What does a Salesforce security assessment review?
A Salesforce security assessment reviews profiles, permission sets, sharing, guest and community access, data exposure, and integrations — passively and under authorization.
Why Salesforce needs its own assessment
Salesforce is often the system of record for a company's most sensitive data — customers, pipeline, contracts. Its security model is powerful but easy to misconfigure: layered profiles, permission sets, sharing rules, and public-facing communities create many ways for access to drift wider than intended. Perimeter-focused security testing rarely looks inside it.
Access and permissions
The assessment reviews profiles and permission sets for excessive privileges, over-broad 'Modify All' or 'View All' grants, and administrative access sprawl. It checks org-wide defaults and sharing rules to confirm data isn't exposed more broadly than the business intends, applying a least-privilege lens throughout.
Guest and community exposure
Public sites, Experience Cloud communities, and guest-user profiles are a common source of Salesforce data exposure. The assessment examines what an unauthenticated or low-privilege user can actually see and do, since misconfigured guest access has led to real-world data leaks.
Data, integrations, and monitoring
Finally, the review looks at sensitive-field exposure, connected apps and API integrations, and whether audit and event monitoring are in place. The output is a prioritized list of concrete permission and configuration changes — safe to review passively, because the assessment reads configuration rather than altering it.
Frequently asked
Will a Salesforce security assessment disrupt our org?
What are the most common Salesforce security issues?
Want this checked on your own systems? Start with a free, passive Quick Scan.