Three Queries to Find Your Top 10 Risks Today


You don’t need a new tool to find your biggest SaaS and cloud risks — just the right queries. Here are three you can run today to surface your top 10 exposures.


Start with What You Already Have

Every organization already has the data needed to uncover its riskiest SaaS and cloud exposures — it’s just fragmented across identity providers, cloud logs, and OAuth tokens. The key is knowing what to ask.


  • 97% of SaaS apps are unknown to IT.

  • < 1% of SaaS accounts enforce MFA.

  • 100% of organizations have at least one unauthorized AWS, Azure, or GCP account.


These blind spots exist not because the data isn’t there — but because no one’s querying it.

Here are three quick, high-impact queries you can run today to reveal your Top 10 Risks.


Query 1: Find All OAuth Tokens with File or Inbox Access

Objective: Identify integrations that could silently exfiltrate data.

OAuth tokens often outlive users, persist across deprovisioning, and bypass MFA. They’re one of the most common causes of “ghost access” incidents — lingering connections that continue syncing after an employee departs.


Example query (for Microsoft 365 or Google Workspace):

SELECT *
FROM oauth_grants  -- assumed name for your OAuth-grant export or view
WHERE (oauth_scope LIKE '%drive%' OR oauth_scope LIKE '%mail%')  -- parentheses: AND binds tighter than OR
  AND last_activity > 0  -- assumed epoch timestamp; > 0 means the token has actually been used
ORDER BY last_activity DESC
LIMIT 10;

This query lists your top active OAuth connections with access to files or inboxes — the exact category the CISA Secure Cloud Business Applications (SCuBA) framework calls out as high-risk.


If you find any apps you don’t recognize, revoke access immediately and document them for governance follow-up.


Query 2: List All SaaS Accounts Without MFA

Objective: Identify identities most likely to be compromised.

Even though MFA is one of the simplest and most effective security controls, fewer than 1% of SaaS accounts enforce it organization-wide.


Example query (for Okta, Entra ID, or custom IAM):

SELECT *
FROM identities  -- assumed name for your IdP user export or view
WHERE mfa_enrolled = false
  AND app_type = 'SaaS'
ORDER BY last_login DESC
LIMIT 10;

Each account here represents a potential entry point into your organization’s data — especially if the SaaS app integrates with email, file storage, or messaging.


For Zero Trust maturity, every SaaS and cloud connection should have enforced MFA as defined by the CISA Zero Trust Maturity Model.


Query 3: Surface All Cloud Accounts Without Known Owners

Objective: Reveal the unmanaged infrastructure behind Shadow CSP environments.

Cloud sprawl isn’t limited to SaaS — many organizations discover entire AWS, Azure, or GCP accounts that no one officially owns. These “orphaned” tenants frequently host outdated credentials, unencrypted data, or workloads without logging.


Example query (for AWS Config or CSPM tools):

SELECT *
FROM cloud_accounts  -- assumed name for your AWS Config or CSPM inventory
WHERE owner_tag IS NULL
  AND resource_type = 'account'
ORDER BY creation_date ASC  -- oldest unowned accounts first
LIMIT 10;

Each result here deserves immediate review. If your governance system can’t assign ownership, the account falls outside compliance scope — meaning it also falls outside your visibility.


This exact issue is what drives the 100% Shadow CSP rate reported in Waldo Security’s 2025 findings.
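As an added example (not code from the original article or from Waldo Security), the three queries above are run end to end against a small constructed sample of the IdP, OAuth and CSPM exports they assume. Table names and any columns not named in the article are assumptions; the sample rows are made up to exercise each filter, including a granted-but-unused token and a non-account cloud resource.

```python
import sqlite3

# Constructed sample exports (not real data); columns follow the article's queries.
OAUTH_GRANTS = [  # (app_name, oauth_scope, last_activity as epoch seconds)
    ("DocSyncer", "drive.readonly mail.read", 1_720_000_000),
    ("OldBackup", "drive",                    0),  # granted but never used
    ("MailMerge", "mail.send",                1_715_000_000),
]
SAAS_ACCOUNTS = [  # (user_email, app_name, app_type, mfa_enrolled, last_login)
    ("a@example.com", "Salesforce", "SaaS",  1, 1_720_000_000),
    ("b@example.com", "HubSpot",    "SaaS",  0, 1_719_000_000),
    ("c@example.com", "Jira",       "SaaS",  0, 1_700_000_000),
    ("d@example.com", "VPN",        "infra", 0, 1_721_000_000),  # not a SaaS app
]
CLOUD_ACCOUNTS = [  # (account_id, resource_type, owner_tag, creation_date)
    ("111111111111", "account", "platform-team", "2021-03-01"),
    ("222222222222", "account", None,            "2019-07-15"),  # no owner tag
    ("vpc-0abc",     "vpc",     None,            "2020-01-01"),  # not an account
]

# The article's queries completed with SELECT/FROM, explicit parentheses and assumed table names.
TOP10_QUERIES = {
    "oauth_file_or_inbox": """
        SELECT app_name FROM oauth_grants
        WHERE (oauth_scope LIKE '%drive%' OR oauth_scope LIKE '%mail%')
          AND last_activity > 0
        ORDER BY last_activity DESC LIMIT 10""",
    "saas_without_mfa": """
        SELECT user_email, app_name FROM saas_accounts
        WHERE mfa_enrolled = 0 AND app_type = 'SaaS'
        ORDER BY last_login DESC LIMIT 10""",
    "cloud_without_owner": """
        SELECT account_id FROM cloud_accounts
        WHERE owner_tag IS NULL AND resource_type = 'account'
        ORDER BY creation_date ASC LIMIT 10""",
}

def load_sample_db() -> sqlite3.Connection:
    """Load the constructed exports into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE oauth_grants(app_name, oauth_scope, last_activity)")
    con.execute("CREATE TABLE saas_accounts(user_email, app_name, app_type, mfa_enrolled, last_login)")
    con.execute("CREATE TABLE cloud_accounts(account_id, resource_type, owner_tag, creation_date)")
    con.executemany("INSERT INTO oauth_grants VALUES (?,?,?)", OAUTH_GRANTS)
    con.executemany("INSERT INTO saas_accounts VALUES (?,?,?,?,?)", SAAS_ACCOUNTS)
    con.executemany("INSERT INTO cloud_accounts VALUES (?,?,?,?)", CLOUD_ACCOUNTS)
    return con

def run_top10(con: sqlite3.Connection) -> dict:
    """Run all three risk queries; returns {query_name: [row, ...]}."""
    return {name: con.execute(sql).fetchall() for name, sql in TOP10_QUERIES.items()}
```

Point the three INSERT statements at your real exports (CSV from your IdP, OAuth admin console and CSPM) and the same queries become the weekly check the next section asks you to automate.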


What These Queries Reveal

Together, these three simple queries expose the patterns behind most modern SaaS and cloud security incidents:

  1. Persistent tokens that outlive users.

  2. Weak authentication across SaaS accounts.

  3. Unowned cloud environments operating in the dark.


Each finding connects back to one truth: you can’t enforce compliance or Zero Trust on what you can’t see.


From Queries to Continuous Discovery

Once you’ve run these initial searches, automate them. Visibility shouldn’t be a one-time exercise — it should evolve with every new app, identity, and cloud service.

Waldo Security’s SaaS & Cloud Discovery Engine transforms these ad hoc checks into continuous visibility by:

  • Mapping every SaaS and Shadow CSP account

  • Flagging unmanaged OAuth and identity connections

  • Correlating risk findings with compliance frameworks like NIST Privacy Framework and ISO 27001

  • Updating findings dynamically as new connections appear


Conclusion: The Questions Define the Visibility

You don’t need another dashboard to start improving SaaS security — you need better questions. The three queries above can surface your riskiest connections within minutes, and they work with data you already have.

The difference between compliance confidence and hidden exposure often comes down to who’s asking — and what they’re asking for.

👉 See how other organizations are tackling SaaS and Cloud Discovery challenges in the 2025 Waldo Security Report.


About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating Shadow IT, unmanaged identities, and OAuth risk, Waldo enables CISOs and security leaders to strengthen compliance and governance across their entire SaaS footprint.

