UNDER THE HOOD
How Mapit detects your business SaaS
2 May 2026
2 min read
How Mapit still maps around 95% of your SaaS without losing sight of your employees' privacy.

Mapit makes approximately 95% of your organization's business SaaS usage visible, including the shadow IT that grew without anyone reviewing it.
Two ways of mapping your SaaS
The workspace connection
The safest way to sign in to an app is with single sign-on: the "Sign in with Google" or "Sign in with Microsoft" button, instead of yet another password. So we encourage organisations to steer their people that way. And once Mapit is connected to your workspace, it quietly keeps track of every app your team has signed in to this way, without anyone having to report a thing. Not just the tools IT rolled out, but the ones people started using on their own. That's where most of your stack turns up.
The browser extension
Not every app uses single sign-on. Sometimes someone logs in with their work email and a password of their own, and nothing shows up through the connection. The extension for Chrome and Edge recognises that login moment and reports the app to Mapit. That fills the gap the connection leaves.
Rolling it out
You don't ask anyone to install a thing. The extension is pushed out centrally, straight from Microsoft Intune or the Google Admin Console, to every managed Chrome and Edge browser at once. You can lock it in place so it stays put. For the person at their desk, nothing changes. For you, it is one policy, not a hundred installs.
What Mapit can touch
Since IT always asks: the detection runs read-only. Mapit reads metadata about which apps are used and who has access, never the content of anything. There is no agent on your servers or laptops, just the workspace connection and the browser extension. Acting on what you find, like revoking access, only happens when you choose to. And all data stays in the EU.
Together, the full picture
Side by side, the two channels give you the overview you actually decide on: which apps are running, who has access, and what grew alongside the tools IT rolled out.
The last bit we leave on purpose
We could close that final gap. Technically, an extension can watch everything that happens in a browser, and then almost nothing slips through. But "everything" includes the private stuff: someone's personal email, their banking, the webshop they opened at lunch. A work tool has no business seeing any of that.
So we drew a clear line. Mapit's extension only registers the login moment of a work app, the web address and the work email used to sign in. It ignores personal sites entirely, and it never reads the content of a page. The price is that a small slice stays invisible: dormant sessions and native desktop clients that leave no login trail. We think that's the right trade-off. Visibility shouldn't come at the cost of looking over someone's shoulder.
Mapit shows every app and who has access in 5 minutes, and keeps it current.
Why is it so hard to track SaaS?
What does Mapit see, and what not?
What's the biggest SaaS security risk for an SMB?
How many SaaS tools does the average SMB use?
