🗞️ UNC6040 vishing detected early with AppOmni’s Threat Detection out-of-the-box. Read the blog

Zero Trust Needs a Bridge: How to Unlock Shared Signals for SaaS Now

By

Brian Soby, Chief Technology Officer, AppOmni

Zero Trust works best when every system can call out risk in real time. Zero Trust Network Access (ZTNA) verifies every connection, yet most architectures go quiet once users land inside SaaS. That silence is costly. Recent activity affecting Salesforce customers attributed to UNC6040 and ShinyHunters has clearly demonstrated this threat. The main challenge? Most SaaS applications can’t easily communicate risk or user activity back to the rest of your security stack. Without a way to share real-time signals, Zero Trust policies can’t adapt fast enough to prevent breaches. That’s where the Shared Signals Framework (SSF) comes in. When implemented in SaaS solutions, SSF can bridge this gap by allowing SaaS platforms to send standardized risk and user activity updates to your enforcement points, turning SaaS from a security blind spot into a vital source of threat intelligence. In this post, we’ll explore how organizations can unlock shared signals for SaaS today using AppOmni’s new Zero Trust Bridge® feature, enabling dynamic, responsive Zero Trust security across their entire environment. AppOmni already provides posture controls and threat detection mechanisms to protect and detect the TTPs used by UNC6040 and ShinyHunters. With the Zero Trust Bridge AppOmni can also augment your defenses by informing other Zero Trust components in your environment.

Illustration of interconnected SaaS apps and security shields, highlighting Zero Trust Bridge and shared signals for modern SaaS security

SaaS is rich in context, but poor in signals

Modern SaaS platforms hold the most valuable business data and the most nuanced indicators of risk. Yet many of these platforms do not natively support the Shared Signals Framework or user risk exchanges like CAEP (Continuous Access Evaluation Protocol) and RISC (Risk Incident Sharing and Coordination). Even when telemetry exists, it is rarely packaged into a signal that an authorization system can consume instantly. They must be derived from configuration changes and correlated behaviors. The practical result is a broken feedback loop between what happens inside SaaS and the controls that should react to it.

Meet AppOmni’s patented Zero Trust Bridge®

Our patented, new feature changes the game for shared signals in SaaS applications. As the leading SaaS security platform, AppOmni is uniquely positioned to now leverage our Zero Trust Bridge to bring SaaS applications into a dynamic and responsive security architecture. The attacks that abused OAuth and social engineering show why this matters. Zero Trust Bridge turns SaaS into an active participant in your Zero Trust program. It brings SaaS applications into a closed-loop architecture without waiting for every app to implement SSF and allows adaptive, dynamic policy enforcement across your existing controls.

In a nutshell, Zero Trust Bridge monitors updates across source applications and translates those updates into messages using application context. It then sends those messages to authorization systems that can take real actions like step-up, reauthorize, or revoke. 

Shared signals in SaaS: What’s new and why it matters

Native CAEP and RISC plus extended SSF for real-world SaaS

AppOmni supports CAEP and RISC and extends SSF with more than 350 event types. Shared Signals receivers can subscribe to granular user risk activities that go beyond what CAEP and RISC define.

Beyond configuration, into in-app activity monitoring

It is not only posture drift. AppOmni continuously monitors user activities inside SaaS applications across admins, external users, service accounts, and integrations. Zero Trust Bridge then generates the appropriate CAEP and RISC messages on the app’s behalf.

Unlock SSF today

Turn SaaS into first-class signal producers now, without waiting for vendor roadmaps. Zero Trust Bridge normalizes identities, enriches context, and emits standards-conformant signals that your systems already understand.

Inform the right enforcement points

AppOmni informs Zero Trust Policy Enforcement Points (PEPs) in real time, such as Secure Access Service Edge (SASE) platforms or your identity provider, so they can evaluate and enforce policy. AppOmni informs, and your PEPs enforce.

How AppOmni Zero Trust Bridge works at a glance

Observe: AppOmni ingests SaaS configuration, entitlements, exposure posture, admin actions, app component changes, OAuth and integration risk, and user activities.

Derive indicators: We compute signals that apps do not audit natively. Examples include SSO enforcement drift, IP allowlist changes by profile, privilege elevation, cross-app failed logins, risky OAuth scopes, anomalous device or geo, and more. Signals are mapped to a global identity and enriched with data classification and asset criticality.

Generate shared signals: We emit CAEP and RISC messages and extended SSF events (more than 350), so receivers can subscribe precisely to what matters.

Distribute to decision and enforcement points: Identity providers, SASE and ZTNA, SIEM and SOAR, and other PEPs receive high-fidelity, low-noise signals for real-time decisions and enforcement. AppOmni itself does not enforce.

Detect session hijacking with Zero Trust Bridge

Session hijacking often targets the application itself and can bypass both the identity provider and network controls. Here is a concrete example of what that would look like:

  • Threat detection and UEBA: AppOmni identifies suspicious token reuse, device or user agent mismatch, geo-improbable access, or side door login paths that indicate a likely stolen session inside a SaaS app.
  • Activate shared signals: We immediately publish the appropriate CAEP and RISC messages and extended SSF events to your receivers with the context they need. That includes who, what, where, when, confidence, and impact.
  • Your PEPs adapt: Your identity provider, SASE or ZTNA, and other PEPs consume those signals to drive step up authentication, session handling, or conditional access according to your policies. AppOmni informs, PEPs enforce.

This restores the closed loop that Zero Trust intends. Detection → Signaling → Decision → Enforcement. You do not need to wait for each SaaS vendor to natively support SSF.

Don’t wait for vendors: Enable SaaS shared signals now

  • Most SaaS platforms do not natively support SSF today.
  • Many critical user risk indicators are derived from posture and behavior rather than a single built-in audit log.
  • You need Zero Trust that adapts now, not after the next breach headline.

With Zero Trust Bridge, you unlock SSF today and turn SaaS into a rich signal source that keeps your Zero Trust fabric responsive.

Benefits of SaaS risk signaling with Zero Trust Bridge

  • Granular subscriptions to more than 350 extended SSF events for precise automation
  • Coverage of in-app user activities and configuration drift across employees, externals, and non-human identities
  • Cross-application correlation to catch patterns single apps cannot see
  • Real-time notifications to PEPs such as identity providers and SASE or ZTNA so the right systems can enforce your policies

Getting started

If you already integrate AppOmni with your identity provider or SASE or ZTNA, enabling Zero Trust Bridge is straightforward. We will help you map the highest value signals, including the extended catalog, to your existing PEPs and validate end-to-end outcomes. Zero Trust Bridge keeps your policies responsive, and it makes Zero Trust real for the layer where your data lives. SaaS finally has a voice in your shared signals ecosystem.

Request a Demo