SaaS discovery tools compared: A 2025 guide to finding and managing shadow IT

Not all SaaS discovery methods are created equal. Learn the pros and cons of different approaches and how Nudge Security delivers full visibility on Day One.

Modern enterprises run on SaaS. Hundreds (often thousands) of apps power every org, with novel tools popping up constantly, in every corner of the business. SaaS adoption happens fast, and it happens right at what we call the “workforce edge”—it is almost entirely employee-led, and there is no central gatekeeper, which leaves security and IT teams scrambling to keep up.

That’s where SaaS discovery tools come in, with lofty promises to reveal the shadow IT lurking in your environment.

But with a growing market and a maze of vendor claims, how do you separate real visibility from misleading fluff? Let’s cut through the noise and break down the most common SaaS discovery methods, so you can find the right fit for your organization.

What is SaaS discovery?

SaaS discovery is the process of identifying and cataloging all cloud-based software applications used within an organization. This includes apps that are procured and sanctioned by IT as well as “shadow SaaS”—the long tail of apps that your employees experiment with and adopt without going through a formal IT process.

Not unlike the asset discovery and inventory systems developed for enterprise networks of yore, the purpose of SaaS discovery is to create a comprehensive system of record of all SaaS assets in use across your organization. But, instead of assets like servers, workstations, and installed software, a SaaS asset inventory captures third-party SaaS vendors, apps and instances, user accounts, authentication and entitlement data, integrations across apps, and other critical SaaS resources and data.

Effective SaaS discovery can help you answer important questions like:

  • Where is my critical data handled or stored across the cloud?
  • Who—and what—has access to it?
  • Who are the third-party vendors that handle our SaaS data? Do they meet our security standards?
  • Who owns and administers each app?
  • Which SaaS apps are we paying for, and how much are we paying?

While DIY SaaS discovery (an old-fashioned spreadsheet and lots of hunting and gathering) can get you part of the way there, an automated SaaS discovery solution can fill in important gaps and help you save significant time and resources.

Why is SaaS discovery important?

Having a comprehensive and reliable SaaS inventory is an important precursor to multiple critical functions:

  • Security risk management: You can’t secure what you don't know exists. Undiscovered apps may contain sensitive data and present security vulnerabilities.
  • Cost optimization: Gartner estimates that 25 percent of SaaS is underutilized or over-deployed. Discovery helps identify redundant subscriptions, unused licenses, and opportunities for consolidation.
  • Compliance requirements: Many regulatory frameworks require organizations to know where their data resides, how it's protected, and who has access to it.
  • Offboarding efficiency: When employees leave, IT teams must ensure access is removed across all platforms—not just the ones they know about.
  • Authentication governance: Discovery helps identify which apps are using proper authentication methods and which need security enhancements.

The consequences of incomplete SaaS tracking can be significant: Former employees may retain access to sensitive systems long after departure, unused licenses continue to drain budgets, redundant applications proliferate across teams, and critical security configurations go unmonitored. Organizational changes such as a merger or acquisition can further exacerbate those challenges. Without a comprehensive system of record, organizations struggle to properly manage their SaaS ecosystem, leading to increased costs, security risks, and operational inefficiencies.

“Nudge has paid for itself in the time that it has given me back. And to be frank, I wouldn't have found a lot of the things that Nudge identified—things like supply chain breaches that companies often keep quiet about.”
—Ronald J. Llewellyn III, Manager of Information Technology, Wallace Plese + Dreher

Learn how Wallace Plese + Dreher finished 160+ hours of work in just 6 hours with a Nudge Security free trial →

Understanding common SaaS discovery methods

No single discovery method solves for every identity governance use case. Understanding the strengths and limitations of each approach can help organizations determine which solution will best meet their goals for ongoing SaaS security and governance.

DIY SaaS Discovery
  • Pros: No additional tool costs
  • Cons: Time-consuming; quickly becomes outdated; incomplete visibility; security risks from gaps

IdP Integrations
  • Pros: Deep visibility into identity infrastructure and integrations; enables automation; enables IdP security posture management
  • Cons: Limited to IdP-connected apps; misses username/password logins; no visibility into personal email signups

SSO Integrations
  • Pros: High-fidelity information; enables automation; good for managed apps
  • Cons: Misses majority of shadow IT; not all apps SSO-eligible; SSO tax limitations

App Integrations
  • Pros: Deep insights into specific apps and user activity; enables automation; enables security posture management
  • Cons: Limited to known apps; inconsistent API functionality; time-consuming to implement; limited app coverage

Email Discovery
  • Pros: Broad discovery coverage; finds unknown applications; historical insight; detects various account types, including username/password
  • Cons: Limited visibility into personal accounts; actual capabilities vary by vendor

Browser Extensions
  • Pros: Granular user activity data; real-time interventions; usage pattern insights
  • Cons: Misses mobile/personal device usage; limited historical data; depends on installation; may have limited domain support

Financial Analysis
  • Pros: Visibility into SaaS spend; shows purchasing patterns
  • Cons: Only captures paid apps; delayed discovery; limited usage information; may miss departmental purchases

CASBs
  • Pros: Monitors cloud service access; applies security policies
  • Cons: Limited to corporate networks; challenging for remote work; resource-intensive; requires endpoint agents

Desktop/Network Discovery
  • Pros: Monitors both web and desktop apps; analyzes traffic patterns
  • Cons: Deployment challenges; limited beyond corporate networks; not effective for remote work; privacy concerns

0. DIY SaaS discovery

Despite the array of SaaS discovery solutions on the market, one of the most common approaches to discovering SaaS is DIY-ing it. Often, this involves painstakingly compiling information by reaching out to individual department heads, searching through expense reports, reviewing onboarding documentation, and combing through various wikis and knowledge bases—only to realize that the information has become outdated almost immediately as new apps are added or removed.

The obvious benefit of managing SaaS discovery manually is avoiding the expense of adding another tool to your IT inventory, but it carries steep hidden costs. It’s an overwhelming and ineffective process that leaves significant gaps in visibility and control.

1. Identity Provider (IdP) integrations

This method leverages API connections with platforms like Google Workspace or Microsoft 365 to reveal apps connected to your identity infrastructure, including access granted to third-party SaaS integrations through OAuth. IdP integrations can also provide a complete list of IdP users and groups, including insight into user roles, privileges, password strength, and MFA status. Plus, API access unlocks opportunities for automation as well as deep visibility into IdP configurations and security settings, which means some providers (like Nudge Security) can enable SaaS security posture management for your IdP.

That said, this method isn’t sufficient as a standalone discovery approach. It only shows you what’s connected through your IdP—meaning it misses apps signed up with personal email addresses, apps authenticated through social sign-ons, or any username/password-based accounts outside your identity infrastructure.

This makes it a strong component of SaaS discovery but not a silver bullet. For broader visibility, IdP integrations should be paired with other methods that surface activity happening outside of the IdP.

2. Single Sign-On (SSO) integrations

Similar to IdP integrations, SSO connections with providers like Okta, Google SSO, Entra ID, OneLogin, or Ping Identity help identify apps configured for centralized authentication. API integrations with SSO platforms can provide high-fidelity information about apps provisioned through your authentication system, including accounts, user roles, and login activity. Plus, these integrations can also enable automation capabilities such as revoking app access along with SSO access during employee offboarding.

While these integrations offer valuable insight into managed app activity (i.e., the apps IT already knows about), this method has no visibility into apps that have not been onboarded to SSO, which can lead to a false sense of security. Many organizations believe that all of their SaaS is behind SSO, but the stark reality is that only 30-40% of apps ever get onboarded. Unfortunately, not all apps even support SSO, while others charge an “SSO tax” that forces you into a higher pricing tier to access this functionality.

3. App integrations

Typically categorized as SaaS Security Posture Management or SSPM, direct API connections with specific SaaS apps can provide detailed visibility into user access, permissions, activity, account statuses, app-to-app integrations, and app configurations. Out of all the discovery methods on this list, integrations with SaaS vendor APIs offer the deepest insights into a particular app’s SaaS usage and configurations, as well as potentially unlocking automation capabilities.

If you’re looking for depth, API integrations are invaluable. Direct app integrations appeal to a promised-land vision of connecting, monitoring, and controlling all the SaaS in your environment from one central location. Ahhh, just like the good old days of exclusively on-prem security. So what’s the catch? Unfortunately, there are several.

The first fundamental challenge is that vendors that offer only this approach don't provide any real "discovery" of SaaS apps. In order to take advantage of app integrations, organizations need to know what SaaS exists in their environments—a SaaS discovery catch-22. Many SSPM vendors rely primarily on app integrations (the “bring your own list” approach), leaving security and IT teams with no real discovery beyond the apps they already know about.

Actual SaaS discovery based on vendor API integrations is limited to surfacing SaaS-to-SaaS integrations with apps connected via this method—that is, if the individual vendor APIs even enable that functionality. SaaS vendor APIs are frustratingly inconsistent, which is one reason you’ll notice major variations in integration functionality from app to app. Some SaaS APIs enable deep visibility and automation, whereas others give you only basic insight into users and roles.

Adding insult to injury, most vendors’ app libraries are limited to a few dozen or a few hundred apps. For some perspective, Nudge Security has discovered well over 50,000 unique apps across our customers’ environments. Clearly, not everything in your environment can possibly be managed and secured via a direct API connection.

Additionally, relying only on this approach means you'll have to spend significant time and effort configuring API connections for each app you want to manage before you can derive any insights or value from the solution. And, you'll need to keep up with adding new connections as new apps are adopted by your org and supported by your SSPM vendor. Given the hockey stick adoption rate of SaaS apps (not to mention GenAI), this approach quickly becomes untenable at scale.

4. Email discovery

This approach analyzes corporate email communications for evidence of SaaS usage—things like welcome emails, password resets, billing notifications, MFA prompts, and security alerts. Secure API connections to email systems scan for app-related messages, identifying services users have signed up for based on communication patterns. Some solutions limit themselves to email headers, but others (like Nudge Security) go deeper by also parsing message content and PDF attachments to extract actionable insights.

Email discovery offers unparalleled coverage across a wide range of apps and account types, including those authenticated with usernames/passwords, federated SSO, OAuth, or even social sign-ons. It’s also one of the only methods that works retroactively, uncovering SaaS usage from before the solution was even deployed. Additionally, this method does not require any prior knowledge of an app’s existence—which is especially helpful for discovering new, shiny AI tools that keep popping up overnight.

The biggest limitation? Email discovery can’t detect SaaS activity tied to personal email accounts. If someone uses their Gmail or iCloud address to sign up for a tool, that won’t appear in a corporate inbox—and won’t be detected unless paired with another method like browser extensions.

Still, email-based discovery is one of the most powerful and scalable ways to uncover the long tail of shadow IT across your organization.
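As an added example (not Nudge Security's code; the mailbox, sender domains and match patterns are all constructed for illustration), here is a minimal email-discovery pass of the kind described above: it scans corporate mail for the welcome, verification, password-reset and billing messages listed, keys each account to the sending app's domain, records first/last seen dates and authentication hints, and then reports the apps that the SSO-only approach from section 2 would never see.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample mailbox (not real mail), as a corporate mail API would return it.
SAMPLE_MAILBOX = [
    "From: Notion Team <team@mail.notion.so>\nTo: alice@example.com\n"
    "Date: Mon, 03 Feb 2025 09:12:00 +0000\nSubject: Welcome to Notion!\n\n"
    "You signed up with Continue with Google. Let's get started.\n",
    "From: Figma <noreply@figma.com>\nTo: alice@example.com\n"
    "Date: Tue, 04 Feb 2025 14:02:00 +0000\nSubject: Verify your email address\n\n"
    "Confirm your email to finish creating your password and account.\n",
    "From: Figma <noreply@figma.com>\nTo: alice@example.com\n"
    "Date: Fri, 07 Mar 2025 08:30:00 +0000\nSubject: Reset your password\n\n"
    "We received a request to reset the password for your account.\n",
    "From: Acme Payroll <billing@acmepayroll.example>\nTo: bob@example.com\n"
    "Date: Wed, 12 Feb 2025 10:00:00 +0000\nSubject: Your invoice #1001 is ready\n\n"
    "Thanks for your payment of $49.00. Sign in via your company SSO to view it.\n",
    "From: IT Helpdesk <it@example.com>\nTo: alice@example.com\nDate: Thu, 13 Feb 2025 11:00:00 +0000\n"
    "Subject: Reset your password before Friday\n\nReminder: rotate your workstation password.\n",
]

# Message types the article lists as evidence of an account, matched on subject + body.
SIGNALS = [
    (re.compile(r"welcome|verify your email|confirm your (email|account)", re.I), "signup"),
    (re.compile(r"reset your password|password reset", re.I), "password_reset"),
    (re.compile(r"invoice|receipt|payment", re.I), "billing"),
]
# Wording that hints at how the account authenticates.
AUTH_HINTS = [
    (re.compile(r"(continue|sign in) with (google|microsoft|apple)", re.I), "social_oauth"),
    (re.compile(r"\bsso\b|single sign-on|saml", re.I), "sso"),
    (re.compile(r"password", re.I), "username_password"),
]

def app_from_sender(from_header):
    # App key = sender domain with a mail-only subdomain stripped (mail.notion.so -> notion.so).
    parts = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower().split(".")
    if len(parts) > 2 and parts[0] in {"mail", "email", "noreply", "no-reply", "notifications"}:
        parts = parts[1:]
    return ".".join(parts)

def discover(mailbox, corporate_domain):
    # Returns {(app, user): {first_seen, last_seen, evidence, auth}} built from message content.
    inventory = {}
    for raw in mailbox:
        msg = message_from_string(raw)
        app = app_from_sender(msg["From"])
        if app == corporate_domain or app.endswith("." + corporate_domain):
            continue  # internal mail about passwords is not a SaaS signup
        text = f"{msg['Subject']} {msg.get_payload()}"
        if not (kinds := [kind for pat, kind in SIGNALS if pat.search(text)]):
            continue  # no account evidence in this message
        seen = parsedate_to_datetime(msg["Date"])
        rec = inventory.setdefault((app, parseaddr(msg["To"])[1].lower()),
                                   {"first_seen": seen, "last_seen": seen, "evidence": set(), "auth": set()})
        rec["first_seen"], rec["last_seen"] = min(rec["first_seen"], seen), max(rec["last_seen"], seen)
        rec["evidence"].update(kinds)
        rec["auth"].update(a for pat, a in AUTH_HINTS if pat.search(text))
    return inventory

def outside_sso(inventory, sso_apps):
    # Apps seen in mail that are neither onboarded to SSO nor show SSO wording: the SSO-only blind spot.
    return sorted({app for (app, _), rec in inventory.items() if app not in sso_apps and "sso" not in rec["auth"]})
```

Note that the Notion account signed up with "Continue with Google" surfaces here even though it is invisible to both SSO and username/password-focused methods, while the sign-up date predating deployment illustrates the retroactive insight the text describes.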

5. Browser extensions

Browser-based discovery monitors app usage directly through a browser extension deployed to corporate devices. Extensions installed in corporate browsers can detect SaaS web visits, account signups, login activity, authentication methods, password strength, app usage patterns, file sharing, and other rich behavioral insights.

Unlike other methods of discovery, browser extensions deliver granular user activity data for a wide range of apps. Paired with business context from a broader range of sources, these browser-level insights can be powerful—not to mention the potential for engaging users with real-time browser-level interventions.

As a SaaS discovery method, however, browser extensions have significant limitations. Solutions relying solely or primarily on browser insights must observe activity before they can report it. This means that, as a prerequisite for discovery, you need to deploy the extension universally across all endpoints and browsers, and then wait. SaaS usage is often periodic, with employees accessing some apps only during certain job functions or times of year (think HR reviews, end-of-year analysis, or partner-driven projects). And while browser extensions can offer robust activity data after installation, their only potential window into historical SaaS activity is browser history data, a low-fidelity source for SaaS discovery.

As you consider solutions that include browser extensions, be sure to get specific about product functionality to make sure you understand the true value. For example, many browser extensions identify SaaS activity based on domain visits rather than actual login data, offering extremely limited security-relevant information. Others only offer support for a specific set of SaaS domains, limiting their utility for SaaS discovery and other essential use cases.

6. Financial and procurement data analysis

This method mines financial systems, expense reports, and procurement tools for telltale signs of SaaS usage—things like vendor payments, credit card charges, invoices, and purchase orders. It’s especially helpful for identifying paid tools that may not show up through other discovery techniques, such as those signed up with personal email addresses or used outside federated identity providers.

The primary strength here is financial traceability. If your company is paying for something, it will eventually leave a breadcrumb in a bank statement or procurement platform—and tools that ingest this data can flag services for further investigation.

However, this method comes with big caveats. First, it doesn’t offer real-time visibility. There’s usually a delay between purchase and data availability, especially with monthly expense reports or delayed transaction records. Second, it only tells you what’s been paid for—it won’t catch free-tier usage or trials, which often make up a significant portion of shadow IT. And finally, it lacks user-level attribution, so you may know what was purchased but not who is using it.

In short, financial discovery is best used as a backstop or complementary method rather than your primary source of SaaS visibility.

7. Network-based monitoring and endpoint agents (including CASBs)

These approaches rely on capturing user traffic—either via desktop agents installed on individual devices or network-level monitoring through firewalls, VPNs, or Cloud Access Security Brokers (CASBs). The goal is to detect and log access to SaaS domains, providing visibility into what apps employees are using based on their web traffic.

In theory, this can offer broad and continuous SaaS discovery. But in practice, these methods face serious headwinds in modern work environments. Desktop agents are intrusive, difficult to deploy at scale, and often resisted by users. Network monitoring depends on traffic routing through corporate infrastructure—something that’s increasingly rare in remote and hybrid work settings. Even with full deployment, modern SaaS apps (with dynamic URLs, shared CDNs, and encrypted traffic) make accurate detection challenging.

CASBs in particular were designed for legacy, perimeter-based security models and often struggle in decentralized, BYOD-heavy organizations. They may flag access to well-known apps like Dropbox or Slack, but they miss smaller tools and lack the granularity to understand account types, user roles, or security configurations.

These approaches still have their place—especially in tightly controlled environments or when layered with DLP and threat detection—but for agile, scalable SaaS discovery across a remote workforce, they’re often too blunt an instrument.

SaaS discovery with Nudge Security

Nudge Security takes a unique and comprehensive approach to SaaS discovery that overcomes the limitations of traditional methods. Our patented technology combines multiple discovery methods, with email-based discovery at its core, to provide unmatched visibility into your SaaS environment. Here are the ways this method stands out from the rest:

  • Comprehensive coverage: While other solutions focus on narrow discovery methods, Nudge Security's multi-layered approach combines email analysis, API integrations, and SSO connections to provide the broadest possible visibility into your SaaS environment.
  • Automated discovery: Our solution works continuously in the background to identify new SaaS applications as soon as they appear in your environment, requiring minimal setup and maintenance.
  • Historical insight: Unlike point-in-time solutions, Nudge Security uncovers historical SaaS usage, giving you immediate visibility into your entire existing SaaS footprint, even apps introduced before you started using Nudge.
  • Rich context: Beyond just discovering apps, we provide detailed information about usage patterns, user roles, authentication methods, and security configurations to help you make informed decisions about your SaaS security posture.
  • Scalability: Our approach doesn't require complex infrastructure, endpoint agents, or network monitoring tools, making it ideal for modern, distributed workforces.

Most importantly, Nudge Security's discovery capabilities serve as the foundation for a complete SaaS security solution that helps organizations manage their entire SaaS attack surface, from discovery through governance.

“Nudge Security is the way to find out what applications your employees are actually using, and that's just not addressed completely by any other solution.”
—Jesse Kriss, Head of Security, Watershed

Learn how Watershed uses Nudge Security for SaaS attack surface management →

Conclusion

Effective SaaS discovery is crucial for modern organizations managing complex cloud environments. Because each discovery method has its strengths and limitations, organizations should carefully evaluate their specific needs, infrastructure, and work environment when selecting a SaaS discovery solution.

The ideal solution should not only discover SaaS applications but also provide actionable insights that enable better security decisions, streamline governance, and support the organization's broader security and IT objectives. As the SaaS landscape continues to evolve, robust discovery capabilities will become increasingly critical for maintaining security and operational efficiency.

By understanding the various discovery methods available and their respective trade-offs, organizations can make informed decisions about which approach—or combination of approaches—best suits their needs. Remember that SaaS discovery is not a one-time exercise but an ongoing process that requires continuous monitoring and adaptation to keep pace with the dynamic nature of modern work environments.
