Incident Response AppOmni’s Marlin AI Brings Autonomous Investigation to SaaS Security Marlin AI automatically analyzes SaaS misconfigurations, investigates related activity across enterprise environments, and recommends remediation steps — while stopping short of fully autonomous corrective action. By Kevin Townsend | May 26, 2026 (10:00 AM ET) Flipboard Reddit Whatsapp Whatsapp Email Securing software-as-a-service (SaaS) apps is hard. The standard cybersecurity controls are not designed for SaaS. The difficulty is the software doesn’t belong to the user and usually runs on somebody else’s infrastructure. Standard cybersecurity products are designed to operate on software owned by the user and housed on the users’ infrastructure. SaaS providers attempt to maintain security inside their apps, but they cannot control how they are used. Usage varies from user to user and is fundamentally governed by how the app is configured. This configuration is the only native security available to SaaS users, and misconfiguration is the primary and most common source of insecurity. “The legal team might be using one (or more) SaaS apps, HR, financial and engineering something else – everyone across the company is using different tools, perhaps 100 different tools,” suggests Melissa Ruzzi, senior director of AI at AppOmni. Each one will have a different configuration, generally set by the user. “That’s what makes SaaS so interesting,” she continues (probably including ‘interesting ‘ in the purported ‘Chinese sense’), “because the configuration is where all the security actually lies.” The SaaS threat surface is already huge and constantly expanding, with more users and more company departments using more SaaS apps. If downloaded and run locally, this is not always with the knowledge of the IT and security departments, possibly creating shadow SaaS that often includes shadow AI. AppOmni is one of the cybersecurity firms offering specialized assistance. It provides a SaaS security posture management (SSPM) platform, aiding visibility into, control over, and reduced breach risk from SaaS apps. But it simply gets harder through the growing size and complexity of the threat surface. Advertisement. Scroll to continue reading. This is not a problem unique to SaaS security. Security firms, including AppOmni, are turning to AI to improve the efficiency and effectiveness of their service. In December 2023, AppOmni introduced AskOmni, an AI-powered SSPM assistant designed to answer, in natural language, user queries on anything arising from the platform. Marlin AI On May 26, 2026, AppOmni launched Marlin AI , designed to allow as much autonomy in addressing the issues discovered by the platform as possible. AskOmni and Marlin work hand-in-hand. “Marlin investigates and analyzes issues, and does a bunch of things,” explains Ruzzi. “If you have any questions about what it has done, you can just AskOmni.” Marlin examines all the different configurations used by different users across all the SaaS apps used by different companies. Marlin’s context is drawn from the years of SaaS expertise accumulated by AppOmni – so it can automatically detect potentially worrying configuration settings. “Let’s say it finds an unenabled MFA in a configuration,” comments Ruzzi. “That’s a problem in itself. But how dangerous is that problem?” Marlin looks further, because the urgency of the problem depends on other factors. “Have you been doing mass downloads from a weird IP under a weird VPN… So, now you must look into everything else that is happening across the platform.” Normally, all of this work is performed manually by a human analyst, and that takes time. Marlin does it automatically, but it goes further. Users wish to know what to do rather than just be told ‘this missing MFA could lead to a breach’ – Marlin does this; it recommends a course of remedial action. An expanding issue with all new AI solutions is does it, or could it, take the autonomy of fault detection to an autonomy of automatic fault correction. The answer for Marlin is nuanced. Actions inside the AppOmni platform can be automated. It may report a benign issue and effectively provide the user with a button. “You click the button, and ‘boom’, Marlin does everything for you,” explains Ruzzi. But it is different when the required action goes beyond the platform. “Let’s say we find a misconfiguration on your Salesforce,” she continues. “Consider the level of access Marlin would require making changes automatically. That’s a line we don’t cross, because customers are not generally happy to give a third party, us, admin rights to their data.” Could Marlin perform autonomous action? Yes. Does it? No; at least not yet. “We’d love to be able to do it, but customers aren’t ready to accept it – and I don’t see that changing. If it does change, we’re ready, and yes, we’ll do it.” What Marlin does provide, however, is a greater level of information on its investigations. It provides graphs that allow the user to take a deep dive into the data concerned. Related : Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches Related : Reco Raises $30 Million to Enhance AI SaaS Security Related : CSA Unveils SaaS Security Controls Framework to Ease Complexity Related : Thousands of SaaS Apps Could Still Be Susceptible to nOAuth Written By Kevin Townsend Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Kevin Townsend Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility AI-Powered App Attacks Are Faster, More Frequent and Harder to Stop 1Password Teams With OpenAI to Stop AI Coding Agents From Leaking Credentials Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks Mythos Proves Potent in Vulnerability Discovery, Less Convincing Elsewhere Sweet Security Launches Agentic AI Red Teaming to Counter ‘Mythos Moment’ Free OnlyFans Lure Used to Spread Cross-Platform CRPx0 Malware Build Application Firewalls Aim to Stop the Next Supply Chain Attack Latest News Iranian APT Targets Aviation, Software Companies With Updated Tools 185,000 Likely Impacted by 7-Eleven Data Breach Anthropic Expands Claude’s Enterprise Security Governance With 28 New Integrations Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment Watch on Demand: Threat Detection & Incident Response Summit – All Sessions Available Open Source DockSec Uses AI to Cut Through Vulnerability Noise in Docker Images Lithuania Suspects Foreign Involvement in Data Leak of Over 600,000 National Register Entries Admins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Virtual Event: Threat Detection and Incident Response Summit On-Demand Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register Webinar: Third-Party Risk in Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register People on the Move Joe Chen has become Chief Technology Officer at Trellix. Usercentrics has named Pawan Hegde as COO and Elena Ignatova as CPTO. SecureAuth has named Mark van Oppen as Chief Revenue Officer. More People On The Move Expert Insights Caught Off Guard: Securing AI After It Hits Production As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb) Cyber Resilience is the New Business Continuity Plan The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin) Enhancing Data Center Security Without Sacrificing Performance For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael) Is the SOC Obsolete, and We Just Haven’t Admitted It Yet? Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au) The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email