
The company that built the tool to find your Salesforce misconfiguration is the same company that got breached through it. 

In January 2026, Mandiant released AuraInspector — an open-source utility to help Salesforce administrators identify exposed Experience Cloud configurations before attackers could exploit them. By March, ShinyHunters had weaponized it. According to BleepingComputer, between 300 and 400 organizations were compromised, including roughly 100 high-profile companies, many in cybersecurity — the campaign had been running quietly since September 2025. The tool release just made it faster. 

The timing is not incidental. The same week ShinyHunters’ campaign went public, Salesforce launched Agentforce Contact Center — its most ambitious architecture yet, unifying voice, digital channels, CRM data, and AI agents into a single native system. A week before that, Salesforce published eight design principles for the Agentic Enterprise. The opening line: “Simply plastering an agent on top of an existing but inadequate architecture won’t work.” 

That sentence is aimed at implementation teams. It should concern security teams just as much. Salesforce built four connected layers. Attackers are already inside one of them. The rest of this blog explains which one, how they got there, and what it means for every organization now deploying Agentforce on top of the same infrastructure. 

The Architecture Salesforce Just Shipped 

TDX 2026 is April 15. The architecture being showcased there is already in production. Salesforce’s Agentic Enterprise model organizes the operating environment into four interconnected layers. The System of Engagement sits at the top — Slack, messaging, collaboration, the channels where content first enters the enterprise. Below that is the System of Agency — Agentforce, where autonomous AI agents reason, plan, and execute multi-step workflows without waiting for human instruction. Below that is the System of Work — Customer 360, spanning Sales, Service, Marketing, Healthcare, Financial Services, and industry clouds. At the foundation is the System of Context — Data 360, the layer connecting CDPs, MuleSoft, Tableau, and real-time pipelines to everything above it. Beneath all four sits a trust layer of LLMs from OpenAI, Anthropic, Google, and Meta. 

A recent Salesforce survey of 1,050 enterprise IT leaders found that 83% of organizations report most or all teams have adopted AI agents, with an average of 12 agents currently deployed per organization — a figure projected to climb 67% within two years. Agentforce is not a roadmap item. It is running in production environments right now. 

The Salesforce Architecture Center identifies “Trust-throughout” as a core design principle: dynamic, granular permissions enforced at every layer based on the intent of the agent’s task. What the architecture documentation does not address is the content entering those layers in the first place — files uploaded to Slack, attachments processed through Service Cloud, links shared through Chatter, documents ingested by Data 360 pipelines. Those are not governed by agent permissions. They are governed by whatever scanning and inspection infrastructure the organization has put in place. For most organizations, that infrastructure has not been updated since before Agentforce existed. 

What a Threat Looks Like Moving Through All Four Layers 

This is not theoretical. The architecture creates a specific propagation path, and understanding it is the prerequisite for protecting it. 

Content that enters through the System of Engagement — a file in Slack, an attachment from an external partner, a URL in a Chatter post — does so before any agent has touched it. Without automated inspection at this layer, malicious content enters the enterprise workflow clean. In the System of Agency, the problem compounds. Agentforce agents do not wait. They retrieve content, analyze it, and act on it autonomously. In September 2025, Noma Security disclosed ForcedLeak — a CVSS 9.4 vulnerability chain in Salesforce Agentforce in which the LLM at an agent’s core could not distinguish between legitimate context data and malicious instructions embedded within it. That is not a narrow edge case. It is a structural property of any system where unvalidated content reaches an AI model. 

The System of Work is where the value lives — contracts, financial records, case files, healthcare data, customer information. Every upload into Sales or Service Cloud is an ingress point. When files move between objects and clouds, a single undetected threat traverses the entire Customer 360 ecosystem without triggering a platform alert. At the System of Context, the damage becomes compounding: content ingested into Data 360 is indexed, analyzed by models, and shared across connected applications. A compromised file at this layer corrupts the grounding data every agent above it relies on. One file, missed at entry, degrades the quality of every autonomous decision made downstream. 

This Is the Active Threat Environment 

The 2025 breach wave was not a precursor. It is a continuing campaign against the same infrastructure that Agentforce now operates on top of. 

In August 2025, attackers exploited OAuth tokens from the Salesloft Drift integration and accessed Salesforce environments across more than 700 organizations — including Palo Alto Networks, Cloudflare, Zscaler, and Proofpoint. Palo Alto Networks confirmed publicly that the breach was isolated to its CRM platform. These are not underfunded organizations with immature security programs. They are the vendors whose products most organizations rely on to stay protected. 

The March 2026 ShinyHunters campaign shifted vector but not target. The Register confirmed the group claims victims including Snowflake, LastPass, Okta, AMD, and Salesforce itself. Help Net Security and Infosecurity Magazine both reported the campaign active across hundreds of organizations simultaneously. The attack vector: a misconfigured guest user profile on a public-facing Experience Cloud site, granting unauthenticated access to CRM objects through the Aura API endpoint. 

As EzProtect has detailed at length, securing Experience Cloud starts with enforcing least privilege at the object, record, and field level — not trimming down from too much, but building from zero access and restoring only what tested functionality requires. Salesforce’s own CSOC advisory from March 2026 confirms this exactly. The highest-impact single change available: disable public API access on the guest user profile, which closes the Aura endpoint to unauthenticated queries — the precise vector ShinyHunters exploited. 
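One way to check a retrieved guest user profile against the build-from-zero model described above. This is an added example, not EzProtect's or Salesforce's code: the profile XML is a constructed sample, the allowlist is hypothetical, and it assumes API access shows up as the `ApiEnabled` user permission in the profile metadata.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
ACCESS_FLAGS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
                "viewAllRecords", "modifyAllRecords")

# Hypothetical allowlist: the only access that tested site functionality needs.
ALLOWED = {"Knowledge__kav": {"allowRead"}}

# Constructed sample of a guest user profile (not taken from a real org).
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions>
    <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>true</allowRead>
    <modifyAllRecords>false</modifyAllRecords>
    <object>Knowledge__kav</object>
    <viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <objectPermissions>
    <allowCreate>true</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>true</allowRead>
    <modifyAllRecords>false</modifyAllRecords>
    <object>Contact</object>
    <viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
</Profile>"""


def audit_guest_profile(xml_text, allowed=ALLOWED):
    """Return one finding per grant that the allowlist does not cover."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("sf:objectPermissions", NS):
        obj = perm.findtext("sf:object", namespaces=NS)
        granted = {f for f in ACCESS_FLAGS
                   if perm.findtext(f"sf:{f}", default="false", namespaces=NS) == "true"}
        # Start from zero: anything granted beyond the allowlist is a finding.
        for flag in sorted(granted - allowed.get(obj, set())):
            findings.append(f"{obj}: {flag} not in allowlist")
    for perm in root.findall("sf:userPermissions", NS):
        name = perm.findtext("sf:name", namespaces=NS)
        enabled = perm.findtext("sf:enabled", namespaces=NS)
        if name == "ApiEnabled" and enabled == "true":
            findings.append("ApiEnabled: API access enabled for guest user")
    return findings


if __name__ == "__main__":
    for line in audit_guest_profile(SAMPLE_PROFILE):
        print(line)
```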

The architecture those breaches exploited was a relatively static Salesforce environment. The organizations now getting hit are the same ones actively deploying Agentforce agents on top of it. Salesforce’s own research found that 55% of security leaders are not fully confident they have appropriate guardrails to deploy AI agents. That survey predates widespread Agentforce adoption. 

What Native Scanning Does Not Solve 

The informed question at this point is whether Salesforce’s Spring ’26 native file scanning closes the gap. It does not. 

EzProtect’s CEO Matt Meyers, a Salesforce Certified Technical Architect, uploaded a real trojan to the Spring ’26 beta scanner. It was not detected. EzProtect caught and blocked it. Salesforce’s scanner relies on hash-based detection — matching files against a database of known fingerprints. An attacker who modifies a payload or renames a malicious executable as a document file bypasses that entirely. True file type detection — examining actual binary content regardless of extension — is what separates genuine protection from a checkbox. Native scanning is progress. It is not sufficient for an architecture where agents act on content before humans review it.  
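The difference between the two detection approaches described above, as an added example that is not EzProtect's or Salesforce's code. The "known-bad" file is a constructed byte string with a PE-style header, and the magic-byte lookup is a simplified stand-in for true file type detection.

```python
import hashlib

# Leading-byte signatures for a few common formats.
MAGIC = [
    (b"MZ", "exe"),                  # Windows PE
    (b"\x7fELF", "elf"),             # Linux ELF
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),          # also the container for docx/xlsx
    (b"\x89PNG\r\n\x1a\n", "png"),
]
# Content types each extension may legitimately contain (illustrative policy).
EXPECTED = {"pdf": {"pdf"}, "png": {"png"}, "docx": {"zip"}, "zip": {"zip"}}
EXECUTABLE = {"exe", "elf"}

# Constructed stand-in for a known-bad file: PE-style header plus filler.
KNOWN_BAD = b"MZ\x90\x00" + b"constructed-sample-payload" * 4
BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def hash_verdict(data):
    """Hash-based detection: exact match against known fingerprints only."""
    return "block" if hashlib.sha256(data).hexdigest() in BLOCKLIST else "allow"


def sniff_type(data):
    """Identify the type from the leading bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def content_verdict(filename, data):
    """Block executables and content that contradicts the extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_type(data)
    if kind in EXECUTABLE:
        return "block"
    # Unmapped extensions and mismatched content are both refused.
    return "allow" if kind in EXPECTED.get(ext, set()) else "block"


def compare(filename, data):
    return {"hash": hash_verdict(data), "content": content_verdict(filename, data)}


if __name__ == "__main__":
    print(compare("invoice.pdf", KNOWN_BAD + b"\x00"))
```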

Closing the Gap Before the Agent Opens It 

When a file enters a Salesforce environment protected by EzProtect, it is blocked immediately — not flagged, not queued, blocked — until multi-layer scanning confirms it is clean. That process takes under two seconds. Only then does the file become available to users, agents, or downstream pipelines. When a customer recently migrated to EzProtect from another enterprise solution, the initial scan found 298 active threats that the previous solution had missed entirely — sitting in a production environment, accessible to users and to any agent configured to retrieve them. 

EzProtect also scans URLs across every Salesforce field and object — Chatter, Slack, WhatsApp, and API integrations — using a two-stage process that combines a 50-million-entry threat database with AI behavioral analysis for zero-day links. That coverage addresses the System of Engagement directly, catching threats at the point of entry before the agent layer ever processes them. 

Salesforce built four connected layers. Attackers are already inside one of them — and that layer connects to every other layer in the stack. The same group that weaponized a defender’s tool to breach 400 organizations is actively scanning for the next misconfiguration right now. They do not need a zero-day. They need your guest user profile to have one extra permission, or an unscanned file sitting in a Service Cloud case, or a malicious link that moved through Slack before an agent retrieved it. 

The assessment we offer starts with exactly those questions: what is entering your four layers, and what happens to it before your agents act on it. If you do not have a clean answer, that is where we start. 

Schedule a Free Security Assessment 

A misconfiguration ShinyHunters can find in seconds may take your team weeks to discover. Our assessment identifies exposed configurations, unscanned file ingress points, and URL risks across your Salesforce environment — no org access required to start.

Frequently Asked Questions 

Why does the Salesforce Agentic Enterprise architecture create new security risks?

The architecture connects four layers — Slack and messaging at the top, Agentforce AI agents below that, Customer 360 applications below that, and Data 360 at the foundation — through which content moves continuously. AI agents act on that content autonomously and at machine speed, meaning a threat that enters anywhere in the stack propagates to every other layer before a human can intervene. Most organizations’ security models were built for a static Salesforce environment. They were not designed for a system where an autonomous agent can retrieve, analyze, and act on a file seconds after it is uploaded.

Does Salesforce’s Spring ’26 native file scanning address this?

Partially but not sufficiently. Salesforce’s scanner uses hash-based detection, which matches files against known threat fingerprints. An attacker who modifies a payload or renames an executable can bypass it. EzProtect’s CEO demonstrated this directly: a real trojan submitted to the Spring ’26 beta scanner was not detected. EzProtect caught and blocked it. Full payload scanning — analyzing actual binary content regardless of file extension — is required to close that gap.

What is the ShinyHunters Experience Cloud campaign and does it affect Agentforce deployments?

In a campaign running since September 2025 and publicly confirmed in March 2026, ShinyHunters weaponized Mandiant’s AuraInspector tool to mass-scan public-facing Experience Cloud sites for misconfigured guest user profiles. Between 300 and 400 organizations were compromised. The attack vector — an overpermissioned guest user profile granting unauthenticated access to CRM objects — exists independently of Agentforce. But any organization running Agentforce on top of that environment now has autonomous agents operating on data that may already have been exposed. Salesforce’s March 2026 advisory provides remediation steps.

How does EzProtect protect content across the four architecture layers?

EzProtect blocks every file uploaded to Salesforce until multi-layer scanning confirms it is clean — full payload analysis, true file type identification, signature scanning against a 50-million-entry database, and AI behavioral analysis for zero-day threats. It also scans URLs in every Salesforce field and object, including Chatter, Slack, and API integrations, using a two-stage detection process. Files are blocked at the System of Engagement layer, before any Agentforce agent in the System of Agency layer can act on them.

Published on: March 29, 2026. Categories: Blog, Cyber Attack, Cybersecurity, Salesforce.
