👀 Shadow Vendors, Unmasked
Why we built real-time OAuth monitoring and what we found
You probably know what’s on your sanctioned app list. You probably don’t know what your users are actually connecting to.
Today, we’re launching Shadow Vendor Monitoring, a new capability in Inocula that gives you real-time visibility into OAuth-based applications, over-permissioned vendors, and high-risk behavior that bypasses procurement entirely.
It started, as many things do, with a spreadsheet that didn’t match reality.
🛠 What we built
OAuth grants are one of the most common attack surfaces in modern orgs, and one of the least audited: a user can hand a third party standing access to mail, calendar, contacts, or Drive with one consent screen, and nobody in security sees it. Our new Shadow Vendor Monitoring module:
- Detects all OAuth-connected apps, even those not sanctioned by IT
- Flags over-permissioned or high-risk vendors based on scopes, install count, and vendor maturity
- Tracks experimentalist users, the employees who love trying every new app (and exposing your workspace in the process)
- Shows full account-to-scope mapping so you can see exactly what was granted, when, and by whom
You also get a revocation button. One click. No waiting for a ticket to clear.
📦 The Google Takeout Incident
One of the first test runs of this feature caught something we weren’t expecting.
An employee, on their way out of the company, had authenticated Google Takeout using their work account. Nothing malicious. Just a simple attempt to download “their stuff.”
What they didn’t realize (and what security hadn’t seen) was that Takeout was granted access to:
- All calendar entries
- Every email
- Drive contents
- And even third-party connected app data
They didn’t end up exporting anything—but they could have.
I wish this had existed back then; it would have made finding that issue so much simpler.
It wasn’t a breach. But it would’ve been one, in a different story. That’s the line we’re trying to catch, before it gets crossed.
🧪 Who’s experimenting on your infrastructure?
One surprising finding: the average experimentalist user had 14 app installs, including several with calendar, email, and contacts permissions.
We don’t say this to point fingers. These users aren’t malicious; they’re curious. But they’re exposing sensitive data to vendors with zero vetting and no visibility from security.
So we built a Top Experimentalist view that shows exactly who’s connecting what, when, and with what scopes. You can drill in, review, and respond.
🧠 Scopes matter. Context matters more.
Not all apps are dangerous. But many are noisy. And some look safe… until you see what they’ve been granted:
- Read access to every calendar event
- Full contact directory exports
- Mailbox metadata collection
- Persistent session tokens
Shadow Vendor Monitoring doesn’t just show you apps. It gives you the context that matters: down to the last authenticated user and the specific Google scopes they approved.
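To make the scope-based flagging, install-count ranking, and account-to-scope mapping from “What we built”, “Who’s experimenting”, and this section concrete, here is an added example (not Inocula’s code, and not how the product scores anything). It runs over a constructed list of grants shaped like the Google Admin SDK Directory API `users.tokens.list` response (`userKey`, `clientId`, `displayText`, `scopes`). The scope weights, the risk threshold, and the sample apps and users are assumptions for illustration; the revoke URL follows the real `users.tokens.delete` endpoint, but no request is sent.

```python
"""Triage OAuth grants in a Google Workspace tenant by scope risk.

Input records mirror the Directory API users.tokens.list item shape.
Scope weights and sample data are assumptions for this example.
"""
from collections import defaultdict
from urllib.parse import quote

# Data-access scopes and an illustrative weight (assumption, not a product model).
SCOPE_WEIGHTS = {
    "https://mail.google.com/": 5,                            # full mailbox access
    "https://www.googleapis.com/auth/gmail.modify": 5,
    "https://www.googleapis.com/auth/gmail.readonly": 4,      # every email
    "https://www.googleapis.com/auth/gmail.metadata": 2,      # mailbox metadata only
    "https://www.googleapis.com/auth/drive": 5,               # all Drive contents
    "https://www.googleapis.com/auth/drive.readonly": 4,
    "https://www.googleapis.com/auth/calendar": 3,
    "https://www.googleapis.com/auth/calendar.readonly": 2,   # read every calendar event
    "https://www.googleapis.com/auth/contacts": 3,
    "https://www.googleapis.com/auth/contacts.readonly": 3,   # contact directory export
}
# Sign-in-only scopes carry no data access and score zero.
IDENTITY_SCOPES = {"openid", "https://www.googleapis.com/auth/userinfo.email",
                   "https://www.googleapis.com/auth/userinfo.profile"}

# Constructed sample grants (fake users and client IDs), not real tenant data.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "111.apps.googleusercontent.com",
     "displayText": "NoteTaker AI", "scopes": ["openid",
        "https://www.googleapis.com/auth/gmail.readonly",
        "https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "alice@example.com", "clientId": "222.apps.googleusercontent.com",
     "displayText": "Chat Connector", "scopes": ["https://www.googleapis.com/auth/userinfo.email",
        "https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "alice@example.com", "clientId": "333.apps.googleusercontent.com",
     "displayText": "ContactSync", "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
    {"userKey": "bob@example.com", "clientId": "111.apps.googleusercontent.com",
     "displayText": "NoteTaker AI", "scopes": ["openid",
        "https://www.googleapis.com/auth/gmail.readonly",
        "https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "bob@example.com", "clientId": "444.apps.googleusercontent.com",
     "displayText": "Expense Scanner", "scopes": ["https://mail.google.com/",
        "https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com", "clientId": "222.apps.googleusercontent.com",
     "displayText": "Chat Connector", "scopes": ["https://www.googleapis.com/auth/userinfo.email",
        "https://www.googleapis.com/auth/calendar.readonly"]},
]


def scope_risk(scopes):
    """Sum of weights for data-access scopes; identity-only grants score 0."""
    return sum(SCOPE_WEIGHTS.get(s, 0) for s in scopes if s not in IDENTITY_SCOPES)


def account_scope_map(tokens):
    """user -> {clientId: sorted scopes}: the account-to-scope mapping."""
    mapping = defaultdict(dict)
    for t in tokens:
        mapping[t["userKey"]][t["clientId"]] = sorted(t["scopes"])
    return dict(mapping)


def app_summary(tokens):
    """clientId -> name, installing users, union of scopes, worst single-grant risk."""
    apps = {}
    for t in tokens:
        a = apps.setdefault(t["clientId"], {"displayText": t["displayText"],
                                             "users": set(), "scopes": set(), "risk": 0})
        a["users"].add(t["userKey"])
        a["scopes"].update(t["scopes"])
        a["risk"] = max(a["risk"], scope_risk(t["scopes"]))
    return apps


def flagged_apps(tokens, risk_threshold=5):
    """Over-permissioned apps at or above the threshold, highest risk then widest install first."""
    hits = [(cid, a) for cid, a in app_summary(tokens).items() if a["risk"] >= risk_threshold]
    return sorted(hits, key=lambda x: (-x[1]["risk"], -len(x[1]["users"])))


def experimentalists(tokens, top=3):
    """Users ranked by distinct connected apps, ties broken by total scope risk."""
    per_user = account_scope_map(tokens)
    ranked = sorted(per_user.items(),
                    key=lambda kv: (-len(kv[1]), -sum(scope_risk(s) for s in kv[1].values())))
    return [(user, len(apps)) for user, apps in ranked[:top]]


def revoke_url(user_key, client_id):
    """DELETE target for Directory API users.tokens.delete; nothing is sent here."""
    return ("https://admin.googleapis.com/admin/directory/v1/users/"
            f"{quote(user_key, safe='')}/tokens/{quote(client_id, safe='')}")


if __name__ == "__main__":
    for cid, a in flagged_apps(SAMPLE_TOKENS):
        print(f"FLAG {a['displayText']} risk={a['risk']} installs={len(a['users'])}")
        for user in sorted(a["users"]):
            print("   revoke:", revoke_url(user, cid))
    print("experimentalists:", experimentalists(SAMPLE_TOKENS))
```

The ordering matters in practice: an app with full mailbox and Drive scopes on a single account outranks a lower-scope app with many installs, because one over-scoped grant is enough to exfiltrate a mailbox. Pulling real records instead of `SAMPLE_TOKENS` means calling `users.tokens.list` with an admin credential and feeding each item's `scopes` through the same functions.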
⛓ It’s not about blocking, it’s about seeing
We didn’t build this to stop innovation. We built it so you could see what’s actually happening and make better, faster decisions about risk.
You can’t manage what you can’t see. Now you can.