“We Use 30 Apps.” Are You Sure?
- Martin Snyder
- 3 days ago
- 3 min read

Most organizations believe they use a few dozen SaaS apps. In reality, the number is often 10–20× higher. Here’s why that gap matters for security and compliance.
The Illusion of Knowing Your Stack
Ask any IT or security leader how many SaaS applications their organization uses and you’ll likely hear a confident answer: “Around 30.” It feels reasonable — a CRM, a file-sharing platform, HR software, a few collaboration tools.
But according to Waldo Security’s 2025 SaaS & Cloud Discovery Report, that estimate is almost always wrong.
97% of SaaS apps are unknown to IT.
That means for every 30 apps you think you use, hundreds more operate unseen — storing data, authenticating users, and creating new attack surfaces outside your visibility.
Where the Hidden Apps Come From
Shadow SaaS isn’t built out of malice; it’s born out of convenience. Employees adopt tools to solve immediate problems — a survey tool for marketing, an AI assistant for sales, or a workflow platform for design.
Every connection — from Google Drive plug-ins to OAuth-granted AI bots — becomes a new data path into and out of the organization. And because those tools never go through security review, they rarely enforce the policies your approved stack depends on.
This pattern mirrors what CISA describes in its Secure Cloud Business Applications (SCuBA) guidance: unmanaged cloud integrations extend your perimeter far beyond your control.
What IT Doesn’t See, Compliance Can’t Prove
Visibility isn’t just a security goal — it’s a compliance requirement. Frameworks such as ISO 27001 and the NIST Privacy Framework require organizations to maintain accurate inventories of information systems and data flows.
When 93% of SaaS apps lack any standard certification, auditors and regulators see exposure, not oversight.
Without discovery, you can’t demonstrate which vendors handle sensitive data or confirm that offboarding revokes access to all connected services.
In short: if you can’t list it, you can’t govern it.
The Multi-Cloud Problem You Didn’t Approve
Shadow SaaS often extends into full Shadow Cloud accounts — entire AWS, Azure, or GCP tenants created outside your cloud-governance pipelines.
The 2025 report found 100% of organizations had at least one unauthorized cloud environment. Each of these environments can contain identities, data stores, and compute workloads invisible to IAM, SIEM, or compliance teams.
The CISA Zero Trust Maturity Model explicitly warns that uncontrolled cloud instances undermine both identity governance and continuous monitoring.
How “We Use 30 Apps” Turns into 300+
Let’s break down a typical discovery snapshot from the field:
| Category | Estimated | Discovered | Hidden Sources of Risk |
|---|---|---|---|
| Productivity & Collaboration | 8 | 65+ | Browser plug-ins, AI assistants |
| HR & Payroll | 3 | 20+ | Contractor portals, benefits apps |
| Marketing | 4 | 90+ | Analytics tags, email automation |
| Development | 10 | 50+ | APIs, open-source tools |
| Cloud Infrastructure | 5 | 15+ | Unmanaged CSP tenants |
| Total | ≈ 30 (expected) | 240–300 (actual) | |
Every value in the “Discovered” column represents apps connected through OAuth, API keys, or SSO integrations — many never registered in any internal inventory.
Identity: The First Domino
Even when organizations deploy single sign-on, it often covers only a fraction of active tools. “Supports SSO” does not mean the app enforces SSO. Without mandatory configuration, users revert to basic credentials, defeating enterprise controls.
A Quick Self-Test
Run this five-minute test with your team:
Export all connected OAuth tokens from your Google Workspace or Microsoft 365 tenant.
Count unique application names.
Cross-check them with your approved vendor list.
Highlight every app lacking MFA or compliance documentation.
If the number exceeds 30, you’ve just discovered why visibility — not policy — defines your SaaS security maturity.
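The self-test above, steps 2 to 4, as an added Python example (not the post’s or Waldo Security’s own tooling). It assumes you have already exported OAuth grants to a CSV with app_name, user and scopes columns (a constructed sample is embedded; real Google Workspace or Microsoft 365 exports use different column names) and that your approved-vendor register records the compliance evidence on file for each vendor.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of OAuth grants: one row per (app, granting user).
# Column names are an assumption; a real Workspace or M365 export will differ.
SAMPLE_GRANTS_CSV = """app_name,user,scopes
Salesforce,alice@example.com,openid email
Salesforce,bob@example.com,openid email
SurveyWhiz,carol@example.com,https://www.googleapis.com/auth/drive.readonly
AIChatHelper,dave@example.com,https://www.googleapis.com/auth/gmail.readonly https://www.googleapis.com/auth/drive
FlowBoard,erin@example.com,openid
Slack,alice@example.com,openid email profile
"""

# Constructed approved-vendor register: vendor name -> compliance evidence on file.
APPROVED_VENDORS = {"Salesforce": "SOC 2 Type II", "Slack": "ISO 27001"}

# Scope prefixes that reach corporate mail or files. The Google scope names are
# real; treating exactly these as "broad" is this example's own assumption.
DATA_SCOPE_PREFIXES = ("https://www.googleapis.com/auth/drive",
                       "https://www.googleapis.com/auth/gmail")


def parse_grants(csv_text):
    """Collapse per-user grant rows into one record per unique app name (step 2)."""
    apps = defaultdict(lambda: {"users": set(), "scopes": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = apps[row["app_name"].strip()]
        rec["users"].add(row["user"])
        rec["scopes"].update(row["scopes"].split())
    return dict(apps)


def triage(apps, approved):
    """Cross-check against the vendor list (step 3) and highlight (step 4)."""
    unapproved = sorted(a for a in apps if a not in approved)
    data_access = {a for a, r in apps.items()
                   if any(s.startswith(DATA_SCOPE_PREFIXES) for s in r["scopes"])}
    return {
        "unique_apps": len(apps),
        "unapproved": unapproved,
        # An app missing from the register has no compliance documentation on
        # file; those that also hold mail/file scopes are the ones to review first.
        "review_first": [a for a in unapproved if a in data_access],
    }


if __name__ == "__main__":
    result = triage(parse_grants(SAMPLE_GRANTS_CSV), APPROVED_VENDORS)
    print(f"{result['unique_apps']} unique apps, {len(result['unapproved'])} not in the vendor register")
    for app in result["review_first"]:
        print(f"  review first: {app} (unapproved and holds mail/file scopes)")
```

On the sample data this finds 5 unique apps, 3 of them outside the register, and flags the two that hold Drive or Gmail scopes for review first.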
Building Continuous Visibility
Discovery must be continuous. Every new OAuth grant, browser extension, or cloud account changes the map of your attack surface.
Waldo Security’s SaaS & Cloud Discovery Engine provides:
Automated enumeration of SaaS and Shadow CSP accounts
Identity and OAuth risk classification
Compliance-framework mapping
Continuous monitoring for new connections
This approach aligns with modern Zero Trust principles by ensuring no application, user, or tenant is trusted by default — visibility is verified, not assumed.
Conclusion: If You Can’t See It, You Can’t Secure It
When a team says, “We use 30 apps,” what they really mean is, “We see 30 apps.” The rest live in the shadows — unmonitored, unclassified, and unprotected.
Visibility is the foundation of every compliance control, every identity strategy, and every Zero Trust program.
Start by discovering what’s really there. Then, map it, classify it, and govern it.
See how other organizations are tackling SaaS and Cloud Discovery challenges in the 2025 Waldo Security Report.
About Waldo Security
Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating Shadow IT, unmanaged identities, and OAuth risk, Waldo enables CISOs and security leaders to strengthen compliance and governance across their entire SaaS footprint.
