Shadow IT
Related service: Cybersecurity
DEFINITION
Shadow IT is any software, SaaS subscription, AI tool, browser extension, browser script, or automation that staff brought into the company without IT or security knowing, to make their own work easier. It is not malicious, just fast: marketing puts the launch doc in Notion, sales uses Apollo instead of the CRM, an engineer pastes source code into ChatGPT for debugging, customer success schedules with Calendly.

Concrete SaaS-sprawl risks:
1) Regulated data (PII, customer financials, source code) ends up on a third-party server with no DPA and no DPIA.
2) When an employee leaves, their SSO account is revoked, but the shadow tool they signed up for with their personal Gmail stays.
3) A SOC 2 or NIS2 audit cannot close with an unknown SaaS list.

Fix: SaaS discovery (Torii, Productiv, or Workspace and Entra logs) plus a fast, simple approval flow (slow approval gets bypassed) plus a catalogue of pre-approved alternatives.
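The discovery step above, as an added example that is not DField's code: a small check that groups OAuth app-authorization events by app, compares them with the pre-approved catalogue, and flags grants that touch regulated-data scopes or belong to already-offboarded accounts. The event fields, app names, scopes and accounts are constructed assumptions, a simplification of what Workspace or Entra consent logs expose, not the real schema.

```python
from collections import defaultdict

# Constructed sample events: who authorized which third-party app with which scopes.
# Field names (actor, app, scopes) are a simplification of what Workspace or Entra
# OAuth consent / token logs expose, not the real schema.
EVENTS = [
    {"actor": "anna@example.com", "app": "Notion", "scopes": ["drive.readonly", "email"]},
    {"actor": "ben@example.com", "app": "Apollo", "scopes": ["contacts", "gmail.readonly"]},
    {"actor": "cleo@example.com", "app": "Calendly", "scopes": ["calendar"]},
    {"actor": "dan@example.com", "app": "Notion", "scopes": ["drive"]},
    {"actor": "anna@example.com", "app": "Slack", "scopes": ["email"]},
]

# Catalogue of pre-approved apps from the approval flow (assumed values).
APPROVED_APPS = {"Slack", "Calendly"}
# Scopes that reach regulated data (files, mail, contacts) and so need a DPA first.
SENSITIVE_SCOPES = {"drive", "drive.readonly", "gmail.readonly", "contacts"}
# Offboarding feed: accounts whose SSO has already been revoked (assumed).
OFFBOARDED = {"ben@example.com"}


def discover(events, approved=APPROVED_APPS, sensitive=SENSITIVE_SCOPES, offboarded=OFFBOARDED):
    """Return one finding per app that is not in the approved catalogue.

    A finding lists the users who granted access, whether any grant touches a
    sensitive scope, and which grants belong to offboarded accounts, i.e. the
    authorizations that outlive SSO revocation.
    """
    by_app = defaultdict(list)
    for ev in events:
        by_app[ev["app"]].append(ev)
    findings = {}
    for app, grants in sorted(by_app.items()):
        if app in approved:
            continue  # sanctioned: nothing to report
        findings[app] = {
            "users": sorted({g["actor"] for g in grants}),
            "sensitive": any(set(g["scopes"]) & sensitive for g in grants),
            "orphaned": sorted({g["actor"] for g in grants if g["actor"] in offboarded}),
        }
    return findings


if __name__ == "__main__":
    for app, f in discover(EVENTS).items():
        print(f"{app}: users={f['users']} sensitive={f['sensitive']} orphaned={f['orphaned']}")
```

On the sample data the check reports Notion (two users, Drive scope, no orphaned grant) and Apollo (one user whose SSO is already revoked but whose grant persists); the two approved apps are silent.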
- Threat model: A structured exercise that walks the system's actors, attack surface, risks, and controls. Day one of every DField project · before any code.
- Penetration test (pentest): Manual + tooled attack simulation that reveals what an attacker could achieve. We deliver findings as PRs in your repo, not an 80-page PDF.
- DevSecOps: Security as a continuously-running CI step (SAST, DAST, SCA, IaC scan), not an annual project. Runs against every push; every sprint closes at least one security bug.
- MFA (Multi-factor auth): Two or more factors (TOTP, WebAuthn, biometric) beyond a password. Table-stakes in SaaS today · enterprise procurement disqualifies you without it.
- SOC 2: A US audit framework for confidentiality, integrity, availability, and privacy controls. For SaaS, the Type II audit (6-12 months of observation) is the standard enterprise baseline.
- ISO 27001: International standard for Information Security Management Systems (ISMS). Often preferred in Europe instead of or alongside SOC 2. 3-year certification cycle.