Security Insights

Security Insights turns the question "is our org secure?" into a dashboard you can actually read. It scans permissions across every profile, permission set, and permission set group, and surfaces the accounts and combinations that put the org at risk — with the source of each finding attached so you can act on it.

Posture score

At the top is a single posture score, broken into the dimensions that matter:

  • Compliance risk — how many sensitive permissions are granted, and to whom.
  • Audit risk — who can change configuration (Customize Application, Author Apex, Manage Users).
  • Data risk — who can read and export records at scale.

The score is a starting point, not a grade — its job is to point you at the findings below.

God-mode detection

A "god-mode" user can read or change nearly everything in the org. Security Insights flags every user who holds one or more of: Modify All Data, View All Data, Customize Application (change setup metadata), Author Apex, Manage Users, or object-level View All / Modify All on critical objects. Permissions in Salesforce are additive: a user's effective set is the union of their profile, every permission set assigned directly, and every permission set inside an assigned permission set group (a group can also carry a muting permission set that removes permissions from the group's total). Because those grants accumulate silently, the scan evaluates every source and reports the cumulative effect, not any one grant in isolation.

For background on why this matters, see How to find every god-mode user in your org.

Toxic combinations

Some permissions are dangerous only together. Security Insights highlights toxic combinations such as:

  • Modify All Data + data export (Weekly Data Export or Export Reports) — edit everything, then walk out with it.
  • View All Data + API Enabled — bulk-download every record programmatically.
  • Customize Application + Author Apex + Manage Users — change config, run code in system context, and create users: a backdoor.

Blast radius

For each high-privilege account, Security Insights estimates blast radius — the scope of damage a compromised or misused account could do, measured in objects and records reachable. A contractor with Modify All Data has a blast radius equal to your entire database; the dashboard makes that visible instead of theoretical.

Source-attributed findings

Every finding names the exact grant behind it — which profile or which permission set confers the permission. That is the difference between "this user is over-permissioned" and "remove the Data Admin permission set from this user." You fix the source, not the symptom.
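As an added example (not the Security Insights product's own code), the scan the god-mode, toxic-combination and source-attribution sections describe, reduced to its core: compute each user's effective permissions as the union of profile, directly assigned permission sets and permission set groups (with a group's muting permission set subtracted), keep the source of every grant, then flag god-mode permissions and toxic combinations with the grants behind them attached. The org data is constructed for the example; the permission names loosely follow the Permissions* field names on the Salesforce PermissionSet object with the prefix dropped, which is a naming assumption, not a dependency on any API.

```python
"""Effective-permission scan with source attribution (added example, not the
product's code). Sample org below is constructed, not real data."""
from collections import defaultdict

# System permissions that count as god-mode on their own.
GOD_MODE = {"ModifyAllData", "ViewAllData", "CustomizeApplication",
            "AuthorApex", "ManageUsers"}

# Toxic combinations: each set is dangerous only when held together.
TOXIC = {
    "edit everything, then export it": {"ModifyAllData", "DataExport"},
    "bulk-download every record via API": {"ViewAllData", "ApiEnabled"},
    "config + code + users (backdoor)": {"CustomizeApplication", "AuthorApex",
                                        "ManageUsers"},
}

# Constructed sample org. Modify All Data implies View All Data in Salesforce,
# so the sample keeps the two together wherever Modify All Data appears.
PROFILES = {
    "Standard User": {"ApiEnabled"},
    "System Administrator": {"ModifyAllData", "ViewAllData", "CustomizeApplication",
                             "AuthorApex", "ManageUsers", "ApiEnabled", "DataExport"},
}
PERMISSION_SETS = {
    "Data Admin": {"ModifyAllData", "ViewAllData", "DataExport"},
    "Report Builder": {"ViewAllData"},
    "Deploy Tools": {"CustomizeApplication", "AuthorApex"},
    "Mute Deploy Code": {"AuthorApex"},  # muting permission set used by a group
}
GROUPS = {
    "Release Team": {"members": ["Deploy Tools"], "muting": ["Mute Deploy Code"]},
}
USERS = {
    "alice": {"profile": "System Administrator", "permission_sets": [], "groups": []},
    "bob (contractor)": {"profile": "Standard User", "permission_sets": ["Data Admin"], "groups": []},
    "carol": {"profile": "Standard User", "permission_sets": ["Report Builder"], "groups": ["Release Team"]},
    "dave": {"profile": "Standard User", "permission_sets": [], "groups": []},
}


def effective_permissions(user):
    """Return {permission: sorted list of sources}: the union of every grant."""
    u = USERS[user]
    sources = defaultdict(set)
    for perm in PROFILES[u["profile"]]:
        sources[perm].add(f"profile {u['profile']}")
    for name in u["permission_sets"]:
        for perm in PERMISSION_SETS[name]:
            sources[perm].add(f"permission set {name}")
    for name in u["groups"]:
        group = GROUPS[name]
        granted = set().union(*(PERMISSION_SETS[m] for m in group["members"]))
        muted = set().union(*(PERMISSION_SETS[m] for m in group["muting"]))
        # A muting permission set only subtracts within its own group.
        for perm in granted - muted:
            sources[perm].add(f"permission set group {name}")
    return {perm: sorted(srcs) for perm, srcs in sources.items()}


def findings(user):
    """List (kind, what, sources) tuples: god-mode grants and toxic combinations."""
    perms = effective_permissions(user)
    held = set(perms)
    result = []
    for perm in sorted(held & GOD_MODE):
        result.append(("god-mode", perm, perms[perm]))
    for label, combo in TOXIC.items():
        if combo <= held:
            # A combination may be assembled from several sources; name them all.
            result.append(("toxic", label, sorted({s for p in combo for s in perms[p]})))
    return result


def god_mode_users():
    """Every user holding at least one god-mode permission from any source."""
    return sorted(u for u in USERS
                  if any(kind == "god-mode" for kind, _, _ in findings(u)))


def print_report():
    for user in USERS:
        for kind, what, sources in findings(user):
            print(f"{user:18} {kind:9} {what:36} <- {', '.join(sources)}")


if __name__ == "__main__":
    print_report()
```

The point the report makes is the one the section makes: carol's toxic View All Data + API Enabled combination is not visible in any single grant (the API access comes from her profile, the data access from a permission set), and her Author Apex from the Release Team group is correctly absent because the group mutes it. Against a real org the same three inputs come from PermissionSet (a profile's permissions appear as a permission set with IsOwnedByProfile = true), PermissionSetAssignment and PermissionSetGroupComponent; the scan logic does not change.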

Beyond permissions

Security Insights also reviews connected apps (third-party access into the org) and field-level analytics (which sensitive fields are broadly readable), rounding out the picture beyond record and object permissions.

Related reading