One missing WHERE clause. Every tenant's data.
30% of SaaS security incidents involve multi-tenancy isolation failures.
Most start with a missing filter.
SELECT * FROM documents WHERE status = 'active' - without AND tenant_id = ? - returns every customer's documents. One query, one missing clause, complete isolation failure.
Source: Analysis of disclosed SaaS security incidents and SOC 2 Type II audit findings.
Multi-tenancy isolation.
The failure mode no one reviews for.
A missing tenant_id filter is invisible in code review.
Multi-tenancy isolation failures are the leading cause of cross-tenant data exposure in B2B SaaS. The root cause is almost always a database query or API handler that accesses a tenanted table without filtering by tenant_id. OWASP API3:2023 Broken Object Property Level Authorization covers this class of failure.
OWASP API Security Top 10, API3:2023 (OWASP Foundation, 2023)
SOC 2 Type II requires immutable audit logs for every data access.
SOC 2 Type II CC6.1 requires logical access controls on all systems containing sensitive data. CC7.2 requires security events to be logged and monitored. For SaaS companies, this means every read and write of customer data must be logged with user ID, tenant ID, operation, resource, and timestamp.
AICPA Trust Services Criteria, CC6.1 and CC7.2 (AICPA, 2017, updated 2022)
Sequential integer IDs make tenant enumeration trivial.
IDOR on SaaS resource APIs becomes trivially exploitable when IDs are sequential integers. An authenticated user in tenant A increments the resource ID by one and retrieves a resource belonging to tenant B. OWASP API1:2023 Broken Object Level Authorization is the top API security risk.
OWASP API Security Top 10, API1:2023 (OWASP Foundation, 2023)
Tenant isolation at the code level.
Not just at the architecture level.
Missing tenant filter
- Hyrax's scanner detects queries that access tenanted tables without a tenant_id constraint
- Fixes add the missing filter and migrate to ORM-level automatic tenant scoping
- Governance rules enforce the pattern going forward
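The kind of check the list above describes can be approximated with a small static scan over the SQL strings in a code base. The following is an added example written for this page, not Hyrax's scanner or any project's code: it assumes the application maintains a list of tenanted tables (the assumed TENANTED_TABLES set) and flags any statement that reads, updates or deletes from one of them without a tenant_id predicate in its WHERE clause. The sample queries are constructed.

```python
"""Added example: a minimal static check for tenant-scoped SQL.

Illustrative code, not Hyrax's scanner. It flags SQL statements that touch
a table listed in TENANTED_TABLES (an assumed per-application config)
without a tenant_id predicate in the WHERE clause. INSERTs are out of
scope here; for those the check would be that tenant_id is a written column.
"""
import re

# Assumption: the application declares which tables carry a tenant_id column.
TENANTED_TABLES = {"documents", "invoices", "users"}

# Tables referenced by FROM / JOIN / UPDATE (DELETE ... FROM is covered by FROM).
_TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
# A tenant filter: "tenant_id = ..." or "tenant_id IN (...)", optionally column-qualified.
_TENANT_PRED_RE = re.compile(r"\btenant_id\s*(?:=|\bIN\b)", re.IGNORECASE)


def tenanted_tables_in(sql):
    """Return the tenanted tables a statement references."""
    return {m.group(1).lower() for m in _TABLE_RE.finditer(sql)} & TENANTED_TABLES


def has_tenant_predicate(sql):
    """True only if tenant_id is constrained in the WHERE clause.

    A tenant_id in the SELECT list or in a JOIN ... ON condition is not a
    filter on the caller's tenant, so only text after WHERE is inspected.
    """
    where = re.search(r"\bWHERE\b(.*)", sql, re.IGNORECASE | re.DOTALL)
    return bool(where and _TENANT_PRED_RE.search(where.group(1)))


def scan_queries(queries):
    """Return (query_name, [tables]) for every statement that touches a
    tenanted table without a tenant_id predicate."""
    findings = []
    for name, sql in queries.items():
        tables = tenanted_tables_in(sql)
        if tables and not has_tenant_predicate(sql):
            findings.append((name, sorted(tables)))
    return findings


# Constructed sample queries, as they might appear in a repository module.
SAMPLE_QUERIES = {
    "list_active_documents": "SELECT * FROM documents WHERE status = 'active'",
    "list_active_documents_scoped": "SELECT * FROM documents WHERE status = 'active' AND tenant_id = ?",
    "invoice_report": "SELECT i.id, i.total FROM invoices i JOIN users u ON u.id = i.owner_id WHERE i.total > 100",
    "delete_invoice": "DELETE FROM invoices WHERE id = ? AND tenant_id = ?",
    "count_sessions": "SELECT COUNT(*) FROM sessions WHERE expires_at < now()",
}

if __name__ == "__main__":
    for name, tables in scan_queries(SAMPLE_QUERIES):
        print(f"{name}: touches {', '.join(tables)} without a tenant_id filter")
```

Run as a script it reports list_active_documents and invoice_report; the reporting query is exactly the "query outside the filter scope" case, since the join condition on users says nothing about which tenant the caller belongs to. A regex scan of this kind is a starting point for a lint rule, not a substitute for ORM-level scoping, which the next list items address.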
SOC 2 audit logging
- Audit workflow detects data access paths that lack logging calls for sensitive resource access
- Fixes add structured audit log events with user ID, tenant ID, resource type, and operation
- Governance rules enforce audit log coverage on all endpoints that access customer data
IDOR on resource APIs
- Hyrax detects API endpoints that retrieve tenant-scoped resources without visible ownership validation
- Fixes enforce UUID IDs and a server-side tenant membership check before the resource is returned
- Every tenant-scoped resource endpoint is in scope
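The three fixes above (a tenant_id constraint in every query, UUID identifiers, and a structured audit event for each access) fit naturally into one data-access layer. The following is an added example written for this page, not Hyrax's or any project's code; it uses the standard-library sqlite3 module with an in-memory database, keeps the audit log as an in-memory list, and uses constructed tenant and user names. The unscoped list function is included only to show what the missing clause exposes.

```python
"""Added example: a tenant-scoped repository with structured audit logging.

Illustrative code, not Hyrax's implementation. Every method takes the
caller's tenant_id from the authenticated session (never from the request
body), resource ids are UUIDs, and each access is recorded with user ID,
tenant ID, operation, resource and timestamp as SOC 2 CC7.2 expects.
"""
import sqlite3
import uuid
from datetime import datetime, timezone


class AuditLog:
    """Append-only in-memory log; a deployment would ship events to immutable storage."""

    def __init__(self):
        self.events = []

    def record(self, *, user_id, tenant_id, operation, resource_type, resource_id, outcome):
        self.events.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id, "tenant_id": tenant_id, "operation": operation,
            "resource_type": resource_type, "resource_id": resource_id, "outcome": outcome,
        })


class DocumentRepository:
    def __init__(self, conn, audit):
        self.conn, self.audit = conn, audit
        conn.execute("CREATE TABLE IF NOT EXISTS documents "
                     "(id TEXT PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT, status TEXT)")

    def create(self, *, user_id, tenant_id, title):
        doc_id = str(uuid.uuid4())  # non-sequential: cannot be guessed by incrementing
        self.conn.execute("INSERT INTO documents VALUES (?, ?, ?, 'active')", (doc_id, tenant_id, title))
        self.audit.record(user_id=user_id, tenant_id=tenant_id, operation="create",
                          resource_type="document", resource_id=doc_id, outcome="ok")
        return doc_id

    def get(self, *, user_id, tenant_id, doc_id):
        # The tenant predicate is part of the query, so another tenant's row is never fetched;
        # the caller sees "not found" rather than a foreign document, and the denial is logged.
        row = self.conn.execute(
            "SELECT id, title, status FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, tenant_id)).fetchone()
        self.audit.record(user_id=user_id, tenant_id=tenant_id, operation="read",
                          resource_type="document", resource_id=doc_id,
                          outcome="ok" if row else "denied")
        return dict(zip(("id", "title", "status"), row)) if row else None

    def list_active(self, *, user_id, tenant_id):
        rows = self.conn.execute(
            "SELECT id, title, status FROM documents WHERE status = 'active' AND tenant_id = ?",
            (tenant_id,)).fetchall()
        self.audit.record(user_id=user_id, tenant_id=tenant_id, operation="list",
                          resource_type="document", resource_id=None, outcome="ok")
        return [dict(zip(("id", "title", "status"), r)) for r in rows]


def list_active_unscoped(conn):
    """The query from the top of the page: the missing clause returns every tenant's rows."""
    return conn.execute("SELECT id, title, status FROM documents WHERE status = 'active'").fetchall()


def demo():
    """Two tenants, one cross-tenant read attempt; returns values a test can check."""
    conn = sqlite3.connect(":memory:")
    audit = AuditLog()
    repo = DocumentRepository(conn, audit)
    a_doc = repo.create(user_id="alice", tenant_id="tenant-a", title="A roadmap")
    b_doc = repo.create(user_id="bob", tenant_id="tenant-b", title="B pricing")
    return {
        "cross_tenant_read": repo.get(user_id="alice", tenant_id="tenant-a", doc_id=b_doc),
        "own_read": repo.get(user_id="alice", tenant_id="tenant-a", doc_id=a_doc)["title"],
        "scoped_count": len(repo.list_active(user_id="alice", tenant_id="tenant-a")),
        "unscoped_count": len(list_active_unscoped(conn)),
        "denied_events": [e for e in audit.events if e["outcome"] == "denied"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The denied event is the detection signal: a burst of "denied" reads from one user against ids that exist in other tenants is what a monitor built on this log would alert on, which is only possible because the repository logs the attempt rather than silently returning nothing.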
What SOC 2 Type II requires
at the code level.
| Criterion | What it mandates | Hyrax |
|---|---|---|
| CC6.1 | Logical access controls on all systems with sensitive data | Authorization checks on every API endpoint |
| CC6.3 | Role-based access with least-privilege enforcement | Detects endpoints without role restrictions |
| CC7.2 | Security events logged and monitored | Adds audit log events to data access paths |
| CC8.1 | Change management - all changes authorized and tested | Every fix is a PR with finding, diff, test results |
| A1.2 | Multi-tenancy data isolation | Detects missing tenant_id filters |
Source: AICPA Trust Services Criteria (AICPA, 2017, updated 2022).
Common questions
from SaaS engineering teams.
Hyrax's governance layer provides consistent, automated enforcement that auditors look for. Every PR is timestamped evidence of controls operating throughout the observation period.
ORM-level tenant filtering is the correct architecture. The risk is gaps: raw SQL queries that bypass the ORM, reporting queries outside the filter scope. Hyrax scans for these gaps.
Penetration testing is periodic and runs against deployed systems. Hyrax scans source code continuously, before deployment, so issues are caught before they reach production.
Hyrax scans source code logic, not runtime behavior. It detects authorization gaps regardless of flag state - a feature behind a flag will eventually be fully rolled out.