Hybrid SaaS Discovery Model


In cybersecurity, the Hybrid SaaS Discovery Model is an asset identification strategy that inventories an organization's Software-as-a-Service (SaaS) use by combining external (attacker-view) and internal (operational-view) data-gathering techniques, so that the blind spots of each perspective are covered by the other.

External Discovery Component

The external facet of the model focuses on detecting the public-facing footprint of an organization's SaaS use. This perspective is essential because it mirrors how a threat actor would perform reconnaissance to find vulnerabilities.

  • DNS and Web Analysis: Examining public DNS records, in particular CNAME records that point the organization's subdomains (e.g., support.company.com) at known third-party vendor platforms (e.g., Zendesk or Shopify), and fingerprinting specific technologies from HTTP response headers, cookies, and page source. A CNAME whose vendor-side target no longer resolves, or is no longer claimed on the vendor's platform, is a dangling record and the classic precondition for subdomain takeover.

  • Open Source Intelligence (OSINT): Searching public spaces—such as code repositories, search engines, and forums—to find configuration files, leaked credentials, or direct mentions of the organization's domain alongside a SaaS provider.

  • Purpose: To uncover unmanaged, externally exposed assets and dangling DNS records that leave subdomains susceptible to takeover.
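The CNAME check described above, as an added example that is not part of the original page or any vendor's tooling. It maps an organization's subdomains to SaaS vendors by matching the CNAME target against well-known public vendor suffixes, and flags targets that no longer resolve as takeover candidates. The DNS records and the set of live targets are constructed for the example, and the resolver is injected so the script runs offline; the `live_resolver` at the end shows the one-line swap for real lookups.

```python
"""Classify subdomains by the SaaS vendor their CNAME points at and flag dangling targets.

Added example (not the page's code). VENDOR_CNAME_SUFFIXES lists public,
well-known hosting suffixes; SAMPLE_CNAMES and LIVE_TARGETS are constructed data."""

import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Public CNAME suffixes that identify the hosting SaaS/PaaS platform.
VENDOR_CNAME_SUFFIXES = {
    ".zendesk.com": "Zendesk",
    ".myshopify.com": "Shopify",
    ".herokuapp.com": "Heroku",
    ".github.io": "GitHub Pages",
    ".unbouncepages.com": "Unbounce",
    ".s3.amazonaws.com": "AWS S3 website",
}

# Constructed zone data: subdomain -> CNAME target (trailing dot as returned by DNS).
SAMPLE_CNAMES = {
    "support.example.com": "example.zendesk.com.",
    "shop.example.com": "shops.myshopify.com.",
    "promo.example.com": "old-campaign.herokuapp.com.",       # app deleted at the vendor
    "docs.example.com": "example.github.io.",
    "legacy.example.com": "vm-legacy.internal-hosting.example.",  # dead, not a known vendor
}
# Constructed: the targets that still resolve in this scenario.
LIVE_TARGETS = {"example.zendesk.com", "shops.myshopify.com", "example.github.io"}


@dataclass
class CnameFinding:
    subdomain: str
    target: str
    vendor: Optional[str]
    dangling: bool

    @property
    def severity(self) -> str:
        if self.dangling and self.vendor:
            return "high"    # vendor platform, target unclaimed: takeover candidate
        if self.dangling:
            return "medium"  # dead record of unclear ownership, still needs cleanup
        return "info"        # live vendor-hosted asset to be recorded in the inventory


def identify_vendor(target: str) -> Optional[str]:
    """Return the vendor name whose public suffix matches the CNAME target, if any."""
    t = target.rstrip(".").lower()
    for suffix, vendor in VENDOR_CNAME_SUFFIXES.items():
        if t.endswith(suffix):
            return vendor
    return None


def assess_cnames(cnames: Dict[str, str], resolves: Callable[[str], bool]) -> List[CnameFinding]:
    """Classify every CNAME; `resolves` answers whether the target still has an address."""
    findings = [
        CnameFinding(sub, target, identify_vendor(target), not resolves(target))
        for sub, target in cnames.items()
    ]
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


def offline_resolver(name: str) -> bool:
    return name.rstrip(".").lower() in LIVE_TARGETS


def live_resolver(name: str) -> bool:
    """Real lookup for production use; not called in the offline run."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    for f in assess_cnames(SAMPLE_CNAMES, offline_resolver):
        print(f"{f.severity:6} {f.subdomain:22} -> {f.target:40} vendor={f.vendor} dangling={f.dangling}")
```

Note that "target does not resolve" is a necessary but not sufficient test: several vendors keep the wildcard DNS alive and serve a "no such site" page for unclaimed names, so a record that still resolves can also be claimable. Treat the `high` findings as candidates and confirm each one against the vendor's own behaviour (fetch the page and look for the vendor's unclaimed-resource response) before calling it a takeover.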

Internal Discovery Component

The internal facet is conducted within the organization's boundary to capture sanctioned and, more importantly, unsanctioned (Shadow IT) services.

  • Network and Endpoint Data: Analyzing network traffic logs, firewall logs, and proxy records to identify the domains and services employees are accessing, and the volume of data sent to each (sustained egress to an unsanctioned service is the first data-exfiltration indicator). It also includes reviewing the endpoint application inventory for installed SaaS desktop clients and browser extensions.

  • Financial and HR Data: Reviewing expense reports, procurement logs, and HR records to discover services that are officially paid for but may not be registered with the IT or security team.

  • Cloud Access Security Broker (CASB) Data: Leveraging a CASB to monitor and control access to cloud services. It provides a list of the services observed through its enforcement points (forward or reverse proxy, API connectors, or ingested firewall and proxy logs), which is only as complete as the traffic actually routed through it.

  • Purpose: To gain visibility into who is using what data on which services to identify policy violations and internal control failures.

The Hybrid Advantage

The value of the hybrid model is in fusing these two complementary data sets.

  • An external-only scan might miss internal, sensitive SaaS platforms that have no public-facing subdomains but still host critical data.

  • An internal-only scan might not flag a misconfigured external-facing SaaS application, like an unmanaged marketing landing page or an exposed cloud storage bucket, as a high-risk security flaw.

By combining the two, security teams can correlate an externally exposed risk (e.g., a dangling CNAME pointing at a decommissioned PaaS application) with the internal owner of that service (found via the CMDB, procurement, or expense records), producing a far more complete asset inventory and shortening the path to remediation.
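The internal discovery step and the fusion described above, as one added example that is not part of the original page or any vendor's product. It aggregates a proxy log per SaaS vendor, classifies each vendor as sanctioned or shadow IT, and then joins that internal view with the output of an external CNAME sweep and with owner records to derive a remediation action per vendor. The proxy log format, the sanctioned list, the external findings, and the owner records are all constructed for the example. One detail worth noticing: the proxy records the requested hostname, so a vendor-hosted first-party subdomain such as support.example.com looks like first-party traffic until the external CNAME findings are applied to it.

```python
"""Internal SaaS discovery over proxy logs, fused with an external CNAME sweep.

Added example, not the page's or any vendor's code. PROXY_LOG, SANCTIONED,
KNOWN_SAAS, EXTERNAL_FINDINGS and OWNERS are constructed for the example."""

import re
from collections import defaultdict

# Constructed proxy log, one request per line: "<timestamp> <user> <dest_host> <bytes_out>"
PROXY_LOG = """\
2024-05-01T09:01:12Z alice support.example.com 1200
2024-05-01T09:02:40Z bob app.asana.com 5400
2024-05-01T09:03:05Z carol www.dropbox.com 734000
2024-05-01T09:04:11Z alice support.example.com 3100
2024-05-01T09:05:50Z dave files.notion.so 22000
2024-05-01T09:06:02Z carol www.dropbox.com 1800000
2024-05-01T09:07:31Z bob example.okta.com 900
malformed line that the parser must skip
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

SANCTIONED = {"asana.com": "Asana", "zendesk.com": "Zendesk", "okta.com": "Okta"}
KNOWN_SAAS = {**SANCTIONED, "dropbox.com": "Dropbox", "notion.so": "Notion"}

# Constructed: what an external CNAME sweep reports about first-party subdomains.
EXTERNAL_FINDINGS = [
    {"subdomain": "support.example.com", "vendor": "Zendesk", "dangling": False},
    {"subdomain": "promo.example.com", "vendor": "Heroku", "dangling": True},
]
# Constructed: owner per vendor from the CMDB and procurement (purchase order numbers).
OWNERS = {"Zendesk": "Customer Support (PO-2231)", "Asana": "PMO (PO-1987)", "Okta": "IT Identity"}


def registrable(host):
    # Last two labels; use a Public Suffix List library on real data (co.uk and friends).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def summarize_proxy_log(text, external=EXTERNAL_FINDINGS):
    """Aggregate users and bytes per SaaS vendor and classify sanctioned vs shadow IT.
    The external CNAME findings are consulted first so that a vendor-hosted
    first-party hostname is attributed to the vendor, not to example.com."""
    cname_vendor = {f["subdomain"]: f["vendor"] for f in external}
    usage = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        _, user, host, nbytes = m.groups()
        vendor = cname_vendor.get(host.lower()) or KNOWN_SAAS.get(registrable(host))
        if vendor is None:
            continue  # not a recognised SaaS destination
        usage[vendor]["users"].add(user)
        usage[vendor]["bytes"] += int(nbytes)
    sanctioned_vendors = set(SANCTIONED.values())
    return {
        v: {"users": sorted(d["users"]), "bytes": d["bytes"],
            "status": "sanctioned" if v in sanctioned_vendors else "shadow-it"}
        for v, d in usage.items()
    }


def fuse(internal, external=EXTERNAL_FINDINGS, owners=OWNERS):
    """Join external exposure, internal usage and ownership per vendor and
    derive a remediation action that neither side could justify alone."""
    vendors = set(internal) | {f["vendor"] for f in external}
    out = {}
    for v in sorted(vendors):
        ext = [f for f in external if f["vendor"] == v]
        use = internal.get(v)
        owner = owners.get(v)
        if any(f["dangling"] for f in ext):
            action = "remove or re-point dangling CNAME" + ("" if owner else "; no owner on record")
        elif use and use["status"] == "shadow-it":
            action = "unsanctioned SaaS in use: assign owner and review data, or block at proxy"
        elif owner is None:
            action = "in use but no owner: find owner via procurement/expense records"
        else:
            action = "managed"
        out[v] = {"external": ext, "internal": use, "owner": owner, "action": action}
    return out


if __name__ == "__main__":
    for vendor, rec in fuse(summarize_proxy_log(PROXY_LOG)).items():
        print(f"{vendor:8} {rec['action']}")
```

In this run the dangling Heroku record has no internal traffic and no owner, so it is a pure cleanup item; Dropbox and Notion carry real user traffic (2.5 MB outbound to Dropbox from one user) with no owner and no sanction, which is the shadow-IT case; Zendesk is visible on both sides and has an owner, so it is simply recorded as managed.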

ThreatNG's capabilities are specifically and entirely focused on the External Discovery Component of the Hybrid SaaS Discovery Model. It provides the comprehensive, attacker-view intelligence necessary for an organization to effectively correlate and manage external SaaS risks against its internal controls.

ThreatNG’s Contribution to Hybrid SaaS Discovery

External Discovery

ThreatNG’s entire operation is based solely on external, unauthenticated discovery. This directly fulfills the external component of the hybrid model by mapping the attack surface as an adversary would see it. This includes discovering exposed digital risks across the organization’s entire external digital footprint.

Investigation Modules

ThreatNG uses several modules to identify and classify external SaaS exposure systematically.

  • Cloud and SaaS Exposure: This is the key module, which houses SaaSqwatch (SaaS Discovery and Identification). It identifies:

    • Sanctioned Cloud Services.

    • Unsanctioned Cloud Services, which is vital for detecting Shadow IT from an external perspective.

    • Cloud Service Impersonations.

    • Open Exposed Cloud Buckets of AWS, Microsoft Azure, and Google Cloud Platform.

  • Detailed Examples of SaaSqwatch Findings: The module identifies specific SaaS applications, covering:

    • Identity and Access Management, like Azure Active Directory and Okta.

    • Project Management, like Aha and Asana.

    • Communication and Collaboration, like Slack and Zoom.

    • IT Service Management, like ServiceNow.

  • Technology Stack: This module identifies nearly 4,000 specific technologies that often underpin SaaS. It details subcategories like Identity and Access Management (IAM) and Collaboration & Document Management.

External Assessment and Security Ratings

The findings are immediately converted into quantifiable risk and compliance metrics, allowing for prioritization.

  • Detailed Examples of Risk Assessment:

    • Supply Chain & Third-Party Exposure Security Rating (A-F): This rating is based directly on findings across SaaS Identification and the Technology Stack. This quantifies the risk introduced by the externally identified SaaS vendors.

    • Data Leak Susceptibility: This rating is derived from identifying risks such as Cloud Exposure (specifically exposed open cloud buckets) and Externally Identifiable SaaS applications.

    • External GRC Assessment: This provides a continuous, outside-in evaluation of Governance, Risk, and Compliance (GRC), mapping external risks directly to GRC frameworks such as HIPAA, GDPR, and NIST CSF.

Intelligence Repositories

The knowledge required for accurate SaaS identification and risk prediction is maintained in ThreatNG’s repositories.

  • Detailed Examples of Intelligence Support:

    • The DarCache Vulnerability repository integrates NVD (technical details/severity) and KEV (active exploitation), allowing ThreatNG to identify Known Vulnerabilities for the technologies identified by the Technology Stack module. This links external technology use to known security flaws.

    • The DarCache 8-K repository and the Sentiment and Financials module provide the necessary legal and financial context to support Legal-Grade Attribution for any discovered exposed SaaS asset.

Continuous Monitoring and Reporting

ThreatNG provides Continuous Monitoring of the external attack surface and digital risk. This ensures that new Shadow IT (Unsanctioned Cloud Services) or configuration drift in existing SaaS platforms (e.g., a newly exposed cloud bucket) is captured immediately, enabling a timely response.

  • Reporting Examples: The results are provided in External GRC Assessment Mappings reports (PCI DSS, HIPAA, GDPR, etc.), giving GRC teams the documentation needed to reconcile external risks with internal compliance policies.

Cooperation with Complementary Solutions

ThreatNG provides the highly accurate, external intelligence that completes the internal picture generated by other security tools in a hybrid model.

Example of ThreatNG Helping:

ThreatNG helps by detecting an exposed third-party landing page service, like Unbounce (identified via the Cloud and SaaS Exposure module), that contains an administrative email address. The Context Engine™ provides Legal-Grade Attribution by definitively connecting this exposed marketing asset to a specific, high-value campaign mentioned in public news (Sentiment and Financials).

Example of ThreatNG and Complementary Solutions Cooperation:

  1. ThreatNG's SaaSqwatch externally identifies the Workday (ERP) platform in Cloud and SaaS Exposure and simultaneously detects a related set of compromised credentials from its Compromised Credentials repository.

  2. A complementary Internal Discovery Solution (e.g., an internal network monitoring tool) could leverage ThreatNG’s external findings of exposed credentials. It could then immediately cross-reference the credential data (username) against its internal identity logs to verify the internal employee and trace any suspicious internal activity related to the Workday platform.

  3. This correlation integrates external evidence of compromise (from ThreatNG) with the internal system context, providing the security team with the whole picture needed for a coordinated hybrid response.
