How to detect Shadow IT ?


Discover various methods to identify unofficial applications, known as Shadow IT, used within a company

How to detect shadow IT illustration
How to detect shadow IT illustration


Matthieu BONNARD

Matthieu Bonnard


Read time

7 mn



Rather than trying to completely eliminate Shadow IT, the process of regaining control begins with identifying unofficial applications used within the company without the consent of the Information Systems Management (DSI). This approach promotes better governance and allows for the anticipation of potential problems.

Different methods and techniques to detect the use of unauthorized applications are available, and they can vary depending on the size of the company, the industry, and the sensitivity of the information processed.

In this article, we detail these methods, explain how they work, and discuss their strengths and weaknesses to help you choose the best option for your business.

Network Analysis

A technical approach involves meticulously analyzing network flows, particularly HTTP and DNS flows, with the aim of identifying the use of external web (SaaS) applications.

Some specific platforms natively perform this analysis:

  • Next Generation Firewalls (NGFW) perform this analysis and generate associated reports. Certain equipment manufacturers, such as Palo-Alto and Fortinet, have distinguished themselves in this field through their performance and expertise. However, in the era of remote work, it's important to note that a company's network flows don't necessarily pass through the corporate firewall, and it's crucial to take this reality into account when implementing these devices.

  • Proxies or CASBs (Cloud Access Security Broker) are specifically dedicated to this task. This is particularly true for CASBs which, in addition to owning features for analyzing the use of SaaS applications, offer functionalities that secure their access. These tools are essential for optimal security of data and sensitive information.

However, network analysis has its limitations. For example, it cannot detect applications used via VPNs or proxy connections. Moreover, it may not be able to detect applications used on personal devices or outside of the company's network.

SSO Portal

An increasing number of SaaS applications now offer registration and authentication via an identity federation, as demonstrated by the ubiquitous "Sign in with Google/Microsoft" buttons. These identity federations, when associated with a corporate email address, reference the originating application in the "enterprise applications". This is another method to detect SaaS applications.

This method offers a wide array of opportunities but also has its limitations. The most obvious is that it only allows the registration done via SSO to be seen. This means if a user signs up via another method, it will not be detected by this method. Despite this limitation, it remains a valuable tool in our detection arsenal.

Inventory of Installed Programs

Workstation management platforms are particularly useful tools that often allow for a detailed inventory of software installed on a computer. Thanks to this feature, it is possible to identify the presence of certain software, which can reveal the use of SaaS applications that provide native clients, like Notion, Slack, among others.

This proves particularly useful for discovering the existence of various services. For example, it can detect:

  • File sharing services, which are essential in a collaborative work environment. Notable examples include Google Drive and Dropbox.

  • Alternative video-conference and messaging applications, which allow for effective communication within the company. Popular choices include Discord and What’s App.

  • Productivity tools, which assist employees in organizing their work and boosting their efficiency. This encompasses calendar apps, to-do lists, note taking tools, and many more.

In a context where such a platform is implemented within the company, Endpoint Detection and Response systems, also known as EDR, can prove to be particularly useful. These systems can not only detect and respond to various potential threats, but they are also capable of listing the applications installed on user peripherals.

However, the inventory of installed programs has a potentially invasive aspect. Indeed, this method requires the installation of an agent on user workstations, which can be perceived as an intrusion into their privacy. Therefore, it's essential to communicate transparently with employees and to respect regulations relative to personal data protection when implementing this method.

Credit Card Transaction Analysis

The use of a SaaS application often involves subscribing to a plan. This step is usually facilitated by the fact that operational teams, which have the autonomy to subscribe to a SaaS solution, can use the company's credit card to do so. (Indeed, SEPA direct debits require a more significant commitment)

These credit card transactions can then be identified in the company's bank statements. There are platforms that exploit this data source to detect the use of SaaS applications. These platforms, known as SMPs (SaaS Management Platforms), complement this analysis with financial consolidation and associated recommendations.

Among these recommendations are:

  • Reducing the number of unused "seats" on a subscription

  • Streamlining duplicate subscriptions within the company

However, this method has a major weakness: it does not allow the identification of free applications, nor those that have been subscribed to with a personal credit card (which can occur, for example, when the employee is reimbursed through expense reports). This is a limitation to keep in mind when using these platforms.

At Freety, a 200-person company that uses several SaaS applications for its daily operations.
On the credit card statement, a monthly billing of $80 is noticed on the Marketing team's credit card. The credit card entry description indicates "Trello Inc."
This is a usage of Trello (project management) for 8 users.

Employee Surveys

It's also interesting, even essential, to directly ask the interested parties which applications they use daily in their activities. Far from wanting to conceal this information, they can provide valuable details that will complete a pre-existing list (built on the basis of the methods mentioned above) or fill out an open and detailed form.

This is an invaluable opportunity to gather additional and in-depth information, such as the criticality level of the application, their satisfaction level regarding its use, as well as the identification of the application manager.

The survey, to be effective and relevant, can be conducted periodically. An annual basis seems to be a manageable and reasonable timeline for most organizations. Furthermore, a form can be integrated into a continuous data collection process, thus allowing the continuous collection of new applications that business leaders declare throughout the year. This will maintain an up-to-date and accurate view of the company's application ecosystem.


To detect Shadow IT, several methods can be used: network flow analysis via application firewalls or proxies, inventory of programs installed on workstations, bank transaction analysis, and surveys among employees. Each method has its advantages and disadvantages, and the choice depends on the size of the company, the industry, and the sensitivity of the information processed."

Smarter way to map your applications

Smarter way to map your applications