Accelerate Supply Chain Investigations With Federated Data

The Salesloft breach proves traditional SOAR playbooks fail against modern supply chain attacks.  And unleashing hoards of AI agents is not a solution.

In August 2025, Salesloft suffered a major supply chain breach involving its Drift Email tool, affecting over 700 organizations, which resulted in the theft of sensitive data and API credentials.

Why it matters

• Supply chain attacks now average 26 incidents monthly.

• The recent breach compromised 700 distinct organizations.

• Attackers pivot via OAuth tokens across SaaS environments.

• AI tools waste resources without structured data queries.

The Big Picture

Supply chain breaches are massive threats because attackers exploit trusted vendors to bypass your standard perimeters.

Throwing AI Agents at the problem is not a solution, but AI can excel at pattern recognition if it is provided structured evidence.

Command Zero uses an expert question and answer methodology. The agents and the analysts work from structured questions instead of analyzing everything blindly.

These specific queries map the exact blast radius of an incident building a solid evidence foundation first.

This eliminates blast radius uncertainty completely. AI enters the picture only after a chain of evidence is established.

Go Deeper

Federated threats scatter critical evidence across dozens of disconnected platforms. Analysts waste hours switching between different security consoles.

You cannot match attack velocity by manually correlating audit logs and endpoint telemetry. Traditional security tools hit a wall here.

We solve this using a federated data model. We query identity providers, SaaS, and cloud platforms directly where data resides.

You do not wait for central data lake ingestion or deal with retention gaps. You investigate multiple systems simultaneously.

This breadth lets you track the attacker seamlessly across environments.

The Salesloft-Drift breach illustrates exactly why traditional investigation approaches fail against supply chain attacks. Threat actors exploited a chatbot integration to compromise more than 700 organizations in a single campaign.  This resulted in one of the largest SaaS supply chain breaches in history.

The attack unfolded methodically:

• Initial compromise: Attackers gained access to the company’s GitHub account, downloaded code repositories, and established persistent access through rogue workflows

• Lateral movement: Attackers pivoted into Drift’s AWS environment and harvested OAuth tokens tied to customer integrations with Salesforce, Google Workspace, and Slack.

• Mass exfiltration: Attackers extracted contacts, accounts, and critically support case content containing plaintext credentials, API keys, and cloud tokens.

A Different Approach: Evidence Before Inference

Command Zero’s approach starts with questions, not prompts. Expert investigative questions, which are both shipped with the platform and enhanced with customer domain expertise.

• Narrow before you infer. What tokens were issued to this integration? What API calls did those tokens make? Which data objects were accessed? What’s the normal baseline for this integration’s activity? These questions can be answered through direct data queries. No AI tokens required.  

• Domain expertise compounds. Organizations encode their environment-specific knowledge into custom questions. Domain expertise means investigations automatically focus on what matters for that specific environment,

• Federated access enables breadth. A federated data model queries systems directly where data resides. When investigating a suspected supply chain compromise, analysts can interrogate identity providers, cloud platforms, SaaS applications, and endpoint systems simultaneously.  

• Investigation paths follow the attacker.  Attackers pivot from code repositories to cloud infrastructure to customer environments. Question-based investigation supports this same fluidity by pivoting seamlessly between data sources as evidence accumulates.

Security organizations that continue relying on system-centric playbooks or AI-everywhere approaches will find themselves perpetually one step behind adversaries who have already learned to exploit the gaps between systems.

Facing a supply chain attack is likely. Will your investigation process will be ready when it happens.

Find out more about the Command Zero AI SOC and book a demo.

‍