4 min read·Updated July 16, 2026

What does a Salesforce security assessment review?

A Salesforce security assessment reviews profiles, permission sets, sharing, guest and community access, data exposure, and integrations — passively and under authorization.

Why Salesforce needs its own assessment

Salesforce is often the system of record for a company's most sensitive data — customers, pipeline, contracts. Its security model is powerful but easy to misconfigure: layered profiles, permission sets, sharing rules, and public-facing communities create many ways for access to drift wider than intended. Perimeter-focused security testing rarely looks inside it.

Access and permissions

The assessment reviews profiles and permission sets for excessive privileges, over-broad 'Modify All' or 'View All' grants, and administrative access sprawl. It checks org-wide defaults and sharing rules to confirm data isn't exposed more broadly than the business intends, applying a least-privilege lens throughout.

Guest and community exposure

Public sites, Experience Cloud communities, and guest-user profiles are a common source of Salesforce data exposure. The assessment examines what an unauthenticated or low-privilege user can actually see and do, since misconfigured guest access has led to real-world data leaks.

Data, integrations, and monitoring

Finally, the review looks at sensitive-field exposure, connected apps and API integrations, and whether audit and event monitoring are in place. The output is a prioritized list of concrete permission and configuration changes — safe to review passively, because the assessment reads configuration rather than altering it.

Frequently asked

Will a Salesforce security assessment disrupt our org?
No. A proper assessment is passive and read-only — it reads configuration, permissions, and sharing settings under authorization, without changing records or settings or disrupting users.
What are the most common Salesforce security issues?
Over-permissioned profiles and permission sets, over-broad sharing or org-wide defaults, and misconfigured guest/community access that exposes data to unauthenticated users.

Want this checked on your own systems? Start with a free, passive Quick Scan.

Run a free Quick Scan