and the live subprocessor list. Read the scope pages as closely as the opinions.
How often should a SaaS vendor risk assessment be refreshed?
Reassess critical-tier vendors annually and after any incident, high-tier vendors annually, and standard-tier vendors every two years. Continuous signals fill the gaps between reviews: quarterly OAuth scope checks, subprocessor alerts on change, and a reassessment within ten business days of any vendor breach disclosure.
Who should own the SaaS vendor risk assessment?
Split the ownership three ways. Security or risk owns the method, the evidence standards, and the tiers; the business owner of each application owns remediation and renewal decisions; procurement enforces the contract clauses. One analyst owning 275 apps alone is how shadow IT wins.
Does a SOC 2 report make a SaaS vendor risk assessment unnecessary?
No. A SOC 2 Type II proves the vendor operated its own controls over the audit window, and says nothing about your tenant configuration, your OAuth grants, or your offboarding hygiene. Snowflake’s 2024 campaign ran through customer accounts missing MFA while the provider’s audited controls held.
Pitfalls That Sink a SaaS Vendor Risk Assessment
Shortcuts sink more assessments than attackers do, and most trace back to reviewing the vendor everyone can see while ignoring the integration layer nobody owns. Each row pairs a pitfall with its root cause and the remedy that keeps the assessment working long after procurement closes.
| Pitfall | Root cause | Remedy |
| Tiering by contract value | Spend used as a proxy for risk | Tier by data and integration exposure |
| Collecting badges, not reports | Logo walls accepted as evidence | Demand the documents and read the scope |
| One-time assessment at purchase | Review treated as a procurement gate | Continuous signals plus tiered refresh |
| Ignoring OAuth and API grants | Integrations invisible to procurement | Quarterly scope review, revoke dormant tokens |
| No exit terms in the contract | Renewal assumed to be forever | Data return, deletion certificate, tested export |
| Skipping your own tenant config | Shared responsibility read as vendor-only | Config review against the hardening guide |
The 2026-2027 Outlook for SaaS Vendor Risk Assessment
AI features are rewriting the questionnaire. Vendors are wiring agent capabilities into products faster than security teams can score them, and Drift itself was an AI chat integration, so assessments now ask where prompts, embeddings, and training data flow before anything else.
Regulators keep raising the floor under the same work. The interagency guidance treats monitoring as a lifecycle stage at US banks, the SEC’s four-day clock keeps pressure on notification clauses, and state privacy laws from California outward keep adding processor obligations to the contract list.
Expect the tooling to consolidate around continuous signals. SaaS security posture management watches tenant drift, external ratings track vendor posture between reviews, and the platforms compared in the best third-party risk management software increasingly automate evidence collection that analysts once chased by email.
The Drift lesson will outlast the incident. Salesloft cleared hundreds of procurement reviews before August 2025 because those reviews scored the company rather than the token store, and a SaaS vendor risk assessment built for the cloud is how the next integration gets scored before it becomes a headline.
Infographic: SaaS Vendor Risk Assessment in Six Steps

Figure 4. The SaaS vendor risk assessment as a six-step loop: four steps build the evidence-backed score, two keep it true between renewals.
Run Your SaaS Vendor Risk Assessment with Risk Publishing
Risk Publishing helps US risk and security teams stand up a defensible SaaS vendor risk assessment program, from tiering the app estate to the enterprise risk management framework reporting behind it. Review our services, then contact us before the next vendor incident sets the schedule for you.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.