April 7, 2026
2 min read

Accelerate Supply Chain Investigations With Federated Data

In August 2025, Salesloft suffered a major supply chain breach involving its Drift tool, affecting more than 700 organizations and resulting in the theft of sensitive data and API credentials. Command Zero addresses this class of threat with a federated data model, querying identity providers, SaaS applications, and cloud platforms directly where the data resides. AI is invoked only once a chain of evidence has been established, to recognize patterns and guide the investigation to a complete understanding of the threat.

James Therrien
Lead Content Strategist
The Salesloft breach shows that traditional SOAR playbooks fail against modern supply chain attacks, and unleashing hordes of AI agents is not the answer.

In August 2025, Salesloft suffered a major supply chain breach involving its Drift tool, affecting more than 700 organizations and resulting in the theft of sensitive data and API credentials.

Why it matters

  • Supply chain attacks now average 26 incidents monthly.
  • The recent breach compromised 700 distinct organizations.
  • Attackers pivot via OAuth tokens across SaaS environments.
  • AI tools waste resources unless they are fed the results of structured data queries.

The Big Picture

Supply chain breaches are massive threats because attackers exploit trusted vendors to bypass your standard perimeters.

Throwing AI agents at the problem is not a solution, but AI excels at pattern recognition when it is given structured evidence.

Command Zero uses an expert question-and-answer methodology: agents and analysts work from structured questions instead of analyzing everything blindly.

These specific queries map the exact blast radius of an incident, building a solid evidence foundation first.

This removes the guesswork about blast radius. AI enters the picture only after a chain of evidence has been established.

Go Deeper

Supply chain attacks scatter critical evidence across dozens of disconnected platforms. Analysts waste hours switching between security consoles.

You cannot match attack velocity by manually correlating audit logs and endpoint telemetry. Traditional security tools hit a wall here.

We solve this using a federated data model. We query identity providers, SaaS, and cloud platforms directly where data resides.

You do not wait for central data lake ingestion or lose evidence to ingestion gaps; you investigate multiple systems simultaneously. The evidence available is then bounded only by what each source itself retains, so token issuance and API audit logs still need adequate retention at the source.

This breadth lets you track the attacker seamlessly across environments.

The Salesloft-Drift breach illustrates exactly why traditional investigation approaches fail against supply chain attacks. Threat actors exploited a chatbot integration to compromise more than 700 organizations in a single campaign, making it one of the largest SaaS supply chain breaches to date.

The attack unfolded methodically:

  • Initial compromise: Attackers gained access to Salesloft’s GitHub account, downloaded code repositories, and established persistent access through rogue workflows.
  • Lateral movement: Attackers pivoted into Drift’s AWS environment and harvested OAuth tokens tied to customer integrations with Salesforce, Google Workspace, and Slack.
  • Mass exfiltration: Attackers extracted contacts, accounts, and, critically, support case content containing plaintext credentials, API keys, and cloud tokens.

A Different Approach: Evidence Before Inference

Command Zero’s approach starts with questions, not prompts: expert investigative questions that ship with the platform and are extended with customer domain expertise.

  • Narrow before you infer. What tokens were issued to this integration? What API calls did those tokens make? Which data objects were accessed? What is the normal baseline for this integration’s activity? These questions are answered through direct data queries, with no AI tokens required.
  • Domain expertise compounds. Organizations encode their environment-specific knowledge into custom questions, so investigations automatically focus on what matters in that specific environment.
  • Federated access enables breadth. A federated data model queries systems directly where data resides. When investigating a suspected supply chain compromise, analysts can interrogate identity providers, cloud platforms, SaaS applications, and endpoint systems simultaneously.
  • Investigation paths follow the attacker. Attackers pivot from code repositories to cloud infrastructure to customer environments. Question-based investigation supports the same fluidity, pivoting between data sources as evidence accumulates.
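The four narrowing questions above, run as one federated investigation over the kind of sources the Go Deeper section describes. This is an added example, not Command Zero’s code or any vendor’s API: the three sources are constructed in-memory stand-ins for connectors that query an identity provider, a CRM API audit log, and a per-integration usage history in place, and every field name, app name, token id, and row count is an assumption made for the example. Inference (the exfiltration flag) is computed last, from the evidence the first four steps assembled.

```python
"""Evidence before inference: four direct queries, then one judgement.

Added example. Each entry in SOURCES stands in for a connector that queries
a system where its data already resides; the events below are constructed
sample data, and their field names are assumptions for this example only.
"""
from collections import Counter

# --- Constructed sample data (assumed schemas, not any vendor's logs) -------
IDP_TOKEN_EVENTS = [   # identity provider: OAuth tokens issued to each app
    {"ts": "2025-08-08T02:10:00Z", "app": "drift-connector", "token_id": "tok-1"},
    {"ts": "2025-08-08T02:12:00Z", "app": "drift-connector", "token_id": "tok-2"},
    {"ts": "2025-08-08T02:15:00Z", "app": "payroll-sync",    "token_id": "tok-9"},
]
CRM_API_LOG = [   # CRM: one row per API call, keyed by the bearer token used
    {"ts": "2025-08-08T02:20:00Z", "token_id": "tok-1", "op": "query", "object": "Contact", "rows": 40},
    {"ts": "2025-08-08T02:21:00Z", "token_id": "tok-1", "op": "query", "object": "Account", "rows": 35},
    {"ts": "2025-08-08T02:25:00Z", "token_id": "tok-2", "op": "query", "object": "Case",    "rows": 120000},
    {"ts": "2025-08-08T02:26:00Z", "token_id": "tok-2", "op": "query", "object": "Case",    "rows": 90000},
    {"ts": "2025-08-08T02:30:00Z", "token_id": "tok-9", "op": "query", "object": "User",    "rows": 10},
]
CRM_DAILY_HISTORY = {  # CRM: rows read per day by each app over the prior week
    "drift-connector": [80, 75, 90, 70, 85, 95, 60],
}

# Federated access: each callable queries one system in place; results are
# joined in memory on token_id rather than via a central data lake.
SOURCES = {
    "idp":     lambda app: [e for e in IDP_TOKEN_EVENTS if e["app"] == app],
    "crm":     lambda token_ids: [c for c in CRM_API_LOG if c["token_id"] in token_ids],
    "history": lambda app: CRM_DAILY_HISTORY.get(app, []),
}


def investigate(app, sources=SOURCES, spike_factor=10):
    """Answer the four narrowing questions for one integration, in order,
    and only then decide whether the activity looks like mass exfiltration.
    spike_factor is an assumed threshold: observed rows vs. daily baseline."""
    # Q1: which tokens were issued to this integration?
    token_ids = {e["token_id"] for e in sources["idp"](app)}
    # Q2: what API calls did those tokens make?
    calls = sources["crm"](token_ids)
    # Q3: which data objects were accessed, and how many rows per object?
    objects = Counter()
    for c in calls:
        objects[c["object"]] += c["rows"]
    # Q4: what is normal for this integration?
    history = sources["history"](app)
    baseline = sum(history) / len(history) if history else 0.0
    observed = sum(objects.values())
    # Inference comes last, on the chain of evidence above. With no
    # baseline there is nothing to compare against, so do not flag.
    suspicious = bool(history) and observed > spike_factor * baseline
    # Attribute volume to specific tokens so the blast radius is concrete:
    # these are the credentials to revoke and the objects to notify on.
    rows_by_token = Counter()
    for c in calls:
        rows_by_token[c["token_id"]] += c["rows"]
    return {
        "app": app,
        "tokens": sorted(token_ids),
        "calls": len(calls),
        "objects": dict(objects),
        "baseline_rows_per_day": baseline,
        "observed_rows": observed,
        "suspicious": suspicious,
        "rows_by_token": dict(rows_by_token),
    }


if __name__ == "__main__":
    for app in ("drift-connector", "payroll-sync"):
        r = investigate(app)
        verdict = "suspicious" if r["suspicious"] else "within baseline"
        print(f"{app}: {verdict}; objects={r['objects']}; by token={r['rows_by_token']}")
```

The order matters more than the arithmetic: token ids come from the identity provider, API calls from the SaaS audit log, and the baseline from history, and the `suspicious` flag is the only inference. Swapping the lambdas in `SOURCES` for real connectors leaves `investigate` unchanged, which is the property a federated model is meant to give you.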

Security organizations that continue relying on system-centric playbooks or AI-everywhere approaches will find themselves perpetually one step behind adversaries who have already learned to exploit the gaps between systems.

Facing a supply chain attack is likely. Will your investigation process be ready when it happens?

Find out more about the Command Zero AI SOC and book a demo.

