Okta, Snowflake, MOVEit, Bybit. Every major SaaS incident traces back to stolen credentials, a social-engineered support engineer, or an OAuth token nobody revoked. Live expert training that closes the human layer — and satisfies your SOC 2 auditor.
Defining incidents in the SaaS & tech threat landscape
SaaS and technology companies are prime targets not because their code is weak — but because their access sprawl, trust culture, and third-party integrations create attack paths that bypass every technical control. Here's where your exposure lives.
Infostealer malware (Redline, Raccoon, Lumma) harvests credentials from developer machines, personal browsers, and contractor endpoints. Those credentials get tested against every SaaS tenant in your stack — Snowflake, GitHub, AWS, Jira — until they hit one without MFA. The 2024 Snowflake wave was credential reuse, nothing more.
Admin accounts — Okta, Entra ID, Google Workspace Super Admin — are the skeleton key for your entire SaaS stack. MFA fatigue attacks (repeated push bombardment until the admin approves) and social engineering attacks (Scattered Spider's signature move) target these accounts specifically. One compromised SSO admin = your entire user directory.
The average SaaS company uses 130+ SaaS tools. Each integration is a potential pivot point. MOVEit, Okta, and SolarWinds SUNBURST all show the pattern: attackers compromise a vendor's system, then traverse to every downstream customer. Your vendor's breach is your breach — and your customers will hold you accountable for it.
OAuth consent phishing tricks users into granting a malicious app persistent access to their Microsoft 365 or Google Workspace account — without entering a password or triggering MFA. The app then has access to email, files, and calendar until someone manually revokes it. Engineering teams who regularly authorize OAuth apps are desensitized to consent prompts and especially vulnerable.
Scattered Spider's core technique: call your IT helpdesk or support team, impersonate a new employee or a contractor, and request MFA reset. Okta's 2022 and 2023 breaches were both executed this way. Support engineers are trained to be helpful — that culture becomes a vulnerability when the person on the line is a threat actor with LinkedIn-researched details about your company.
Two separate breaches in 18 months, both via social engineering of support engineers. In 2022, Scattered Spider compromised a third-party support contractor. In 2023, attackers used a stolen service account to access Okta's support case management tool. Downstream victims included Cloudflare, 1Password, BeyondTrust, and MGM Resorts ($100M+ impact). Okta's market cap dropped $2B+ following the 2023 disclosure.
$2B+ Market cap impact · 5,000+ customers exposed
Infostealer-harvested credentials used against 160+ Snowflake tenants with no MFA enforced. Ticketmaster (560M records), AT&T (110M call metadata records), Advance Auto Parts, Santander Bank, and LendingTree were among victims. A single control — mandatory MFA on all Snowflake tenant accounts — would have stopped every compromise. Mandiant attributed the campaign to threat actor UNC5537.
560M+ Records exposed · 160+ enterprise tenants
Cl0p ransomware group exploited a zero-day SQL injection in MOVEit Transfer. 2,700+ organizations affected — BBC, British Airways, Boots, Shell, US Department of Energy, TIAA, and government agencies across 8 countries. 95M+ individuals' data exposed. The breach required no phishing — but downstream risk was entirely preventable with vendor security questionnaire requirements and contractual controls.
2,700+ Organizations affected · 95M+ records
North Korea's Lazarus Group compromised Safe{Wallet} multisig infrastructure and injected a malicious smart contract into a transaction a Bybit signer approved. The signer saw a familiar interface — he was approving what he believed was a routine cold-wallet operation. In seconds, $1.46B in ETH was drained. Attribution confirmed by FBI (March 2025). The human-verification gap was the entire attack surface.
$1.46B Stolen · Largest crypto heist in history
SOC 2, ISO 27001, and enterprise security questionnaires all have explicit requirements for security awareness training. Here's what applies and what's at stake.
SOC 2 CC6.1 requires logical access controls, which auditors routinely support with evidence of security awareness training for all users who handle production systems. CC7.2 (monitoring for anomalies) pairs with CC2.2 (communicating security requirements). Auditors expect training completion records as supporting documentation — missing them triggers exceptions.
Type II opinion risk without training records
ISO 27001:2022 Annex A.6.3 (information security awareness, education, and training) requires organizations to ensure all personnel receive appropriate awareness training. A.5.10 (acceptable use of information and other assets) requires documented policies and evidence of training. Certification auditors will request training completion records as objective evidence during Stage 2 audit.
Certification blocked without documented training
Enterprise deals now routinely include SIG (H domain: Human Resources) or CSA CAIQ (GRC-06, HRS-09.02) questionnaires that ask directly about security awareness training frequency, content, and documentation. A 'no' or 'partial' on training questions delays deals and triggers remediation requirements. SecurEveryone provides completion certificates that answer these questionnaire items with a clean 'yes.'
Deal delays + remediation requirements
SaaS companies typically process personal data for customers across all 50 US states. California (CPRA), New York (SHIELD Act), Texas, and 47 other states have breach notification laws that trigger when personal data is accessed without authorization. A breach caused by inadequate security training — the pattern in Okta, Snowflake, and MOVEit — exposes the company to notification obligations in every state where affected individuals reside.
50-state notification · AG enforcement risk
Generic phishing simulation doesn't address the specific attack patterns targeting SaaS companies. These three drills cover the Okta-style support attack, MFA bypass at scale, and the OAuth consent phishing that bypasses your identity platform entirely.
Walk your IT helpdesk and support engineers through the exact Scattered Spider technique — impersonation calls from "new employees" or "contractors" requesting MFA reset, with LinkedIn-researched organizational details to establish credibility. This is the kill chain that brought down Okta, MGM Resorts, and Caesars Entertainment.
MFA push bombing — sending repeated authentication requests until a tired admin approves one — is documented in Uber, Cisco, and dozens of SaaS breaches. This tabletop covers push-fatigue recognition, phishing-resistant MFA options (hardware keys, passkeys), and the procedures to follow if an admin accidentally approves a fraudulent push request.
OAuth consent phishing targets engineers who routinely authorize new apps — making them the highest-risk group. This drill covers illicit consent grant attacks against Microsoft 365 and Google Workspace, recognition of suspicious OAuth permission scopes, and the process for auditing and revoking unauthorized app consents across your organization.
These free resources cover the specific attack patterns and compliance requirements SaaS and tech companies face. Download them and put them to work today.
No per-seat licensing. No annual contracts. Book a session, train your engineering team, satisfy your SOC 2 auditor.
Yes. SOC 2 Trust Service Criteria CC1.4 and CC2.2 require organizations to communicate security expectations to personnel, and CC6.1 requires logical access controls that include training on recognizing social engineering. Auditors commonly ask for evidence of security awareness training — completion records, training materials, and attestation from employees — as supporting documentation for CC6.1 and CC6.2 (logical access provisioning). SaaS companies that lack documented training risk a qualified opinion or exceptions on their Type II report. SecurEveryone provides a training completion certificate you can include in your SOC 2 evidence package.
The 2024 Snowflake-linked breach affecting Ticketmaster (560M+ records), AT&T, and over 160 other tenants was caused by stolen credentials — specifically, infostealer malware on contractor machines that harvested Snowflake credentials. Snowflake itself was not breached; the attackers used valid usernames and passwords with no MFA to authenticate. The single control that would have stopped every compromise: mandatory MFA on all Snowflake tenant accounts. This is exactly the kind of human-layer failure our MFA Rollout Playbook and phishing-resistance training prevent — attackers stole credentials via phishing/stealer malware, then used them on a platform that didn't enforce MFA.
OAuth consent phishing (also called 'illicit consent grant') tricks a user into authorizing a malicious third-party application access to their Microsoft 365 or Google Workspace account via a legitimate OAuth flow. Because the victim never enters their password on a fake page — they click 'Allow' on an OAuth permissions screen — it bypasses MFA entirely. The malicious app then has persistent access to email, files, and calendar. Engineering and admin teams are especially vulnerable because they regularly authorize new OAuth apps for legitimate development work and are less suspicious of consent prompts. Microsoft DART and Google TAG have both documented active campaigns targeting SaaS companies via this vector.
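The audit-and-revoke step that the consent phishing drill and this answer describe, as an added example that is not part of the original page or SecurEveryone's material: it reads a constructed sample shaped like a Microsoft Graph oauth2PermissionGrants listing, flags grants where an app nobody has reviewed holds broad mail or file scopes, and shows the Graph DELETE call that removes a grant. The high-risk scope list and the approved-app allowlist are assumptions, not an official classification.

```python
import json

# Delegated Graph scopes that give an app standing access to mail, files and directory data.
# This list is an assumption for the example, not an official Microsoft risk classification.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Contacts.Read", "Directory.Read.All",
}

# Service principals an admin has already reviewed (constructed allowlist).
APPROVED_CLIENTS = {"sp-111"}

# Constructed sample shaped like GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants
# (not real tenant data). consentType "Principal" means one user clicked Allow;
# "AllPrincipals" means an admin consented on behalf of the whole tenant.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"id": "g1", "clientId": "sp-111", "consentType": "Principal", "principalId": "u-alice",
   "resourceId": "graph", "scope": "openid profile User.Read"},
  {"id": "g2", "clientId": "sp-222", "consentType": "Principal", "principalId": "u-bob",
   "resourceId": "graph", "scope": "offline_access Mail.ReadWrite Files.ReadWrite.All"},
  {"id": "g3", "clientId": "sp-333", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "graph", "scope": "User.Read Mail.Read"}
]}
""")


def assess_grant(grant):
    """Return the reasons a grant needs review; an empty list means it looks fine."""
    if grant["clientId"] in APPROVED_CLIENTS:
        return []
    scopes = set(grant.get("scope", "").split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if not risky:
        return []  # unreviewed app with only sign-in scopes: little value to an attacker
    reasons = ["unreviewed app holds " + ", ".join(risky)]
    if "offline_access" in scopes:
        reasons.append("offline_access: refresh token keeps access alive after the user signs out")
    if grant.get("consentType") == "AllPrincipals":
        reasons.append("tenant-wide consent: every user is exposed, not just the one who clicked")
    return reasons


def find_risky_grants(payload):
    """Map grant id -> review reasons for every grant that needs attention."""
    findings = {}
    for grant in payload["value"]:
        reasons = assess_grant(grant)
        if reasons:
            findings[grant["id"]] = reasons
    return findings


def revocation_request(grant_id):
    """Graph call that removes a consent grant (method and URL only; nothing is sent here)."""
    return ("DELETE", f"https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{grant_id}")
```

Run against a real tenant by replacing SAMPLE_GRANTS with the paged output of the same Graph endpoint; a grant that appears here without a change ticket behind it is the artefact a consent phishing victim leaves behind.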
The Standardized Information Gathering (SIG) questionnaire (domain H — Human Resources) and the Cloud Security Alliance CAIQ (GRC-06, HRS-09) both ask directly whether employees receive security awareness training, how often, and whether training completion is documented. Enterprise customers increasingly require SIG or CAIQ responses as part of vendor qualification — a 'no' on training documentation can block a deal or trigger a remediation requirement. The fastest path to a clean 'yes': documented live training sessions with completion records per employee. This is exactly what SecurEveryone provides, and it satisfies both the SIG H domain and CAIQ HRS-09.02.
In February 2025, Bybit suffered the largest cryptocurrency theft in history — $1.46B in ETH stolen via a social engineering attack that compromised a Safe{Wallet} cold-wallet signer. Attackers (attributed to North Korea's Lazarus Group) compromised the Safe multisig infrastructure and manipulated the transaction a Bybit signer was approving, substituting a malicious contract at the last second. The signer saw a familiar-looking interface and approved a transaction they believed was routine. The lesson for SaaS security teams: supply-chain social engineering can compromise the software your team uses to authorize critical operations. Reviewing deployment pipelines, signing authorities, and any third-party infrastructure used for privileged operations is essential — and training signers to verify out-of-band is the human layer that the Bybit team lacked.
Phishing simulation platforms (KnowBe4, Proofpoint Security Awareness) send fake phishing emails and track click rates. That's useful for awareness metrics, but it doesn't build the judgment to handle a live BEC attempt, an OAuth consent phishing flow, or a Scattered Spider-style helpdesk call. SecurEveryone training is live, interactive, and expert-led — your team works through real-world SaaS attack scenarios with a human expert who can answer 'but what if they said X?' in real time. Simulation platforms give you click data. SecurEveryone gives your team the mental models to make good decisions under pressure. Most SaaS companies benefit from both — simulation for ongoing reinforcement, live training for the playbooks that actually stop the hardest attacks.
The Vendor Questionnaire Response Library has 80+ pre-written, audit-ready answers across 12 security domains. Includes a SIG Lite/Core → CAIQ v4 crosswalk and a Red-Flag Guide for answers that trigger extra scrutiny. Free PDF + editable DOCX.
Download Free — PDF + DOCX →
Book a live session today. Sessions are 60–120 minutes, held over Zoom, and built around your team's actual SaaS stack — Okta, GitHub, AWS, Snowflake, Slack. Walk away with SOC 2 evidence, a vendor risk checklist, and a team that knows what Scattered Spider looks like in the wild.