Independent and vendor-neutral. Every figure on this site is either a source-cited published statistic or a reader-controlled bounded calculation. No vendor averages presented as fact.

ShadowITCost

Last verified April 2026

Method 1 of 4

CASB and Network Analysis for Shadow IT Discovery

How Cloud Access Security Brokers and network log analysis surface SaaS traffic from managed devices. Strong on on-network coverage, blind on personal devices and home networks.

What this method covers

A CASB (Cloud Access Security Broker) or network analysis approach observes SaaS traffic at the network layer on managed devices and managed egress points. The tool inspects DNS queries, HTTPS handshakes, and in some deployments, API traffic, and matches observed destinations against a database of known SaaS applications. The output is a usage inventory: which cloud services are being accessed, from how many devices, how often, and what data volumes are involved.

In a shadow IT discovery context, this method answers the question: what SaaS apps are our managed devices actually using that we have not catalogued? It is the technical counterpart to SSO gap analysis (which asks what apps are connected to our IdP) and expense audit (which asks what apps we are paying for). CASB sees apps that users connect to but may not pay for directly, including free tiers and personal accounts used on managed devices.

Typical coverage and blind spots

Coverage estimate on managed-device populations with consistent network egress: 60 to 85 percent of the visible SaaS portfolio. This is a practitioner heuristic, not a measured figure. Variance is driven by the share of employees using managed versus personal devices, whether home-network SaaS access routes through a managed VPN, and how well your CASB's app catalogue covers regional or niche tools.

The principal blind spots: personal devices not enrolled in your management framework, SaaS access from home networks when the device is not on a managed VPN, personal accounts accessed on managed devices through non-federated browser profiles, mobile-only SaaS access in BYOD programs, and tools users actively use to avoid the managed channel (personal hotspots, unapproved VPNs). These gaps are the reason CASB is layered with SSO gap, expense audit, and survey.

Deployment effort

For discovery (log collection and parsing) the deployment timeline is typically weeks. Log sources, forwarder installation, catalog mapping, and a first usable dashboard are achievable in four to eight weeks in mid-market environments. For enforcement (blocking, DLP, conditional access), the timeline extends to months because of stakeholder engagement, exception handling, and policy refinement.

If shadow IT discovery is the only goal, starting with your existing DNS logs (from your managed resolver or egress firewall) plus a SaaS domain lookup table is a lower-cost first step. A spreadsheet join between DNS hit counts and a known-SaaS-domain list surfaces the most-accessed shadow apps with no new tool spend. A full CASB becomes justified when you layer DLP, ZTNA, or in-line enforcement on top of discovery.
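The DNS-log join described above, as an added example (not code from this site): it matches queried names against a SaaS domain table on label boundaries and aggregates per app. The domain table, the sanctioned-app set, the log format and every log line are constructed for illustration. Client IP stands in for device and is only as reliable as your DHCP and NAT records.

```python
# Constructed data: domain suffix -> (app, category); log rows are timestamp,client,qname.
SAAS_DOMAINS = {
    "slack.com": ("Slack", "Collaboration"),
    "dropbox.com": ("Dropbox", "File sharing"),
    "dropboxusercontent.com": ("Dropbox", "File sharing"),
    "example-ai.test": ("ExampleAI", "AI assistant"),
}
SANCTIONED = {"Slack"}  # assumption: apps already in the official catalogue
SAMPLE_LOG = """\
2026-04-01T09:00:01Z,10.0.0.11,files.slack.com
2026-04-01T09:02:10Z,10.0.0.12,www.dropbox.com
2026-04-01T09:05:42Z,10.0.0.13,dl.dropboxusercontent.com
2026-04-02T14:30:00Z,10.0.0.12,WWW.Dropbox.com.
2026-04-02T15:00:00Z,10.0.0.14,notslack.com
2026-04-03T08:15:00Z,10.0.0.11,chat.example-ai.test
"""

def match_app(qname):
    """Suffix match on label boundaries, so 'notslack.com' never matches 'slack.com'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if hit := SAAS_DOMAINS.get(".".join(labels[i:])):
            return hit
    return None

def build_inventory(log_text):
    """Per app: query count, distinct clients, first/last seen (ISO UTC strings sort correctly)."""
    inv = {}
    for line in log_text.splitlines():
        row = line.strip().split(",")
        if len(row) != 3 or (hit := match_app(row[2])) is None:
            continue  # malformed line, or not a known SaaS domain
        ts, client, (app, category) = row[0], row[1], hit
        r = inv.setdefault(app, {"category": category, "queries": 0,
                                 "clients": set(), "first": ts, "last": ts})
        r["queries"] += 1
        r["clients"].add(client)
        r["first"], r["last"] = min(r["first"], ts), max(r["last"], ts)
    return inv

def shadow_apps(inv):
    """Uncatalogued apps, most distinct clients first; query counts are cache-skewed."""
    rows = [(a, r["category"], len(r["clients"]), r["queries"], r["first"], r["last"])
            for a, r in inv.items() if a not in SANCTIONED]
    return sorted(rows, key=lambda x: (-x[2], -x[3], x[0]))

if __name__ == "__main__":
    print(*shadow_apps(build_inventory(SAMPLE_LOG)), sep="\n")
```

Rank on distinct clients rather than raw query counts: resolver caching and browser prefetch make hit counts a poor proxy for real usage.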

Tool examples and affiliate disclosure

Major CASB vendors include Netskope, Zscaler, Microsoft Defender for Cloud Apps (bundled in the Microsoft Defender / E5 stack), Palo Alto Prisma Access, Cisco Umbrella, Forcepoint, and Cloudflare Gateway. This site does not endorse a specific vendor. The tools overview page covers the CASB category and when the spend is justified relative to alternatives. Where affiliate links appear they are disclosed there.

What output you get

A CASB or well-run network analysis produces a SaaS usage inventory with columns that typically include: app name, app category, user count, device count, data volume, first-seen date, last-seen date, risk score (vendor-assigned from their catalog). For a discovery output fit for the consolidated shadow app registry, merge this inventory with the SSO gap output and the expense audit output, de-duplicating by app name. The discovery methods overview page has the consolidated registry template.

Honest sequencing

CASB is method three or four in the sequence for most mid-market organizations, not method one. Start with SSO gap (data you already own), add expense audit (finance data you already own), then layer CASB or network analysis once you have a baseline and an investment case for the tool.

Frequently asked questions

What is a CASB?
A Cloud Access Security Broker is a security control that sits between managed users or devices and the cloud services they use. CASBs observe SaaS traffic, apply policy (block, monitor, require step-up auth, apply DLP), and produce a usage inventory. The inventory is what matters for shadow IT discovery. Major CASBs include Netskope, Zscaler, Microsoft Defender for Cloud Apps, Palo Alto Prisma Access, and Cisco Umbrella.
Do I need a full CASB or is DNS log analysis enough?
For shadow IT discovery alone, DNS log analysis on your managed network egress plus a SaaS domain lookup table will surface most commonly-used SaaS apps at a fraction of the cost of a full CASB. A full CASB is warranted when you have other use cases (inline DLP, ZTNA, API-based data inspection, compliance requirement for in-line control). If discovery is the only goal, start with DNS logs.
What does CASB miss?
Personal devices not enrolled in your management framework. Home network traffic when the device is not on a managed VPN. Personal accounts on managed devices where the browser profile is not federated. SaaS apps accessed only from mobile. Tools where the user deliberately uses a different network or device. These gaps are why you layer CASB with SSO gap analysis, expense audit, and survey.
How long does CASB deployment take?
The discovery capability (log collection and parsing) is often live within weeks. Applying enforcement policy (blocking, DLP, conditional access) typically takes months because of stakeholder engagement, exception handling, and policy refinement. For a discovery sprint, the log collection phase is sufficient. Enforcement is a separate governance workstream.
How do CASB coverage claims relate to the 60 to 85 percent figure on this site?
The 60 to 85 percent range reflects practitioner experience on managed-device populations. Vendor-published CASB coverage claims are typically higher (90 percent plus) but are often measured against their own definition of the addressable market. The honest number depends on your actual managed-device share of total employee app access. If most of your workforce uses managed devices on managed networks for SaaS, the number is higher. If significant SaaS access happens from personal devices or outside the managed network, it is lower.
Does CASB help with shadow AI specifically?
Partially. CASBs are adding generative-AI-specific discovery and policy features, typically surfacing categories like 'AI assistant', 'image generation', 'code generation'. The discovery is useful. The policy enforcement depends on whether your CASB inspects AI prompts and outputs at the content level, which is still an evolving capability. For shadow AI discovery, CASB plus browser extension inventory plus an amnesty survey gives a more complete picture than CASB alone.