Material Security

Does your security stack tell you what your OAuth apps are actually doing in runtime? OAuth governance was built to score grants: scopes, publisher verification, tenant prevalence. That model made sense when every OAuth client was a fixed-purpose SaaS app. It doesn't survive AI agents. When the authorized client is an AI tool or agent, behavior is decided at inference time by prompts your security team never sees. Access granted to PDF tools and AI agents are the same line in your audit log. The risk profiles are not. Material's OAuth Remediation Agent was built for this gap, reading runtime activity logs to classify apps by what they actually do post-grant, not just what they were authorized to do. The signal has moved. It's not at the grant layer anymore. Read more in the comments.

Fancy Bear just broke into 284 government email inboxes. And traditional email security couldn't have seen it coming. Russia's most well-known military hacking unit spent months quietly reading the emails of Ukrainian officials at NATO-allied militaries across Romania, Greece, Bulgaria, and Serbia. Per Reuters today, 284 inboxes. Senior officials. This wasn't about delivering a payload. The inbox was the target. Traditional email security has exactly zero answer for that. It secures the door. It doesn't think about what's in the room. This is why "email security" as a category needs to evolve. The surface it’s protecting and the threats its facing have. Protecting email means understanding what sensitive content lives there, limiting who can access it, detecting when something is wrong inside an active account and being able to respond. Not just filtering what comes in. Nation state actors know this. The orgs they're targeting often don't.

Your executives receive more than three times as many email attacks as everyone else. 3.2x, from Material's own data, across real environments. More attacks means more chances for one to land. And when it does, it's not landing on a regular employee account — it's landing on an account with the broadest access, the most sensitive conversations, and the highest potential blast radius in the organization. The detection and response capability that matters most isn't at the perimeter. It's what happens after. Lean security teams already know their executives live in a different threat class. The next step is creating a security posture that addresses this reality.

In healthcare, a compromised account isn't just an IT problem — it's a regulatory and patient safety problem. Collective Health handles PHI across a complex system of SaaS apps, and they needed to ensure that data was secure–even if an attacker ever got into a mailbox. Material added a second factor to the email-as-identity layer — protecting password resets and account verification messages without disrupting legitimate user workflows. The force multiplier effect was real: better visibility, stronger authentication, and less operational toil, all from a single platform. Link in the comments 👇

Healthcare security demands that the front door is protected… but what happens when the intruder is already inside? We analyzed over 700 HIPAA breaches currently under investigation by HHS, and the results are a bit of a wake-up call for anyone relying solely on perimeter defenses. Email is involved in 1 in 5 healthcare breaches—and 85% of those are full-blown account takeovers. The industry has spent years (and a lot of budget) on gateways and MFA to stop the "phish." But once an attacker bypasses that login, they have unrestricted access to years of sensitive patient data just sitting in the inbox. One compromised account can—and has—expose hundreds of thousands of records in minutes. We’re essentially leaving the vault wide open once someone has the key to the building. At Material Security, we’re obsessed with closing that gap. We think a compromised account shouldn't automatically mean compromised data. By protecting the messages themselves, you can shrink that blast radius from "catastrophic" to "contained." If you want to see the data for yourself and see how we're rethinking the status quo, check out the full breakdown from our team below. 👇

The best security tools don't just sit in the background—they actually change the way your team works. Material applies pragmatic zero-trust principles like masking sensitive historical email content until it’s actually needed, continually auditing sensitive file access, and actively discovering and removing risky OAuth apps. It combines high-impact security with a seamless day-to-day employee experience. It turns security into a collaborative effort: automating the tedious parts of SecOps while reinforcing better habits across the entire organization, without slowing the team down. Link in the comments below 👇

Austin, you’re a tough act to follow. We had a blast this Tuesday night at the Alamo Drafthouse for our latest Security Theater LIVE event. For those of you who haven't joined us for one yet, Security Theater is our way of poking a little fun at the performative hoops we often jump through in this industry—and enjoying some of the classic hacker movies of yesteryear. The turnout was incredible, the popcorn was salty, and the takes on the security status quo were even saltier. 🍿 A few highlights: ✅ The Trivia Gauntlet: Several brave souls stepped up to test their security knowledge. Let’s just say some of those edge-case questions separated the veterans from the lucky guessers. ✅ Participation Trophies for All: Yes, we’re those people. Whether you dominated the trivia board or just nailed a square on Security Bingo, everyone walked away with a prize. Because if you’re out here fighting the good fight in the SOC every day, you’ve earned it. ✅ The "Theater" of it All: We spent the evening doing what we always do at Security Theater: enjoying food, drinks, entertaining movies, and great company. Huge thanks to everyone who came out to hang, talk shop, and challenge the way we think about protecting our mailboxes and files.

Material is proud to introduce the OAuth Threat Remediation Agent! We’re bridging the gap between the sheer volume of new AI agents and SaaS tools hitting the cloud workspace and the mathematical impossibility of manual OAuth reviews for security teams. And even if you could keep up with the requests, a permission list only tells you what an app could do, not what it is actually doing. In the cloud workspace, that distinction is the difference between a productivity win and a quiet data breach. Instead of another dashboard of static alerts, we’ve built an autonomous system that: ✅ Identifies every new connection in real time. ✅ Analyzes actual API behavior, not just the "request" screen. ✅ Revokes tokens for dormant or risky apps automatically. Security shouldn’t be a bottleneck for AI adoption or new SaaS tools. It should be the thing that makes that adoption safe. Find out more at SecureWorld Boston Booth 655, or find a link in the comments.

Boston, we need to talk about your hidden attack surface. 🏛️ If you’re heading to SecureWorld Boston next week, come find the Material Security team. Lately, we’ve been having a lot of conversations with CISOs who feel like they’ve finally “solved” phishing with FIDO2 and passkeys, only to realize the back door is wide open. Attackers aren’t just hunting for passwords anymore—they’re hunting for OAuth tokens. It’s the perfect crime: persistent, highly privileged access that survives a password reset and bypasses MFA entirely. We’re going to be at SecureWorld to do more than just talk about how to actually wrap your arms around this. Come see what’s next from Material! No theater, no "black box" AI promises—just better visibility and actual control over your cloud workspace. Details here: https://lnkd.in/ghXdc74k See you at the Hynes Convention Center!

80% of security leaders say automating OAuth management is significant or critical. So why isn’t it happening? Because most security programs are still built around the inbox—while modern attacks move far beyond it. Today, a single OAuth grant can quietly turn into persistent, API-level access… often completely outside traditional detection. And with AI agents rapidly expanding OAuth usage, that risk surface is only growing. Security needs to follow the attack chain—not just the entry point. Our latest research dives into where the gap really is 👇 https://lnkd.in/g6bjNcJK