Q&A with Amir Khayat, CEO and Co-founder of Vorlon: Cracking the Black Box of SaaS Ecosystem Security with DataMatrix™

Amir Khayat is the CEO and co-founder of Vorlon, the leader in SaaS ecosystem security. Drawing on more than a decade of experience in software engineering, customer success, and enterprise security sales leadership, Amir co-founded Vorlon to address the growing blind spots created by modern SaaS environments. He previously held leadership roles at Demisto (acquired by Palo Alto Networks) and later at Palo Alto Networks itself, where he worked closely with Fortune 500 customers on detection and response strategies.

Now, with the launch of Vorlon’s DataMatrix™ engine, Amir and his team are taking a major step forward in addressing one of the most urgent challenges in enterprise security: visibility and control over third-party SaaS integrations, machine identities, and unmonitored data flows.

citybiz spoke with Amir about the inspiration behind Vorlon, what makes DataMatrix™ different, and how the company is helping organizations take a more proactive approach to SaaS security.

What led you to start Vorlon, and how did your background shape the company’s vision?

I started my career as a software engineer, but I’ve always been interested in the bigger picture: how products are built, deployed, and experienced by customers. Over time, I moved into more customer-facing roles, including field engineering, customer success, and sales engineering leadership. That progression gave me a firsthand view of how security challenges evolve inside large organizations.

The idea for Vorlon came during my time at Palo Alto Networks. I was working closely with enterprise customers and saw that while SaaS adoption was exploding, visibility into those environments was falling behind. One experience in particular stood out—a customer was unknowingly exposing sensitive financial data through a third-party integration. That moment made it clear: the SaaS ecosystem had become a black box, and security teams needed a better way to see inside.

What problem is Vorlon solving, and how does your approach differ from traditional SaaS security tools?

Most SaaS security tools today focus on surface-level posture. They are checking for misconfigurations, unused accounts, or permission settings. While those are important, they don’t show you what’s actually happening inside your SaaS environment.

Vorlon takes a behavioral approach. We continuously monitor how applications, data, users, and machine identities interact across your SaaS ecosystem. That includes API usage, OAuth tokens, service accounts, and third-party integrations. Our platform highlights abnormal behavior, unusual data movement, and over-permissioned connections, so security teams can take immediate action.

You recently launched DataMatrix™, the engine behind your platform. What is it, and why is it such a significant advancement?

DataMatrix™ is the intelligence engine that powers Vorlon. It builds a live, algorithmic model of how your SaaS environment behaves. We ingest dozens of sources, including SaaS APIs, access logs, identity providers, and secret stores, and then correlate that data to create a unified, contextual view of your SaaS environment.

What makes this different from traditional tools is that it focuses on behavior over time. It doesn’t just flag a misconfiguration. It tells you that a token created six months ago, associated with a former employee, just accessed sensitive HR data from an unusual IP address. That kind of contextual insight is what today’s security teams need.

You’ve talked about “cracking open the black box” of SaaS. What kinds of risks are hiding in that layer today?

There are several. First, machine identities like OAuth tokens and CI/CD service accounts often have broad access and go unmonitored. If one of those is compromised, an attacker can move laterally across connected apps without triggering traditional defenses.

Second, over-permissioned third-party integrations are a huge issue. Many apps request far more access than they need, and those permissions often remain long after the app is no longer in active use. Finally, there’s shadow SaaS—tools that employees connect without security’s knowledge, often through plug-ins or browser extensions.

With DataMatrix™, we surface all of this. We give security teams a full map of their SaaS environment: what apps are connected, what data is flowing, which identities are active, and what behavior is anomalous.

You also published research showing that over 50% of SaaS apps lack consistent API logging. What does that say about the state of the market?

We analyzed 70 SaaS applications using our own platform data. The findings were stark: only 45% met the basic thresholds for API security logging, and 30% had major gaps where certain activities left no trace. Nearly half required customers to pay for advanced logging or request it manually.

This tells us that many SaaS vendors are not providing information about what’s going on with their software. And that puts the burden on customers to fill in those gaps. That’s why platforms like Vorlon—and technologies like DataMatrix—are so important. We’re giving teams the visibility their vendors aren’t providing.

Aside from visibility, how does Vorlon help teams take action when something goes wrong?

When DataMatrix detects a threat or anomaly, we don’t just raise an alert. We provide full context. That includes what happened, which identities and secrets were involved, what data was accessed, and how the behavior compares to historical norms.

From there, we offer a prescriptive remediation plan. That might mean revoking a secret, alerting an app owner, or triggering an automated response via SOAR or SIEM. In many cases, customers can resolve issues directly from the Vorlon interface in just a few clicks.

How does Vorlon change the way organizations approach third-party risk?

Most third-party risk programs are based on onboarding reviews or vendor questionnaires. But SaaS environments are dynamic. SaaS vendors frequently change their APIs without notice, employees add new integrations, and risky data flows often go unmonitored.

Vorlon gives teams continuous visibility into their entire SaaS ecosystem, including nested integrations and downstream services. And because DataMatrix maps how behavior changes over time, we can alert teams to drift, new exposures, or policy violations before they become real problems.

Finally, what advice would you offer to security leaders navigating SaaS complexity in 2025?

Don’t assume that your SaaS stack is secure just because it’s configured correctly. Look deeper. Ask yourself: What apps are connected? What data is flowing? Which tokens are active? Who’s watching the machine identities?

If you don’t have clear answers to those questions, it’s time to reassess. SaaS is no longer just a convenience layer. It’s part of your core infrastructure. And it deserves the same level of monitoring, detection, and response as your endpoints and cloud environments.