SASECompare

Who Actually Controls Shadow SaaS: CASB and Shadow IT Discovery Across 8 SASE Vendors

Shadow IT became Shadow AI, and CASB is how you claw back control. We ran 5 CASB checks on Zscaler, Netskope, Palo Alto, Cato, Cisco, Fortinet, Cloudflare, and Check Point. Three vendors scored 100%. One holds the only NO in the dataset.

SASECompare Research

The Problem CASB Was Built For Just Got Ten Times Bigger

CASB, the cloud access security broker, was invented to solve one question: which cloud apps are your employees actually using, and can you control them? A decade ago that meant a few hundred SaaS tools and a slow-moving problem. In 2026 it means tens of thousands of apps, a new one launched every day, and a workforce that signs up for whatever gets the job done before IT ever hears about it.

Then came the accelerant. Shadow IT quietly turned into shadow AI. Every unsanctioned ChatGPT tab, every AI note-taker bolted onto a calendar, every browser extension with an OAuth grant is a new SaaS relationship your security team never approved. Our companion analysis, Shadow AI Is Exploding, documented a 91% year-over-year surge in enterprise AI activity and hundreds of monthly data-policy violations per organization. CASB is the layer that has to see and govern all of it, because you cannot secure what you cannot see.

The CASB and Shadow IT comparison notes that 56% of organizations report concerns about overprivileged API access. That is not a discovery problem. That is a control problem. And control is exactly where the 8 major SASE vendors separate.

We tested all 8 on 5 CASB capabilities that decide whether you actually govern shadow SaaS or just watch it scroll by: automatic shadow IT discovery, app risk scoring with risk-based blocking, having both inline and API-based CASB modes, OAuth and SaaS-to-SaaS integration control, and the breadth of the cloud app catalog (10,000+ pre-classified apps).

The Scorecard

| Rank | Vendor | YES | PARTIAL | NO | Score |
|---|---|---|---|---|---|
| 1 | Netskope | 5 | 0 | 0 | 100% |
| 1 | Cisco | 5 | 0 | 0 | 100% |
| 1 | Check Point | 5 | 0 | 0 | 100% |
| 4 | Zscaler | 4 | 1 | 0 | 90% |
| 4 | Palo Alto Networks | 4 | 1 | 0 | 90% |
| 6 | Fortinet | 3 | 2 | 0 | 80% |
| 6 | Cato Networks | 3 | 2 | 0 | 80% |
| 8 | Cloudflare | 3 | 1 | 1 | 70% |

Netskope, Cisco, and Check Point pass all five checks. That Netskope sits at the top is no accident: the company was born as a CASB, and cloud app control has been its center of gravity from day one. Cloudflare anchors the bottom at 70% and holds the only NO in the entire dataset. As always, the ranking is the least interesting part. The story is in what separates a 100% CASB from a 70% one, and every gap here maps to a specific SaaS blind spot.

Check 1: Automatic Shadow IT Discovery

Does the platform discover unsanctioned SaaS apps across all users without manual configuration?

All 8 vendors score YES. This is now table stakes, and the architectures converge: mine the traffic you already carry, surface the apps.

| Vendor | Score | How It Discovers |
|---|---|---|
| Cato Networks | YES | Mines billions of user flows through Cato Cloud, no agents or manual app lists |
| Netskope | YES | Inline steered traffic plus log parsing from perimeter firewalls, GenAI models categorize new apps |
| Cisco | YES | Discovers every app as traffic (including DNS) passes through Umbrella/Secure Access |
| Zscaler | YES | Shadow IT Report from user traffic and transaction logs across all locations |
| Palo Alto Networks | YES | App-ID Cloud Engine (ACE) auto-discovers all SaaS apps and users after activation |
| Check Point | YES | SaaS Security maps the SaaS ecosystem within minutes of an API connection |
| Fortinet | YES | FortiCASB ingests FortiGate/FortiAnalyzer logs to surface apps per user |
| Cloudflare | YES | Shadow IT SaaS analytics from Gateway HTTP traffic, discovered apps default to "unreviewed" |

The takeaway: if a vendor is selling shadow IT discovery as a differentiator in 2026, they are selling you the floor. The one caveat worth noting is dependency: Fortinet requires you to configure the log feed first, and Cloudflare and Zscaler need the relevant traffic proxied. Discovery is only as complete as the traffic your platform actually sees.

Check 2: App Risk Scoring and Risk-Based Blocking

Can it score discovered apps and block access based on a risk threshold?

Here is the first crack. Discovery tells you an app exists. Risk scoring tells you whether to care, and risk-based blocking is what turns a dashboard into a control.

| Vendor | Score | Scoring Model |
|---|---|---|
| Netskope | YES | Cloud Confidence Index scores each app 0-100 across 50+ attributes, policies block below a threshold |
| Cato Networks | YES | ML-based 0-10 risk score (7+ flagged high-risk), Application Control blocks on score and compliance |
| Zscaler | YES | Risk Index 1-5, Cloud Application Risk Profiles block apps that fail a chosen threshold |
| Palo Alto Networks | YES | SaaS Risk Score 1-5 with customizable weights, predefined Block Access rule |
| Cisco | YES | Composite Risk Score (Very Low to Critical), Web policy blocks by risk level or category |
| Fortinet | YES | Cloud risk score with a filterable slider, blocking via FortiGate application control |
| Check Point | YES | Classifies from its catalog into risk tiers such as "Critical Risk," blocks by category/risk tier |
| Cloudflare | PARTIAL | Application Confidence Scorecards quantify risk, but Gateway blocks on manual approval status, not a score threshold |

Cloudflare is the outlier. Its 5-point Application Posture and Gen-AI Posture scores exist in the Application Library, but enforcement is still driven by manual approved/unapproved/in-review status. Score-based blocking was announced as a future capability, not a shipping block-by-threshold control. In practice that means an analyst still has to triage apps by hand instead of writing "block anything above risk X." Note also the nuance on the leaders: Check Point and Cisco block by risk tier or category rather than a granular numeric slider, and Cisco does not auto-block on "Not Approved" status; a policy rule has to be set. The capability is there, the granularity varies.
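To make the difference concrete, here is an added example (not code from the article or from any vendor's product) that evaluates a constructed inventory of discovered apps under the two enforcement models: blocking on a manual approval status, where newly discovered apps default to "unreviewed", versus blocking on a numeric risk threshold with an explicit-approval exception. The app names, 0-100 scores and statuses are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class DiscoveredApp:
    name: str
    risk_score: int  # constructed 0-100 scale, higher = riskier
    status: str      # "approved", "unapproved", "in-review" or "unreviewed"


# Constructed inventory: two of the riskiest apps have never been triaged.
INVENTORY = [
    DiscoveredApp("corp-crm.example", 15, "approved"),
    DiscoveredApp("notes-ai.example", 82, "unreviewed"),   # newly discovered
    DiscoveredApp("file-share.example", 74, "in-review"),
    DiscoveredApp("paste-site.example", 91, "unapproved"),
    DiscoveredApp("calendar-bot.example", 35, "unreviewed"),
]


def decide_by_status(app: DiscoveredApp) -> str:
    """Manual-approval model: only explicitly unapproved apps are blocked.
    Anything an analyst has not yet triaged keeps flowing."""
    return "block" if app.status == "unapproved" else "allow"


def decide_by_threshold(app: DiscoveredApp, threshold: int) -> str:
    """Risk-threshold model: block at or above the threshold unless an
    analyst has explicitly approved the app (a sanctioned exception)."""
    if app.status == "approved":
        return "allow"
    return "block" if app.risk_score >= threshold else "allow"


def high_risk_allowed(apps, threshold, policy):
    """Names of apps at or above the threshold that the policy still allows."""
    return sorted(a.name for a in apps
                  if a.risk_score >= threshold and policy(a) == "allow")


def compare_models(apps, threshold=70):
    """Blind spots of each model: high-risk apps that reach users untouched."""
    by_status = high_risk_allowed(apps, threshold, decide_by_status)
    by_score = high_risk_allowed(apps, threshold,
                                 lambda a: decide_by_threshold(a, threshold))
    return {"status_model_gaps": by_status, "threshold_model_gaps": by_score}


if __name__ == "__main__":
    print(compare_models(INVENTORY))
```

Under the status model the two untriaged high-risk apps pass until someone gets to them; under the threshold model the analyst's backlog no longer decides what users can reach.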

Check 3: Both Inline AND API-Based CASB Modes

Does the CASB run inline (real-time proxy) AND API-based (out-of-band) modes?

This is the most important check in the set, and all 8 vendors score YES, but the fine print matters more here than anywhere else. Inline mode catches threats and risky actions in real time as traffic flows. API mode reaches into sanctioned apps out-of-band to inspect data already sitting at rest. You need both: inline alone misses data that never transits your proxy, API alone cannot stop an action in the moment.

| Vendor | Score | The Fine Print |
|---|---|---|
| Netskope | YES | Forward and reverse proxy inline plus API Data Protection, most customers run both |
| Zscaler | YES | Multimode CASB: inline proxy plus SaaS Security API for data at rest |
| Palo Alto Networks | YES | CASB-X license bundles SaaS Security Inline and SaaS Security API |
| Check Point | YES | "Inline and API-based enforcement" for 10,000+ apps |
| Cisco | YES | Inline in Umbrella/Secure Access, API-based via Cloudlock (a separate component) |
| Fortinet | YES | Inline via FortiSASE/FortiGate app control, API-based via FortiCASB over REST/OAuth 2.0 |
| Cato Networks | YES | Inline HTTP/S proxy plus Data Protection API, but API mode is newer and limited to a defined app set |
| Cloudflare | YES | Inline Gateway proxy plus API-based scanning across 25+ SaaS/cloud environments |

The takeaway: everyone checks the box, but "both modes" is not uniform. Cato's API mode is documented as newer and limited to a defined set of connected apps (Microsoft 365/Copilot, Google Workspace, Salesforce, Box). Cisco's API mode lives in Cloudlock, a distinct licensed component rather than the same engine as its inline proxy. When you evaluate this, ask which specific apps the API side actually connects to, not whether the vendor "supports" API mode.

Check 4: OAuth and SaaS-to-SaaS Integration Control

Can it detect and control OAuth token grants and third-party SaaS-to-SaaS integrations?

This is the fastest-growing attack vector in the set and where the scorecard spreads the most. A user clicks "Sign in with Google" for some new tool, grants it persistent read access to corporate data, and that authorization outlives the user's interest in the app. This is the overprivileged API access that worries 56% of organizations.

| Vendor | Score | Depth of Control |
|---|---|---|
| Netskope | YES | SSPM surfaces OAuth-connected apps, revokes tokens at the provider, blocks new apps that fail standards |
| Check Point | YES | Continuously monitors SaaS-to-SaaS OAuth risk, one-click automatic revocation of risky access |
| Zscaler | YES | SSPM (bolstered by the Canonic Security acquisition) audits and revokes over-permissive OAuth grants |
| Palo Alto Networks | YES | Classifies third-party apps as approved/restricted/blocked, blocking revokes OAuth for all users |
| Cisco | YES | Cloudlock Apps Firewall rates each OAuth scope low/mid/high and revokes access instantly |
| Cato Networks | PARTIAL | SSPM audits OAuth grants and recommends remediation, but native automated token revocation is limited |
| Fortinet | PARTIAL | Robust OAuth control depends on the separate FortiCASB-SSPM add-on; base API CASB mostly surfaces Google's verification status |
| Cloudflare | YES | Detects third-party OAuth access via Google/Microsoft 365 sign-in, supports revoking risky integrations |

The pattern to notice: OAuth control almost always lives in an SSPM (SaaS security posture management) module, and whether that module is included or a separate add-on determines the real answer. Cato scores PARTIAL because its SSPM does detection plus guided remediation rather than documented native, automated token revocation; control stops at "here is the problem, here is what to do." Fortinet scores PARTIAL because real OAuth enforcement depends on the FortiCASB-SSPM add-on; without it, the base API CASB largely reports Google's third-party verification status. For the YES vendors, one-click or automatic revocation is the differentiator, and Check Point, Netskope, and Cisco all document instant revocation. If SaaS-to-SaaS sprawl is your worry, this is the single check to weight heaviest.
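As an added illustration of the review step an SSPM module performs before revocation (example code written for this article, not any vendor's implementation), the block below triages a constructed inventory of third-party OAuth grants: each scope is rated low/mid/high from an assumed sensitivity map, and a broad grant that nobody has used in 90 days becomes a revocation candidate. The scope names are real Google OAuth scopes; the ratings, apps, users and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Assumed sensitivity map: real Google scope names, but the low/mid/high
# ratings are this example's own, not a vendor's catalog.
SCOPE_RISK = {
    "openid": "low",
    "https://www.googleapis.com/auth/userinfo.email": "low",
    "https://www.googleapis.com/auth/calendar.readonly": "mid",
    "https://www.googleapis.com/auth/drive.readonly": "mid",
    "https://www.googleapis.com/auth/drive": "high",
    "https://www.googleapis.com/auth/gmail.readonly": "high",
}
RANK = {"low": 0, "mid": 1, "high": 2}
AS_OF = date(2026, 7, 15)  # constructed review date


@dataclass
class OAuthGrant:
    app: str
    user: str
    scopes: list
    last_used: date


def grant_risk(grant: OAuthGrant) -> str:
    """Rate a grant by its most sensitive scope. An unrecognised scope is
    treated as high: an unassessed permission is not a safe one."""
    ratings = [SCOPE_RISK.get(s, "high") for s in grant.scopes]
    return max(ratings, key=RANK.__getitem__) if ratings else "low"


def triage(grant: OAuthGrant, today: date, stale_days: int = 90) -> str:
    """Return 'revoke', 'review' or 'ok'. High-risk access that has gone
    unused is the authorization that outlived the user's interest."""
    risk = grant_risk(grant)
    stale = (today - grant.last_used).days > stale_days
    if risk == "high" and stale:
        return "revoke"
    if risk == "high" or (risk == "mid" and stale):
        return "review"
    return "ok"


GRANTS = [  # constructed grant inventory
    OAuthGrant("meeting-notes-ai", "alice", ["openid", "https://www.googleapis.com/auth/drive"], date(2025, 11, 2)),
    OAuthGrant("scheduler-bot", "bob", ["openid", "https://www.googleapis.com/auth/calendar.readonly"], date(2026, 6, 30)),
    OAuthGrant("inbox-summariser", "carol", ["https://www.googleapis.com/auth/gmail.readonly"], date(2026, 7, 1)),
    OAuthGrant("mystery-plugin", "dave", ["https://example.invalid/unknown.scope"], date(2026, 1, 15)),
]


def revocation_report(grants, today):
    """Map each app to its triage verdict so an analyst sees what to revoke first."""
    return {g.app: triage(g, today) for g in grants}


if __name__ == "__main__":
    print(revocation_report(GRANTS, AS_OF))
```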

Check 5: A Cloud App Catalog With 10,000+ Apps

Does the platform maintain 10,000+ pre-classified cloud apps with risk ratings and categories?

Catalog breadth decides how many apps get identified and scored automatically versus falling into an "unknown" bucket where your controls go dark. Thin catalogs miss niche and regional SaaS.

| Vendor | Score | Documented Catalog |
|---|---|---|
| Cisco | YES | 250,000+ cloud apps discovered, over one billion files monitored daily |
| Netskope | YES | 85,000+ cloud apps plus 1,800+ GenAI tools, each across 50+ attributes |
| Check Point | YES | 10,000+ business/cloud apps classified by behavior, category, and risk |
| Zscaler | PARTIAL | More than 8,500 apps across 25 risk attributes, short of the 10,000 bar |
| Palo Alto Networks | PARTIAL | ACE classifies thousands scaling to tens of thousands, but no confirmed 10,000+ figure |
| Cato Networks | PARTIAL | Thousands of apps (~9,000 cover ~96.78% of traffic), de-emphasizes raw count |
| Fortinet | PARTIAL | FortiGuard catalog with risk scores, but no published count confirming 10,000+ |
| Cloudflare | NO | ~31 app types and an Application Library, no catalog approaching 10,000+, scores only on a subset |

This check produces the only NO in the entire dataset. Cloudflare documents categorization into roughly 31 app types with confidence scores for a subset of SaaS and AI apps, but publishes no catalog anywhere near 10,000 pre-classified applications. That is the gap that drops it to 70%. Worth calling out on the other side: Cato's PARTIAL is a deliberate philosophy, not a shortfall. Cato explicitly argues raw app count is a vanity metric and points out that ~9,000 apps cover ~96.78% of real traffic. There is a real debate here between coverage of traffic and coverage of the catalog, and buyers should decide which they actually care about. Cisco (250,000+) and Netskope (85,000+ plus 1,800+ GenAI tools) simply overwhelm the 10,000 threshold.

Why Netskope Sits at the Top

Netskope is the CASB pioneer. It did not add CASB to a firewall or a proxy; it started as a CASB and grew the SASE platform around it. That heritage shows in the details that the scorecard only hints at: the Cloud Confidence Index rates 85,000+ apps across 50+ attributes, Cloud XD instance awareness can tell a corporate Microsoft 365 tenant from a personal one, and the SSPM revokes OAuth tokens at the provider rather than just flagging them. When cloud app control is your founding problem rather than a bolt-on, depth accumulates. That is why the same platform tops both this comparison and the shadow AI analysis, and it is the core of the Netskope vs Zscaler and Cato vs Netskope matchups buyers ask about most.

But heritage is not the whole answer. Cisco reaches 100% on the strength of Cloudlock (an early CASB acquisition) bolted to Umbrella's massive discovery engine, and Check Point reaches 100% by pairing 10,000+ app inline/API enforcement with the API-based SaaS Security module for OAuth revocation. Three roads, same summit.

What This Means for Your CASB Evaluation

The capability that used to define CASB, shadow IT discovery, is now the price of entry. Every vendor sees the apps. The differentiation has moved down the stack to three questions:

  1. Can you block by risk score, or only by a manual approval status? If an analyst has to triage every app by hand, your control does not scale with the app explosion. Cloudflare's PARTIAL here is the one to watch.
  2. Is OAuth and SaaS-to-SaaS control native and automated, or an add-on that only surfaces problems? This is the 56%-overprivileged-access question. Ask specifically about one-click or automatic token revocation, and confirm whether the SSPM module is included or sold separately. This is where Cato and Fortinet land at PARTIAL.
  3. Does the API CASB side actually connect to the apps you run? "Both modes" is a YES for everyone, but Cato's API mode covers a defined app set and Cisco's lives in a separate Cloudlock license. Get the specific app list, not the checkbox.

And because shadow IT and shadow AI are now the same governance problem, evaluate CASB alongside GenAI DLP and AI Security Controls. The vendor that scores your unsanctioned SaaS is the same one that has to score the unsanctioned AI hiding inside it.

The Bottom Line

Three vendors, Netskope, Cisco, and Check Point, deliver complete CASB across all five checks. Zscaler and Palo Alto trail by a single point, each missing only the documented 10,000+ catalog threshold. Fortinet and Cato share 80%, both gapped on native OAuth control and catalog breadth, though Cato's catalog stance is a deliberate coverage argument rather than a miss. Cloudflare's 70% and lone NO reflect a CASB that discovers well but scores narrowly and blocks by hand.

Shadow IT is not shrinking, and shadow AI is pouring fuel on it. The vendors that convert discovery into automated, risk-based, OAuth-aware control are the ones that will keep pace. The rest hand you a very good map of a problem you still have to solve manually.

Explore the full data: CASB and Shadow IT Comparison | Companion read: Shadow AI Detection Across 8 Vendors


Methodology: All findings are based on SASECompare independent research across 5 CASB and shadow IT capability checks. Vendor ratings reflect documented capabilities from official documentation, knowledge base articles, and verified public sources as of July 2026. YES requires clear documented evidence, PARTIAL indicates the capability exists with limitations, and NO indicates no documented support. Scores are computed as (YES + 0.5 x PARTIAL) / 5. See the [full comparison page](/compare/casb-shadow-it) for source citations per vendor per check. Browse all topics on the [comparisons page](/comparisons), see head-to-head [vendor matchups](/versus), or build a weighted shortlist with our [RFP tool](/rfp).

