Vault Agentics

A Practical SSPM Checklist for Mid-Market Companies

Twelve concrete controls every mid-market SaaS-heavy company should verify this quarter — mapped to SOC 2, ISO 27001, and CIS v8.

By Hani Braish

SaaS sprawl is the new shadow IT. Most mid-market companies discover 3–5x more SaaS tenants than their IT team can name.

The twelve controls

  1. Inventory every OAuth grant across Google Workspace and Microsoft 365.
  2. Disable legacy auth protocols on every identity provider.
  3. Enforce phishing-resistant MFA on all admin accounts.
  4. Map every SaaS admin to a named human, not a shared mailbox.
  5. Continuously diff SaaS RBAC against a known-good baseline.
  6. Alert on any new external sharing of files tagged "confidential".
  7. Auto-revoke OAuth tokens unused for 90 days.
  8. Rotate every long-lived API key on a 90-day cadence.
  9. Centralize SaaS audit logs into a single SIEM lake.
  10. Detect impossible-travel sign-ins across all SaaS apps, not just IdP.
  11. Block downloads to unmanaged devices via conditional access.
  12. Quarterly access reviews — actually performed, not just scheduled.
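As an added illustration of control 10 (this is example code written for this checklist, not code from the original post or from Vault Agentics), here is a minimal impossible-travel detector. It assumes sign-in events from the IdP and each SaaS app have already been normalized into one record shape with a geolocation resolved from the source IP; the field names, the sample events, and the 900 km/h plausibility threshold are all constructed assumptions.

```python
import json
import math
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample sign-in events (not real telemetry). Each line is one
# sign-in already normalized to a common shape. The field names are an
# assumption, as is the pre-resolved lat/lon (a real pipeline would run a
# GeoIP lookup on "ip" before this step).
SAMPLE_EVENTS = """\
{"app": "okta", "user": "alice@example.com", "ts": "2024-05-01T08:00:00Z", "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278}
{"app": "google_workspace", "user": "alice@example.com", "ts": "2024-05-01T08:40:00Z", "ip": "198.51.100.7", "lat": 37.7749, "lon": -122.4194}
{"app": "salesforce", "user": "bob@example.com", "ts": "2024-05-01T09:00:00Z", "ip": "192.0.2.5", "lat": 40.7128, "lon": -74.0060}
{"app": "m365", "user": "bob@example.com", "ts": "2024-05-01T15:00:00Z", "ip": "192.0.2.9", "lat": 42.3601, "lon": -71.0589}
"""

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0     # ignore short hops (GeoIP jitter, same metro area)


@dataclass(frozen=True)
class SignIn:
    app: str
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float


def parse_events(text: str) -> list[SignIn]:
    """Parse newline-delimited JSON sign-in records into SignIn objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # fromisoformat accepts "Z" only on newer Pythons, so normalize it.
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(SignIn(rec["app"], rec["user"].lower(),
                             ts.astimezone(timezone.utc), rec["ip"],
                             float(rec["lat"]), float(rec["lon"])))
    return events


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive sign-ins by the same user that would require travelling
    faster than max_kmh. Events from every app are merged and ordered per user,
    so a sign-in at the IdP is compared against the next sign-in at any SaaS app."""
    alerts = []
    ordered = sorted(events, key=lambda e: (e.user, e.ts))
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.user != cur.user or prev.ip == cur.ip:
            continue
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if dist < min_km:
            continue
        hours = (cur.ts - prev.ts).total_seconds() / 3600.0
        speed = math.inf if hours == 0 else dist / hours
        if speed > max_kmh:
            alerts.append({
                "user": cur.user, "from_app": prev.app, "to_app": cur.app,
                "from_ip": prev.ip, "to_ip": cur.ip,
                "distance_km": round(dist, 1), "hours": round(hours, 2),
                "speed_kmh": round(speed, 1) if math.isfinite(speed) else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In the sample data, alice signs in to Okta from London and forty minutes later to Google Workspace from San Francisco; only the merged stream catches this, since the IdP alone saw a single sign-in. Expect false positives from corporate VPN egress, cloud-hosted browsers and coarse GeoIP, so tune the threshold and keep an allowlist of known egress ranges rather than lowering it globally.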

Mapping to frameworks

Each of the above maps cleanly to SOC 2 CC6, ISO 27001 A.9, and CIS v8 controls 5 and 6. Auditors love checklists. So do attackers — make sure yours is shorter than theirs.
