Product — Shadow IT
You can't secure what you don't know about
Sudory discovers unapproved vendors and services across your organization. Every app flows through a compliance ledger — discovered, reviewed, approved — with policies enforcing each step.
Discovery
Start outside, move in
Five layers of discovery that deepen as trust grows. Start with DNS — no credentials needed. Add OAuth and email scanning when users log in. Connect integrations for full visibility.
DNS & HTTP scanning
Third-party scripts, tracking pixels, CDN origins, and embedded services appear in DNS records and HTTP responses. No credentials needed — works from day one.
OAuth claim inspection
When users log in, Sudory inspects their identity tokens for third-party app grants. Every OAuth authorization your employees made becomes visible.
Email subject matching
SaaS tools send receipts, trial expirations, and onboarding emails. Sudory matches email subjects against known vendor patterns to surface tools IT never approved.
Integration APIs
Connect Google Workspace, Slack, or GitHub to discover installed apps, authorized bots, and OAuth grants your teams added without approval.
SBOM analysis
Software Bill of Materials reveals every dependency in your stack. Sudory matches packages to vendors and surfaces supply chain risks.
Lifecycle
Every app has a paper trail
Discovered services flow through the compliance ledger like transactions. Each state change is recorded, timestamped, and policy-checked.
01 Discovered
Scanners find a new app or service. It enters the ledger as a debit in assets:apps:discovered. The clock starts — temporal policies track how long it sits here.
02 Reviewed
A human reviews the discovered app. Flow policies enforce that every app must pass through review — you can't skip straight to approved. Role policies restrict who can review.
03 Approved or rejected
The app moves to approved (sanctioned) or gets flagged for removal. Separation policies ensure the reviewer and approver are different people. The balance settles.
Enforcement
Four policies, one workflow
Shadow IT discovery isn't just a list — it's a policy-enforced workflow. Balance, flow, temporal, and role policies work together to close the loop.
Balance
Zero shadow IT
Require zero apps in the shadow-it account. Any undiscovered app that enters the ledger creates an immediate policy violation.
assets:apps:shadow-it max: 0
Flow
Review before approval
Every discovered app must pass through security review before it can be approved. Per-item correlation tracks each app individually.
discovered → review → approved
Temporal
30-day triage SLA
Discovered apps must be reviewed within 30 days. FIFO tracking catches the oldest untriaged app first.
assets:apps:discovered max 30 days
Role
Reviewer authorization
Only security team members can approve vendors. An intern clicking "approve" is a policy violation — caught before it enters the ledger.
only: reviewer, ciso
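A minimal sketch of the workflow described above, added here as an illustration and not Sudory's own code: it replays constructed ledger events and applies the flow, role, separation and 30-day temporal checks, rejecting a violating transition before it is recorded. The state names, event tuple layout and function names are assumptions; the balance policy is left out.

```python
from datetime import datetime, timedelta

# Assumed model, not Sudory's schema: allowed transitions follow the page's
# "discovered → review → approved" flow, plus rejection after review.
FLOW = {None: {"discovered"}, "discovered": {"review"}, "review": {"approved", "rejected"}}
PRIVILEGED = {"reviewer", "ciso"}   # from the page's "only: reviewer, ciso"
TRIAGE_SLA = timedelta(days=30)     # from the page's 30-day triage SLA


def apply_events(events):
    """Replay transitions; return (ledger, violations). Violating events are not recorded."""
    ledger, violations = {}, []
    for app, to_state, actor, role, ts in events:
        entry = ledger.get(app, {"state": None, "since": None, "reviewer": None})
        if to_state not in FLOW.get(entry["state"], set()):
            violations.append((app, "flow", f"{entry['state']} -> {to_state}"))
        elif to_state != "discovered" and role not in PRIVILEGED:
            violations.append((app, "role", f"{actor} ({role})"))
        elif to_state in ("approved", "rejected") and actor == entry["reviewer"]:
            violations.append((app, "separation", actor))
        else:
            reviewer = actor if to_state == "review" else entry["reviewer"]
            ledger[app] = {"state": to_state, "since": ts, "reviewer": reviewer}
    return ledger, violations


def overdue(ledger, now):
    """Apps still in 'discovered' past the SLA, oldest first (FIFO)."""
    late = [(e["since"], app) for app, e in ledger.items()
            if e["state"] == "discovered" and now - e["since"] > TRIAGE_SLA]
    return [app for _, app in sorted(late)]


# Constructed sample events: (app, new state, actor, role, timestamp)
D = datetime
EVENTS = [
    ("chat-bot", "discovered", "dns-scanner", "scanner", D(2024, 1, 20)),
    ("notes-app", "discovered", "dns-scanner", "scanner", D(2024, 1, 2)),
    ("crm-tool", "discovered", "oauth-scanner", "scanner", D(2024, 1, 10)),
    ("crm-tool", "approved", "alice", "ciso", D(2024, 1, 11)),      # skips review
    ("crm-tool", "review", "ian", "intern", D(2024, 1, 12)),        # wrong role
    ("crm-tool", "review", "bob", "reviewer", D(2024, 1, 13)),
    ("crm-tool", "approved", "bob", "reviewer", D(2024, 1, 14)),    # same person
    ("crm-tool", "approved", "alice", "ciso", D(2024, 1, 15)),
]

if __name__ == "__main__":
    ledger, violations = apply_events(EVENTS)
    print(violations, overdue(ledger, datetime(2024, 3, 1)))
```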
For MSPs
Shadow IT visibility across your portfolio
Your clients don't know what their employees installed. You can show them — and turn that visibility into a managed service.
Discover across clients
Scan every client domain from outside. No agents, no access needed to start. Surface shadow IT across your entire portfolio in minutes.
Vendor overlap detection
See which vendors appear across multiple clients. Identify shared risk exposure and negotiate better terms from a position of visibility.
Client onboarding in minutes
Enter a domain, run a scan, get results. As clients grant integration access, coverage deepens from DNS-level discovery to full app inventory.
Find out what's running on your domain
Enter a domain and see what services are visible from the outside. Third-party scripts, embedded widgets, CDN origins — discovered in seconds.