Go back

See It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and More

Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.

Product
July 2, 2026
5m read
5m read
5m listen
5m watch
5m watch
See It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and MoreSee It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and More
speakers
speakers
speakers
authors
James Juran
participants
No items found.
share

Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.

The big news this month has been the rollout of Material’s OAuth Remediation Agent, along with a data report on findings from our early beta participants. But that’s not all the team has been building. We’re continuing to sharpen and refine our detection engine with surgical updates that make Material faster, safer, and easier to run even as the coverage area provided by the platform expands.

OAuth Remediation Agent is generally available

Material’s OAuth Remediation Agent is now in the hands of customers. It gives security teams real-time visibility into every OAuth app connected to their Google Workspace environment, with the ability to automatically classify risk and revoke access for malicious or unwanted connections, with no manual investigation required. 

This new capability expands Material’s security surface area coverage to encompass not just what’s stored within the cloud workspace, but what’s connected to it. With the explosive growth of AI apps, companies must know what AI is being used and what it’s able to access. 

If you haven't already, you can learn more about the OAuth Remediation Agent here.

OAuth Risk Report 

Our inaugural OAuth Risk Report highlights a growing governance gap: 91% of AI applications in production appeared only in the last 16 months, often authorized by individuals without IT oversight. This sprawl is compounded by dormant access, with nearly half of all apps showing no activity for 90 days, and offboarding gaps where sensitive grants persist even after an employee leaves. The report also reveals that one in four apps holds restricted scopes, including deceptive tools designed to impersonate legitimate services. Check out the full report here.

To address these risks, June’s updates to the OAuth Remediation Agent focus on granular control and visibility. Admins can now perform per-user token revocation and view account-specific scopes to see exactly what each user authorized. We’ve also streamlined the workflow so that accepting a classification automatically resolves the underlying issue, and added filtered CSV exports to simplify audits of client IDs, classifications, and response statuses.

Smarter, more resilient threat detection

Material’s power lies not just in the breadth of security coverage across the cloud workspace, but in the accuracy and actionability of the threats it surfaces. That’s why behind the scenes, Material's detection engine got several meaningful upgrades this month.

Email remains a key entry point for attackers, with new exploits threatening unwary employees. That’s why we added a new detection for a recently reported abuse of Microsoft infrastructure used to send spam and phishing links. Material also catches phishing delivered through the Demio webinar platform, a vector security teams have seen used in active campaigns. Both detections are actively protecting our customers, with no extra configuration needed. This is just part of an ongoing series of tuning improvements across impersonation, infrastructure abuse, account takeover, and bulk-mail detection.

We’re also making it easier for analysts to investigate issues. This happens thanks to a combination of the right positive signals along with better visibility within the platform. An example of an insightful new detection is one that now fires when a user clicks a defanged phishing link but is stopped before reaching the actual malicious destination. This gives security teams a low-noise way to measure how often protections are actually working, separate from cases where a user bypasses a warning.

On the search and investigation side, several aspects of the platform received updates. A new search field lets teams query specifically for messages caught by Email Bomb Protection, making it easier to scope the full extent of a mail-bomb attack. We also improved load time and scannability on Issues pages, so key content like sender reputation loads almost instantly and repetitive actions are summarized (e.g. “removed 7 messages” vs. listing every individual event).

Another aspect of Material’s detection engine is its deep ability to understand context. This is especially vital when it comes to cleaning up attacks on the calendar, a resource employees need to rely on to organize their workdays. When Material automatically removes a malicious calendar event during phishing cleanup, it checks the event's authoritative organizer first. Events created by the mailbox owner, their aliases, or trusted internal users are skipped. The fix is resilient to spoofed invite details, so automated remediation no longer risks deleting a real meeting by mistake.

Security Effectiveness Is in the Details

A solid detection engine is more than the sum of its parts, it can be measured in the way it ties together those individual signals. Material is continuing to build effective capabilities, detections, and automated remediations that build on each other, driving more effective security with less toil.

Frequently Asked Questions

Find answers to common questions and get the details you need.

No items found.

Related posts

Our blog is your destination for expert insights, practical tips, and the latest news in technology. Stay informed with our regular updates and in-depth articles. Join the conversation and enhance your understanding of the tech landscape.

blog post

See It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and More

Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.

James Juran
5
m read
Read post
Podcast

See It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and More

Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.

5
m listen
Listen to episode
Video

See It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and More

Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.

5
m watch
Watch video
Downloads

See It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and More

Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.

5
m listen
Watch video
Webinar

See It, Close It: Agent Enhancements, New Detections, OAuth Risk Report, and More

Material’s June included new detections, workflow improvements, updates to the OAuth Threat Remediation Agent, and the industry’s first real-world OAuth Risk Report.

5
m listen
Listen episode
blog post

What the Updated HIPAA Security Rule Means for Email Risk Assessments

A guide for auditors, HITRUST assessors, and HIPAA compliance consultants.

Material Team
10
m read
Read post
Podcast

What the Updated HIPAA Security Rule Means for Email Risk Assessments

A guide for auditors, HITRUST assessors, and HIPAA compliance consultants.

10
m listen
Listen to episode
Video

What the Updated HIPAA Security Rule Means for Email Risk Assessments

A guide for auditors, HITRUST assessors, and HIPAA compliance consultants.

10
m watch
Watch video
Downloads

What the Updated HIPAA Security Rule Means for Email Risk Assessments

A guide for auditors, HITRUST assessors, and HIPAA compliance consultants.

10
m listen
Watch video
Webinar

What the Updated HIPAA Security Rule Means for Email Risk Assessments

A guide for auditors, HITRUST assessors, and HIPAA compliance consultants.

10
m listen
Listen episode
blog post

The Composio Breach: One token, 10,242 doors

One compromised Gmail token gave attackers a skeleton key to 10,000+ customer credentials — and it's the same OAuth playbook security teams keep underestimating.

Rajan Kapoor
7
m read
Read post
Podcast

The Composio Breach: One token, 10,242 doors

One compromised Gmail token gave attackers a skeleton key to 10,000+ customer credentials — and it's the same OAuth playbook security teams keep underestimating.

7
m listen
Listen to episode
Video

The Composio Breach: One token, 10,242 doors

One compromised Gmail token gave attackers a skeleton key to 10,000+ customer credentials — and it's the same OAuth playbook security teams keep underestimating.

7
m watch
Watch video
Downloads

The Composio Breach: One token, 10,242 doors

One compromised Gmail token gave attackers a skeleton key to 10,000+ customer credentials — and it's the same OAuth playbook security teams keep underestimating.

7
m listen
Watch video
Webinar

The Composio Breach: One token, 10,242 doors

One compromised Gmail token gave attackers a skeleton key to 10,000+ customer credentials — and it's the same OAuth playbook security teams keep underestimating.

7
m listen
Listen episode
blog post

The Open Engine: Smarter Detection Explanations and API v1

Material's May updates make the detection engine more legible for every analyst, and give technical teams the programmatic access to put that intelligence to work outside the UI.

James Juran
5
m read
Read post
Podcast

The Open Engine: Smarter Detection Explanations and API v1

Material's May updates make the detection engine more legible for every analyst, and give technical teams the programmatic access to put that intelligence to work outside the UI.

5
m listen
Listen to episode
Video

The Open Engine: Smarter Detection Explanations and API v1

Material's May updates make the detection engine more legible for every analyst, and give technical teams the programmatic access to put that intelligence to work outside the UI.

5
m watch
Watch video
Downloads

The Open Engine: Smarter Detection Explanations and API v1

Material's May updates make the detection engine more legible for every analyst, and give technical teams the programmatic access to put that intelligence to work outside the UI.

5
m listen
Watch video
Webinar

The Open Engine: Smarter Detection Explanations and API v1

Material's May updates make the detection engine more legible for every analyst, and give technical teams the programmatic access to put that intelligence to work outside the UI.

5
m listen
Listen episode
Privacy Preference Center

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

New