Lab 1 — Shadow IT Discovery

Lab 1⏱ 30 min🏢 Enterprise Tenant · Read-Only👤 Alex

Shadow IT Discovery — SaaS Security Report

Dataparity's security team has no visibility into which cloud applications employees are actually using. Alex's job is to surface that shadow IT footprint using the Zscaler SaaS Security Report — before an unsanctioned app becomes a breach vector.

🔍

Alex — Security Analyst

Enterprise Tenant (Read-Only) — Observation Mode

You are Alex. Your first task is to understand the scale of Dataparity's shadow IT problem. Every unsanctioned app in this report is a potential data exfiltration vector — especially for payroll and financial data.

🎯Reach the SaaS Security Report and review the top-level view of every cloud application observed through the Zscaler proxy — sanctioned and unsanctioned.

1. Open the SaaS Security Report — Shadow IT Overview

After logging in, you should land on the Experience Center dashboard.

Experience Center landing page — the default view immediately after login.

Click Switch to Existing Reports in the bottom-left corner.

"Switch to Existing Reports" toggle in the bottom-left corner of the Experience Center.

Analytics → SaaS Security Report

Analytics left-nav with SaaS Security Report highlighted.

You should now see the SaaS Security Report top-level view.

SaaS Security Report — top-level Applications view showing total app count, sanctioned/unsanctioned split, and Risk Index distribution.

Scroll down to the Cloud Applications table.

Cloud Applications table — full list with sanctioned vs. unsanctioned flag, Risk Index, user count, and upload/download volume per app.

This is read-only. Observe and note what stands out — do not modify any settings.

💬 Discussion

• How many unsanctioned apps can you see? Does the number surprise you?
• Which app has the highest Risk Index — is it sanctioned or unsanctioned?
• What does the upload vs. download volume tell you about how employees are using cloud apps?
• If an employee uploaded a payroll spreadsheet to an unsanctioned app, would your current controls catch it?

💡 Key Insight

Zero-touch discovery, zero agents.

Every app in this report was discovered passively as traffic flowed through the Zscaler cloud — no endpoint software, no network taps. This is the foundation that makes everything in Module 2 possible: you can only protect what you can see.

💡 Facilitator Notes

Point out the gap between what IT has sanctioned and what users are actually running. If GenAI apps (ChatGPT, Gemini, Copilot) appear in the unsanctioned list, use that as the hook for the payroll data narrative that runs through Labs 3, 4, 6, and 9.

Typical attendee reaction: surprise at the volume of apps. Let that land before moving on — it's the emotional anchor for why everything in Module 2 matters.

Transition: "Now that we can see every app, the next question is — what data is moving through them? That's Lab 3."

2. Drill Into an Unsanctioned App — App Risk Profile

Content pending.

3. App Instance Discovery — Corporate vs. Personal

Content pending.

4. Auto Discovery — What Content Is Being Uploaded?

Content pending.