Total Economic Impact

The Total Economic Impact™ Of Obsidian SaaS Security

Cost Savings And Business Benefits Enabled By Obsidian SaaS Security

A FORRESTER TOTAL ECONOMIC IMPACT STUDY COMMISSIONED BY Obsidian Security, March 2026


Executive Summary

Global organizations face multiple security challenges, including a sprawling SaaS landscape, data breaches, and compliance failures. They are further challenged by the complexity around shadow SaaS, genAI apps, and AI agents. Obsidian SaaS Security addresses human-to-SaaS, SaaS-to-SaaS, and AI agent-to-SaaS interactions, which can help organizations manage risk, improve governance, and support scalable SaaS operations. The platform can also strengthen security, reduce audit and compliance costs, mitigate the risk of audit penalties, reduce compliance effort, and drive operational efficiency gains.

Obsidian SaaS Security is a software-as-a-service (SaaS) security platform that provides organizations with visibility and control across their SaaS environments, including user activity, application integrations, and AI-driven access. As the use of SaaS and AI expands, the platform can help enterprises protect sensitive data, detect and respond to misuse and anomalous behavior in real time, and reduce security and compliance risk. Obsidian Security commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying Obsidian SaaS Security.[1] The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Obsidian SaaS Security on their organizations.

192%

Return on investment (ROI)

 

$4.1M

Net present value (NPV)

 

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed four decision-makers in senior security roles with experience using Obsidian SaaS Security at their organization. For the purposes of this study, Forrester aggregated the experiences of the interviewees and combined the results into a single composite organization, which has 10,000 employees and revenue of $9 billion per year.

“We are no longer in the dark. Obsidian SaaS Security gives us valuable insight into SaaS applications and their configurations. With Obsidian, we can see information quickly and make decisions in a timely manner.”

SaaS security engineer, financial services

Interviewees said that prior to using Obsidian SaaS Security, their organizations had limited visibility across SaaS platforms; no centralized security tooling; manual posture checks and audits; and near-miss incidents and misconfigurations that posed a high risk of data breaches and compliance failures. However, prior attempts yielded limited success because they didn’t address rapidly emerging threats, leaving the organizations unable to properly address complex real-time security issues they faced. This led to logs that were siloed and difficult to interpret, ongoing misconfigurations, and manual audits and posture checks that were time-consuming and error-prone, making threat detection nearly impossible and increasing risk exposure.

Interviewees said that after the investment in Obsidian SaaS Security, their organizations experienced significant risk reduction, improved visibility and security posture, near-real-time attack detection, improved control over the sprawling SaaS landscape, automated SaaS compliance, greater operational efficiency, and cost savings. Key results from the investment include strengthened security, reduced audit and compliance costs, avoided audit penalties, operational efficiency gains, and avoided labor costs.

20%

Reduction in breach risk

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

  • Strengthened security. By leveraging the Obsidian SaaS Security platform, the composite organization reduces the likelihood of a SaaS-related breach by 20%. The solution provides actionable posture findings with prescriptive remediation and delivers an inspection of human and non-human SaaS identities and integrations, reducing integration risks by surfacing and analyzing connections to core SaaS. Obsidian SaaS Security enables the organization to reduce its attack surface, preventing phishing and credential theft and reducing cloud breach risk. The strengthened security is worth more than $1.3 million to the composite organization.

  • Avoided labor costs. The composite organization saves on labor because it avoids incurring development and engineering costs associated with building and deploying supplementary tooling needed to effectively manage identity threat detection and response, SaaS security posture management, and identity threat prevention. The composite organization scales its SaaS and AI adoption while avoiding hiring several security experts. These avoided labor costs are worth $2.2 million to the composite organization.

  • Avoided audit penalties. The composite uses the platform to close posture gaps and discover and highlight every app in the environment while identifying app-to-app authentications. Obsidian SaaS Security also helps the organization meet National Institute of Standards and Technology (NIST) requirements for SaaS while also aligning to other frameworks, including International Organization for Standardization (ISO) and PCI. Avoided audit penalties are worth $2.4 million to the composite organization over the three years.

  • Reduced audit and compliance costs. Obsidian SaaS Security provides the composite organization with continuous visibility into SaaS environments (including applications, integrations, and SaaS pathways), which standardizes and simplifies the organization’s audit processes, reduces the organization’s audit risk, and helps it avoid audit penalties. By identifying misconfigurations, undocumented applications, and SaaS-to-SaaS authentications, the composite organization closes compliance gaps proactively rather than during audit cycles. These reduced audit and compliance costs are worth $67,000 to the composite.

  • Operational efficiency gains. With Obsidian SaaS Security, the composite organization efficiently manages security operations and processes — including monitoring for threats, responding to incidents, assessing vulnerabilities, and managing user access and permissions — while saving 25% of the security team’s time. Operational efficiency gains are worth $234,000 to the composite organization.  

Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:

  • Improved security visibility and administrative control. Interviewees said the Obsidian SaaS Security platform is user-centric, intuitive, and easy to use, which allows the composite organization to promptly identify and address any potential threats and mitigate vulnerabilities. The platform also consolidates visibility across the composite’s entire SaaS environment, enabling it to manage permissions and excessive privileges, prevent SaaS configuration drift, surface shadow SaaS inventory, and detect SaaS spear phishing and token compromise activity.

  • Reduced operational complexity and administrative effort. Interviewees said the solution is easy to deploy and maintain, so the composite organization deploys it swiftly and integrates it into its overall security infrastructure in a short amount of time with minimal ongoing maintenance. This allows its security team to focus its efforts on security strategy.

  • Enhanced vendor partnership and strategic alignment. The composite organization receives support from a technical account manager (TAM) and Obsidian engineers who help ensure the platform operates effectively and is aligned with the organization’s strategic objectives.

  • Greater organizational agility during business change. By leveraging Obsidian SaaS Security, the composite organization engages in business change that reconciles evolving conditions in the cybersecurity space. The solution supports changes in operating models and security processes as the organization prepares for emerging risks.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

  • Obsidian SaaS Security cost. Over the three years, the composite organization pays a total of $1.4 million to Obsidian, which includes subscription fees and technical support.

  • Internal effort costs. The composite organization requires two months for integration and configuration, including larger and more complex SaaS platforms. Over three years and including ongoing internal management, it incurs internal effort costs of $756,000.

The financial analysis that is based on the interviews found that a composite organization experiences benefits of $6.2 million over three years versus costs of $2.1 million, adding up to a net present value (NPV) of $4.1 million and an ROI of 192%.

Key Statistics

  • Return on investment (ROI): 192%

  • Benefits PV: $6.2M

  • Net present value (NPV): $4.1M

  • Payback: <6 months

Benefits (Three-Year)

[Chart: three-year benefits by category: strengthened security, avoided labor costs, avoided audit penalties, reduced audit and compliance costs, operational efficiency gains]

The Obsidian SaaS Security Customer Journey

Drivers leading to the Obsidian SaaS Security investment

Interviews

| Role | Industry | Region | Number of employees |
| --- | --- | --- | --- |
| SaaS security team lead | Manufacturing | Global | 190,000 |
| VP of information security | Biotechnology | North America | 600 |
| Chief information security officer | Healthcare | Global | 45,000 |
| SaaS security engineer | Financial services | Global | 6,500 |

Key Challenges

Forrester interviewed four representatives with experience using Obsidian SaaS Security at their organizations, and the interviewees noted that prior to using Obsidian SaaS Security, their organizations had limited visibility across SaaS platforms, no centralized security tooling, and manual posture checks and audits. Prior solutions did not identify misconfigurations across the organizations’ entire SaaS estates, provide controls within and across apps, or deliver holistic assessments of vulnerabilities and security threats. With near-miss incidents and sprawling SaaS estates, risk and threat detection was nearly impossible, resulting in a high risk of data breaches and compliance failures.

Interviewees noted how their organizations struggled with common challenges, including:

  • Lack of visibility across SaaS apps. Interviewees shared how their organizations had minimal visibility into SaaS environments. They noted that because security teams do not own SaaS applications, they were not privy to every application, configuration, integration, identity, and activity within and across their organization’s SaaS landscape. A VP of information security at a biotechnology company told Forrester: “The biggest challenge for our organization was visibility. We had a number of SaaS apps in our environment, and we had zero visibility into how these applications were accessing and interacting with our SaaS systems. Integration was a nightmare.”
    A chief information security officer at a healthcare company shared: “Our organization has several SaaS applications, but we could not clearly see which ones were actually being used, who had access to what across tenants and applications, or what security controls were in place. We had no simple way of monitoring app permissions, which left blind spots everywhere.”  

  • No centralized security tooling. Prior solutions did not offer holistic assessments of vulnerabilities and security threats. Prior security information management (SIM) tools were ineffective for SaaS due to high log volumes and integration complexity, and the organizations could not identify shadow SaaS applications or how they were integrating with core SaaS applications.
    A SaaS security team lead at a manufacturing company told Forrester: “We wanted to assess our vulnerabilities and measure our overall risk as more SaaS applications were integrated with one another. But the solution we had did not allow us to conduct a full assessment of our SaaS estate and the connections between applications.”
    A SaaS security engineer at a financial services company shared: “Our organization could not detect misconfigurations across our SaaS apps. And we could not monitor integrations across apps. We were very concerned about shadow SaaS applications.”  

  • Risk of breaches and compliance failures. Near-miss incidents and misconfigurations posed high risk of data exfiltration, ransomware, and costly regulatory fines. A SaaS security team lead at a manufacturing company told Forrester: “We had a near-miss incident with one of our large SaaS platforms that could have been very costly. After the incident, we realized that we needed to invest in a new solution that would help strengthen our SaaS security program.”
    A chief information security officer at a healthcare company shared: “We could not look for vulnerabilities in our SaaS applications. We felt that we had some gaps, but we could not identify them. We were worried that we were going to get breached.”

  • Manual, resource-intensive processes. To a large degree, posture checks and audits were performed manually. These processes were time-consuming and error-prone. A SaaS security team lead at a manufacturing company told Forrester: “Identity threat detection and response was very challenging for us. It was a manual process that required several hours, and it still left us exposed to potential breaches.”
    A VP of information security at a biotechnology company shared: “Monitoring activity, detecting anomalies, and remediating issues was a time-consuming, manual process. Audit preparation also relied heavily on manual tasks, increasing both labor costs and the risk of human error.”   

  • Limited in-house expertise. Interviewees shared that their organizations had limited in-house knowledge of and expertise with the various SaaS applications they were integrating into their SaaS estates. A chief information security officer at a healthcare company told Forrester: “As we integrated new SaaS applications into our business operations, we recognized increasing risk and complexity in how these systems connected and shared access. Gaining visibility into these integrations without relying on deep, application-specific expertise became a critical requirement as hiring security experts for each SaaS application and AI platform would’ve been prohibitively costly.”
    A SaaS security engineer at a financial services company shared: “We did not have the in-house expertise required to build a robust and effective SSPM (SaaS security posture management) program. We recognized that we needed to close an existing knowledge gap that prevented us from establishing a sophisticated security operation.”

Solution Requirements/Investment Objectives

The interviewees searched for a solution that could:

  • Improve visibility across the entire SaaS environment.

  • Provide continuous monitoring and threat detection.

  • Enable faster response to incidents. 

  • Help enforce security policies and standards.

  • Measure posture versus frameworks.

  • Improve compliance.

  • Reduce the risk of failing audits and certifications.

  • Enhance operational efficiency.

  • Enable business agility.

“Obsidian gives us the ability to correlate across SaaS platforms and gain immediate insights about critical SaaS-specific risks. Obsidian is worth its weight in gold.”

SaaS security team lead, manufacturing

Composite Organization

Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:

  • Description of composite. The global, $9 billion composite organization uses an enterprise business model. The composite has 10,000 employees, a large customer base, and strong presence both online and offline. It operates in multiple countries, which requires continuous monitoring and threat detection. It uses dozens of SaaS applications and has thousands of endpoints.

  • Deployment characteristics. The organization deploys Obsidian SaaS Security to monitor and manage enterprise SaaS applications. The deployment includes enabling identity threat detection and response (ITDR), SaaS security posture management (SSPM), and identity threat prevention (ITP) capabilities across supported SaaS environments. The organization integrates the solution with vendor APIs to identify access misuse and overreach and to detect anomalous access and suspicious behavior. The composite uses the platform to map SaaS configurations and activities to compliance frameworks, automate evidence collection, show what each vendor API permits, identify publicly exposed and plain text data, monitor encryption and sharing settings, and enforce AI usage controls.

 KEY ASSUMPTIONS

  • Global organization

  • $9 billion in revenue

  • 10,000 employees

  • Enterprise business model

Analysis Of Benefits

Quantified benefit data as applied to the composite

Total Benefits

| Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
| --- | --- | --- | --- | --- | --- | --- |
| Atr | Strengthened security | $526,660 | $526,660 | $526,660 | $1,579,980 | $1,309,725 |
| Btr | Avoided labor costs | $882,000 | $882,000 | $882,000 | $2,646,000 | $2,193,403 |
| Ctr | Avoided audit penalties | $950,000 | $950,000 | $950,000 | $2,850,000 | $2,362,509 |
| Dtr | Reduced audit and compliance costs | $27,081 | $27,081 | $27,081 | $81,243 | $67,346 |
| Etr | Operational efficiency gains | $94,068 | $94,068 | $94,068 | $282,204 | $233,933 |
| | Total benefits (risk-adjusted) | $2,479,809 | $2,479,809 | $2,479,809 | $7,439,427 | $6,166,916 |

Strengthened Security

Evidence and data. Interviewees said the Obsidian SaaS Security platform provides continuous visibility into activity, configurations, and integrations across their organizations’ SaaS environments, which enhanced their overall security postures, improved visibility, and reduced SaaS-related risks. They said that with earlier detection of misconfiguration and exposure paths and being able to remediate faster, their organizations reduced the likelihood of a SaaS-related breach and the risk of exposure to a breach by 20%. This improved security effectiveness and enabled teams to proactively address risk in a timely manner.

  • A SaaS security team lead at a manufacturing company told Forrester: “Since deploying Obsidian, we have significantly reduced our attack surface. It has been a very low effort to remediate critical-level risks that we have identified through the solution.”

  • A VP of information security at a biotechnology company shared: “Obsidian gives us a clear, holistic view of where real risks exist across our SaaS environment. It helped us prevent misconfigurations and stop potential data exfiltration before it became a larger incident.”

  • A chief information security officer at a healthcare company shared: “As our organization has grown, we have consumed more SaaS. As we have added new SaaS applications into our operations, we have connected them to Obsidian. The solution has instantly exposed misconfigurations we were not aware of. We have been able to remediate them right away, reducing our attack surface and risk.”

  • A SaaS security engineer at a financial services company told Forrester, “Obsidian reduced our attack surface and risk exposure.”

$3M

Annual breach costs prior to using Obsidian SaaS Security

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • The composite organization has annual revenue of $9 billion.

  • The composite organization’s annual breach costs prior to using Obsidian SaaS Security are $3,098,000.[2]

  • The platform reduces the composite’s risk of exposure to a breach by 20%.

Risks. Potential risks that can impact this benefit include:

  • The extent to which the organization leverages Obsidian SaaS Security for identity threat detection and response, SaaS security posture management, and identity threat prevention.

  • The specific goals and activities of the organization to manage threat detection and response, security posture management, and identity threat prevention.

  • The annual revenue of the organization.

Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.3 million.

“Obsidian’s monitoring and detection capabilities delivered several critical detections for our team. Obsidian’s monitoring proficiency is priceless.”

VP of information security, biotechnology

Strengthened Security

| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- |
| A1 | Annual breach costs prior to using Obsidian SaaS Security | Forrester research | $3,098,000 | $3,098,000 | $3,098,000 |
| A2 | Reduction to risk exposure of a breach with Obsidian SaaS Security | Interviews | 20% | 20% | 20% |
| At | Strengthened security | A1*A2 | $619,600 | $619,600 | $619,600 |
| | Risk adjustment | 15% | | | |
| Atr | Strengthened security (risk-adjusted) | | $526,660 | $526,660 | $526,660 |

Three-year total: $1,579,980; three-year present value: $1,309,725

Avoided Labor Costs

Evidence and data. Interviewees explained that the Obsidian SaaS Security platform enabled their organizations to avoid incurring development and engineering costs associated with building and deploying supplementary tooling necessary to effectively manage identity threat detection and response, SaaS security posture management, and identity threat prevention. As a result, interviewees’ organizations avoided hiring security experts and scaled SaaS and AI adoption without corresponding increases in headcount.

  • A SaaS security team lead at a manufacturing company told Forrester: “If we did not have Obsidian, we would have needed to hire data scientists to normalize the data from all the different platforms, senior engineers and architects to build detection logic, and additional staff to handle day-to-day security operations. Obsidian allowed us to avoid building and staffing that entire capability.”

  • A VP of information security at a biotechnology company shared: “Our team does not have expertise in every SaaS application. Without Obsidian, scaling SaaS adoption securely would have required hiring security experts for each platform just to ensure configurations and access were handled correctly.”

  • A chief information security officer at a healthcare company shared: “We have a small number of subject matter experts in our organization, but not for every SaaS platform. And as we have expanded our operations and added more SaaS, we would have needed to hire several security experts. Without Obsidian, that headcount would have grown.”

  • A SaaS security engineer at a financial services company told Forrester: “Obsidian has enabled our organization to avoid incurring additional labor costs. In the absence of Obsidian, we would have needed to hire senior engineers to build API, scripts, and detection pipelines and dashboards, as well as junior engineers to support configurations and audit preparation.”

“In the current environment we are in, my organization would not be able to detect threats with standard tooling. We need a solution that works natively in the cloud and covers the entire SaaS estate [both inside the applications and across their connections]. We are fortunate to have Obsidian.”

Chief information security officer, healthcare

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • By leveraging Obsidian SaaS Security, the composite organization avoids hiring seven FTEs: three senior security engineers with extensive experience building detection pipelines, APIs, and scripts and four junior engineers/specialists who support security priorities and handle day-to-day operations.

  • The avoided FTEs would have spent three years building the tooling needed to manage identity threat detection and response, SaaS security posture management, and identity threat prevention.

  • The average fully burdened annual salary (including benefits and taxes paid by the organization) for an FTE is $140,000.

Risks. Potential risks that can impact this benefit include:

  • The number of additional FTEs the organization needs to build tooling for managing identity threat detection and response, SaaS security posture management, and identity threat prevention.

  • The amount of time required to build tooling.

  • The average fully burdened salary for an FTE.

  • Whether or not the resulting in-house tooling yields a minimum viable product that offers the same tools and functionality of Obsidian SaaS Security.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2.2 million.

Avoided Labor Costs

| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- |
| B1 | Avoided FTE hires as a result of Obsidian SaaS Security | Composite | 7.0 | 7.0 | 7.0 |
| B2 | Security team average fully burdened salary | Composite | $140,000 | $140,000 | $140,000 |
| Bt | Avoided labor costs | B1*B2 | $980,000 | $980,000 | $980,000 |
| | Risk adjustment | 10% | | | |
| Btr | Avoided labor costs (risk-adjusted) | | $882,000 | $882,000 | $882,000 |

Three-year total: $2,646,000; three-year present value: $2,193,403

Avoided Audit Penalties

Evidence and data. Interviewees said the Obsidian SaaS Security platform improved their organizations’ visibility and helped them avoid incremental audit penalties. They explained that it closed posture gaps and helped them discover and highlight every app in their environment while also allowing them to identify app-to-app authentications. Obsidian SaaS Security helped the interviewees’ organizations meet NIST requirements for SaaS, while also aligning to other frameworks, including ISO and PCI.

  • A SaaS security team lead at a manufacturing company told Forrester: “Obsidian is a one-stop shop. It leverages vendors’ documentation for best practices as well as standards such as NIST and ISO, connecting these to the Obsidian platform. Obsidian helped us identify misconfigurations and provided specific instructions on how to fix them in the platform without having to contact the SaaS vendor, saving us valuable time.”

  • A chief information security officer at a healthcare company shared: “By integrating security posture rules and frameworks into the solution platform, Obsidian helped us monitor our risk management and cybersecurity readiness. We have been able to ensure regulatory compliance.”

  • A SaaS security engineer at a financial services company told Forrester, “Obsidian helped us identify open risk and protected us from being in a compromised position.”

“Obsidian has provided consistent posture management functionality. We appreciate the phishing detection and prevention capabilities that Obsidian has built into the in-browser analysis. [This allows] us to have greater visibility into shadow SaaS and genAI apps.”

VP of information security, biotechnology

Modeling and assumptions. Based on the interviews, Forrester assumes that the composite organization avoids $1 million in incremental audit penalties with Obsidian SaaS Security.

$2.4M

Avoided audit penalties over three years

Risks. Potential risks that can impact this benefit include:

  • The extent to which the organization leverages Obsidian SaaS Security to manage compliance risk.

  • The specific goals and activities of the organization to manage compliance.

  • The ways the organization leverages Obsidian SaaS Security to make strategic decisions about compliance.

Results. To account for these risks, Forrester adjusted this benefit downward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2.4 million.

Avoided Audit Penalties

| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- |
| C1 | Avoided audit penalties | Composite | $1,000,000 | $1,000,000 | $1,000,000 |
| Ct | Avoided audit penalties | C1 | $1,000,000 | $1,000,000 | $1,000,000 |
| | Risk adjustment | ↓5% | | | |
| Ctr | Avoided audit penalties (risk-adjusted) | | $950,000 | $950,000 | $950,000 |

Three-year total: $2,850,000; three-year present value: $2,362,509

Reduced Audit And Compliance Costs

Evidence and data. Interviewees said the Obsidian SaaS Security platform provides continuous visibility into their organizations’ SaaS environments — including applications, integrations, and SaaS pathways — and that this helped their organizations standardize and simplify their audit processes, reduce audit risk, and avoid audit penalties. By identifying misconfigurations, undocumented applications, and SaaS-to-SaaS authentications, the organizations closed compliance gaps proactively rather than during audit cycles. This improved readiness helped the organizations align more consistently with regulatory and industry frameworks (e.g., NIST, ISO, PCI), which reduced the likelihood of negative audit findings, remediation delays, and associated penalties.

  • A SaaS security team lead at a manufacturing company told Forrester: “Since we started using Obsidian, we have been able to save over 250 hours preparing for audits. With the Obsidian platform and its reporting capabilities, we have simplified the entire audit preparation process and reduced manual, error-prone effort.”

  • A chief information security officer at a healthcare company shared, “Obsidian helped us respond much more quickly to inquiries about why we are not passing an ISO or SOC 2 (system and organization controls 2) order and significantly shortened the time it takes to remediate identified issues.”

  • A SaaS security engineer at a financial services company told Forrester: “Obsidian allows our team to work more efficiently towards regulatory compliance. We now spend significantly less time preparing for audits.” 

90%

Reduction in audit preparation time

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • The composite organization has one audit per year.

  • Before using Obsidian SaaS Security, the composite organization spent an average of 300 hours preparing for an audit.

  • Obsidian SaaS Security reduces the composite’s audit preparation time by 90%.

  • The audit preparation cost per internal employee per hour is $67.

  • Prior to using Obsidian SaaS Security, external auditors spent an average of 300 hours per year conducting audits.

  • Obsidian SaaS Security reduces external auditor time by 20%.

  • The external audit consultancy cost per hour is $200.

“As our organization moves towards ISO compliance, Obsidian’s platform has played a key role in helping our team prepare for audits. Obsidian has saved us countless hours by identifying required controls, existing gaps, and what needs to be remediated, allowing us to stay compliant and avoid issues during regulatory reviews.”

VP of information security, biotechnology

Risks. Potential risks that can impact this benefit include:

  • The extent to which the organization leverages Obsidian SaaS Security to manage compliance risk.

  • The extent to which the organization leverages Obsidian SaaS Security to manage audits.

  • The specific goals and activities of the organization to manage compliance and prepare for audits.

  • The way the organization leverages Obsidian SaaS Security to make strategic decisions about compliance management and audit preparation.

  • The number of audits each year.

  • The cost of dedicated internal resources.

  • The cost of external audit consultancy.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $67,000.

Reduced Audit And Compliance Costs

| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- |
| D1 | Average time spent preparing for audits (hours) | Composite | 300 | 300 | 300 |
| D2 | Internal employee audit preparation time reduction due to Obsidian SaaS Security | Interviews | 90% | 90% | 90% |
| D3 | Internal employee audit preparation cost per hour | Composite | $67 | $67 | $67 |
| D4 | Reduction in internal audit costs | D1*D2*D3 | $18,090 | $18,090 | $18,090 |
| D5 | Average external auditor time spent conducting audits (hours) | Composite | 300 | 300 | 300 |
| D6 | Auditor time reduction due to Obsidian SaaS Security | Interviews | 20% | 20% | 20% |
| D7 | Hourly external audit consultancy costs | Composite | $200 | $200 | $200 |
| D8 | Reduction in external consultancy costs | D5*D6*D7 | $12,000 | $12,000 | $12,000 |
| Dt | Reduced audit and compliance costs | D4+D8 | $30,090 | $30,090 | $30,090 |
| | Risk adjustment | 10% | | | |
| Dtr | Reduced audit and compliance costs (risk-adjusted) | | $27,081 | $27,081 | $27,081 |

Three-year total: $81,243
Three-year present value: $67,346

Operational Efficiency Gains

Evidence and data. Interviewees explained that Obsidian SaaS Security helped their organizations become more efficient by allowing them to automate manual tasks, providing centralized data and reporting insights, and simplifying workflows. This saved time and led to increased productivity.

  • A SaaS security team lead at a manufacturing company told Forrester: “Obsidian has made our detection, diagnosis, and decision-making faster. Our mean time to resolution has gone from 22 days to 1.75 days.”

  • A VP of information security at a biotechnology company shared: “We no longer spend time writing detections or maintaining detection pipelines. Those capabilities are already built into the Obsidian platform, which allows us to focus on other, more strategic areas of our security program.”

  • A chief information security officer at a healthcare company said: “Obsidian reduced the need to build and maintain detection pipelines. The solution streamlined our workflows. Our team can now focus on other critical security priorities.” 

  • A SaaS security engineer at a financial services company told Forrester: “We used to perform several tasks manually. Since we adopted Obsidian, tasks that were previously manual are now largely automated. This has allowed us to respond more efficiently and rapidly to fast-moving attacks while also reducing the likelihood of human error.”

“Organizations that rely on several SaaS applications are likely to face major security gaps. Without a solution like Obsidian, it is challenging to identify and understand your risk exposure, let alone detect, prevent, and respond to threats and attacks effectively.”

Chief information security officer, healthcare

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • The composite organization’s security team is comprised of eight FTEs, including senior engineers, junior engineers, and specialists.

  • Each FTE spends 6 hours daily on security operations and tasks impacted by Obsidian SaaS Security.

  • Obsidian SaaS Security saves 25% of this time.

  • The fully burdened average hourly salary for a security team member is $67.

  • The organization recaptures 50% of productivity because not all hours gained from efficiency translate into additional work being completed.

25%

Time saved on security operations and tasks

Risks. Potential risks that can impact this benefit include:

  • The extent to which the organization leverages Obsidian SaaS Security to manage security operations and tasks.

  • The number of resources (FTEs) the organization dedicates to security.

  • The amount of time spent on security operations and tasks.

  • The percentage of time saved with Obsidian SaaS Security.

  • The fully burdened average hourly salary for a security team member.  

  • Productivity capture rate.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $234,000.

Operational Efficiency Gains

| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- |
| E1 | Security team FTEs | Composite | 8.0 | 8.0 | 8.0 |
| E2 | Daily time a security team FTE spends on security tasks impacted by Obsidian SaaS Security (hours) | Composite | 6 | 6 | 6 |
| E3 | Percent of time saved with Obsidian SaaS Security | Interviews | 25% | 25% | 25% |
| E4 | Total team time efficiency gains (hours) | E1*E2*E3*260 | 3,120 | 3,120 | 3,120 |
| E5 | Average fully burdened hourly salary for a team member | Composite | $67 | $67 | $67 |
| E6 | Savings from increased efficiency | E4*E5 | $209,040 | $209,040 | $209,040 |
| E7 | Productivity capture | Forrester methodology | 50% | 50% | 50% |
| Et | Operational efficiency gains | E6*E7 | $104,520 | $104,520 | $104,520 |
| | Risk adjustment | 10% | | | |
| Etr | Operational efficiency gains (risk-adjusted) | | $94,068 | $94,068 | $94,068 |

Three-year total: $282,204
Three-year present value: $233,933

Unquantified Benefits

Interviewees also identified the following additional benefits that delivered value to their organizations but were not formally quantified:

  • Improved security visibility and administrative control. Interviewees said the Obsidian SaaS Security platform is easy to use, and that it allows their organizations to promptly identify and address potential threats while mitigating vulnerabilities. They said the platform enables their organizations to manage permissions and excessive privileges, prevent SaaS configuration drift, surface shadow SaaS inventory, and detect SaaS spear phishing and token compromise.
    A SaaS security team lead at a manufacturing company told Forrester: “We have found Obsidian’s platform easy to use. It is polished and intuitive.”
    A VP of information security at a biotechnology company shared: “Obsidian’s platform connects SaaS applications, endpoints, and identity data. [This provides] valuable insights that are easy to interpret and act upon.”
    A chief information security officer at a healthcare company said: “With Obsidian, we can see integrations, SaaS activity logs, API keys and tokens, permissions, and configurations. The platform provides an identity-centric dashboard that is straightforward and easy to navigate.”

  • Reduced operational complexity and administrative effort. Interviewees said their organizations deployed the solution quickly and integrated it into their overall security infrastructures in a short amount of time. They also noted the solution requires minimal ongoing maintenance, which allows security teams to focus their efforts on executing security strategy.
    A VP of information security at a biotechnology company told Forrester: “Deploying Obsidian was easy. We spent a bit of time on the posture integration side, but overall, the process was swift.”
    A chief information security officer at a healthcare company shared: “We have been able to deploy Obsidian in multiple regions globally. Deployment and ongoing maintenance have both been relatively effortless.”

  • Enhanced vendor partnership and strategic alignment. Interviewees said their TAMs and Obsidian engineers quickly respond to support inquiries, and they explained this helps ensure the platform operates effectively and is aligned with the organization’s strategic objectives.
    A SaaS security team lead at a manufacturing company told Forrester: “Obsidian’s technical support and engineering teams have been truly amazing. Their responsiveness, fast turnarounds on feature requests, and proactive engagement with our team have been truly impressive.”
    A chief information security officer at a healthcare company shared: “Obsidian’s technical support team is outstanding. Whenever we’ve had a question or issue, they have been readily available to help.”

  • Greater organizational agility during business change. Interviewees said that leveraging Obsidian SaaS Security allows their organization to engage in business change that reconciles evolving conditions in the cybersecurity space. They noted the solution supports changes in operating models and security processes as organizations prepare for emerging risks.
    A SaaS security team lead at a manufacturing company told Forrester: “My organization understands how the cybersecurity landscape continues to evolve and how AI will play a greater role in cybersecurity. Obsidian functionality that addresses non-human SaaS identities and integrations and shadow AI will continue to be important for the organization as we engage in continued business change.”
    A SaaS security engineer at a financial services company shared: “Obsidian has helped my organization identify security processes that were not conducive to high organizational performance. Obsidian has supported our efforts to improve how we operate, which has had a positive impact across the business at large.”

“Obsidian’s technical support team is impressive. They are knowledgeable, technical, and receptive to feedback. We can always count on them to be there for us.”

SaaS security engineer, financial services

Flexibility

The value of flexibility is unique to each customer and use case. There are multiple scenarios in which a customer might implement the Obsidian SaaS Security platform and later realize additional uses and business opportunities, including:

  • Compliance with regulatory frameworks. Interviewees said it’s challenging to keep pace with expanding SaaS estates while meeting multiple regulatory frameworks and that this leads to slow audits, incomplete evidence, and delayed deployments. They noted that Obsidian SaaS Security provides a centralized system that aligns SaaS configurations with industry standards. They also said the solution maps SaaS configuration and activity to compliance frameworks, automates evidence collection, and monitors what each vendor API permits.

  • Management of excessive access, shadow SaaS and AI usage, and identity gaps. Interviewees explained that expanding SaaS and AI usage increases the likelihood of excessive privileges, unmanaged applications, and identity gaps that raise the risk of account abuse. But they noted the Obsidian SaaS Security platform discovers shadow SaaS and AI, detects risky authentication patterns (e.g., multifactor authentication bypass, direct logins), highlights overprivileged and inactive accounts to support enforcing least privilege, and reduces identity-driven risk.

  • Visibility into SaaS integrations and third-party connections. Interviewees said SaaS-to-SaaS integrations and third-party connections expand attack surfaces and make it difficult to identify which integrations are risky or how breaches disseminate through interconnected services. They said the Obsidian SaaS Security platform maps all SaaS integrations, scores risk based on scope and usage, establishes behavioral baselines, and enables rapid investigation with normalized logs and end-to-end audit trails.

  • Detection and response to account compromise and takeover attacks. Interviewees explained that account takeover attacks and insider misuse often bypass traditional email and web defenses by leveraging SaaS identities and sessions, while insider misuse is challenging to detect without context. They said the Obsidian SaaS Security platform detects anomalous access and suspicious behavior in near-real time, blocks compromised credentials and sessions, and accelerates investigation and remediation with identity-focused logging, alert context, and guided response workflows.

  • Browser extension security. Shadow SaaS and AI sprawl increase organizations’ attack surfaces. But interviewees said the Obsidian SaaS Security platform enhances browser-level awareness by analyzing SaaS and AI usage and preventing account takeovers from web-originated attacks. They said the solution detects, warns, or blocks users from submitting credentials to malicious websites and that it applies flexible controls to monitor or block access to risky SaaS and genAI apps.

  • AI agent security and governance. As organizations adopt AI agents that act autonomously across SaaS applications, managing access, permissions, and behavior becomes increasingly complex. Interviewees noted the Obsidian SaaS Security platform identifies nonhuman identities, monitors agent activity and permissions, assesses risk across agent-to-SaaS interactions, and provides visibility into how AI agents access data and take action across the SaaS environment.

“My organization values Obsidian’s ability to address multiple security challenges — from managing access risk to securing SaaS configurations and supply chains and detecting identity-based threats across our environment.”

SaaS security team lead, manufacturing

Analysis Of Costs

Quantified cost data as applied to the composite
Total Costs

| Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Ftr | Obsidian SaaS Security cost | $0 | $546,250 | $546,250 | $546,250 | $1,638,750 | $1,358,443 |
| Gtr | Total internal effort costs | $55,200 | $281,750 | $281,750 | $281,750 | $900,450 | $755,871 |
| | Total costs (risk-adjusted) | $55,200 | $828,000 | $828,000 | $828,000 | $2,539,200 | $2,114,314 |

Obsidian SaaS Security Cost

Evidence and data. Interviewees said their organizations pay ongoing subscription fees to Obsidian and that the amount is based on the number of apps and users. Subscription fees include technical support and access to ITDR, SSPM, and ITP. Pricing may vary. Contact Obsidian for additional details.

Modeling and assumptions. Based on the interviews, Forrester assumes the composite organization pays $475,000 in subscription fees in Years 1 to 3.

Risks. Potential risks that can impact this cost include:

  • The size and scope of the deployment.

  • Whether or not the organization uses value-added data services.

Results. To account for these risks, Forrester adjusted this cost upward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.4 million.

Obsidian SaaS Security Cost

| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- | --- |
| F1 | Obsidian SaaS Security subscription cost | Composite | $0 | $475,000 | $475,000 | $475,000 |
| Ft | Obsidian SaaS Security cost | F1 | $0 | $475,000 | $475,000 | $475,000 |
| | Risk adjustment | 15% | | | | |
| Ftr | Obsidian SaaS Security cost (risk-adjusted) | | $0 | $546,250 | $546,250 | $546,250 |

Three-year total: $1,638,750
Three-year present value: $1,358,443

Total Internal Effort Costs

Evidence and data. Interviewees reported their organizations needed internal resources to configure Obsidian SaaS Security and require resources to support the platform on an ongoing basis. They told Forrester it took approximately two months to integrate and become acquainted with the solution and its capabilities.

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • The composite organization requires two FTEs to integrate and configure Obsidian SaaS Security.

  • It takes the organization two months to configure the solution and become acquainted with its functionality and capabilities.

  • The average fully burdened monthly cost of one FTE who works on configuration is $12,000 ($140,000 annually).

  • The composite needs 1.75 FTEs to support the solution on an ongoing basis.

  • The average fully burdened annual cost of an FTE who supports the solution is $140,000.

Risks. Potential risks that can impact this cost include:

  • The complexity of the deployment.

  • The size and scope of the deployment.

  • The number of FTEs needed to integrate and configure the solution.

  • The number of FTEs needed to support the solution.

  • The fully burdened cost of a resource.

Results. To account for these risks, Forrester adjusted this cost upward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $756,000.

“Maintaining and supporting Obsidian is quite simple and straightforward.”

Chief information security officer, healthcare

Total Internal Effort Costs

| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- | --- |
| G1 | FTEs needed to initially configure solution | Interviews | 2.0 | | | |
| G2 | Configuration time (months) | Interviews | 2.0 | | | |
| G3 | Fully burdened monthly cost of an FTE | Composite | $12,000 | | | |
| G4 | Initial deployment costs | G1*G2*G3 | $48,000 | | | |
| G5 | FTEs who support Obsidian SaaS Security on an ongoing basis | Interviews | 0 | 1.75 | 1.75 | 1.75 |
| G6 | Fully burdened cost of an FTE | Composite | | $140,000 | $140,000 | $140,000 |
| G7 | Total ongoing costs | G5*G6 | $0 | $245,000 | $245,000 | $245,000 |
| Gt | Total internal effort costs | G4+G7 | $48,000 | $245,000 | $245,000 | $245,000 |
| | Risk adjustment | 15% | | | | |
| Gtr | Total internal effort costs (risk-adjusted) | | $55,200 | $281,750 | $281,750 | $281,750 |

Three-year total: $900,450
Three-year present value: $755,871

Financial Summary

Consolidated Three-Year, Risk-Adjusted Metrics

[Figure: Cash Flow Chart (Risk-Adjusted). Series: total costs, total benefits, cumulative net benefits. Periods: Initial, Year 1, Year 2, Year 3.]

Cash Flow Analysis (Risk-Adjusted)

| | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
| --- | --- | --- | --- | --- | --- | --- |
| Total costs | ($55,200) | ($828,000) | ($828,000) | ($828,000) | ($2,539,200) | ($2,114,314) |
| Total benefits | $0 | $2,479,809 | $2,479,809 | $2,479,809 | $7,439,427 | $6,166,916 |
| Net benefits | ($55,200) | $1,651,809 | $1,651,809 | $1,651,809 | $4,900,227 | $4,052,602 |
| ROI | | | | | | 192% |
| Payback | | | | | | <6 months |

Please Note

The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in Obsidian SaaS Security.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Obsidian SaaS Security can have on an organization.

Due Diligence

Interviewed Obsidian Security stakeholders and Forrester analysts to gather data relative to Obsidian SaaS Security.

Interviews

Interviewed four decision-makers at organizations using Obsidian SaaS Security to obtain data about costs, benefits, and risks.

Composite Organization

Designed a composite organization based on characteristics of the interviewees’ organizations.

Financial Model Framework

Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.

Case Study

Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.

Total Economic Impact Approach

Benefits

Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.

Costs

Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.

Flexibility

Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.

Risks

Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”

Financial Terminology

Present value (PV)

The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PVs of costs and benefits feed into the total NPV of cash flows.

Net present value (NPV)

The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.

Return on investment (ROI)

A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.

Discount rate

The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.

Payback

The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.

Appendix A

Total Economic Impact

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

Appendix B

Endnotes

1 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

2 Cumulative breach costs are computed using the composite organization’s revenue or number of employees as an input to a regression analysis of reported total cumulative costs for all breaches for organizations that experienced at least one breach in the past 12 months. Base: 1,740 global security decision-makers from organizations that have experienced a breach in the past 12 months. Source: Security Survey, 2025, Forrester Research, Inc.

Disclosures

Readers should be aware of the following:

This study is commissioned by Obsidian Security and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Obsidian SaaS Security.

Obsidian Security reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Obsidian Security provided the customer names for the interviews but did not participate in the interviews.

Consulting Team:

Byron Ramirez

Published

March 2026
