Fivetran Agent Security Risks

Data Engineering Agents fivetran.com Tight Operators
AI RISK QUADRANT POSITION DEFENSE CONTROLS (8) ATTACK SURFACE (2.62) EXPOSED GIANTS FORTIFIED LEADERS HUMBLE PROVIDERS TIGHT OPERATORS
AIRQ Score
4.46
High
Attack Surface
2.62
Low
Blast Radius
4.25
Medium
Defense Controls
8
Medium
About The Agent

Fivetran is a cloud-managed data movement platform that autonomously extracts, loads, and optionally transforms data from more than five hundred configured sources into analytics destinations on operator-defined schedules. [2] The same orchestration layer manages credentials for every configured connection, runs custom Python connectors via the Connector SDK, and offers a Hybrid Deployment Agent for environments where data must not transit the vendor's infrastructure. Every sync fires without per-operation approval once the connection is active.

About the AI Risk Quadrant

Tight Operators placement reflects a narrow attack surface driven by deterministic connector logic rather than an LLM reasoning loop, combined with moderate blast radius from credential and network access, and meaningful vendor-documented defense controls including RBAC, container isolation, encryption at rest, and structured audit logging. [3] Operators inherit a well-governed platform whose residual risk concentrates in autonomous scheduling and credential breadth rather than adversarial input exploitation.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Fivetran concentrates residual risk in its autonomous scheduling model and broad credential access rather than in adversarial input channels, because the deterministic pipeline architecture eliminates most prompt-injection and reasoning-manipulation surfaces. [2]

Key Input Risks
The narrow input surface requires no additional prompt-filtering investment because all source connections require explicit operator configuration through an authenticated dashboard or API with no free-form prompt channels or marketplace-injected code paths. [5]
Key Execution Risks
Connector SDK code runs in Fivetran-managed or operator-managed container environments with no direct shell access exposed to end users. Execution isolation relies on the vendor's multi-tenant cloud boundary or the operator's own Hybrid Deployment container, both documented with SAST and SCA scanning. [7]
Key Action Risks
Configured data syncs execute autonomously on schedule without per-operation approval; operators should restrict connection-management roles via RBAC and configure alert thresholds on sync frequency changes to contain the autonomous-action surface. [9]
Key Output Risks
Data flows from sources to destinations without content-level DLP or exfiltration-pattern detection; column blocking and hashing are opt-in schema-level controls. A misconfigured or compromised connector could replicate sensitive columns to an unintended destination without triggering an output-layer alarm. [4]
Key Monitoring Risks
Structured audit trail and platform logging deliver visibility into user actions and sync events when forwarded to an external SIEM. Anomaly detection and automated incident response are not built into the platform, leaving behavioral alerting entirely to the operator's downstream tooling. [10]

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Fivetran sits in the lower-risk quadrant with vendor-documented controls materially reducing the moderate blast footprint that credential access and network connectivity create.

AIRQ Metrics

The attack surface stays in the lower band because no LLM reasoning loop or marketplace ingestion channel exists, while blast radius remains moderate and defense controls contribute meaningful mitigation. [3]

Each axis uses the same composite methodology: Attack Surface and Blast Radius scale to ten, Defense Controls sum to fifteen, and AIRQ integrates all three into a single composite.

Metric Score Comments
AIRQ Score 4.46 Operators inherit moderate residual risk from credential breadth and autonomous scheduling, materially contained by vendor-implemented RBAC, encryption, and audit controls.
Blast Radius 4.25 / 10 Credential breadth across configured connections and unrestricted outbound to destinations drive the capability band.
Attack Surface 2.62 / 10 Deterministic connectors and no LLM reasoning loop keep almost every surface at or below the midpoint band.
Defense Controls 8 / 15 Vendor-documented RBAC, container isolation, encryption, and structured logging contribute materially to risk reduction.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The pipeline processes structured data from operator-configured sources through deterministic connector logic, eliminating the free-form prompt ingestion and marketplace injection surfaces common to LLM-based agents.

Attack Surface Metrics

No surface exceeds the midpoint band; the highest-scoring surfaces reflect data ingestion breadth and automated execution rather than adversarial input channels.

Each row maps an interaction pattern to its scored exposure level and supporting evidence from vendor documentation or independent research.

Surface Score Comments
User Input 1 / 4 Single validated input channel through authenticated dashboard and REST API with no free-form prompt interface. [5]
External Data 2 / 4 Reads from operator-configured databases, SaaS APIs, and file storage with connector-specific schema validation per source type. [12]
Memory 1 / 4 Session-level sync state via incremental cursors; no cross-session persistent memory or learning loop that could be externally poisoned. [7]
Reasoning 0 / 4 No autonomous reasoning or LLM-based decision making; connector logic follows deterministic extraction rules. [5]
Planning 1 / 4 Single-step sync execution per configured connection following operator-defined schedules with no task decomposition. [7]
Tool Execution 2 / 4 Connector SDK runs operator-authored Python in managed infrastructure; no arbitrary shell or browser execution exposed to end users. [12]
Orchestration 2 / 4 Multi-step extract-process-load pipeline with scheduled automation; no self-modifying workflows or unsupervised daemon spawning. [7]
Inter-Agent 0 / 4 Standalone architecture with no agent-to-agent communication, MCP connectivity, or delegation to external agents. [5]
Output Processing 1 / 4 Structured data output to configured destinations with optional column blocking and hashing; no rich rendering or URL embedding. [4]
Configuration 2 / 4 Configuration through authenticated UI and API only; Connector SDK packages deploy from managed registry with no auto-loaded config files. [9]

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Fivetran accesses sensitive customer databases and credentials during sync operations and sends extracted data to configured destinations over the network, but all input channels require explicit operator configuration rather than ingesting third-party untrusted content.

Lethal Trifecta · Partial (2 of 3)

Fivetran exhibits two of the three trifecta conditions in its documented default configuration:

  • Untrusted input — All source connections are operator-configured through an authenticated interface; no marketplace or third-party content enters without explicit setup. [5]
  • Sensitive data — Sync operations access customer database contents, API responses, and the encrypted credential store holding connection secrets for all configured sources. [6]
  • External egress — Extracted data transits to configured destinations over outbound network connections; in cloud mode data routes through Fivetran infrastructure. [7]

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. Credential breadth across all configured connections and write access to analytics destinations are the primary blast vectors, bounded by container isolation and the absence of infrastructure-modification capability.

Blast Radius Metrics

No factor reaches maximum band; credential access and network connectivity carry the highest exposure within the moderate range.

Each row maps a capability the pipeline holds at runtime to the operator-owned resource it could reach if the execution boundary were breached.

Factor Score Comments
Code execution 2 / 4 Connector SDK Python runs in managed container environments scoped to data extraction logic without arbitrary shell access. [12]
File system access 1 / 4 Hybrid Deployment Agent writes only to local data and tmp directories; cloud mode has no operator file system access. [8]
Network access 2 / 4 Outbound connections reach configured sources and destinations; Hybrid Deployment allows network restriction to Fivetran endpoints. [7]
Credential access 2 / 4 Encrypted credential store holds database passwords, API tokens, and OAuth keys for all configured connections, decrypted during each sync; PCI DSS Level 1 validation covers cardholder data paths. [6] [15]
Autonomous action 2 / 4 Syncs execute on configured schedules without per-operation approval once a connection is active and unpaused. [9]
Deployment access 1 / 4 Pipeline writes to data warehouse destinations but cannot modify infrastructure, deploy services, or publish packages. [4]

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The vendor publishes RBAC, container isolation, credential encryption, column hashing, and structured audit logging as default or standard-tier controls, validated through ISO 27001, SOC 2 Type II, and PCI DSS Level 1 certifications with no confirmed breaches on the Trust Center record. [1] [14] [16]

Defense Controls Metrics

Higher scores on the inverted scale indicate stronger vendor-implemented safeguards; the moderate total reflects documented controls across most components.

Each component is scored on the vendor-implemented default posture; all carry vendor-documented confidence without independent penetration-test disclosure, and third-party continuous monitoring confirms no confirmed breaches. [13]

Component Score Comments
Input Guardrails 1 / 3 TLS certificate verification and schema validation for source connections provide pattern-based input filtering without ML-based injection detection. [5]
Execution Isolation 2 / 3 Multi-tenant cloud isolation for SaaS mode and Docker or Kubernetes container isolation for Hybrid Deployment with SAST and SCA scanning of images. [7]
Action Controls 2 / 3 Hierarchical RBAC with Account, Destination, and Connection scopes enforces least privilege; no single-step bypass mechanism documented. [9]
Output Guardrails 1 / 3 Column blocking prevents replication of selected objects; column hashing anonymizes sensitive values; customer-managed keys control credential encryption. [6]
Monitoring 2 / 3 Platform Connector delivers LOG and AUDIT_TRAIL tables to the destination; external log forwarding supports CloudWatch, Splunk, and Grafana Loki. [10]

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize restricting credential access breadth, enabling audit trail forwarding to a SIEM, and deploying Hybrid mode where data must not transit vendor infrastructure.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require security review of all Connector SDK packages before deployment to production destinations — counters Tool Execution exposure from custom code. [12]
  • Configuration Enable TLS certificate pinning and disable legacy connectivity methods for all database source connections — counters External Data ingestion from weakly authenticated sources. [5]
  • Engineering Integrate a schema-validation layer that rejects unexpected column types or row volumes before loading to the destination — counters External Data anomalies reaching analytics consumers. [4]

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Mandate Hybrid Deployment for all connections handling regulated data so processing remains within the operator's network perimeter — counters network blast from cloud-transit exposure. [7]
  • Configuration Configure container resource limits and network policies in Kubernetes Hybrid Deployment to restrict outbound traffic to approved endpoints only — counters network access breadth. [8]
  • Engineering Deploy network segmentation between the Hybrid Deployment Agent and production systems using firewall rules or private networking — counters credential access blast from lateral movement. [7]

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Assign View-only or Edit Connection roles to analytics consumers and reserve Manage Destination to infrastructure owners — counters autonomous action scope from over-privileged users. [9]
  • Configuration Configure alert thresholds on sync frequency and data volume changes so anomalous connection behavior triggers operator review before sustained exfiltration occurs — counters autonomous action running unchecked during incidents. [10]
  • Engineering Build a CI/CD approval gate around Fivetran API calls that modify connection credentials or destination configurations — counters configuration surface from programmatic changes. [9]

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Establish a data classification policy mapping which source columns must be blocked or hashed before replication — counters output exposure of sensitive data to analytics consumers. [4]
  • Configuration Enable column hashing for all PII columns and block replication of credential-bearing columns at the schema level — counters credential access blast at the destination tier. [6]
  • Engineering Deploy customer-managed keys and revocation procedures so credential access can be terminated unilaterally without Fivetran cooperation — counters credential blast from vendor-side compromise. [6]

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Require all Fivetran audit trail events to forward to the enterprise SIEM within the retention window mandated by compliance — counters monitoring blind spots from destination-only logging. [11]
  • Configuration Configure external log services at the account level and set alert rules for create_connection, edit_connection, and delete_connection audit events — counters action control gaps through detective controls. [10]
  • Engineering Build automated anomaly detection on AUDIT_TRAIL and LOG table data targeting off-schedule sync triggers, new destination additions, and credential rotation events outside change windows — counters autonomous action running silently. [10]

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. Fivetran Trust Center Security Responses Vendor Trust Center documenting incident response history including the Salesloft Drift token rotation and assessment status of third-party CVEs against Fivetran products.

Selected Research

  1. Fivetran Agentic AI Readiness Index Vendor research report finding only fifteen percent of organizations are fully prepared to support agentic AI in production, identifying data pipeline governance as a critical gap.
  2. Agentic Analytics Cost Squeeze Industry coverage of Fivetran positioning around open data infrastructure and AI agent data access patterns, noting that agent-driven query volumes stress closed architectures.

Vendor Documentation

  1. Fivetran Security Overview Primary vendor security page documenting encryption, compliance certifications, hybrid deployment options, and data access controls including column blocking and hashing.
  2. Fivetran Security Policy Technical security policy documenting TLS certificate verification, diagnostic data access controls, OWASP-aligned secure coding practices, and network segregation.
  3. Data and Credential Encryption Architecture documentation detailing the encrypt-decrypt pipeline for data keys and credentials using Fivetran KMS with optional customer-managed key overlay.
  4. Hybrid Deployment Model Deployment architecture documentation describing the local agent model with outbound mTLS to Fivetran orchestration, container image scanning, and private networking.
  5. Fivetran Hybrid Deployment Agent Repository Public GitHub repository containing Docker and Kubernetes deployment configurations for the Hybrid Deployment Agent with documented directory layout.
  6. Role-Based Access Control RBAC documentation describing hierarchical permission model across Account, Destination, and Connection scopes with standard and custom role definitions.
  7. Fivetran Platform Connector Monitoring documentation describing LOG, AUDIT_TRAIL, and CONNECTOR_SDK_LOG tables delivered to customer destinations for operational visibility and compliance auditing.
  8. Supported Log Services External log forwarding documentation covering CloudWatch, Splunk, and Grafana Loki integration with account-level and destination-level collection options.
  9. Connector SDK Documentation Developer documentation for building custom Python source connectors with managed deployment infrastructure and credential handling via Fivetran Secure Credentials Service.

Other Sources

  1. UpGuard Vendor Risk Report Third-party continuous monitoring report showing no confirmed data breaches and no vulnerability to legacy TLS attacks across Fivetran infrastructure.
  2. Fivetran ISO 27001 Certification Announcement of ISO 27001 certification issued by Coalfire ISO covering the Fivetran Information Security Management System across product and service operations.
  3. Fivetran PCI DSS Level 1 Validation Announcement of PCI DSS Level 1 validation for the Business Critical plan enabling cardholder data replication between PCI-validated sources and destinations.
  4. Fivetran SOC 2 Type II Vendor blog explaining the SOC 2 Type II audit scope covering sustained security controls over a six-month evaluation period for cloud data handling.