TechEcho
A tech news platform built with Next.js, providing global tech news and discussions.
Show HN: Shadow IT Scan – Uncover SaaS Apps, Users and Risky OAuth Scopes

69 points, by mathiasn, 10 months ago
Hey HN,

TL;DR: We’ve launched a free version of our Shadow IT scanner to identify which SaaS apps are used in your company, who uses them, and if they have high-risk OAuth scopes.

Philip and I went through YC with AccessOwl in 2022. We started the company because, in our previous roles, we struggled to track all the SaaS apps, users, and granted OAuth scopes. The Shadow IT scanner started as a small feature within AccessOwl, which manages SaaS vendors and user accounts centrally. But a standalone scanner would have made our lives so much easier in our previous roles. So, we thought, why not release it?

And here it is: a free, standalone Shadow IT scanner!

Hope you find it useful :) The Shadow IT scan helps with:

1. Offboarding: Employees often don’t report all the apps they sign up for, making it tough to track and secure these accounts when they leave, especially with the common SSO tax.

2. Security: OAuth scopes are quickly granted but rarely reviewed or removed, leading to organizations unknowingly spreading their data.

3. Compliance: Auditors need a list of SaaS vendors, which is hard to compile when employees sign up for tools independently.

Any surprises in your scan? What features would you like to see in the next version? Looking forward to your feedback!

FAQ

What’s Shadow IT? Unauthorized SaaS apps within an organization not centrally managed, posing security and compliance risks.

How does it work? Our tool connects to your Google Workspace or M365 instance, identifies OAuth tokens granted, and maps them to known SaaS tools. Note: In this v1 version, it only detects apps using the “Sign in with Google/Microsoft” button.

Who is this for? Typically IT and InfoSec teams, but in smaller companies, it may fall under the CTO.

Is it safe to use? Yes, reading OAuth tokens is standard for SaaS management tools. Data extraction only occurs when you initiate a scan. AccessOwl is SOC 2 Type II audited and GDPR compliant.

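The FAQ above describes the mechanism in one sentence: enumerate the OAuth tokens each user has granted, map the client IDs back to apps, and flag the scopes. What follows is an added example in that spirit; it is not AccessOwl's code and is not taken from the post. It assumes the record shapes of the Google Admin SDK Directory API users and tokens resources (primaryEmail/suspended and clientId/displayText/scopes), which is an assumption on my part rather than a quote of the spec; the sample records and the high/low risk scope tables are constructed for illustration, and in a live run the per-user token lists would come from a tokens.list call authorized with the admin.directory.user.security scope instead of the embedded dict.

```python
"""Shadow-IT style inventory from OAuth token grants (added example, not AccessOwl's code).

Field names follow the Admin SDK Directory API `users` and `tokens` resources as I
understand them (assumption). All data below is constructed sample input.
"""
from dataclasses import dataclass, field

# Constructed directory export: one suspended (offboarded) account.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": False},
    {"primaryEmail": "bob@example.com", "suspended": False},
    {"primaryEmail": "carol@example.com", "suspended": True},
]

# Constructed per-user token listings (what tokens.list would return per userKey).
SAMPLE_TOKENS = {
    "alice@example.com": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "Notion",
         "scopes": ["openid", "email", "profile"]},
        {"clientId": "222.apps.googleusercontent.com", "displayText": "MailMerge Pro",
         "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    ],
    "bob@example.com": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "Notion",
         "scopes": ["openid", "email"]},
        {"clientId": "333.apps.googleusercontent.com", "displayText": "DocSigner",
         "scopes": ["https://www.googleapis.com/auth/drive"]},
    ],
    "carol@example.com": [
        {"clientId": "333.apps.googleusercontent.com", "displayText": "DocSigner",
         "scopes": ["https://www.googleapis.com/auth/drive"]},
        {"clientId": "444.apps.googleusercontent.com", "displayText": "Chart Thing",
         "scopes": ["https://www.googleapis.com/auth/spreadsheets.readonly"]},
    ],
}

# Illustrative risk tables (assumption): broad, data-exfil-capable scopes vs. identity-only ones.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail (read/send/delete)",
    "https://www.googleapis.com/auth/drive": "full Drive (every file)",
    "https://www.googleapis.com/auth/contacts": "read/write all contacts",
    "https://www.googleapis.com/auth/admin.directory.user": "manage every user account",
}
LOW_RISK_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/drive.file",  # only files the user explicitly picks
}
RISK_ORDER = {"low": 0, "review": 1, "high": 2}


def scope_risk(scope: str) -> str:
    """Exact-match classification; anything unknown is escalated to a human, not assumed safe."""
    if scope in HIGH_RISK_SCOPES:
        return "high"
    if scope in LOW_RISK_SCOPES:
        return "low"
    return "review"


@dataclass
class AppFinding:
    client_id: str
    name: str
    users: set = field(default_factory=set)
    scopes: set = field(default_factory=set)
    orphaned_users: set = field(default_factory=set)  # suspended accounts still holding a grant

    @property
    def risk(self) -> str:
        """Worst scope seen across all users of this app."""
        return max((scope_risk(s) for s in self.scopes),
                   key=RISK_ORDER.__getitem__, default="low")

    def risky_scopes(self) -> dict:
        return {s: HIGH_RISK_SCOPES[s] for s in sorted(self.scopes) if s in HIGH_RISK_SCOPES}


def build_inventory(users, tokens_by_user) -> dict:
    """Group grants by clientId (the app), collecting users, scopes and offboarding leftovers."""
    suspended = {u["primaryEmail"] for u in users if u.get("suspended")}
    apps: dict = {}
    for email, tokens in tokens_by_user.items():
        for tok in tokens:
            cid = tok["clientId"]
            app = apps.setdefault(cid, AppFinding(cid, tok.get("displayText", cid)))
            app.users.add(email)
            app.scopes.update(tok.get("scopes", []))
            if email in suspended:
                app.orphaned_users.add(email)
    return apps


def report(apps) -> list:
    """One line per app, highest risk first, then by name."""
    lines = []
    for app in sorted(apps.values(), key=lambda a: (-RISK_ORDER[a.risk], a.name)):
        line = f"[{app.risk.upper():6}] {app.name}: {len(app.users)} user(s)"
        if app.risky_scopes():
            line += " ; grants " + ", ".join(app.risky_scopes().values())
        if app.orphaned_users:
            line += " ; still granted by suspended: " + ", ".join(sorted(app.orphaned_users))
        lines.append(line)
    return lines


if __name__ == "__main__":
    for entry in report(build_inventory(SAMPLE_USERS, SAMPLE_TOKENS)):
        print(entry)
```

Two design points worth noting. Unknown scopes land in a "review" bucket rather than being treated as low, because a new or vendor-specific scope is exactly what a fixed allow-list misses. The join against suspended accounts is the offboarding check: a grant still listed against a suspended user is something the leaver checklist should revoke explicitly. The same structure works for M365 if the input is Microsoft Graph oauth2PermissionGrants, where the scope field is a single space-separated string and has to be split before classification. As the post itself notes, this only sees apps reached through "Sign in with Google/Microsoft"; tools signed up for with a password and an email address leave no token to enumerate.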
7 comments

neilv, 10 months ago
What do people think about companies (even small startups) having a rule against random employees signing up for SaaSes?

On the one hand, such a rule sounds like stodgy company friction to "getting it done".

On the other hand, I see employees putting crucial information across seemingly every SaaS they'd heard of, except for the official place it's actually supposed to go. Making it inaccessible to the people who needed it, and often eventually losing the information entirely.

I've also seen (to pick one anecdote) newer software developers pasting the data of a very sensitive proprietary engineering model into some random developer's Web site that provided a visualization. This random Web site then spread around engineering as the standard way you visualize that model.

And I've seen third-party service dependencies that made no sense at all, but people were just following tutorials and StackOverflow answers they found.
[Reply #41126293 not loaded]
[Reply #41126085 not loaded]
[Reply #41133347 not loaded]
[Reply #41133165 not loaded]
[Reply #41126396 not loaded]
bdno86, 10 months ago
This is really cool!! Always excited about increased accessibility of security tools. This used to require jumping through a bunch of hoops in the past to find out, so most companies don't even know this is possible, and even fewer have made the effort to do it.
[Reply #41125029 not loaded]
moxli, 10 months ago
> AccessOwl calculates billing based on the number of active Slack users, excluding Single-Channel Guests and service accounts, as this is usually the closest measure to your number of active employees. The billing amount is updated prorata each month and before each payment, based on the number of users in your Slack workspace.

https://www.accessowl.io/pricing

How does pricing work if Slack is not used?
[Reply #41126968 not loaded]
[Reply #41126969 not loaded]
NoPicklez, 10 months ago
In a previous role many years ago I used a tool called Netskope, which monitored firewall traffic and was excellent at identifying almost every web-related service being used.

This was helpful because it would detect SaaS platforms being used that were not integrated into SSO, like PDF converters, etc.

But I really like how simple this looks to use, and it looks powerful.
[Reply #41126518 not loaded]
650REDHAIR, 10 months ago
This is very, very cool!

Great work, guys!
[Reply #41124602 not loaded]
ctippett, 10 months ago
Seeing the logo made me wonder if this was a project spun out of Tripadvisor; they're *very* similar.
[Reply #41124774 not loaded]
[Reply #41124615 not loaded]
antonmi, 10 months ago
Very interesting, gonna check it!
[Reply #41123903 not loaded]