blog post cover

Shadow IT Discovery Methods

Table of contents

The digital landscape is vast and filled with numerous SaaS apps - some authorized, others forgotten about, and others that companies are unwittingly paying for without actual use. It's a challenge akin to setting out on an uncharted voyage: knowing there's a land out there but not quite sure where or how to find it.

According to the CSA's findings, 58% of companies believe their existing SaaS security solutions protect only 50% or even less of their SaaS applications. The shortfall in coverage cannot be resolved through manual audits and cloud access security brokers (CASB) alone, as these measures are inadequate for safeguarding businesses against SaaS security breaches.

SaaS Security

Navigating the Digital Seas: Decoding Shadow IT Discovery Methods

Enter a suite of tools that promise to find these hidden apps for you. But discovering these apps is only half the journey. The crucial question is how these tools identify them and what happens next.

Think of it as the age of exploration. Many set sail searching for new lands, but only a few, like Columbus, made notable discoveries. The difference? The correct route and understanding of the destination. Understanding the methods to detect these 'hidden lands' is just as pivotal.

Which method suits best for your journey? This article breaks down various discovery methods, shedding light on their workings. As for choosing? That's a map only you can draw. Whether you aim to be the wanderer or the explorer, understanding the tools at your disposal is the first step. Let’s delve into these methods and set you on your way.

SaaS App Discovery Methods
Shadow IT Discovery Methods

1. Machine Learning

Machine Learning resides at the confluence of computer science and artificial intelligence, embodying a fusion of their most advanced capabilities. It harnesses complex algorithms and nuanced data processing to emulate the human learning process, adapting seamlessly to new information streams. Just as the human mind refines its understanding through experience and exposure, machine learning systems iteratively refine their analyses, reaching a level of precision that evokes parallels with human cognition.

Suggested Reading: AI in  Cybersecurity

Machine Learning introduces a dynamic, flow-based approach in the realm of system analysis. Analyzing patterns and predicting behaviors offers profound insights and a holistic view of system interactions.


Machine learning is a powerful but imperfect tool. While adept at parsing large datasets, its effectiveness depends on the quality of its training data, risking overfitting and potential blind spots.

The "black box" nature of deep learning can obscure its decision-making, posing challenges for IT validation. Moreover, the ever-changing software landscape necessitates regular model updates, and ML's computational demands can strain resources. Recognizing these limitations is vital for effective ML deployment in SaaS discovery.

2. Network Monitoring

Network monitoring oversees a computer network for failures or abnormalities and analyzes network performance.  In the context of SaaS discovery, it identifies apps based on traffic patterns, domains, IPs, ports, and protocols. The network monitoring method is based on the following points:

  • Traffic Analysis: Every SaaS application an employee uses communicates with its server, which requires sending and receiving data over the network. Network monitoring tools capture and analyze this traffic to identify patterns characteristic of specific SaaS applications.
  • Domain and IP Recognition: Most SaaS applications have unique domain names or IP addresses associated with their servers. Observing which domains and IP addresses a company's devices connect to makes it possible to identify the applications in use.
  • Data Volume Metrics: The amount and frequency of data being sent to or received from a specific domain can provide insights into the type of application being used. For instance, frequent, high-volume data transfers indicate a cloud storage solution, while sporadic, low-volume transfers point to a specialized industry-specific tool.
  • Port Analysis: Many applications, including SaaS ones, use specific ports to communicate. Monitoring which ports are open and have active data transfers can give additional hints about the kind of application in use.
  • Protocol Analysis: By examining the protocols in use, such as HTTP, HTTPS, FTP, etc., network monitoring tools can deduce the kind of service or application being accessed.
  • Deep Packet Inspection (DPI): Advanced network monitoring solutions might employ DPI to examine a network packet's data part (and possibly the header) as it passes an inspection point. This deep inspection can reveal application-specific signatures, further enhancing the accuracy of SaaS app discovery.


When using specific network diagnostic tools, various implications can be considered. These tools may cause network latency due to resource-intensive processes and may not capture traffic from devices outside the corporate network, leading to blind spots. Additionally, the sheer volume of network traffic data in larger setups can be overwhelming without proper filtering. 

3. Browser Extensions

Browser extensions enhance web browsers with added functionalities. They are often deployed to monitor new SaaS applications, collecting data from extensions installed on company devices. Analyzing this data reveals SaaS application usage patterns. Browser extensions stand out in SaaS discovery, recording real-time employee SaaS adoption. The immediacy of the browser also offers an avenue to guide users toward more secure SaaS usage.

Resmo capitalizes on this by integrating with Google Workspace and browser extensions to document SaaS logins. This dual integration furnishes richer, nuanced data. Here's how it unfolds: Resmo's admin performs a straightforward setup for SaaS Discovery, pinpointing organizational employees. These identified employees receive a one-click browser extension installation invitation. Upon installation—compatible with both Chrome and Edge—Resmo begins tracking SaaS logins, presenting findings on the SaaS Discovery dashboard.


To use browser extensions, they must be installed on every device that needs them. However, privacy concerns associated with this method of discovery need to be addressed. Ensuring that a browser extension only collects and shares information related to SaaS application usage, not any unrelated browser activity is crucial. 

4. Integration with SSO (Single-sign-on) and IDP (Identity Providers) Platforms

Integration with SSO platforms, APIs, and Identity Providers (IDPs) offers a strategic approach to SaaS discovery. Leveraging API connections provided by SaaS vendors, organizations can detect user activity and application usage. SaaS security companies use this methodology to pinpoint misconfigurations, vulnerabilities, and potential misuse. Some platforms even extend APIs for remediation. However, the venture into API-based discovery presents challenges, including the need for detailed setup, integration by IT, and often costlier enterprise licenses.

Beyond APIs, Single-sign-on (SSO) and Identity Providers (IDPs) provide another dimension to the discovery process. They map out;

  • Application users
  • Users' respective departments
  • Hierarchy within users and even the nature of the application itself.

SSO, in particular, emerges as a robust method to track and regulate SaaS usage. It is a centralized gateway, granting companies control over approved SaaS applications.

Yet, SSO's effectiveness is limited to known, integrated applications, excluding those accessed outside its framework. The financial aspect of SSO also becomes a concern; enterprise SaaS licenses associated with SSO can be thrice as expensive as standard ones.


Despite its potential, this integrated approach has limitations. API methods differ from newly emerging SaaS solutions, primarily focusing on known entities. Also, while SSOs and IDPs offer control, they don't guarantee comprehensive application coverage. Moreover, the unfamiliarity of an average non-technical employee with SSO or social logins poses an additional challenge. Absent these login methods, crucial data sources remain untapped, leaving potential application usage undetected.

5. Email Analysis

By scrutinizing the contents and metadata of corporate emails, this approach aims to identify patterns and references to SaaS platforms that employees might be using. It's particularly beneficial in detecting SaaS subscriptions or account activations that typically send welcome or confirmation emails to users upon registration.


However, the email analysis method is full of challenges. One predominant issue is the surge of false positives. The modern corporate email inbox is inundated with marketing emails, newsletters, and promotional content. Differentiating genuine SaaS-related emails from this barrage can be tedious and error-prone. Additionally, the scope of discovery is limited to employees who utilize their official email addresses for SaaS registrations. Furthermore, only some SaaS platforms are proactive in their email communications. Many platforms might only send occasional emails or none, making them invisible to this method.

6. Native Integration with SaaS Apps

Leveraging native integrations through SaaS vendor-provided API connections is an increasingly adopted method for SaaS discovery. Such API-driven approaches facilitate the detection of users, their activities, and the overall usage of applications. Many SaaS security solutions also employ this strategy to pinpoint misconfigurations, vulnerabilities, or potential misuse of SaaS platforms. Some even offer the ability to use APIs for remedial actions.

However, this method has its caveats. API-driven SaaS discovery necessitates technical setup and integration, often demanding IT intervention. Native integrations might entail additional costs, especially if an enterprise license is required. Furthermore, its efficacy must improve when identifying newer, unrecognized SaaS solutions. Though API integrations offer insight into configurations and potential risks, their utility can be limited in capturing a comprehensive inventory of all SaaS applications.


Considering its nature, native integration primarily serves as a supplementary discovery method and may not completely unearth all shadow SaaS apps. Yet, it remains invaluable for unearthing a significant portion of them. As emphasized earlier, mere discovery isn't the zenith; it's imperative to comprehend and contextualize the findings. Without a well-charted course of action, the discovery journey risks culminating in mere sightseeing, devoid of actionable insights.

Resmo extends its capabilities by harnessing native integrations with over 100 SaaS tools, complemented by browser extensions available for Safari, Chrome, and Firefox. This combination aids in detecting SaaS usage patterns, logins, and even instances of Shadow IT.

SaaS Discovery
Resmo SaaS Discovery

7. Agents 

Agents are installed on individual devices and are most helpful in managing hybrid applications with an installed software component and an online version. Hybrid applications often have tiered pricing, and accessing the software on-premises and in the cloud comes at a cost. Agents can help you determine if there are opportunities to downgrade users from a more expensive tier to a less expensive tier based on their usage patterns.


As with SSO and API connectors, agents aren’t helpful in discovering shadow SaaS. Additionally, their time-to-value is longer than other methods due to their implementation requirements.

8. Cloud Access Security Brokers (“CASBs”)

Initially developed to mediate the connection between endpoint devices and SaaS services, Cloud Access Security Brokers, or CASBs, have evolved significantly. Defined by Gartner, CASBs function either on-premises or in cloud environments. They serve as security policy enforcement points between cloud service users and providers, injecting enterprise security measures whenever cloud-based resources are accessed.

CASBs have garnered attention for their adeptness at detecting and regulating access to SaaS platforms. Their operational capability stems from their scrutiny of network traffic, data obtained from endpoint agents, or a combination of both. Given their inherent access to network connections, CASBs can swiftly identify SaaS platforms.

A significant advantage of CASBs over traditional web proxies is their foundational design geared towards SaaS identification, making data analysis more streamlined. Yet, challenges persist, primarily due to the overwhelming volume of data they produce. Differentiating between a conventional website and a SaaS platform can be intricate, leading to many alerts. Consequently, security analysts often need help with an influx of false positives.

Moreover, their effectiveness is contingent on managed devices or the device's presence on the corporate network.


Despite their capabilities, CASBs possess inherent limitations. Their most pronounced drawback is their inability to detect SaaS interactions when users are off the corporate network. Given the surge in remote working patterns and geographically dispersed employees, this limitation presents a considerable challenge, potentially leaving vast areas of digital activity undetected.

9. Expenses / Accounts Payable

Tapping into expense or accounting systems can shed light on SaaS applications for which subscriptions have been acquired. Such integrations are crucial not only for overseeing costs but also for optimizing subscription expenses. Organizations can avail of volume discounts or streamline redundant SaaS vendors by consolidating users.

Some vendors in the market extend their services to negotiate subscription fees with SaaS providers, adding further value. However, this detection method has its limits. It's mainly geared towards SaaS solutions for which employees pay subscription bills. Most SaaS offerings operate on a free tier or adopt a freemium model. Such applications remain undetected by this method, given that they don't necessitate upfront payment.


Relying on financial records for SaaS discovery is challenging. Firstly, the data derived from spending and procurement systems often needs more uniformity, necessitating human intervention for precise interpretation. Additionally, free or inaccurately expensed applications still need to be discovered, leading to potential gaps in the SaaS overview. Furthermore, such records need to provide insights into actual application usage. Thus, distinguishing a valuable application from a redundant, unused software expenditure becomes arduous.

10. Web Proxy

Web proxy solutions are primarily designed to safeguard employees' online activities by scrutinizing their web destinations. Their core functionality revolves around evaluating potential risks associated with visited sites. Depending on the risk assessment, web proxies can limit access, such as thwarting attempts to reach known phishing or malware-laden websites. While web proxy data can be repurposed for SaaS discovery, it isn't their innate specialty.

Harnessing this data for SaaS discovery necessitates exhaustive analysis, often coupled with significant manual intervention. Their effectiveness dwindles when SaaS platforms are accessed from personal devices or outside the company's network infrastructure. Furthermore, many web proxy tools demand the installation of endpoint agents. Some of these agents might not be compatible with specific SaaS applications, leading to potential conflicts and disruptions.


When used as a SaaS discovery tool, web proxies come with inherent challenges. The data they provide is not inherently tailored for SaaS discovery, making it a labor-intensive method requiring meticulous filtering and analysis. Web proxies are significantly less effective when monitoring off-network devices or personal gadgets, creating blind spots. Endpoint agent requirements compound the challenges, especially when compatibility issues arise, causing potential disruptions in accessing specific SaaS platforms.

Wrap Up

There are numerous methods for SaaS app discovery, and while each has its merits, they also come with their own set of drawbacks and blind spots. In practice, many organizations employ a combination of these methods to address the gaps left by any single technique.

Resmo SaaS Discovery stands out by amalgamating browser and API data, guaranteeing precise detection without the risk of false positives. With Resmo's Shadow IT App Discovery, organizations can comprehensively track all SaaS applications – including free tiers and trials – allowing them to sail away to the hidden lands and bolster their security.

Ready to embark on this journey? Explore Resmo SaaS Discovery now!

Keep Discovering:

Continue Reading

next article

17 Best SIEM Tools to Try in 2024

Sign up for our Newsletter