Detecting New and Unapproved SaaS Tools

CultureAI helps you detect when employees use new, unrecognised, or unapproved SaaS tools — giving you the visibility and control you need to manage shadow IT, reduce exposure, and prevent risks like poisoned tenant attacks.

These detections are powered by browser telemetry and identity-based login analysis, helping you stay ahead of SaaS-related threats before they escalate.


What We Detect

New SaaS App Detection

We detect when a user logs into a SaaS app that has never been accessed before by anyone else in your organisation.

This helps you:

  • Catch early signs of shadow IT

  • Identify risky trial usage of unknown tools

  • Prevent poisoned tenant or fake service logins

Example: A user logs into ai-generator-x.com — a domain not seen before in your organisation. A "New SaaS Tool" risk is raised and flagged for review.


Unapproved SaaS Tool Detection

Even if a SaaS app is already in use, CultureAI can raise a risk when a user logs into an app that has been explicitly marked as unapproved in your SaaS app settings.

This helps you:

  • Enforce security policies consistently

  • Reduce use of tools that don’t meet compliance or risk requirements

  • Catch usage that’s been previously reviewed and disallowed

Example: You’ve marked dropbox.com as unapproved in the platform. A user logs in — CultureAI flags this as an “Unapproved SaaS Tool” risk.


How Detection Works

  • CultureAI’s browser extension monitors credential-based logins to SaaS platforms

  • It checks the domain or app name against your organisation’s known SaaS tool list

  • If the app is new or marked as unapproved, a risk is raised

  • Each risk is tied to the user, app, domain, and login context
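The decision flow above, as an added Python example (not CultureAI's code): it runs constructed login events through a first-seen check and an unapproved check. The event fields, the status strings, and the hostname normalisation (lowercase, no port, no leading "www.") are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

APPROVED, UNAPPROVED, NEUTRAL = "Approved", "Unapproved", "Neutral"

@dataclass(frozen=True)
class Risk:
    kind: str
    user: str
    domain: str
    login_url: str

def normalise(url: str) -> str:
    """Reduce a login URL to a comparable host (assumed rule, see lead-in)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def evaluate_login(event: dict, saas_list: dict) -> Optional[Risk]:
    """Check one login event against the SaaS list (domain -> status)."""
    domain = normalise(event["url"])
    if not domain:
        return None  # no usable host, nothing to compare
    status = saas_list.get(domain)
    if status is None:
        # First login by anyone in the organisation: record the domain
        # with no status so later logins wait for a manual review.
        saas_list[domain] = NEUTRAL
        return Risk("New SaaS Tool", event["user"], domain, event["url"])
    if status == UNAPPROVED:
        return Risk("Unapproved SaaS Tool", event["user"], domain, event["url"])
    return None  # Approved or Neutral: no risk raised

def run(events: list, saas_list: dict) -> list:
    """Evaluate events in order, keeping only the risks raised."""
    return [r for e in events if (r := evaluate_login(e, saas_list))]

# Constructed sample data, not real telemetry.
SAAS_LIST = {"dropbox.com": UNAPPROVED, "github.com": APPROVED}
EVENTS = [
    {"user": "alice", "url": "https://ai-generator-x.com/login"},
    {"user": "bob", "url": "https://ai-generator-x.com/login"},
    {"user": "carol", "url": "https://WWW.Dropbox.com:443/login"},
    {"user": "dave", "url": "https://github.com/login"},
]

if __name__ == "__main__":
    for risk in run(EVENTS, dict(SAAS_LIST)):
        print(risk)
```

Only the first login to ai-generator-x.com raises a risk; the hostname normalisation is what lets the `WWW.Dropbox.com:443` login still match the unapproved `dropbox.com` entry.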


Managing SaaS App Approvals

You can manage SaaS tool approvals directly within the Behaviours → SaaS → Logged into unapproved software section of the platform:

  1. View a list of all SaaS apps detected across your organisation

  2. Mark apps as Approved, Unapproved, or leave as Neutral

  3. CultureAI will automatically:

    • Raise risks for unapproved apps when used

    • Suppress risks for approved apps (if relevant)

    • Raise “New SaaS Tool” risks when first-seen tools are used


Responding to SaaS Tool Risks

You can configure Playbooks to respond automatically when SaaS-related risks are detected. Example interventions:

  • Notify users via Slack or Teams if they log into an unapproved app

  • Route new tool usage to IT or procurement for review via Jira or ServiceNow

  • Display browser banners to nudge toward approved alternatives


Example Scenarios

| Scenario | Detection Raised |
| --- | --- |
| A user logs into a domain never seen before | New SaaS Tool |
| A user logs into an app marked “Unapproved” | Unapproved SaaS Tool |
| A previously new app is marked “Approved” | No further risk raised |
| A user logs into an app with no status | No risk until reviewed or approved/unapproved manually |

Best Practices

  • Regularly review newly detected apps in the Behaviours section

  • Approve or unapprove tools based on security/compliance policy

  • Use interventions to guide user behaviour toward sanctioned tools

  • Consider pairing this with identity provider data to validate user access rights


Need help managing your SaaS app list or configuring responses?

Reach out to our customer success team.