Vulkro for Salesforce

AppExchange-ready. Client-ready. Audit-ready.

One Salesforce security review across code, configuration, access, connected apps, and AI agents. Pass AppExchange Security Review on the first attempt. Audit a client org without ever touching their data. Catch the weak spots behind the 2025 to 2026 Salesforce breaches before your next auditor does.

Vulkro for Salesforce sits alongside the tools Salesforce already requires, and covers the four categories code-only tools do not reach.

  • Code review
  • Configuration
  • Access
  • Connected apps
  • AI agents
  • AppExchange

SECTION 01 // WHO IT IS FOR

Three buying motions. One review.

Salesforce security has three very different buyers: the ISV preparing for AppExchange, the consultancy walking into a client engagement, and the in-house team that has to answer to an auditor. The same review serves all three.

ISV

Heading to AppExchange Security Review

Pass on the first attempt. Catch the patterns the reviewer rejects before you submit, and hand over a report that mirrors their published checklist.

Consultancy

Auditing a client org, on a deadline

Review the client without ever holding their data. Run the audit from your own laptop and walk into the readout with a single report you can hand to the client.

In-house

Running an internal Salesforce review

Find the weak spots behind the 2025 to 2026 Salesforce breaches before your next auditor does. Code, configuration, access, connected apps, and AI agents in one pass.

SECTION 02 // WHAT WE PICKED, ON PURPOSE

Local. Reviewer-aligned. Five categories. Tied to real breaches.

Every Salesforce security tool makes tradeoffs the vendor decided for you. Here are ours, on the front page.

01

Your code, your machine

Source code and org configuration stay on your laptop. The connection to your live org uses your own Salesforce login, so the access token stays with Salesforce. Nothing is uploaded to us. No telemetry, no AI in the loop.

02

Reviewer-aligned report

The readiness report is grouped by the same checklist your AppExchange reviewer uses. Section by section, what cleared and what still needs work. Email it to the reviewer, hand it to your client, or attach it to an internal audit packet.

03

One review, five categories

Code, configuration, access, connected apps, and AI agents in a single review. No stitching together five vendors, no learning five dashboards, no five separate invoices.

04

Tied to real breaches

Each detector maps to the weak spot behind a published 2025 to 2026 Salesforce incident: Drift, Gainsight, Loblaw, ForcedLeak, Qantas. You are catching the patterns that already cost real teams real customers.

SECTION 03 // WHAT GETS REVIEWED

Code-only tools cover one slice. We cover five.

Salesforce code scanners look at code. Posture vendors look at settings. We do both, plus access, third-party apps, and AI agents, in one review you read end-to-end.

01 // SURFACE

Code review

Apex, Lightning Web Components, Aura, Visualforce, and Flow. Catches the injection, permission, and sharing patterns that fail AppExchange Security Review and the cross-site scripting patterns that leak customer data.

02 // SURFACE

Configuration

Session policy, login IP ranges, password lockout, clickjack and forgery protection, organization-wide sharing defaults. The settings Salesforce Health Check measures, written into your readiness report instead of into your admin's memory.

03 // SURFACE

Access

Over-privileged profiles and permission sets. Dormant administrator accounts that never sign in but still hold the keys. Permission-set aggregations that quietly elevate a user. Single sign-on signature review.

04 // SURFACE

Connected apps

OAuth posture for every third-party app connected to your org, including the over-permissioned token pattern behind the Drift and Gainsight breaches. External credentials, allowed origins, and API keys hiding inside static resources.

05 // SURFACE

AI agents

Inventory of every Agentforce action in your org, plus a safety review for the pattern behind the ForcedLeak vulnerability (CVSS 9.4): an agent action reaching an Apex class that runs without sharing checks. Built specifically for AI agents that call into Apex.

06 // SURFACE

AppExchange readiness

A scan against Salesforce Well-Architected anti-patterns: SOQL inside loops, missing test classes, hardcoded record IDs, and the rest of the patterns that fail Security Review for reasons unrelated to security itself.

SECTION 04 // WHAT YOU HAND OFF

One HTML report. The same shape your reviewer expects.

Every review produces a single HTML report grouped by the same checklist your AppExchange reviewer uses. Section by section, what cleared and what still needs work. Email it to the reviewer, share it with a client, or attach it to an internal audit packet. No login required to read it, no portal to sign into.

SECTION 05 // PRIVACY BY DESIGN

Connect a live org. We never see your data.

A security tool that talks to your Salesforce org should tell you exactly what it looks at. We look at configuration, access, and connected apps: the same surface a Salesforce administrator sees. We never look at customer records.

What we look at

Your security settings, who can do what, which apps are connected, which AI agents are deployed, and the source code your team wrote. The same surface a Salesforce administrator sees in Setup.

What we never look at

Your customer records. No Accounts, Opportunities, Leads, Cases, Contacts, custom-object rows, or attachments. Your business data is out of scope by design, not by promise.

Where your Salesforce login lives

In the official Salesforce CLI on your laptop, not with us. Vulkro asks the CLI to run each read; the CLI uses the session it already holds and returns only the result. We never see the access token, never store it, never send it anywhere.
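As an added illustration of this design (example code, not Vulkro's own), the Python below runs a Setup-level read through the local `sf` CLI and never handles a token: the script builds an `sf data query --json` command, the CLI resolves the org alias to the session it already stores, and only the JSON result comes back to the process. The query is the dormant-administrator check from the Access surface above, approximating "administrator" as an active user whose profile grants Modify All Data. The org alias, the 90-day dormancy threshold and the sample CLI output are constructed assumptions; the `runner` argument exists so the code can be exercised offline against that sample.

```python
"""Read Setup-level data through the local Salesforce CLI.

Added example, not Vulkro's code. The CLI keeps the OAuth session; this
script only ever sees query results. The org alias, the 90-day dormancy
threshold and the sample CLI output below are constructed assumptions.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Approximate "administrator" as an active user whose profile grants Modify All
# Data. Profile.PermissionsModifyAllData is a real, queryable Profile field.
ADMIN_USERS_SOQL = (
    "SELECT Id, Username, LastLoginDate, Profile.Name FROM User "
    "WHERE IsActive = true AND Profile.PermissionsModifyAllData = true"
)

# Constructed stand-in for what `sf data query --json` prints. Note what is
# NOT here: no access token, no customer records, only User/Profile fields.
SAMPLE_CLI_OUTPUT = json.dumps({
    "status": 0,
    "result": {
        "totalSize": 3,
        "done": True,
        "records": [
            {"Id": "005000000000001AAA", "Username": "active.admin@example.com",
             "LastLoginDate": "2026-02-27T08:02:11.000+0000",
             "Profile": {"Name": "System Administrator"}},
            {"Id": "005000000000002AAA", "Username": "old.admin@example.com",
             "LastLoginDate": "2025-01-31T09:15:00.000+0000",
             "Profile": {"Name": "System Administrator"}},
            {"Id": "005000000000003AAA", "Username": "break.glass@example.com",
             "LastLoginDate": None,
             "Profile": {"Name": "Integration Admin"}},
        ],
    },
})

# Fixed "now" for the offline demo (assumed date).
DEMO_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)


def fake_sf(cmd, **kwargs):
    """Offline substitute for subprocess.run that returns the constructed output."""
    return subprocess.CompletedProcess(cmd, 0, stdout=SAMPLE_CLI_OUTPUT, stderr="")


def run_soql(query, target_org, runner=subprocess.run):
    """Run a SOQL query via `sf data query --json` and return result.records.

    The CLI resolves `target_org` to a stored session itself; no token is
    passed on the command line or read by this process.
    """
    cmd = ["sf", "data", "query", "--query", query,
           "--target-org", target_org, "--json"]
    proc = runner(cmd, capture_output=True, text=True, check=False)
    payload = json.loads(proc.stdout)
    if payload.get("status") != 0:
        raise RuntimeError(payload.get("message", "sf data query failed"))
    return payload["result"]["records"]


def dormant_admins(records, now, max_idle_days=90):
    """Admins who never logged in, or not within max_idle_days of `now`."""
    cutoff = now - timedelta(days=max_idle_days)
    dormant = []
    for rec in records:
        last = rec.get("LastLoginDate")
        if last is None:
            dormant.append((rec["Username"], "never logged in"))
            continue
        # Salesforce JSON timestamps look like 2025-01-31T09:15:00.000+0000
        when = datetime.strptime(last, "%Y-%m-%dT%H:%M:%S.%f%z")
        if when < cutoff:
            dormant.append((rec["Username"], f"last login {when.date()}"))
    return dormant


def audit_dormant_admins(target_org, runner=subprocess.run, now=None):
    """End-to-end: query through the CLI, then evaluate dormancy."""
    now = now or datetime.now(timezone.utc)
    return dormant_admins(run_soql(ADMIN_USERS_SOQL, target_org, runner), now)


if __name__ == "__main__":
    # Offline demo against the constructed output; pass subprocess.run for a real org.
    for user, why in audit_dormant_admins("client-sandbox", runner=fake_sf, now=DEMO_NOW):
        print(f"DORMANT ADMIN  {user:32s} {why}")
```

Against a real org, log in once with `sf org login web --alias client-sandbox` and call `audit_dormant_admins("client-sandbox")`; the session stays in the CLI's store and the script only ever sees the rows the query returns.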

SECTION 06 // BUILT AROUND 2025 TO 2026 BREACHES

Most Salesforce incidents in 2025 to 2026 were not code bugs.

They were configuration. Connected apps with the wrong scope, guest users with too much read access, an AI agent calling an Apex class it should not have. Vulkro maps detectors directly to the weak spots behind the real incidents that hit real customer orgs.

01

Drift OAuth token theft, 700 plus orgs

A third-party assistant lost its refresh tokens; attackers replayed them straight into customer Salesforce orgs. Vulkro catches the over-permissioned Connected App that turns a vendor compromise into your incident.

02

Gainsight OAuth abuse, 200 plus orgs

Same vector, same year, different vendor. The same detector catches it because the underlying misconfiguration is the same. Vendor names change; the weak spot does not.

03

Experience Cloud guest user exposure

Loblaw and ADT had millions of records exposed because a guest-user profile could read standard objects it should never have seen. Vulkro flags the profile permission that makes the exposure possible.
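The guest-profile check described here, written out as an added example rather than Vulkro's code: it parses a Profile in Metadata API format (the `*.profile-meta.xml` a metadata retrieve produces), confirms the profile carries the Guest User License, and flags object permissions a guest should not have, namely any write grant, any View All or Modify All grant, or read access on a sensitive standard object. The sensitive-object list, the sample profile and the directory layout are constructed assumptions.

```python
"""Flag Experience Cloud guest profiles that can read sensitive objects.

Added example, not Vulkro's code. Input is Profile metadata in Metadata API
format (a *.profile-meta.xml file). The sensitive-object list and the
sample profile below are constructed assumptions.
"""
import pathlib
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
GUEST_LICENSE = "Guest User License"  # license carried by Experience Cloud guest profiles

# Standard objects a guest profile should essentially never read (assumed list).
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Opportunity", "Case", "User"}
PERMISSION_FLAGS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
                    "viewAllRecords", "modifyAllRecords")

# Constructed guest profile: public store locator (fine) plus Account and
# Contact read, the shape of the Experience Cloud exposures discussed above.
SAMPLE_GUEST_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <userLicense>Guest User License</userLicense>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords><object>Account</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords><object>Contact</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords><object>Store_Location__c</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
</Profile>
"""

# Constructed internal profile: not a guest, so the check does not apply.
SAMPLE_INTERNAL_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>false</custom>
    <userLicense>Salesforce</userLicense>
</Profile>
"""


def guest_object_exposure(profile_xml):
    """Return [(object, [granted flags])] for risky grants on a guest profile.

    Returns None when the profile is not a guest-user profile, so callers can
    tell "not applicable" from "clean" (an empty list).
    """
    root = ET.fromstring(profile_xml)
    if root.findtext("md:userLicense", namespaces=NS) != GUEST_LICENSE:
        return None
    findings = []
    for perm in root.findall("md:objectPermissions", NS):
        obj = perm.findtext("md:object", default="", namespaces=NS)
        granted = [f for f in PERMISSION_FLAGS
                   if perm.findtext(f"md:{f}", default="false", namespaces=NS) == "true"]
        if not granted:
            continue
        # Any write, any "all records" grant, or read on a sensitive standard object.
        if obj in SENSITIVE_OBJECTS or any(f in granted for f in PERMISSION_FLAGS[1:]):
            findings.append((obj, granted))
    return findings


def scan_profile_dir(root_dir):
    """Run the check over every retrieved profile under root_dir (e.g. force-app/)."""
    results = {}
    for path in pathlib.Path(root_dir).rglob("*.profile-meta.xml"):
        exposure = guest_object_exposure(path.read_text(encoding="utf-8"))
        if exposure:  # skips None (not a guest) and [] (clean guest)
            results[path.name] = exposure
    return results


if __name__ == "__main__":
    for obj, flags in guest_object_exposure(SAMPLE_GUEST_PROFILE):
        print(f"GUEST EXPOSURE  {obj:20s} {', '.join(flags)}")
```

Read-only access to a custom object such as the store locator is left alone on purpose: that is what a public site is for. Read on Account or Contact, or View All Records on anything, is the grant that turned the guest profile into a data leak in the incidents above.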

04

ForcedLeak, the first Agentforce CVE

An AI agent could trigger an Apex class that ran without sharing checks (CVSS 9.4). Vulkro catches the class declaration, the trigger pattern, and the agent that exposes it.
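The two Apex-side checks this page describes, the agent-exposed class that runs without sharing (this section and the AI agents surface) and the Well-Architected anti-patterns from the AppExchange readiness surface (SOQL inside loops, hardcoded record Ids), written out as one added example that is not Vulkro's code. It works on raw Apex text with regular expressions and a brace-depth counter rather than a real parser; Agentforce custom Apex actions are exposed through `@InvocableMethod`, so a class declared `without sharing` that carries one is rated critical. The two sample classes, the severity labels and the rule names are constructed.

```python
"""Static checks over Apex source: agent-exposed sharing mode and review anti-patterns.

Added example, not Vulkro's code. Heuristics over raw Apex text, not a parser.
Agentforce custom Apex actions are exposed via @InvocableMethod, so a class
declared `without sharing` that carries one is treated as critical. The sample
classes, rule names and severities are constructed.
"""
import re

CLASS_DECL = re.compile(
    r"\b(?:public|global|private)\s+(?:(?:virtual|abstract)\s+)?"
    r"(?:(with|without|inherited)\s+sharing\s+)?(?:(?:virtual|abstract)\s+)?class\s+(\w+)",
    re.IGNORECASE)
INVOCABLE = re.compile(r"@InvocableMethod\b", re.IGNORECASE)
LOOP = re.compile(r"\b(?:for|while)\b")
SOQL = re.compile(r"\[\s*SELECT\b", re.IGNORECASE)
# 15- or 18-char alphanumeric literal containing a digit: the shape of a record Id.
HARDCODED_ID = re.compile(r"'(?=[A-Za-z0-9]*\d)([A-Za-z0-9]{15}|[A-Za-z0-9]{18})'")

# Constructed vulnerable agent action: without sharing, SOQL in a loop, hardcoded Id.
SAMPLE_AGENT_ACTION = """global without sharing class CaseLookupAction {
    @InvocableMethod(label='Look up case')
    global static List<Case> lookup(List<String> caseNumbers) {
        List<Case> out = new List<Case>();
        for (String num : caseNumbers) {
            out.add([SELECT Id, Subject FROM Case WHERE CaseNumber = :num LIMIT 1]);
        }
        return out;
    }
    public static Id defaultOwner() {
        return '005Hs00000A1b2C';
    }
}
"""

# Constructed hardened form: with sharing, one bulk query, no literals.
HARDENED_AGENT_ACTION = """global with sharing class CaseLookupAction {
    @InvocableMethod(label='Look up case')
    global static List<Case> lookup(List<String> caseNumbers) {
        return [SELECT Id, Subject FROM Case WHERE CaseNumber IN :caseNumbers];
    }
}
"""


def finding(line, severity, rule, detail):
    return {"line": line, "severity": severity, "rule": rule, "detail": detail}


def scan_apex(source):
    """Return findings (dicts) in line order for one Apex class body."""
    findings = []
    lines = source.splitlines()
    invocable = any(INVOCABLE.search(l) for l in lines)
    depth = 0           # current brace nesting
    loop_depths = []    # brace depth at which each open loop statement began
    for no, raw in enumerate(lines, start=1):
        line = raw.split("//", 1)[0]  # drop line comments before matching
        m = CLASS_DECL.search(line)
        if m:
            sharing, name = (m.group(1) or "").lower(), m.group(2)
            if sharing == "without" and invocable:
                findings.append(finding(no, "critical", "without-sharing-agent-action",
                                        f"{name} runs without sharing and exposes an @InvocableMethod"))
            elif sharing == "without":
                findings.append(finding(no, "high", "without-sharing", f"{name} declared without sharing"))
            elif not sharing:  # no keyword: the caller's sharing mode applies
                findings.append(finding(no, "medium", "no-sharing-keyword",
                                        f"{name} inherits the caller's sharing mode"))
        # A query is "in a loop" when we are nested deeper than an open loop's own depth;
        # a SOQL for-loop header (`for (X x : [SELECT ...])`) sits at the loop's depth and is not flagged.
        if SOQL.search(line) and loop_depths and depth > loop_depths[-1]:
            findings.append(finding(no, "high", "soql-in-loop", "SOQL query inside a loop body"))
        for rec_id in HARDCODED_ID.findall(line):
            findings.append(finding(no, "medium", "hardcoded-id", f"record Id literal '{rec_id}'"))
        if LOOP.search(line):
            loop_depths.append(depth)
        depth += line.count("{") - line.count("}")
        while loop_depths and loop_depths[-1] >= depth:  # loop body closed
            loop_depths.pop()
    return findings


if __name__ == "__main__":
    for f in scan_apex(SAMPLE_AGENT_ACTION):
        print(f"L{f['line']:<3} {f['severity']:8s} {f['rule']:30s} {f['detail']}")
    print("hardened findings:", scan_apex(HARDENED_AGENT_ACTION))
```

`inherited sharing` is accepted without a finding, since it makes the class honour the caller's mode explicitly; an absent keyword gets a medium-severity note because the class will run with whatever sharing its caller has, which for an agent action is not the declaring developer's choice.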

05

ShinyHunters vishing campaigns

Google, Qantas, Allianz: tens of millions of records lifted after attackers talked someone into approving a Connected App with the wrong scope. Vulkro flags the Connected App configuration that makes the exposure worth the call.

SECTION 07 // COMMON QUESTIONS

Buyer questions, answered straight.

The six questions that come up in nearly every conversation. If yours is not here, email us and we will answer the same business day.

We are submitting to AppExchange in six weeks. Can it help?

Yes, this is the primary use case. Run a scan on your packaged source, fix what comes back as critical or high, and hand the resulting HTML report to your AppExchange reviewer. The report is grouped by the published Security Review checklist, so the reviewer can move section by section without rebuilding context.

We are a consultancy. Does the client need to install anything?

No. The audit runs on your machine. You connect to the client org with your own Salesforce login (the access token stays in your laptop, not with us), pull the metadata Vulkro needs, and produce the report from there. The client never installs or signs up for anything.

Does Vulkro see our customer data?

No. Vulkro reads your org configuration and your source code. It never queries the customer records you keep in Salesforce (Accounts, Opportunities, Leads, Cases, custom objects, attachments). Business data is out of scope by design.

How long does a review take?

A code-and-configuration review of a mid-sized org finishes in minutes, not hours. The slow part is reading the findings and deciding what to fix, which is also the only part where a human has to be in the loop.

How is this different from PMD or sfdx-scanner?

Salesforce Code Analyzer (the sfdx-scanner plugin, which wraps PMD) is required for AppExchange submission and covers code style plus a slice of code security. Vulkro complements it rather than replacing it (keep running the scanner alongside) and adds the four categories a code scanner does not reach: configuration hardening, access control, Connected Apps, and Agentforce.

How do we buy?

We are contact-priced for the first cohort. Three buying motions are covered: ISV submission, consultancy engagement, and in-house team. See pricing or email us with your scope and we will reply the same business day.

REVIEW COMPLETE // ENGAGEMENT REPORT

Review complete. 0 records read.

Tell us about your Salesforce scope.

ISV submission, consultancy engagement, or in-house team: whatever the shape, we will reply with a fit, a price, and a start date. The same business day.

curl -fsSL https://dist.vulkro.com/install-sf.sh | bash

The installer is fetched from dist.vulkro.com. If your policy is to review scripts before they run, download it first, read it, and then run it from disk.