The Five Red Team Findings Every SaaS Company Repeats
After dozens of engagements, our offensive security team keeps finding the same five weaknesses — none of them exotic, all of them fixable in a sprint. Here is the list, and how to close each gap.
Red team reports rarely surprise security veterans. The exotic zero-day is a movie trope; the real findings are boring, repeated, and almost always preventable. Across our last two years of engagements, five findings appeared in the overwhelming majority of reports.
1. Stale credentials with production access
The most common initial foothold is not a phishing payload — it is a credential that should not exist: a contractor's account that was never offboarded, a CI token with admin scope committed to an internal wiki, a service account password unchanged since 2021.
Close the gap: inventory every credential that can reach production, set expiry on all of them, and make offboarding a same-day automated process rather than a quarterly cleanup.
2. Internal services that trust the network
Once inside the perimeter, lateral movement is usually trivial because internal APIs skip authentication entirely. The assumption that "only our services can reach this" fails the moment any single workload is compromised.
Close the gap: require service-to-service authentication everywhere, even for internal traffic. Short-lived mTLS certificates or workload identity (SPIFFE, cloud IAM) make this manageable without hand-rotating secrets.
3. Over-permissioned cloud roles
We routinely find Lambda functions with s3:* on every bucket and CI runners that can assume administrator roles. Attackers do not need to escalate privileges when the application already has them.
Close the gap: run a least-privilege audit on your top ten most-used IAM roles. Cloud-native tools (IAM Access Analyzer, Policy Sentry) will draft the minimal policy from actual usage logs — the work is hours, not weeks.
4. Logging that exists but alerts no one
Most victims have the evidence of compromise sitting in their logs. What they lack is anyone — human or machine — looking at it. During engagements we frequently operate for days inside environments with comprehensive logging and zero detections fired.
Close the gap: pick five high-signal events (impossible-travel logins, new IAM principals, security-group changes, mass data egress, disabled audit logs) and wire them to a channel someone actually reads. Five good alerts beat five hundred ignored ones.
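To make the "five high-signal events" concrete, here is an added example (not code from the original post or from Fastnexa) that runs a minimal detector over constructed CloudTrail-style records for four of the events named above: new IAM principals, security-group changes, disabled audit logging, and impossible-travel console logins. The event-name sets and the `country` field are assumptions; a real pipeline would derive the country from `sourceIPAddress` with a GeoIP lookup.

```python
from datetime import datetime, timedelta

# API calls treated as each alert condition. These sets are an assumption about
# which calls matter most; extend them for your own account and provider.
NEW_PRINCIPAL = {"CreateUser", "CreateRole", "CreateAccessKey", "CreateLoginProfile"}
SG_CHANGE = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "ModifySecurityGroupRules"}
AUDIT_DISABLED = {"StopLogging", "DeleteTrail"}
TRAVEL_WINDOW = timedelta(hours=1)   # two countries inside this window is "impossible travel"

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(records):
    """Return (rule, actor, detail) tuples for records that deserve an alert."""
    alerts = []
    last_login = {}   # actor -> (time, country) of the previous ConsoleLogin
    for rec in sorted(records, key=_ts):
        name = rec["eventName"]
        actor = rec.get("userIdentity", {}).get("userName", "unknown")
        if name in NEW_PRINCIPAL:
            alerts.append(("new-iam-principal", actor, name))
        elif name in SG_CHANGE:
            alerts.append(("security-group-change", actor, name))
        elif name in AUDIT_DISABLED:
            alerts.append(("audit-logging-disabled", actor, name))
        elif name == "ConsoleLogin":
            # "country" is a constructed field standing in for a GeoIP lookup.
            country, when = rec["country"], _ts(rec)
            prev = last_login.get(actor)
            if prev and prev[1] != country and when - prev[0] <= TRAVEL_WINDOW:
                alerts.append(("impossible-travel", actor, f"{prev[1]}->{country}"))
            last_login[actor] = (when, country)
    return alerts

# Constructed sample records (not real CloudTrail output).
SAMPLE = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "country": "DE"},
    {"eventTime": "2024-05-01T09:20:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "country": "BR"},
    {"eventTime": "2024-05-01T09:25:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-05-01T09:30:00Z", "eventName": "StopLogging",
     "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "bob"}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert)
```

Mass data egress is left out because it needs volume baselines (VPC flow logs or S3 access logs) rather than a single event name; the same loop can be extended once that data source exists.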
5. The forgotten subdomain
Marketing sites, demo environments, and acquisition leftovers running outdated frameworks remain the easiest external entry point. They share cookies, OAuth apps, or DNS with production — so "it's just the old landing page" is rarely true.
Close the gap: run continuous external attack-surface monitoring. Enumerate your subdomains the way an attacker would (it takes one afternoon with open-source tooling) and decommission or patch everything you find.
The pattern behind the pattern
None of these findings requires an advanced attacker, and none of the fixes requires a security team of twenty. What they require is ownership: someone whose job it is to close the loop. That is the real value of a red team engagement — not the report, but the forcing function.
If you have never had an adversarial assessment, or your last one is gathering dust, talk to our red team. The first conversation is free, and we promise the report will be shorter than this post's fix list.
Fastnexa Security Practice
Cybersecurity Team at Fastnexa. We write from real client work — happy to talk through yours.