Skip to content

The 32 Salesforce security checks Black Cat runs

Black Cat SSPM evaluates 32 security policies against your Salesforce configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

highInactive Admin

Deactivate or reassign admin accounts inactive for over 90 days

mediumFrozen Active User

Resolve inconsistent frozen-but-active user state by deactivating or unfreezing the account

mediumUser Never Logged In

Review and deactivate active user accounts that have never logged in to remove orphaned or stale provisioning

highExcessive Modify All Data

Remove Modify All Data permission from profiles where it is not strictly required

mediumProfile View All Data

Remove View All Data permission from profiles where broad data visibility is not required

highProfile Manage Users

Remove Manage Users permission from profiles where user administration is not a required function

mediumProfile Author Apex

Remove Author Apex permission from profiles where server-side code development is not required

infoAPI Access Review

Review and disable API access on profiles where programmatic access is not required

highPermission Set Modify All Data

Remove Modify All Data from permission sets or restrict which users it is assigned to

mediumPermission Set View All Data

Remove View All Data from permission sets or reduce the number of users it is assigned to

highPermission Set Manage Users Wide

Reduce the number of users assigned Manage Users via permission sets to 5 or fewer

mediumPermission Set API Access

Remove API access from permission sets that do not require programmatic Salesforce access

mediumLogin From Multiple IPs

Investigate users logging in from many unique IP addresses to detect credential sharing or compromise

lowActive User Without Role

Assign a role to active users for proper record visibility and sharing rule enforcement

highWeak Password Complexity

Increase password complexity requirements to enforce mixed character types

mediumPermission Set Manage Malicious Files

Restrict the Manage Malicious Files permission to a small number of assignees

mediumProfile Manage Malicious Files

Remove the Manage Malicious Files permission from profiles that do not need it

authentication

highPassword Never Expires

Set a password expiration period so that credentials are rotated regularly and compromised passwords are invalidated

mediumNo Password History

Enforce password history to prevent users from reusing recent passwords after a forced rotation

mediumWeak Max Login Attempts

Lower the maximum login attempts threshold to 5 or fewer to reduce brute-force attack exposure

lowShort Lockout Interval

Increase the account lockout duration to at least 15 minutes to slow automated brute-force attacks

mediumHigh Failed Logins

Investigate accounts with excessive failed logins and enable login IP restrictions to prevent brute-force attacks

configuration

lowUnused Permission Set

Delete or archive permission sets with no assignees to reduce configuration sprawl

data protection

highPublic Sharing Model

Restrict org-wide default sharing to Private or Public Read Only for sensitive objects

criticalExternal Access Read Write

Restrict external (community/guest) access for objects currently set to Read/Write to prevent unauthorized CRM data modification

mfa

criticalAdmin Without MFA

Enroll MFA for all admin accounts via Salesforce Identity Verification settings

highUser Without MFA

Enable MFA for all active users via Identity Verification settings

password policy

highWeak Password Policy

Strengthen the org password policy to require minimum 12-character alphanumeric passwords with 90-day expiry

session management

highHTTPS Not Required

Require HTTPS for all Salesforce sessions to prevent session token interception over unencrypted connections

highCSRF Protection Disabled

Enable CSRF protection to prevent cross-site request forgery attacks against authenticated Salesforce sessions

mediumSession Timeout Too Long

Reduce session timeout to 120 minutes or less via Session Settings

mediumNo Clickjack Protection

Enable clickjack protection for Salesforce pages via Session Settings

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial