
SFHound

Surface every Salesforce attack path — Profiles, Permission Sets, Role Hierarchies, OAuth apps, and field-level permissions — in BloodHound's graph UI.

Why SFHound?

Salesforce’s layered permission model — Profiles, Permission Sets, Permission Set Groups, Role Hierarchies, Sharing Rules, and Connected Apps — creates complex, overlapping access vectors that are nearly impossible to audit manually.

SFHound collects that data once and maps it as a typed property graph, giving you BloodHound’s shortest-path engine to answer questions like:

  • Which users can read or modify every record in the org regardless of sharing rules?
  • Which identities can authorise OAuth Connected Apps that communicate outside the org?
  • Who can deploy Apex code, change profiles, or restructure the role hierarchy?
  • What is the blast radius of a compromised service account?

Attack path analysis

Discover privilege escalation chains through Profile assignments, nested Permission Set Groups, and system permission edges — rendered as shortest-path queries in BloodHound.

IAM audit layer

Enumerate every Profile, Permission Set, Role, Public Group, and Queue assignment in a single graph. Spot misconfigurations without writing hundreds of SOQL queries.

Object & field permissions

Map CRUD access and Field-Level Security across all standard and custom SObjects. Find every identity that can read SSN__c or delete Opportunity records.

OAuth attack surface

Trace which Profiles and Permission Sets grant CanAuthorize to Connected Apps, and audit the admins who created them.

BloodHound-native output

Emits a BloodHound OpenGraph JSON file. Load it with the --auto-ingest flag or by drag-and-drop into the BloodHound UI. Every edge carries AbuseInfo, RemediationInfo, OPSEC, and MITRE ATT&CK references.

Quick start

# 1 — Clone and install
git clone https://github.com/Khadinxc/sfhound.git
cd sfhound/sf-opengraph
pip install -r requirements.txt
# 2 — Configure your Connected App credentials
cp config.yaml.example config.yaml
# edit config.yaml ...
# 3 — Run the collector
python sfhound.py --auto-ingest

What’s in the graph?

11 node types

SFOrganization · SFUser · SFProfile · SFPermissionSet · SFPermissionSetGroup · SFRole · SFGroup · SFQueue · SFConnectedApp · SFSObject · SFField

40+ edge types

Assignment edges, system permission edges (ModifyAllData, AuthorApex …), CRUD edges, FLS edges, group membership, role inheritance, and OAuth authorization.
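To make the graph model concrete, here is an added example (not SFHound's own code) that shapes a handful of constructed Salesforce assignments into an OpenGraph-style document using the node types listed above, then walks it to answer the first question on this page: which users reach ModifyAllData through a Profile or a nested Permission Set Group. The assignment and membership edge names (SFHasProfile, SFAssignedPermissionSet, SFMemberOfPermissionSetGroup), the SFBase source kind and the org id are assumptions and placeholders; check the document shape against the current BloodHound OpenGraph docs before ingesting real output.

```python
from collections import defaultdict, deque

# Node kind from the id prefix, using the SFHound node types listed above.
KIND_BY_PREFIX = {"org": "SFOrganization", "user": "SFUser", "profile": "SFProfile",
                  "permset": "SFPermissionSet", "psg": "SFPermissionSetGroup"}

# Constructed sample data: (start_id, edge_kind, end_id). The assignment and
# membership edge names are assumptions; ModifyAllData is named on the page.
SAMPLE_EDGES = [
    ("user:alice", "SFHasProfile", "profile:SysAdmin"),
    ("profile:SysAdmin", "ModifyAllData", "org:ORG_ID_PLACEHOLDER"),
    ("user:bob", "SFAssignedPermissionSet", "permset:DataExport"),
    ("permset:DataExport", "SFMemberOfPermissionSetGroup", "psg:Finance"),
    ("psg:Finance", "ModifyAllData", "org:ORG_ID_PLACEHOLDER"),
    ("user:carol", "SFAssignedPermissionSet", "permset:ReadOnly"),
]

def build_opengraph(edges, source_kind="SFBase"):
    """Shape the triples into an OpenGraph-style document (metadata + graph)."""
    nodes = {}
    for start, kind, end in edges:
        for node_id in (start, end):
            prefix = node_id.split(":", 1)[0]
            nodes[node_id] = {"id": node_id, "kinds": [KIND_BY_PREFIX[prefix], source_kind],
                              "properties": {"name": node_id}}
    og_edges = [{"start": {"value": s, "match_by": "id"}, "end": {"value": e, "match_by": "id"},
                 "kind": k, "properties": {"AbuseInfo": "", "RemediationInfo": "", "OPSEC": ""}}
                for s, k, e in edges]
    return {"metadata": {"source_kind": source_kind},
            "graph": {"nodes": list(nodes.values()), "edges": og_edges}}

def users_reaching(doc, system_permission):
    """BFS from each SFUser: the user holds the permission if any path from it
    ends in an edge of that kind, however deeply nested the Permission Set Group."""
    out_edges = defaultdict(list)
    for edge in doc["graph"]["edges"]:
        out_edges[edge["start"]["value"]].append((edge["kind"], edge["end"]["value"]))
    hits = []
    for user in (n["id"] for n in doc["graph"]["nodes"] if "SFUser" in n["kinds"]):
        seen, queue = {user}, deque([user])
        while queue and user not in hits:
            node = queue.popleft()
            for kind, nxt in out_edges[node]:
                if kind == system_permission:
                    hits.append(user)
                elif nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return sorted(hits)
```

Serialising build_opengraph(SAMPLE_EDGES) with json.dumps gives a file in the shape BloodHound's OpenGraph ingest expects; users_reaching(doc, "ModifyAllData") returns alice (via her Profile) and bob (via the nested group), not carol.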