Global spending on information security reached $213 billion in 2025, according to Gartner. Detection tools have never been more capable. And the average breach lifecycle still sits at 241 days, according to IBM’s 2025 Cost of a Data Breach Report. That number has not changed significantly in over a decade. The tools got better. The time to resolution did not follow.
This is Part 1 of a three-part series on the accountability gap between detecting a security threat and proving it has been resolved. Part 2 introduces three principles that close the gap. Part 3 addresses what auditors and regulators actually require after a security event.
Detection keeps accelerating while remediation falls behind
The Verizon 2026 DBIR found that vulnerability exploitation overtook credential theft for the first time in nineteen years as the number one breach entry point, now responsible for 31% of all confirmed breaches. Mandiant’s M-Trends 2026, based on over 500,000 hours of frontline investigations, found that the time between an attacker gaining initial access and handing off to a secondary group has collapsed to just 22 seconds.
Meanwhile, remediation is falling further behind. The Verizon 2026 DBIR found that median time to fully remediate critical vulnerabilities increased to 43 days, up from 32 the prior year, and only 26% of known exploited vulnerabilities tracked by CISA were fully patched.
The gap between Salesforce expertise and security expertise
The ISC2 2025 Cybersecurity Workforce Study, which surveyed over 16,000 professionals, found that 88% of organizations experienced at least one significant security event tied directly to a skills shortage. A third said their organizations cannot afford to staff security adequately.
Meet Anika. Anika is a Salesforce admin at a mid-size financial services company, and she is exceptionally good at her job. She built the firm’s Experience Cloud community from scratch, manages the permission model across three business units, and is the go-to person when anything in the Salesforce environment breaks. Anika has deep platform expertise. What Anika does not have is security incident response training, because that has never been part of her role. When a security alert lands in her queue alongside 40 other items, the system Anika works in measures her on how fast she resolves cases, not on how thoroughly she documents a security response.
James is the firm’s Security Lead. James knows security frameworks. He understands what containment means, what blast radius investigation requires, and what a SOC 2 auditor expects to see. James also manages three Salesforce orgs with a two-person team, and today he is in the middle of a priority request from the board. James cannot personally chase every milestone on every incident.
Rachel is the VP of Security. Rachel reports to the board. She has a SOC 2 audit in 90 days, and three of the firm’s customers are headquartered in EU member states, which means Rachel has GDPR exposure she has not yet fully quantified. Rachel depends on Anika and James to handle incidents properly, but she has no system that tells her whether they did.
What happens after EzProtect catches the threat
A customer uploads a file containing embedded macro malware through the Experience Cloud portal. EzProtect’s virus scanner catches it immediately. EzProtect performs full payload scanning, not just hash-based detection, which means it identifies threats that rename executables to disguise themselves and catches payloads that signature-only scanners miss entirely. The file is blocked before any internal user can access it. The detection worked.
Here is what happens next. Anika sees the alert. She confirms the file is quarantined. EzProtect protects the firm’s entire Salesforce environment, so if the same file hash were uploaded to another of the firm’s Salesforce applications, EzProtect would catch it there too. But Anika does not know whether the same actor submitted the same payload through a different channel, whether another community user received the file externally and uploaded it to a different application before EzProtect could scan it, or whether coordinated accounts submitted variants across multiple community portals. No system has ever asked Anika to confirm containment across the firm’s other registered Salesforce applications. No system has told Anika what documentation a SOC 2 auditor would expect, because that has never been part of her workflow. Anika closes the support case and moves on, because closing the case is what her system incentivizes.
James gets an email from EzProtect. He sees the file was blocked, mentally marks it as handled, and returns to the board request.
Ninety days later, Rachel sits down with the SOC 2 auditor. The auditor asks to see evidence of the firm’s incident response over the past twelve months. Rachel asks James. James asks Anika. Anika has a closed case with no attachments, no sign-off, and no record that anyone confirmed the threat was isolated across all three of the firm’s Salesforce applications. The auditor notes it as a finding: the firm has an incident response policy, but no evidence that the policy was followed.
This is the accountability gap. Nobody failed at their job. Everyone followed the incentives the system gave them. The system was never designed for accountability.
What the gap actually costs
Every day between detection and verified resolution compounds cost. IBM’s 2025 data shows breaches resolved in under 200 days cost $3.61 million on average, while those exceeding 200 days cost $5.49 million, a $1.88 million difference. The global average reached $4.44 million, climbing to $10.22 million for US organizations. And the operational cost is the most insidious: an untracked incident means no one learns from it. The same attack vector persists. The next incident becomes more likely, not less.
Where EzProtect stops and where Argus begins
EzProtect scans every file and URL across Salesforce in real time, blocking threats at the point of upload. Every file is blocked from download until scanning confirms it is safe. EzProtect performs full payload scanning, combining signature detection against known threats, behavioral analysis for zero-day attacks, and true file type detection that examines actual file content regardless of what the extension claims. For EzProtect customers, the detection problem is solved.
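As an added illustration of the "true file type detection" described above (this is example code, not EzProtect's scanner), the check compares the leading bytes of an upload with the type its extension claims, so an executable renamed to .pdf is still recognised as an executable. The magic-number table is a small assumed subset, and the sample uploads are constructed for the example.

```python
# Added illustration, not EzProtect's scanner: compare the leading bytes of an upload
# with the type its extension claims, so a renamed executable is caught.
# Signatures are well-known magic numbers; the sample uploads are constructed.

MAGIC = {
    b"MZ": "pe-executable",          # Windows EXE/DLL
    b"\x7fELF": "elf-executable",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",            # also .docx/.xlsx (OOXML) containers
    b"\x89PNG\r\n\x1a\n": "png",
}
EXT_TO_TYPE = {"pdf": "pdf", "exe": "pe-executable", "dll": "pe-executable",
               "zip": "zip", "docx": "zip", "xlsx": "zip", "png": "png"}
EXECUTABLE_TYPES = {"pe-executable", "elf-executable"}

def detect_type(data: bytes) -> str:
    """Return the content-derived type, or 'unknown' when no signature matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def assess_upload(filename: str, data: bytes) -> dict:
    """Compare claimed vs actual type; block anything whose content is executable."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = detect_type(data)
    # A mismatch is only meaningful when both sides are known types.
    mismatch = "unknown" not in (claimed, actual) and claimed != actual
    return {"claimed": claimed, "actual": actual, "mismatch": mismatch,
            "block": actual in EXECUTABLE_TYPES}

# Constructed sample uploads: a PE header renamed to .pdf, a PDF header,
# and an OOXML-style zip container with a matching extension.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "quarterly.docx": b"PK\x03\x04\x14\x00\x06\x00",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, assess_upload(name, payload))
```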
Argus by EzProtect is the accountability layer that picks up where detection ends. When EzProtect catches a threat, the detection signal flows into Salesforce Data Cloud, which creates an incident record in Argus. Argus then drives the incident through a structured response lifecycle based on NIST SP 800-61, the industry standard for incident handling, with named human ownership at every step. Argus implements this as a workflow so Anika does not need to know the framework to follow it. Argus lives in EzProtect’s environment and protects the customer’s Salesforce org from outside it, with no access to customer business data.
Every milestone has a named Author who does the work, a Reviewer who checks it, and an Approver who signs off. The Author can never approve their own work. Before any Reviewer sees the evidence, Argus’s AI evaluates whether it meets audit-grade standards. SLA-driven escalation ensures nothing stalls silently. An immutable audit trail builds itself while the response is happening.
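The accountability rules in the paragraph above (three named roles, no self-approval, SLA-driven escalation, an audit trail that cannot be quietly edited) as an added example, not Argus's own code: a single milestone modelled as a small state machine with a hash-chained audit log. The role names, the evidence quality gate and the SLA are assumptions for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev-hash of the first audit entry
class Milestone:
    def __init__(self, name, author, reviewer, approver, sla_hours, escalate_to):
        if len({author, reviewer, approver}) < 3:
            raise ValueError("Author, Reviewer and Approver must be three different people")
        self.name, self.author, self.reviewer, self.approver = name, author, reviewer, approver
        self.escalate_to = escalate_to
        self.deadline = datetime.now(timezone.utc) + timedelta(hours=sla_hours)
        self.state, self.audit = "open", []  # audit is append-only and hash-chained

    def _log(self, actor, action, detail=""):
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        entry = {"actor": actor, "action": action, "detail": detail, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def _advance(self, actor, allowed, from_state, to_state, action, detail=""):
        # Separation of duties: the Author can never review or approve, even after escalation.
        if actor == self.author and action != "submit":
            raise PermissionError("the Author can never approve their own work")
        if actor != allowed or self.state != from_state:
            raise PermissionError(f"{actor} may not {action} a milestone in state {self.state}")
        self.state = to_state
        self._log(actor, action, detail)
    def submit_evidence(self, actor, evidence):
        if not evidence.strip():  # stands in for the evidence quality gate before review
            raise ValueError("evidence must not be empty")
        self._advance(actor, self.author, "open", "in_review", "submit", evidence)
    def review(self, actor):
        self._advance(actor, self.reviewer, "in_review", "reviewed", "review")
    def approve(self, actor, now=None):
        now = now or datetime.now(timezone.utc)
        if self.state == "reviewed" and now > self.deadline:  # SLA-driven escalation
            self._log("system", "escalate", f"SLA missed, approval routed to {self.escalate_to}")
            self.approver = self.escalate_to
        self._advance(actor, self.approver, "reviewed", "approved", "approve")

def audit_trail_intact(audit):
    """Re-derive every hash to confirm no entry was altered, reordered or removed."""
    prev = GENESIS
    for e in audit:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev or e["hash"] != hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest():
            return False
        prev = e["hash"]
    return True
```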
Anika’s workload does not increase. It becomes structured. The documentation that used to be an afterthought, or that never happened at all, becomes a by-product of doing the work. And when Rachel sits down with the auditor 90 days later, the record is already there.
Detection is solved. Nobody owns the resolution. That is the problem Argus was built to fix.
But knowing the gap exists is only the first step. The harder question is what a system that closes it actually looks like when someone on Anika’s team is staring at a milestone in Argus for the first time. What does Anika actually see on her screen? What happens when James is in a meeting and his approval deadline is approaching? What happens when the blast radius check finds the same file hash in another application? Part 2 answers those questions by walking the same trojan scenario through Argus, including the escalation that fires when James cannot respond in time and the system routes around him without penalizing anyone.
Let’s close your team’s accountability gap. EzProtect catches threats across your Salesforce environment with full payload scanning. Argus ensures someone owns, documents, and proves the response. Book an Argus demo to see both layers working together on a real Salesforce detection.
Frequently Asked Questions
Why does the average breach take 241 days to resolve despite better detection tools?
Detection tools have improved dramatically, but they only solve the first step. The 241-day average breach lifecycle persists because there is no system enforcing what happens after an alert fires: who investigates blast radius across other Salesforce applications, who verifies containment with evidence, who documents the response in a way that survives an audit. In most organizations, these steps happen informally or not at all. Argus by EzProtect closes this gap by driving every EzProtect detection through a structured response lifecycle with named ownership, AI-validated evidence, and an immutable audit trail. (IBM 2025 Cost of a Data Breach Report)
What is the accountability gap in incident response?
The accountability gap is the space between detecting a security threat and proving it has been fully resolved with documented, independently reviewed evidence. Most organizations have capable detection tools and capable response teams, but nothing in between that assigns named ownership to every step, validates the quality of the evidence collected, prevents self-approval, and produces an immutable record. Argus by EzProtect fills this layer for Salesforce environments, picking up where EzProtect’s detection ends and enforcing accountability through every phase of the incident lifecycle until the record is locked and audit-ready.
What happens after a virus scanner catches a threat in Salesforce?
When EzProtect catches a malicious file or URL in Salesforce, it blocks access and quarantines the threat before any internal user can reach it. What should happen next is a structured investigation: confirming the same threat has not appeared in other registered Salesforce applications through a different path, verifying that no internal user accessed the file before it was blocked, documenting the response with evidence at every step, and closing the incident with a defensible record. Argus by EzProtect automates this accountability layer, turning every EzProtect detection into a managed incident with named human ownership, phase-gated progression, and an audit trail that builds itself while the work is happening.
How much does a data breach cost on average?
The global average cost reached $4.44 million in 2025, with US organizations averaging $10.22 million. Organizations that resolved breaches in under 200 days spent $1.88 million less on average. Speed of response, not just detection, is the primary cost driver organizations can control. Argus by EzProtect is designed to compress the post-detection response window by enforcing structured, evidence-backed resolution with SLA-driven escalation that ensures nothing stalls silently. (IBM 2025 Cost of a Data Breach Report)