Prep time: 1-2 hours*
Run time: 1-2 weeks*
Importance: High
Category: Discovery
Why It Matters:
Application discovery is the critical first step that makes every other play possible. Cost savings, compliance, app contract renewals, and rationalization all depend on a full inventory of your applications.
How Many Apps Should I Discover?
According to our research, the number of applications your company uses is influenced by the number of employees. Based on our SaaS Benchmarks Report we found the following data:
| Company Size | Average App Count |
| --- | --- |
| Up to 100 Employees | 324 |
| 100 – 500 Employees | 485 |
| 500 – 2000 Employees | 781 |
| 2000 – 5000 Employees | 1,079 |
| 5000+ Employees | 1,174 |
These figures are intended as a general reference point and should be used to adjust your expectations. In practice, many IT professionals discover about three times as many applications as they initially anticipated.
These applications typically fall into three categories:
- Sanctioned with Expected Use: Familiar IT-owned tools that are well understood and integrated within the organization.
- Sanctioned with Unexpected Use: Known applications that may have multiple contracts, more licenses than expected, or are being used in ways not originally intended.
- Unsanctioned (Shadow IT): Tools acquired outside of the IT approval process, often adopted by specific departments or individual employees without formal oversight.
Who Should be Involved?
Primary: IT or Operations, to lead the discovery process.
Secondary: Finance to review software spend, Procurement to improve vendor relationships, Department heads to validate findings, Security to audit usage for compliance and data risks.
What Tools are Needed?
A SaaS Management Platform (SMP) will perform full app discovery by integrating with your core apps. Try a 14-day trial of Torii’s Discovery Engine to see for yourself.
Without an SMP, you will need access to some or all of the following tools:
- Network Monitoring Tool (Firewall, Proxy Servers, Traffic Analyzer), Identity and Access Management, Cloud Access Security Broker, etc. We’ll provide a more complete list in Step 1 below.
- Spreadsheet to record findings
- Survey Tool for employee feedback
Why Do We Need Multiple Data Sources?
No single data source will tell a complete (or accurate) story. Within Torii, our Discovery Engine cross-checks multiple sources to determine the truth behind app usage. Without multiple sources, your results will contain significant biases, blind spots, and inaccuracies. While anomalies or discrepancies will always exist, you’ll suffer far fewer by cross-checking multiple inputs.
Steps for Successful Full SaaS Application Discovery
Step 1: Gather Data Sources
Identify where to find information about SaaS usage:
With a SaaS Management Platform:
A SaaS Management Platform like Torii is designed to connect to your core applications and centralize all of your data into one place. Typically, you will want to connect to the following sources:
- Your Identity Provider (IDP)
- Your Single Sign-On (SSO)
- Your Mobile Device Management (MDM)
- Your core SaaS tools (Slack, Salesforce, Microsoft, etc.)
- Your expense software
- Your contract management software
- Deploy Torii’s Browser Extension (Optional)
Without a SaaS Management Platform (Manual Discovery):
Without a SaaS Management Platform, you will need to spend more time manually identifying all the possible sources of data. Use this list to help you get started:
- Network Monitoring Tools: Logs of outgoing network traffic to SaaS-related domains (e.g., Palo Alto, Fortinet, Zscaler, Wireshark).
- Identity and Access Management (IAM): Connected applications, user authentication logs, and SSO activity (e.g., Okta, Azure AD, Google Workspace Admin).
- Cloud Access Security Broker (CASB): SaaS applications accessing sensitive data or unauthorized APIs (e.g., Netskope, Microsoft Defender, McAfee MVISION).
- Endpoint Detection and Response (EDR): Applications installed on endpoints and unusual app activity (e.g., CrowdStrike, SentinelOne, Carbon Black).
- Unified Endpoint Management (UEM): A list of applications installed on employee devices (e.g., Microsoft Intune, Jamf, ManageEngine).
- Expense Management Tools: Recurring charges or subscriptions tied to SaaS tools (e.g., Expensify, SAP Concur, Brex).
- Email Activity: SaaS-related emails such as sign-up confirmations, invoices, or app invites (e.g., Gmail, Outlook, Proofpoint).
- Collaboration Tools: Bots, integrations, or links to unauthorized SaaS tools (e.g., Slack, Teams, Zapier).
- Contract Management Software: Records of SaaS agreements and renewal schedules (e.g., DocuSign CLM, Ironclad, Conga).
- Survey Tools for Employee Feedback: Insights on tools employees use that may not be officially approved (e.g., Google Forms, Typeform, Microsoft Forms).
- Core SaaS Tools: Integrations and third-party app connections (e.g., Slack, Salesforce, Microsoft 365).
Step 2: Conduct Discovery
Begin collecting and validating data, and store it within a system of record:
With a SaaS Management Platform: [2-4 hours]
- Automated Discovery:
  - Within a few hours of connecting your core applications, Torii will automatically scan and identify all SaaS apps used within your organization.
  - The apps will be visible in a centralized, filterable list that displays all your business applications, allowing easy access to crucial information like costs, status, and usage patterns.
Without a SaaS Management Platform (Manual Discovery): [1-2 weeks]
- Review Network Infrastructure Tools:
  - Check proxy server logs. These tools log all web traffic and can help you identify SaaS application domains.
  - Review firewall logs. Firewalls similarly monitor incoming and outgoing network traffic, which can reveal SaaS services.
  - Use Network Monitoring tools/Intrusion Detection Systems as another means of monitoring network traffic.
- Review Expense and Credit Card Reports:
  - Analyze financial documents to identify recurring charges or one-time payments associated with SaaS subscriptions.
  - Look for expenses categorized under software, subscriptions, IT services, or any unfamiliar vendors.
- Survey Department Leads:
  - Reach out to team managers and department heads to gather information about the SaaS tools their teams are utilizing.
  - Request details on officially sanctioned tools as well as any unofficial applications adopted to meet specific needs.
- Interview Employees:
  - Conduct interviews or distribute surveys to employees to uncover additional shadow IT tools not reported by department leads.
  - Encourage transparency by assuring employees that the goal is to enhance support and security, not to penalize unauthorized usage.
- Compile Data into a Spreadsheet (System of Record):
  - Create a centralized spreadsheet to document all discovered SaaS applications. Be sure to include information such as:
    - Application Name
    - Department/Team Using the Application
    - Purpose/Functionality
    - Cost
  - Download your copy of our application discovery template
By systematically collecting this information, you establish a foundational system of record that captures all SaaS applications in use across your organization. This centralized record is crucial for effective management, cost optimization, compliance adherence, and mitigating security risks associated with shadow IT.
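One way to do the cross-checking in this manual step, as an added example (not Torii's code and not part of the original playbook): it merges proxy-log lines, an expense export and an SSO app list into inventory rows, tagging each app with the sources that saw it and with one of the three categories listed earlier. The sample inputs are constructed, and the field layouts and the `base_domain` and `build_inventory` names are assumptions.

```python
import csv
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample inputs: proxy lines are "timestamp user method url status";
# the expense export has one row per recurring charge.
PROXY_LOG = """\
2024-05-01T09:00:01Z alice CONNECT https://app.slack.com/ 200
2024-05-01T09:02:10Z bob GET https://acme.my.salesforce.com/home 200
2024-05-01T09:05:44Z carol GET https://www.notion.so/workspace 200
"""
EXPENSES = """\
domain,payer,monthly_usd
salesforce.com,finance,4000
salesforce.com,sales-ops,900
airtable.com,marketing,120
"""
# Assumed export of apps connected to SSO (the sanctioned catalogue).
SSO_APPS = {"slack.com": "Slack", "salesforce.com": "Salesforce"}

def base_domain(host):
    # Naive last-two-labels rule; use a Public Suffix List for real data.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def build_inventory(proxy_log, expenses_csv, sso_apps):
    seen = defaultdict(lambda: {"sources": set(), "users": set(), "payers": set(), "cost": 0})
    for line in proxy_log.splitlines():
        fields = line.split()
        host = urlsplit(fields[3]).hostname if len(fields) == 5 else None
        if not host:
            continue  # skip malformed lines rather than guess
        app = seen[base_domain(host)]
        app["sources"].add("proxy")
        app["users"].add(fields[1])
    for row in csv.DictReader(expenses_csv.splitlines()):
        app = seen[base_domain(row["domain"])]
        app["sources"].add("expenses")
        app["payers"].add(row["payer"])
        app["cost"] += int(row["monthly_usd"])
    for domain in sso_apps:
        seen[domain]["sources"].add("sso")
    rows = []
    for domain, app in sorted(seen.items()):
        category = ("Unsanctioned (Shadow IT)" if domain not in sso_apps
                    else "Sanctioned with Unexpected Use" if len(app["payers"]) > 1
                    else "Sanctioned with Expected Use")  # several payers hint at several contracts
        rows.append({"domain": domain, "category": category, "users": len(app["users"]),
                     "sources": ",".join(sorted(app["sources"])), "monthly_usd": app["cost"]})
    return rows

print(*build_inventory(PROXY_LOG, EXPENSES, SSO_APPS), sep="\n")
```

Rows with a single entry in `sources` are the ones to validate first: an app seen only in expenses or only in proxy traffic is exactly the blind spot a single data source would miss.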
Step 3: Categorize and Analyze Findings
After gathering and verifying data, the next step is to classify applications by their status and determine which ones require further action. This phase helps streamline your remediation process—deciding which applications are officially sanctioned, which need additional review, and which should be discontinued. It also ensures you know who to follow up with to gather more details, locate missing contracts, or clarify usage.
With a SaaS Management Platform:
- Assign Application Statuses:
  - Use Dropdown: In Torii, you can set each application’s status with ease by using built-in dropdown options like Sanctioned, In Review, Needs Closure, or Needs More Info.
  - Centralized Visibility: Quickly see all apps and filter them by their status in one place. This enables you to focus on the most critical applications first—such as those with unclear ownership or costly contracts.
- Engage with Users and Owners:
  - Follow up with Users: Torii includes user lists for each app so you can reach out for more information.
  - Identify App Owners: Torii allows you to assign app owners for each app—this can include special visibility and actions to help that user better manage the application.
- Identify and Locate Contracts:
  - Contract Integration: Torii integrates with key contract management tools, making it simple to see if a contract exists for each discovered app.
  - Follow Up on Missing Contracts: If an application is missing a contract or terms-of-service documentation, mark it as In Review and immediately flag it for a follow-up action. Torii can help you note this, ensuring nothing gets overlooked.
Without a SaaS Management Platform (Manual Approach):
- Update Your Spreadsheet:
  - Add a Status Column: Manually categorize each application as Sanctioned, In Review, Needs Closure, or Needs More Info.
  - Include a Priority Column: Assign a priority level (High, Medium, Low) to focus your efforts. Start with the apps that pose the greatest risk or cost to your organization.
- Identify Missing Contracts:
  - Manual Document Search: Refer to your contract management software or file repositories (e.g., shared drives, email archives) to find related contracts.
  - Document Status in the Spreadsheet: If no contract is found, mark that app as In Review and note in the comments column that you need to source this document.
- Engage with Teams and Users:
  - Reach Out to Department Leads: Since you don’t have a built-in user directory tied to each application, revisit your previous surveys and interviews. Identify who mentioned the app and contact them via email or chat.
  - Follow Up for More Details: Ask relevant stakeholders for information on why the app is used, how integral it is to their workflow, and who should be considered the owner or administrator.
- Prioritize and Schedule Follow-Ups:
  - Set Calendar Reminders: Without automated alerts, you’ll need to rely on personal reminders. Add calendar events or tasks for key follow-up dates (e.g., a week to find a missing contract or two weeks to confirm app ownership).
  - Iterative Review: Continue to refine your spreadsheet as you gather more information. Update the status column once you have clarity or have taken necessary action.
Step 4: Validate and Share Findings
After categorizing and prioritizing your SaaS applications, confirm the accuracy of your data and share it with stakeholders. Whether you’re using Torii or a spreadsheet, the goal is to ensure everyone can act on reliable, transparent information.
- Validate Data: Cross-check application details—like ownership, costs, and compliance—against contract documents, expense reports, and user directories.
- Create Reports: Summarize key insights (e.g., top spend, renewal schedules, security risks) for different stakeholders based on what is relevant to them. Focus on high-level takeaways and visuals to ensure they understand the most important points.
- Share with Stakeholders: Provide access to the data via shared views, links, or brief presentations. Notify relevant teams (Security, Procurement, Legal, Finance, Department Heads) so they understand the tools in your ecosystem.
- Collect Feedback and Refine: Encourage questions and feedback from stakeholders. Update your records to correct inaccuracies, add missing details, and ensure everyone has the most current information.
Step 5: Establish Ongoing Management and Governance
Moving forward, implement a continuous process for monitoring and managing your SaaS ecosystem.
- With a SaaS Management Platform:
  - Enable automated alerts to notify relevant teams whenever a new application is discovered.
  - Deploy in-the-moment user questionnaires to gather context on new apps and their intended use.
  - Schedule periodic reviews to reassess application portfolios, costs, and security needs.
- Without a SaaS Management Platform (Manual Approach):
  - Set up calendar reminders or manual alerts to review expense reports, network logs, and employee surveys at regular intervals.
  - Conduct periodic check-ins with department leads to confirm ongoing app usage and compliance.
  - Keep your spreadsheet updated as new applications emerge, ensuring nothing goes unnoticed.
Key Outcomes
- Complete Inventory: A clear, centralized view of all SaaS applications, both sanctioned and shadow IT.
- Better Decision-Making: Accurate data on costs, usage, and compliance informs strategic actions.
- Stronger Governance: Reduced shadow IT and ongoing oversight improve security and efficiency.
By establishing a repeatable discovery and review process—either automated through a platform like Torii or managed manually—you ensure transparency, drive smarter spending, strengthen security, and maintain sustained control over your SaaS environment.