The 32 Salesforce security checks Black Cat runs
Black Cat SSPM evaluates 32 security policies against your Salesforce configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Deactivate or reassign admin accounts inactive for over 90 days
Resolve inconsistent frozen-but-active user state by deactivating or unfreezing the account
Review and deactivate active user accounts that have never logged in to remove orphaned or stale provisioning
Remove Modify All Data permission from profiles where it is not strictly required
Remove View All Data permission from profiles where broad data visibility is not required
Remove Manage Users permission from profiles where user administration is not a required function
Remove Author Apex permission from profiles where server-side code development is not required
Review and disable API access on profiles where programmatic access is not required
Remove Modify All Data from permission sets or restrict which users it is assigned to
Remove View All Data from permission sets or reduce the number of users it is assigned to
Reduce the number of users assigned Manage Users via permission sets to 5 or fewer
Remove API access from permission sets that do not require programmatic Salesforce access
Investigate users logging in from many unique IP addresses to detect credential sharing or compromise
Assign a role to active users for proper record visibility and sharing rule enforcement
Increase password complexity requirements to enforce mixed character types
Restrict the Manage Malicious Files permission to a small number of assignees
Remove the Manage Malicious Files permission from profiles that do not need it
authentication
Set a password expiration period so that credentials are rotated regularly and compromised passwords are invalidated
Enforce password history to prevent users from reusing recent passwords after a forced rotation
Lower the maximum login attempts threshold to 5 or fewer to reduce brute-force attack exposure
Increase the account lockout duration to at least 15 minutes to slow automated brute-force attacks
Investigate accounts with excessive failed logins and enable login IP restrictions to prevent brute-force attacks
configuration
Delete or archive permission sets with no assignees to reduce configuration sprawl
data protection
Restrict org-wide default sharing to Private or Public Read Only for sensitive objects
Restrict external (community/guest) access for objects currently set to Read/Write to prevent unauthorized CRM data modification
mfa
Enroll MFA for all admin accounts via Salesforce Identity Verification settings
Enable MFA for all active users via Identity Verification settings
password policy
Strengthen the org password policy to require minimum 12-character alphanumeric passwords with 90-day expiry
session management
Require HTTPS for all Salesforce sessions to prevent session token interception over unencrypted connections
Enable CSRF protection to prevent cross-site request forgery attacks against authenticated Salesforce sessions
Reduce session timeout to 120 minutes or less via Session Settings
Enable clickjack protection for Salesforce pages via Session Settings