What 10,000 SaaS Discoveries Taught Us About Enterprise Blind Spots

SaaS Discovery

Short version: your app catalog is lying to you. After 10,000+ discovery runs, the same patterns show up: entire tenants nobody owns, OAuth apps with durable tokens, and AI tools running under personal identities. Waldo Security gives you the truth map in minutes—we discover every SaaS app, tenant, account, and OAuth grant, flag SSO/MFA gaps and risky scopes, and export audit-ready evidence. Start with Instant SaaS Discovery and keep proof tidy with the SaaS Compliance Overview.


Field Notes from 10,000+ Scans (10 fast insights)

  1. Your “apps in use” number is off—by a lot. Okta’s latest Businesses at Work shows the global average finally broke 101 apps per company, and BetterCloud still observes ~106 in practice. If your catalog lists 30–40, you’re missing half the estate before you start. (Okta)

  2. Credentials still beat configs. In the 2025 Verizon DBIR, ~88% of Basic Web App Attacks used stolen credentials. If an app allows password logins or keeps refresh tokens alive, posture checks won’t save you. Enforce SSO/MFA and hunt for non-SSO paths. (Verizon)


  3. Discovery must be multi-signal, or it isn’t real. CISA’s Cloud Security TRA is blunt about the order of operations: inventory → least privilege → logging for cloud/SaaS. Identity logs alone won’t catch tenants and plug-ins that never touch your IdP. (CISA)

  4. OAuth is your quiet SSO bypass. One user click can grant broad write scopes plus offline_access, minting long-lived refresh tokens. Microsoft Entra’s own guidance says: limit end-user consent to verified publishers and selected permissions; route the rest to admins. (Microsoft Learn)

  5. AI multiplied identities overnight. Netskope reports 9.6 genAI apps on average per org, with ~94% of enterprises using genAI at all. Many run under personal accounts or extensions—outside SSO and your logs. (Netskope)

  6. Duplicate tenants behave like shadow suppliers. “Pilot” becomes production in a second tenant with local passwords and public links. Your risk register rarely lists it; your IR plan doesn’t either.

  7. Public links act like anonymous users. They aren’t “accounts,” but they’re identities with access. Every discovery project that checks link posture finds world-readable documents in at least one sensitive workspace.

  8. Guests quietly turn into owners. Cross-tenant collaborators accumulate editor/admin roles. If no internal owner is attached, your access reviews miss them—especially after project handoffs.

  9. Spend trails reveal what logs miss. Card charges and SaaS invoices routinely surface services with no IdP events. We see this most in GTM and Data teams (adtech, connectors, BI plug-ins).

  10. Evidence speed correlates with lower loss. IBM’s 2025 report pegs the global average breach at ~$4.44M, with lower costs tied to faster identification and containment—which requires live inventory and streaming SaaS logs, not screenshot marathons. (IBM)

The 4 Biggest Blind Spots (and the fix)

1) Traffic without identity
Symptom: proxy/DNS shows active SaaS domains; your IdP shows zero sign-ins.
Fix: treat “egress ≠ IdP” as an incident until proven otherwise; bring the app into SSO or shut it down. (TRA’s visibility-first principle.) (CISA)


2) Password paths into “SSO-only” apps
Symptom: users still authenticate with passwords where SSO is supposedly mandatory.
Fix: alert on password logins to cataloged apps and flip enforcement on high-risk systems first (customer data, HR/finance, code). DBIR says this closes the most abused door. (Verizon)


3) Persistent OAuth grants
Symptom: offline_access + write scopes keep syncing after password changes.
Fix: in Entra, restrict end-user consent, require admin approval for high-privilege scopes, and regularly revoke idle grants. Mirror the model in Google with App access control. (Microsoft Learn)

4) Shadow AI identities
Symptom: genAI tools and extensions copy text/code under personal identities.
Fix: allowlist verified AI apps, bind usage to enterprise identities, and monitor domains. Netskope’s data shows this category only grows. (Netskope)

Copy/Paste: 5 Queries That Surface Blind Spots Fast

  • Apps with traffic but no enterprise identity:
    SELECT domain FROM proxy_logs WHERE domain IN (SELECT domain FROM known_saas) EXCEPT SELECT domain FROM idp_signins;

  • Password logins to SSO-catalog apps:
    SELECT user, app FROM idp_signins WHERE app IN (SELECT app FROM sso_catalog) AND auth_method='password'; (Verizon)

  • Persistent & privileged OAuth (~* is the case-insensitive regex match, so scopes like Files.ReadWrite.All are caught):
    SELECT app, user, scopes FROM oauth_grants WHERE scopes ILIKE '%offline_access%' AND scopes ~* '(ReadWrite|mail.send|files.*write)'; (Microsoft Learn)

  • Unmapped SaaS users:
    SELECT s.user_email FROM saas_users s LEFT JOIN idp_directory d ON lower(s.user_email)=lower(d.email) WHERE d.email IS NULL;

  • GenAI not tied to enterprise identities:
    SELECT DISTINCT user FROM proxy_logs WHERE domain IN (SELECT domain FROM genai_app_list) AND NOT EXISTS (SELECT 1 FROM idp_signins i WHERE i.user=proxy_logs.user); (Netskope)
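The five queries run end-to-end, as an added example that is not from the original post: it loads constructed sample tables into SQLite and returns each query's findings, with the lookups written as subqueries and a REGEXP function registered in place of the Postgres regex operator. Table and column names follow the queries above; the sample rows are made up.

```python
import re
import sqlite3

# Constructed sample tables (hypothetical data, not from any real tenant).
SEED = """
CREATE TABLE known_saas(domain);      CREATE TABLE genai_app_list(domain);
CREATE TABLE sso_catalog(app);        CREATE TABLE proxy_logs(user, domain);
CREATE TABLE idp_signins(user, app, domain, auth_method);
CREATE TABLE oauth_grants(app, user, scopes);
CREATE TABLE saas_users(user_email);  CREATE TABLE idp_directory(email);
INSERT INTO known_saas VALUES ('notion.so'),('hubspot.com'),('salesforce.com');
INSERT INTO genai_app_list VALUES ('chat.openai.com');
INSERT INTO sso_catalog VALUES ('Salesforce'),('Workday');
INSERT INTO proxy_logs VALUES ('alice','notion.so'),('bob','hubspot.com'),
  ('dave','chat.openai.com'),('alice','chat.openai.com');
INSERT INTO idp_signins VALUES ('alice','Notion','notion.so','sso'),
  ('bob','Salesforce','salesforce.com','password'),('carol','Workday','workday.com','sso');
INSERT INTO oauth_grants VALUES ('MailSync','alice','offline_access Mail.ReadWrite'),
  ('CalView','bob','Calendars.Read'),('DocBot','carol','offline_access Files.ReadWrite.All');
INSERT INTO saas_users VALUES ('alice@example.com'),('Bob@Example.com'),('contractor@gmail.com');
INSERT INTO idp_directory VALUES ('alice@example.com'),('bob@example.com');
"""

# Portable forms of the page's queries: "IN table" -> "IN (SELECT ...)", ILIKE -> LIKE
# (case-insensitive for ASCII in SQLite), Postgres "~" -> REGEXP registered below.
QUERIES = {
    "traffic_no_identity": """SELECT domain FROM proxy_logs
        WHERE domain IN (SELECT domain FROM known_saas) EXCEPT SELECT domain FROM idp_signins""",
    "password_to_sso_app": """SELECT user, app FROM idp_signins
        WHERE app IN (SELECT app FROM sso_catalog) AND auth_method='password'""",
    "persistent_privileged_oauth": """SELECT app, user, scopes FROM oauth_grants
        WHERE scopes LIKE '%offline_access%' AND scopes REGEXP '(ReadWrite|mail.send|files.*write)'""",
    "unmapped_saas_users": """SELECT s.user_email FROM saas_users s
        LEFT JOIN idp_directory d ON lower(s.user_email)=lower(d.email) WHERE d.email IS NULL""",
    "genai_personal_identity": """SELECT DISTINCT user FROM proxy_logs
        WHERE domain IN (SELECT domain FROM genai_app_list)
        AND NOT EXISTS (SELECT 1 FROM idp_signins i WHERE i.user=proxy_logs.user)""",
}

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite evaluates "X REGEXP Y" as regexp(Y, X); matched case-insensitively (use ~* on Postgres).
    conn.create_function("REGEXP", 2, lambda pat, s: re.search(pat, s or "", re.I) is not None)
    conn.executescript(SEED)
    return conn

def find_blind_spots(conn: sqlite3.Connection) -> dict:
    # Returns {query_name: sorted rows}; any non-empty list is a finding to triage.
    return {name: sorted(conn.execute(sql).fetchall()) for name, sql in QUERIES.items()}
```

Point the same queries at your real proxy, IdP and grant exports; only the seed data needs to change.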


A 30-Day, Low-Drama Plan

Week 1 — See
Run discovery across identity + collaboration + DNS/proxy + spend; publish owners, SSO/MFA status, admin count, OAuth scopes, and data sensitivity. (TRA says inventory first.) (CISA)


Week 2 — Enforce
Close password paths on high-risk apps; restrict Entra user consent to verified publishers and selected permissions; require admin approval for write/tenant-wide scopes. (Microsoft Learn)


Week 3 — Contain
Revoke idle offline_access grants; disable public links in sensitive spaces; expire guest elevations; bind genAI usage to enterprise identities. (Google Help)


Week 4 — Prove
Stream SaaS audit logs to your SIEM; ship a monthly packet with SSO coverage, admin changes, OAuth diffs, offboarding timestamps, and link/guest exceptions. (Faster ID/containment = lower breach cost.) (Baker Donelson)
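Weeks 3 and 4 both turn on grant data: revoking idle offline_access grants and shipping OAuth diffs in the monthly packet. The following added example (not from the original post) does both over two constructed grant snapshots, reusing the scope pattern from the queries above; the snapshot shape and the 90-day idle threshold are assumptions.

```python
import re
from datetime import date

# Constructed grant snapshots (hypothetical): {(app, user): {"scopes": set, "last_used": date}}.
BEFORE = {
    ("MailSync", "alice"): {"scopes": {"offline_access", "Mail.Read"}, "last_used": date(2025, 9, 20)},
    ("OldBot", "bob"): {"scopes": {"offline_access", "Files.ReadWrite.All"}, "last_used": date(2025, 5, 1)},
}
AFTER = {
    ("MailSync", "alice"): {"scopes": {"offline_access", "Mail.Read", "Mail.Send"}, "last_used": date(2025, 9, 28)},
    ("OldBot", "bob"): BEFORE[("OldBot", "bob")],
    ("NewCRM", "carol"): {"scopes": {"Contacts.Read"}, "last_used": date(2025, 9, 25)},
}
TODAY = date(2025, 10, 1)  # assumed packet date

# Same high-privilege pattern as the "Persistent & privileged OAuth" query.
PRIVILEGED = re.compile(r"(ReadWrite|mail\.send|files.*write)", re.I)

def is_privileged(scope: str) -> bool:
    return PRIVILEGED.search(scope) is not None

def oauth_diff(before: dict, after: dict) -> dict:
    """Month-over-month grant changes for the evidence packet."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    escalated = []  # existing grants that gained a privileged scope since the last snapshot
    for key in after.keys() & before.keys():
        new_scopes = after[key]["scopes"] - before[key]["scopes"]
        if any(is_privileged(s) for s in new_scopes):
            escalated.append((key, sorted(new_scopes)))
    return {"added": added, "removed": removed, "escalated": sorted(escalated)}

def idle_offline_grants(grants: dict, today: date, max_idle_days: int = 90) -> list:
    """Grants holding offline_access (a live refresh token) unused beyond the threshold: revoke these."""
    return sorted(k for k, g in grants.items()
                  if "offline_access" in g["scopes"] and (today - g["last_used"]).days > max_idle_days)
```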


Bottom Line

The biggest risks hide in what you’re not looking at: unknown services, unmanaged identities, durable tokens, and shadow AI. The fix isn’t another point tool; it’s governing usage at the SaaS layer—see everything, enforce least privilege, and keep live evidence. If you want the fast path, get your real map with Instant SaaS Discovery and keep auditors, customers, and your board confident with SaaS Compliance Overview.
