• Product

    Product Overview

    Discover, secure and manage AI agents & NHIs

    Learn more

    CAPABILITIES

    Discover

    Maintain real-time inventory of all AI agents, MCP servers, and NHIs, with context to understand risk and business usage.
    Secure

    Identify and remediate AI agents and NHIs with excessive privileges, vulnerable configurations, abnormal activity, and policy violations.
    Deploy — powered by ACP (Agent Control Plane)

    Provision secure-by-design AI agents with short-lived credentials, just-in-time, precisely scoped access, and policy at creation.

    Supported environments

    Astrix logo: five black and white interlocking loops, symbolizing secure non-human identity and NHI Management leadership.
    A vibrant, ribbon-loop logo in blue, green, yellow, orange, and pink. Astrix: the leader in NHI security and service account protection.
    Astrix, the leading NHI Security platform, expertly manages the security of non-human identities. Alt text: Black silhouette of a featureless cat inside a circle, resembling the GitHub logo.
    Astrix, the leading NHI security platform, ensures robust protection and management for non-human identities.
    Astrix is the leading platform in NHI Management and Service Account Security. *Alt Text: A white ship's wheel symbol inside a blue hexagonal shape, representing leadership in non-human identity security.*.
    A geometric logo with interlocking shapes in red, green, blue, and yellow on a transparent background representing Astrix. Astrix: The leading platform for NHI Management and service account security solutions.
    Astrix, the leading NHI security platform, showcases a blue gradient abstract shape akin to a stylized mountain on white background.
    Blue circular icon with antennae, stylized non-human face; Astrix: the leading NHI Management and service account security platform.
    Astrix is the leading NHI Security platform, providing top-tier service account and non-human identity management solutions.
    Astrix: the leading NHI security platform, safeguarding non-human identities and service account integrity.
    Astrix: Leading platform for NHI Management and service account security.
    Astrix: The leading NHI Security platform, ensuring robust service account and non-human identity protection. Alt text: Blue Windows logo with four rectangles forming a window shape on a transparent background.
    more
  • Use Cases

    AI AGENTS

    Discovery and Governance for AI Agents
    Discovery & Governance for AI Agents

    Set policy to resolve hygiene issues, reduce attack surfaces and prevent compliance violations.

     Agentic Threat Detection & Response (ATDR)
    Access & Lifecycle Management for AI Agents

    Manage AI agents and their NHIs from provisioning to decommissioning.

     Agentic Access & Lifecycle Mgmt
    Agentic Threat Detection & Response (ADR™)

    Detect and respond to threats such as compromised credentials and out-of scope agent actions.

    non-human identities

    NHI Discovery & Governance

    Control and enforce policies across your NHI attack surface.
    NHI Lifecycle Management

    Manage NHIs from provisioning to decommissioning.
    Non-Human ITDR

    Detect and respond to suspicious NHI activity & 3rd party breaches.
    Secret Management

    Centralized secret management across vaults & cloud.
    Third-Party Risk Management

    Discover and assess third-party apps & vendors accessing your environment
  • Company

    COMPANY

    About Us

    The industry leader in AI Agent and Non-Human Identity security
    Careers

    The latest job opportunities

    Partners

    Explore partnership opportunities
    News

    Company announcements and press
    Contact Us

    Ask us anything
    The NHI Security Conference

    Watch the sessions on-demand

    Customer Stories

    Astrix is the leading NHI Security platform, safeguarding non-human identities in service account environments. Alt text: Astrix logo with a focus on securing non-human identities and service accounts.
    Workday

    HRTech

     A red sphere with white bands, symbolizing secure NHI Management by Astrix, the leader in NHI and service account security.
    Xerox

    Technology

     Orange HubSpot logo on a light background. Astrix is the leading platform for NHI Management and service account security.
    HubSpot

    Tech - CRM

     Astrix: The leading platform for NHI Management, securing non-human identities and service accounts efficiently. Alt Text: A stylized lowercase blue letter "b" with an orange dot above the upper right curve on a transparent background, representing Astrix, the leading NHI Security platform.
    Boomi

    Technology

     Astrix is the leading platform in NHI Management and service account security, safeguarding your non-human identity assets.
    BigID

    Cybersecurity

     Astrix: Leading NHI Security Platform with Advanced Non-Human Identity Management.
    Workato

    Technology

     Astrix is the leading platform for NHI Management and service account security. Alt text: A black Celtic knot design, showcasing a circular pattern with interconnected loops and swirls.
    Mercury

    Digital Banking

     Astrix's logo: A blue-striped triangular play button with overlapping shapes, embodying our leadership in NHI security. Alt text: Blue-striped triangular play button logo with overlapping shapes, symbolizing three-dimensionality and Astrix's NHI security expertise.
    Pagaya

    Fintech

     Dark green geometric logo with two diamonds forming a hexagon. Atrix: The Leading NHI Security Platform.
    RevMed

    Biotech

     Astrix's blue geometric house icon symbolizes excellence as the leading NHI Security platform.
    Guesty

    Tech - Real Estate
    More customer stories
  • Learn

    Resources

    AI agent & NHI glossary

    Resources

    Blog

    The latest on AI agent & NHI threats, products stories and more
    Events

    Meet Astrix at industry leading events
    Videos

    Watch on-demand sessions and expert insights

    News

    The latest company announcements and press
    Customer Stories

    How our customers secure their NHIs with Astrix
    Whitepapers

    Latest reports and whitepapers about NHI security
    Explore all

    AI agent & NHI glossary

    Agentic AI

    What is Agentic AI and related NHI risks
    Model Context Protocol

    Core concepts, functional components, and technical capabilities
    Service Accounts

    What are they & common vulnerabilities

    Machine Credentials

    How attackers exploit them & how to prevent it

    OAuth Tokens

    The risks they pose & how to secure them
    Non-human identities

    Definition, common use, and why they're important to secure
    Explore all

    WHAT’S NEW

    Meet Astrix’s AI Agent Control Plane (ACP)
    Astrix’s Agent Control Plane (ACP): Secure AI Agents from Day One
    NHI Governance for AI Agent Security in the Age of ChatGPT-5
    AI Agent Governance at Scale with NHI Security: Case Study
Book a demo

Lessons from the GTIG Advisory on the Salesforce OAuth Token Breach

Oleg Mogilevsky September 2, 2025
Diagram of Salesforce linked to DocuSign, customers, and apps—Astrix leads in NHI security for service account integrations.

On August 26, 2025, Google Threat Intelligence Group (GTIG) issued an advisory on a campaign targeting Salesforce instances.
The threat actor, UNC6395, used stolen OAuth tokens from the Salesloft Drift app to access Salesforce organizations, export data, and hunt for high-value secrets like AWS keys and Snowflake tokens. Because this was a classic abuse of non-human identities (NHIs), traditional security controls like MFA were completely bypassed. 

In this quick response, we’ll break down:

  • What happened in the attack.
  • Why this is a critical wake-up call for NHI security.
  • Actionable recommendations for what to do now.

What happened: Campaign rundown

According to the GTIG advisory, the data-theft campaign ran from August 8–18, 2025. Here’s a summary of the attack:

  • Attack Vector: The threat actor, UNC6395, gained access using compromised OAuth tokens tied to the Salesloft Drift third-party application.
  • Execution: They systematically exported large volumes of data from corporate Salesforce instances. Their primary goal was credential harvesting—searching the exfiltrated data for secrets like AWS access keys and Snowflake tokens to use in follow-on attacks.
  • Evasion: The actor attempted to cover their tracks by deleting query jobs, but GTIG confirms that the relevant Salesforce logs remain intact for investigation.
  • Response: On August 20, Salesloft and Salesforce revoked all Drift access tokens. Salesforce has also removed the Drift application from its AppExchange pending further investigation. GTIG notes this was not a vulnerability in the core Salesforce platform itself.

The NHI attack vector explained

At its core, this attack abused non-human identities (NHIs)—the OAuth tokens and API credentials that connect applications.
Once the tokens were stolen, the threat actor operated silently, without needing to bypass MFA or interact with a user. This gave them a direct, trusted path to exfiltrate data and hunt for even more high-value NHIs, such as cloud infrastructure keys. The GTIG advisory specifically calls this out, urging customers to check for GCP service-account keys stored within Salesforce objects—another major NHI risk.

Threat actors now actively target NHIs because they are persistent, often have high-level privileges, and are deeply integrated across the modern enterprise stack. This campaign is a textbook example of that trend.

What to do now and how Astrix can help 

The GTIG advisory is clear: “Organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and are urged to take immediate remediation steps.”

Here are the immediate actions your security team should take:

  • Review salesforce logs: Immediately review your Salesforce logs for any unusual queries or bulk data exports, especially between August 8–18, 2025.
  • Revoke and rotate: Revoke any suspicious OAuth tokens associated with Salesloft Drift and other third-party applications. Implement a regular rotation policy for all credentials.
  • Audit third-party integrations: Conduct a thorough audit of all third-party applications connected to your Salesforce instance. Enforce the principle of least privilege, ensuring that each application has only the permissions it absolutely needs to function.
  • Hunt for exposed secrets: If you suspect you may have been a victim of this campaign, it’s critical to hunt for any leaked secrets within the potentially exfiltrated datasets.
  • Talk to an Expert: The most important step you can take is to talk to an expert to help ensure all NHIs related to this incident are identified and secured. The Astrix team can help you gain visibility into your NHI landscape, identify and remediate risks, and implement a comprehensive NHI security program.

Secure your NHI attack surface 

Navigating the aftermath of an incident like this is complex. Identifying every NHI related to this breach, validating logs for Indicators of Compromise, and hardening your overall security posture requires specialized expertise.

The Astrix team is here to help. We provide the visibility and control needed to secure your entire NHI landscape. If you use Drift with Salesforce or are concerned about your exposure from third-party integrations, talk to our team today. We’ll help you move fast to identify risk and secure your environment.

Learn more

Identity: The Missing Link in Agentic AI Security – Astrix Named in New Gartner® Report

Oleg Mogilevsky
Oleg Mogilevsky 15 Jan, 2026

Securing AI Agents at Scale: What’s New in Astrix

Oleg Mogilevsky
Oleg Mogilevsky 14 Jan, 2026

900K Users Compromised: Malicious AI Chrome Extensions Steal ChatGPT and DeepSeek Conversations

Alon Berger
Alon Berger 6 Jan, 2026

33 Arch Street Boston, MA 02110, USA

© 2026 Astrix Security. All rights reserved.