Operations Dashboard

The Dashboard is the central command center for your organization's security posture. It aggregates real-time telemetry from all enrolled browser extensions and your Google Workspace integration into a single view. In the topbar header, the active subscription plan status is clearly displayed as a badge (e.g., Custom Plan or Complimentary Plan).

System Banners & Alerts

At the top of the dashboard, dynamic system notification banners alert administrators to pending tasks or billing requirements:

• Onboarding Progress Banner — Appears if any of the core onboarding steps are incomplete, linking directly to the setup checklists to complete deployment.
• Billing Prompt Banner — Displays warnings if a payment method is missing or if subscription limits have been exceeded.

KPI Metric Cards

Four KPI tiles appear at the top of the Dashboard. Each shows today's count and a delta vs. the previous day (shown as both an absolute change and a percentage). Page Views Today and Shadow IT Detections additionally display a 7-day sparkline trend; the other two tiles do not.

Understanding Each Metric

7-Day Activity Trend

Below the KPI tiles, the Dashboard renders a 7-day area chart overlaying Page Views and Shadow IT detections. This helps distinguish one-time spikes from sustained behavioral trends.

Bottom-Row Widgets

The bottom of the Dashboard contains three real-time monitoring lists:

• Top Sites Today — Renders the most active domains visited across the entire organization today, ranked by total page views and classified by safety status.
• Recent Alerts Widget — Shows the latest security policy triggers. Hovering over a row displays a quick action button (✓) that allows administrators to instantly resolve the alert directly from the dashboard.
• Recent Shadow IT Feed — Displays a rolling 24-hour log of new applications detected on endpoints that have not yet been categorized in your SaaS Inventory.

Recommended Daily Workflow

1. Check Recent Alerts first — resolve any open DLP alerts that arrived overnight. Use the hover checkmark action to dismiss minor alerts, or click through to review justifications.
2. Review Recent Shadow IT — classify any new SaaS platforms in your inventory before the end of the day.
3. Spot-check Active Users against expected headcount. If it's significantly lower than a normal workday, check extension deployment status in your MDM console.
4. Review any Slack notifications from triggered browser alert rules — these appear in the channels you have configured under Slack Integration → Rule Alert Routing.

Setup & MDM Deployment

Before Fantomo can protect your organization, five setup tasks must be completed in sequence. The Getting Started page (accessible from the sidebar) tracks your progress with a checklist and links to each configuration screen. The Setup Tasks page expands on each item with inline guidance.

The 5-Step Setup Checklist

Task 1: Create Admin Account

Your account email domain anchors the organization. All other admin accounts you invite must share the same domain (e.g. @yourcompany.com). Free email domains (Gmail, Outlook.com, Yahoo) cannot be used as the organization domain.

Authentication can be local email/password initially, but Fantomo recommends — and will eventually require — migrating to Google Sign-In. See the General Settings section for migration steps. Once Google Sign-In is enabled, local passwords are permanently disabled and cannot be re-enabled.

Task 2: Branding & Appearance

Browser warning modals displayed to employees carry your organization's logo, name, and color scheme. Employees who see unbranded warnings often mistake them for browser bugs or phishing attempts and dismiss them. Custom branding increases compliance and reduces help-desk tickets.

Full configuration reference: Branding & Appearance.

Task 3: Connect Google Workspace Sync

This is the most technically involved step. It grants Fantomo read-only access to your Google Workspace tenant through a Service Account with Domain-Wide Delegation.

1. Open the Google Cloud Console. Create a new project (or use an existing one) specifically for Fantomo. Keeping it isolated makes it easy to revoke access later.
2. Within the project, navigate to IAM & Admin → Service Accounts. Click Create Service Account. Name it descriptively (e.g. "Fantomo Sync Agent"). Download the JSON key file.
3. Open the Google Workspace Admin Console. Navigate to Security → API Controls → Manage Domain-Wide Delegation.
4. Click Add New. Enter the Service Account's Client ID (found in the JSON key file as client_id). Add the following OAuth scopes, comma-separated:
   https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/gmail.readonly
5. In the Fantomo portal, go to Settings → Google Workspace. Paste the JSON key file content into the credential textarea. Enter your Workspace domain. Click Test Connection, then Connect Workspace.

Task 4: Deploy MDM Extension Profiles

The browser extension must be force-installed via your organization's MDM system. Simply publishing it to the Chrome Web Store and asking employees to install it voluntarily defeats the security model — employees can uninstall voluntary extensions at any time. Force-installing locks the extension so only MDM can remove it, and the extension shows a briefcase ("Installed by administrator") icon in the browser toolbar.

Extension Configuration JSON

The MDM configuration payload tells the extension three things: your API key (authentication), the API base URL (where to send telemetry), and the user's email address (for device-to-user association). The user email uses an MDM variable that each platform resolves at deploy time.

{
  "apiKey": "ftm_your_api_key_here",
  "apiBaseUrl": "https://api.fantomo.io",
  "userId": "${user.id}",
  "userEmail": "${user.email}",
  "syncIntervalMinutes": 5
}

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ExtensionSettings</key>
  <dict>
    <key>EXTENSION_ID_HERE</key>
    <dict>
      <key>installation_mode</key>
      <string>forced</string>
      <key>update_url</key>
      <string>https://clients2.google.com/service/update2/crx</string>
    </dict>
  </dict>
  <key>3rdparty</key>
  <dict>
    <key>extensions</key>
    <dict>
      <key>EXTENSION_ID_HERE</key>
      <dict>
        <key>apiKey</key>
        <string>ftm_your_api_key_here</string>
        <key>apiBaseUrl</key>
        <string>https://api.fantomo.io</string>
        <key>userEmail</key>
        <string>$EMAIL</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.google.Chrome</string>
      <key>PayloadUUID</key>
      <string>87B576C7-E7BA-429C-B307-F14EB2333BF1</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>ExtensionSettings</key>
      <dict>
        <key>EXTENSION_ID_HERE</key>
        <dict>
          <key>installation_mode</key>
          <string>forced</string>
          <key>update_url</key>
          <string>https://clients2.google.com/service/update2/crx</string>
        </dict>
      </dict>
      <key>3rdparty</key>
      <dict>
        <key>extensions</key>
        <dict>
          <key>EXTENSION_ID_HERE</key>
          <dict>
            <key>apiKey</key><string>ftm_your_api_key_here</string>
            <key>apiBaseUrl</key><string>https://api.fantomo.io</string>
            <key>userEmail</key><string>$EMAIL</string>
          </dict>
        </dict>
      </dict>
    </dict>
  </array>
  <key>PayloadIdentifier</key>
  <string>io.fantomo.chrome-config</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist ...>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.google.Chrome</string>
      <key>ExtensionSettings</key>
      <dict>
        <key>EXTENSION_ID_HERE</key>
        <dict>
          <key>installation_mode</key><string>forced</string>
          <key>update_url</key>
          <string>https://clients2.google.com/service/update2/crx</string>
        </dict>
      </dict>
      <key>3rdparty</key>
      <dict>
        <key>extensions</key>
        <dict>
          <key>EXTENSION_ID_HERE</key>
          <dict>
            <key>apiKey</key><string>ftm_your_api_key_here</string>
            <key>apiBaseUrl</key><string>https://api.fantomo.io</string>
            <key>userEmail</key><string>$USER_EMAIL</string>
          </dict>
        </dict>
      </dict>
    </dict>
  </array>
  <key>PayloadIdentifier</key>
  <string>io.fantomo.chrome-config</string>
  <key>PayloadType</key><string>Configuration</string>
</dict>
</plist>

<!-- Same structure as Iru config above -->
<!-- Replace userEmail value with: %email% -->
<key>userEmail</key>
<string>%email%</string>

Task 5: Verify Telemetry Sync

After deploying the MDM profile, verify that the extension is reporting telemetry before rolling out to all users.

1. On a test machine with the extension deployed, open Chrome and navigate to a few websites (including some non-work sites like news or social).
2. In the Fantomo Admin Portal, open Browsing History. The test machine's domain visits should appear within 2–5 minutes.
3. Optionally, create a Browser Alert Rule in Test Mode targeting example.com, then visit that domain on the test machine. Confirm a telemetry event appears in the DLP User Activity log.
4. Check the extension icon in the Chrome toolbar — it should be active (not grayed out). If grayed out, the extension cannot reach the API. Verify that the apiBaseUrl is correct and not blocked by a firewall.

Troubleshooting Extension Deployment

Interactive Extension Verification

To run live diagnostics on an enrolled browser, navigate to the Extension Verification Page at /onboarding/test. This page performs automatic checks and provides manual test triggers:

• DOM Verification — Checks for the presence of the <meta name="fantomo-extension-status" content="active"> tag injected by the active extension into the page DOM. Green status indicates the extension is running and successfully communicating with the local page environment.
• Trigger Welcome Modal — Forces a page reload with a query parameter that triggers the extension's onboarding welcome modal. This confirms the extension can render UI overlays on the client.
• Trigger Shadow IT Test — Redirects the browser to a test registration page (/create-account-test). This simulates a new SaaS account registration to verify that the extension detects and logs shadow IT signup events in real-time.

Setup Tasks Wizard

The Setup Tasks Page (accessible at /setup-tasks) provides a wizard-style interface to complete enterprise configuration. Rather than configuring settings in isolation, administrators can follow the tabbed wizard which tracks status indicators (pending, in_progress, completed, and dismissed) for each required task:

• Workspace Directory Sync — Guides the administrator through connecting Google Workspace, setting up service accounts, and verifying domain-wide delegation scopes to synchronize organizational units (OUs), groups, and user directories.
• MDM Extension Deployment — Provides links to MDM payloads, config profiles, and installation instructions for Jamf, Fleet, Mosyle, and generic plist/registry distributions.
• Outbound Webhooks — Configures event routing endpoints for SIEM integrations or custom automation pipelines.

Security Alerts

The Security Alerts feed is the primary triage queue for DLP policy violations. Every time an employee overrides a browser warning dialog — or triggers a silent-log rule — an entry is created here. Alerts represent moments where a user acknowledged a policy risk and proceeded anyway, requiring admin review.

The Alerts Table

Column Reference

Filtering

Use the date range pickers, category dropdown, and domain search input above the table to narrow the alert list. Active filters appear as removable chips below the filter bar. Click any chip to remove that filter, or "Clear all" to reset to unfiltered.

Bulk Resolve

Select multiple unreviewed alerts using the checkboxes and click Mark Resolved to dismiss all of them in a single action. The header checkbox selects all eligible (unreviewed, non-request) alerts on the current page.

Slack Sync

If Slack integration is configured and a rule has an associated Slack Notification playbook, each new alert triggers the playbook to post a rich-text notification to the configured channel. This creates a closed-loop workflow: the security team sees alerts in Slack, investigates, and when resolved in Fantomo the alert is marked as reviewed in both places.

Troubleshooting

Shadow IT Log

Shadow IT refers to cloud applications and services used by employees without IT's knowledge or approval. The Shadow IT log captures three types of detection events generated by the browser extension and the Google Workspace mail scan:

• signup — employee submitted a new account registration form on an unmanaged domain (detected via form field pattern matching)
• login — employee authenticated to an existing account on an unmanaged domain
• login_challenge / password_reset — detected via Gmail subject line metadata (e.g. "Reset your Notion password")

Shadow IT View

The Shadow IT tab displays data aggregated by domain. Each row represents a unique domain across all users, showing total detection events, user count, and last-seen timestamp. Click any row to open a drill-down modal showing individual event records — with exact URL paths, timestamps, and usernames — for that domain.

Column Reference

Drill-Down: Individual Event Records

Clicking a domain row opens a modal showing individual event records. Each record includes: user email, exact URL path, detection type (signup / login / login_challenge / password_reset), and timestamp. You can search and sort within the modal.

Detection Type Values

Responding to Shadow IT Detections

1. Note the domain from the detection event. Search the SaaS Inventory for that domain. If it already exists, verify its approval status.
2. If the domain is new, add it to the SaaS Inventory and classify it. Review the vendor's security posture (SOC 2 report availability, data residency, privacy policy).
3. If the domain should be Approved: set status to Approved. Future detections from this domain will be suppressed from the alert queue.
4. If the domain should be Blocked: set status to Blocked and create a Browser Alert Rule targeting the domain to display a warning when employees navigate to it.
5. If under review: set to Under Review and optionally trigger a User Activity Outreach questionnaire to ask the employee about their use case.

Shadow IT Category Exclusions

Some categories of services — such as major financial services or government websites — generate Shadow IT signals but are universally low-risk. The Settings → General & MDM page includes a Shadow IT Category Exclusions card. Toggling off a category suppresses all Shadow IT detections for domains classified in that category, reducing noise without losing security coverage on higher-risk categories.

Browsing History

The Browsing History page (labeled Browsing History in the Activity Logs section) provides aggregated domain-level web telemetry for all enrolled devices. This is the raw feed of every domain visited by any managed browser extension, enabling administrators to understand general web usage patterns, identify unusual activity, and audit specific users if a security concern arises.

Browsing Log Table

Like Shadow IT, browsing data is shown aggregated by domain. Each row represents a unique domain with total page view count, session count, user count, and last-seen timestamp. Click any row to open a drill-down modal showing individual browsing sessions for that domain. Sessions can be expanded further to show individual page views.

Filters Available

• Date range pickers — Two date inputs (Start Date, End Date) let you scope to any arbitrary date range. There are no preset dropdown options — enter dates manually.
• Category dropdown — Limit to a specific SaaS category (Collaboration, Email, AI Tools, Cloud Storage, etc.).
• Domain search — Type a partial domain and press Enter or click Search to filter. Active filter appears as a removable chip below the filter bar.

Top Domains Chart

A horizontal bar chart shows the top 10 most-visited domains across all enrolled users in the selected time period. This quickly surfaces unexpected traffic patterns — for example, a sudden spike in visits to a personal cloud storage service may indicate an employee exfiltrating files before departure.

This feature requires the Full Browsing feature flag on your plan. If you see a "Feature not enabled" gate, contact support or upgrade your subscription.

Remote Network Diagnostics

The Network Speed page (labeled Network Speed in the Activity Logs sidebar) opens the Remote Network Diagnostics view — sub-labeled "WFH ISP & Load Telemetry." It displays connection performance metrics collected by enrolled browser extensions from remote employee devices, helping diagnose latency issues, identify underperforming ISPs, and correlate network conditions with security events.

Summary KPI Cards

When data is available, four KPI cards appear at the top of the page:

What Is Measured

Diagnostics Table

Below the KPI cards, a table lists individual domain + ISP combinations with per-row latency breakdowns. Each row shows:

Drill-Down: Raw Samples

Click any row to open a modal showing individual raw telemetry records for that domain and ISP. Each record shows: user email, individual DNS/TCP/TTFB values, total timing, WFH ISP, client IP address, and timestamp. You can search by user or IP and sort by any column.

Filters

Two filter inputs appear above the table: Filter by domain and Filter by WFH ISP. Both support partial text matches. A "Clear filters" button resets both.

This feature requires the Network Diagnostics add-on on your plan. If you see the locked state, go to Billing & Plans to activate it.

Admin Actions Audit Log

The Admin Actions Log (labeled Admin Actions Log in the Activity Logs section) records every configuration change, user management action, and administrative operation performed by any admin or owner account in your organization. It is append-only and immutable — entries cannot be edited or deleted.

Audit Log Table

Logged Action Types

Filtering the Audit Log

• Date range pickers — Two date inputs (Start Date, End Date) scope the log to a specific time window. Essential for compliance audits where you need to demonstrate controls were in place during a specific period.

There are no free-text email or action-type filter inputs on this page. To find events for a specific administrator or action type, use the date range to narrow the window and review the filtered results manually, or export the log via the Export CSV button.

User Activity Outreach

The User Activity page in the SaaS Governance section (labeled "User Activity" in the sidebar, under the SaaS Governance group) manages automated outreach questionnaires sent to employees when Shadow IT detections occur. Instead of a purely passive detection model, Fantomo can proactively engage the employee to understand their use case, collect a business justification, and route their response into the SaaS Inventory workflow.

Pending Queue

The Pending Queue shows outreach questionnaires that have been sent to employees but not yet completed. Each row shows the employee email, the domain that triggered the outreach, the detection type (signup, login, etc.), and the date the questionnaire was sent.

Response Log

Once an employee submits their questionnaire, their response moves to the Response Log. Each entry includes the full text of the employee's justification, the timestamp, and a link to the relevant SaaS Inventory entry. Admins can use this information to approve or block the application directly from this view.

Outreach Configuration

Questionnaire delivery channel is configured in Settings → Slack Integration under the Employee Outreach Check-ins section. Available channels:

• Slack Direct Message (Recommended) — sends an interactive Slack DM to the employee with a response button. Requires Slack integration to be active.
• Email Outreach — sends a plain-text email with a response link. Works without Slack integration.
• Slack & Email (Dual Delivery) — sends both simultaneously for higher response rates.

Bulk Send

The Bulk Send Questionnaires button triggers outreach to all employees who have pending Shadow IT detections that haven't yet been outreached. This is useful when initially enabling the feature after a period of unchecked shadow IT accumulation.

Statistics

A statistics card at the top of the page shows: Total questionnaires sent, response rate (%), average response time, and top responding employees. These metrics help you tune the outreach frequency and channel to maximize engagement.

SaaS Inventory

The SaaS Inventory is the authoritative catalog of every cloud application detected in use across your organization. It aggregates data from both the browser extension (signup/login detections) and the Google Workspace API sync (OAuth grants, Gmail mail scan) into a unified application registry that you classify, govern, and maintain over time.

Inventory Table

Inline Status Modification

The Status column features an inline select dropdown. Rather than drilling down into each application detail page, administrators can update an application's governance classification directly from the main SaaS Inventory table row. Changes save immediately and update all detection filters across endpoints.

Application Status Values

Security Posture Indicator

The Security Posture column reflects the outcome of a vendor security review based on organization protections and data sensitivity:

• Good — SSO is configured and MFA is enforced, or the application stores no sensitive data (neither PII nor confidential data).
• Poor — The application stores sensitive data, but SSO or MFA configurations are incomplete.
• Not Reviewed — Vendor security has not yet been evaluated. Default for newly discovered apps.

Inventory States: Onboarding vs. Steady State

When you first enable Fantomo, the inventory enters an Onboarding state — all discovered applications require triage. Once you have reviewed and classified your initial inventory, click Mark as Steady State to signal that the baseline is established. In Steady State, new discoveries generate higher-priority alerts since they represent genuine new shadow IT introductions rather than pre-existing usage.

Sync Inventory

The ↻ Sync Inventory button triggers an immediate re-scan of your Google Workspace tenant to pull the latest OAuth grant data and recent mail scan signals. Inventory normally syncs automatically every 4 hours. Manual sync is useful immediately after connecting a new integration or after a bulk employee onboarding event.

Organizational Unit & Group Reporting

Fantomo allows security teams to scope and analyze SaaS usage, security events, browsing, offboardings, and DLP violations based on Google Workspace OUs/Groups and Office 365/Microsoft equivalents.

• Hierarchical OU Scoping: Filters match both exact and nested child Organizational Units (e.g., filtering by /Engineering matches users in /Engineering/QA).
• Searchable Dropdown Picker: The unified picker lets you query hundreds of groups and OUs with instant search and clear categories.
• SaaS Category Breakdowns: Toggle the OU & Group Analytics view on the SaaS Inventory page to inspect stacked horizontal charts of the top 10 apps used by departments, or the proportion of app counts per OU/Group for specific categories like AI tools or file sharing.

SaaS App Detail

Clicking any application in the SaaS Inventory opens its Detail page. This view is structured into 8 tabs that consolidate all telemetry, spending, authentication scopes, and security ratings for that application:

1. Overview Tab

The Overview tab manages primary status, owner configuration, and displays a responsive row of KPI cards (Overall Risk score, Security Posture status, Active Users count/adoption rate, Last Activity date/velocity, and recurring Spend or Discovered Instances count). It also hosts Scoped Exception Rules targeting organization-wide, user, group, or Organizational Unit boundaries with Actions (Approve, Ignore, or Alert).

At the bottom of the Overview tab, the Send Check-in Questionnaire button allows administrators to dispatch automated Slack check-in messages to active users requesting business justifications.

2. Security Rating Tab

Consolidates Risk and Security Posture into a single unified view. It displays a 0-100 composite risk rating (0 = lowest risk, 100 = highest risk) in a circular SVG progress dial, alongside a side-by-side **Core Posture Matrix** comparing Catalog-Enriched Vendor support vs. your Organization Configured controls (SSO, MFA, SOC 2/ISO certifications, data encryption, and data classification). Changes to organization status dropdowns are saved inline and immediately trigger a recalculation of the composite risk score. The tab also displays read-only **Operational Telemetry** tracking active user password login ratios, absent MFA logins, and credential reuse events.

3. Users Tab

Lists active and former employees with detected access, login methods, last activity timestamps, and direct Revoke buttons to remove individual access grants.

4. Groups Tab

Displays directory groups (Google Workspace / Office 365) whose members have authorized or accessed the application.

5. OUs Tab

Displays Organizational Units (OUs) within your corporate hierarchy currently accessing the application.

6. Email Indicators Tab

If Google Workspace or Office 365 Mail Scan is connected, this logs invoicing, signups, and registration verification signals extracted from corporate mail headers.

7. Third-Party App Access Tab

Lists active corporate OAuth 2.0 grants linked to this application's client IDs with permission scope details, risk scoring, and a Revoke action to instantly terminate credentials.

8. Spend Tab

Records monthly cost, billing frequency, contract renewal dates, and license counts to track seats purchased against detected usage.

Third-Party App Access (OAuth Grants)

The Third-Party App Access page (route: /oauth-grants) audits all OAuth 2.0 authorizations your employees have granted to third-party applications using their organization's accounts (Google Workspace or Microsoft 365 / Entra ID). This view gives you complete visibility into the tokens that bypass standard centralized login configurations.

OAuth Statistics Cards

At the top of the page, three statistics cards show: Total OAuth grants in your tenant, Number of high-risk scope grants (read/write access to cloud storage, email, or directories), and Number of unclassified client IDs awaiting review (which link directly to the Integration Settings tabs).

Active OAuth Grants Table

The main table lists all active tokens granted by employees to third-party applications. You can filter this list by Risk Level (High, Medium, Low) and search by employee email or application name. A manual Sync Now button in the header forces an immediate pull from the connected directory provider APIs.

Viewing Grant Details & Permissions

Clicking the Details button opens a modal showing the full application registration metadata (Client ID, Homepage URL, description, and status), the detailed security assessment concerns, and all granted permission scopes sorted by risk tier as color-coded badges.

Revoking OAuth Access

Clicking Revoke Grant on any row issues an API command directly to the directory provider (Google Workspace or Microsoft Graph) to revoke the authentication token. The application will immediately lose access to the user's data and the employee will be prompted to re-authenticate on their next visit.

Directory Sync Info

This section also displays the directory integration statuses and the status of the most recent directory sync cycle (runs automatically to pull the latest authorizations).

Tenant Security Tune-up

The Tenant Security Tune-up & Compliance page (route: /security-tuneup) acts as a centralized dashboard to audit, configure, and enforce security policies for Microsoft 365 (M365) and Google Workspace (GWS) tenants. This feature replicates and expands upon enterprise compliance tools to provide complete visibility and automated enforcement of security posture settings, preventing configuration drift across all cloud resources.

Checking Security Settings

The Security Tune-up checklist presents critical security policies grouped into four domains: Identity, Email, Apps, and Audit Logging. Each check evaluates a specific configuration setting returned from GWS Directory or Microsoft Graph APIs. Administrators can choose to Opt In, Skip (with justification), or Ignore each security check independently. This flexibility allows organizations to tailor their compliance profile to their specific risk tolerance.

Temporary JIT (Just-in-Time) Consent Model

Automated remediation ("Do it for me") allows administrators to apply the recommended settings instantly without leaving the Fantomo console. To protect against credentials theft, Fantomo adopts a zero-trust Just-in-Time (JIT) Elevated Credential model:

• No Stored Write Keys: Fantomo never stores permanent administrative write keys or write scopes in its primary database. Ongoing daily compliance scans run using standard, low-privileged read-only credentials established during onboarding.
• Memory-Only Expiration: When running automated remediation, the administrator uploads a temporary GWS Service Account key or consents to a temporary elevated Microsoft OAuth scope. These credentials are held in volatile memory/Redis cache and programmatically destroyed and cleared within 15 minutes after the run completes.
• Manual Instructions: To ensure that admins are fully aware of what changes are being made, Fantomo always displays step-by-step manual remediation instructions alongside the automated option. If automated remediation fails or is not preferred, the admin can complete the same tasks manually in the respective admin centers.

Consolidated Control Panel Guides

To reduce administrator friction, Fantomo's compliance engine groups all selected manual remediation steps by their Control Panel Location. Instead of jumping back and forth between different settings pages in Microsoft or Google Admin interfaces, all actions occurring on a single admin dashboard (e.g. Entra ID Admin Center or Google Admin Console -> Security) are collapsed into a single step-by-step navigation instruction, allowing you to complete multiple tasks in a single console session.

Daily Drift Auditing & Alerts

Once your desired security profiles are defined and applied, Fantomo's compliance engine runs daily background scans to compare expected policy profiles with actual tenant states. If a configuration is modified outside of the Fantomo console:

1. Drift Detected: The system identifies that the actual tenant setting no longer matches the expected security baseline.
2. Audit Logged: A compliance warning is logged in the Fantomo Admin Audit Log.
3. Notifications Fired: Real-time alerts are sent to connected Slack channels and an incident is raised.
4. ITSM Integration: If enabled, a high-priority ticket is automatically created in connected PSA tools (like ConnectWise Manage or Autotask) for tracking and remediation.

Offboarding

The Offboardings page automates employee termination access reviews. Rather than relying on static checklists, Fantomo cross-references your SaaS Inventory against the departing employee's detection history to generate a comprehensive revocation list, ensuring that accounts are terminated before or on their last day.

Dual-Column Offboarding Dashboard

The Offboarding page is structured as a split dual-column layout to streamline review and execution:

• Left Column (Offboarding Queue) — Lists all departing employees, showing their email address, total number of SaaS accounts to revoke, and active status badge. In the header, the ⚡ Detect Departures button triggers a manual query against your directory sync service to locate recently suspended accounts and enqueue them for review.
• Right Column (Task Details Panel) — Clicking any user loads their checklist in this details panel. It displays a checklist of all SaaS applications used by the employee, their authorization statuses, and specific permission scopes. The 🔑 Revoke All OAuth button in the panel header runs a batch revocation on all detected Google OAuth grants for this user.

Task Status Values

Offboarding Failure Handling

When an automated revocation fails, Fantomo fires an offboarding_failure webhook containing the employee's email, the number of successful and failed revocations, and a timestamp. Configure a webhook endpoint (Settings → Outbound Webhooks) to route this event to your ITSM system, creating an urgent ticket for manual intervention.

The offboarding_failure webhook payload contains:

{
  "event_type": "offboarding_failure",
  "data": {
    "user_email": "[email protected]",
    "revocation_successes": 5,
    "revocation_errors": 3,
    "timestamp": "2026-06-08T01:14:59.000Z"
  }
}

Automated Playbooks

Playbooks are multi-step automated workflows that execute in response to security events detected by Fantomo. They eliminate the need for manual repetitive responses to common patterns — for example, automatically sending an employee a questionnaire when they sign up for a new AI tool, notifying IT, and setting the app to "Under Review" status, all without any admin intervention.

Playbook List & Management

The Playbook List shows all configured playbooks as cards. Each card shows the playbook name, active/inactive badge, trigger type, step count, runs in the past 30 days, and failed run count. Controls include an Active toggle, Edit button, and Delete button.

Playbook Editor

Playbook Triggers (11 Types)

Triggers initiate the execution of a Playbook run. Depending on the trigger type, specific configuration parameters (e.g., category, minimum severity) can be set in the editor UI.

Playbook Action Steps (11 Types)

Playbook steps are executed sequentially. If a step fails, the playbook run enters a Failed state, and an automated email alert containing the execution error logs is immediately sent to all organization administrators.

Dynamic Token Replacements

When writing custom email subject/bodies or Slack alert templates in the Playbook Editor, you can use curly-brace tokens. The playbook engine substitutes these tokens at runtime with actual contextual event details:

Master Playbook Propagation (Super Admins)

Super admins can manage organizational default playbooks dynamically in the Super Admin interface. When a super admin updates or inserts a default playbook structure, these modifications are propagated in real-time to all tenant databases, ensuring critical security policies (especially locked system playbooks) remain up-to-date across all organizations without manual intervention.

Step-by-Step Scenario: Employee Outreach & Non-Response Escalation

This example demonstrates how to configure a two-stage automated workflow that audits SaaS signups by reaching out to employees, waiting for a response, escalating to admins if they fail to justify it, and routing successful justifications to security approval channels.

Run Status Values

Each playbook execution is logged in the Execution History tab (the third tab, after Playbooks and Templates). Execution states:

• Running — Currently executing. Check back shortly.
• Waiting — Paused at a "Wait for Response" step. Will resume when the employee replies.
• Completed — All steps executed successfully.
• Failed — One or more steps encountered an error. Click to view the error detail and manually retry.
• Cancelled — Execution was manually stopped by an admin.

Step Log Detail & Raw Results

In the Execution History list, clicking on any past playbook run loads the run details and opens a side-by-side Step Log card. This card displays a list of each playbook step along with its execution outcome (Success or Failure) and a formatted JSON block containing the raw response payload or downstream API error message (e.g. from Slack or Google API integrations). This makes it easy for administrators to inspect the exact payload returned by each action or trace why a specific API call failed.

Template Gallery

Click Browse Templates to access the pre-built playbook template library. Templates include common patterns like "New AI Tool Response", "Offboarding Access Sweep", and "DLP Bypass Investigation". Installing a template creates a ready-to-configure playbook — customize the steps and trigger conditions to match your policies before enabling it. Note: if a playbook from a given template already exists, attempting to install the template again will show a notice rather than creating a duplicate.

Risk Alerts

The Risk Alerts page (labeled "Risk Alerts" in navigation, accessed via the /risk-signals route) monitors vendor security events affecting applications in your SaaS inventory. Signal data is sourced from HaveIBeenPwned.com and similar threat intelligence feeds, surfacing when a SaaS vendor your employees use has experienced a security incident.

Risk Signal Feed

The main feed lists all detected security events, each with a severity rating and signal type. Signals can be filtered by severity and can be dismissed once reviewed.

Signal Types

Severity Levels

Breach Scan

Click 🔍 Scan Now to initiate an on-demand breach check. Fantomo cross-references the domains in your SaaS Inventory against known breach databases (HaveIBeenPwned and similar feeds) and updates the signal feed with any newly discovered events. The Last scan date is shown next to the button. Scans also run automatically on a periodic schedule.

Dismissing Signals

Click Dismiss on any signal to mark it as reviewed. Dismissed signals are hidden from the default view. Toggle Show dismissed to see the full history. Dismissal is logged for audit purposes.

Stats Panel

A stats panel above the feed (loaded via /org/risk-signals/stats) shows aggregate counts by severity and the timestamp of the last successful scan.

DLP User Activity Log

The User Activity page in the Data Protection section (route: /dlp-logs) is the audit log for every DLP policy event — both overrides (where the user dismissed a warning and proceeded) and silent-log matches (where no warning was shown but the event was recorded). This is your primary compliance evidence for data protection controls.

DLP Activity Log Table

Column Reference

This feature requires the Policy Auditor feature on your plan. If gated, contact support or check your billing settings.

Browser Alert Rules

Browser Alert Rules define when and how the Fantomo extension intervenes in employee browser sessions. Each rule specifies a trigger (what to match), an action (what to show the employee), and targeting (which employees the rule applies to). Rules are evaluated in priority order — highest priority first.

Rules Table

Column Reference

Rule Editor

The Rule Editor is accessed by clicking a rule name in the Browser Alert Rules table, or by clicking + Create New Rule. It provides a comprehensive form for defining every aspect of a Browser Alert Rule — from what triggers it to how it appears to employees in their browser.

Tabbed Layout Organization

To provide a structured and full-width editing space, the Rule Editor is organized into four functional tabs:

• Configuration — Contains basic parameters (Rule Name, Match Type/Value, state, and frequency), custom alert buttons, inline Pack Management overrides, and the Message Content section (including titles, body messages, and scrollable policy markdown). Also includes the collapsible Rules Configuration Guide.
• Targeting — Configures user, group, or OU targeting allocations and exception/exclusion rules.
• Automated Playbooks — Associates and manages trigger-based SOAR response playbooks (replacing the legacy rule-specific Slack alerts card).
• Live Preview — Displays a real-time viewport simulation of how the modal or block page will render on the user's browser.

Global Cancel and Save Changes / Create Rule action buttons remain fixed at the bottom of the page across all tabs, allowing you to save changes at any point during configuration.

Basic Configuration

Message Content

Scrollable Policy & Versioning

For rules requiring explicit user agreement, you can configure scrollable policy agreements and version controls:

• Scrollable Policy Content — Configured inside the Message Content card under the Configuration tab. Paste long-form acceptable-use policies or markdown text that employees must scroll through before the modal action buttons become active. Translations for this content can be managed on a per-language subtab in the same block.
• Policy Version — Configured at the bottom of the English (Default) subtab inside the Message Content card under the Configuration tab. Incrementing the policy version on the English tab resets consent tracking globally, prompting employees who agreed to a prior version to re-acknowledge the policy on their next visit. All other translation tabs render an informational message referencing this global behavior.

Custom Alert Buttons (up to 3)

Each rule can display up to 3 custom action buttons in the alert modal. Click + Add Button to add a button. Buttons can be reordered with ▲ Up / ▼ Down controls.

Button Field Reference

Button Action Types

Targeting & Assignment

The Rule Targeting card (right column) controls which employees the rule applies to. Targets can be added or removed individually. The rule defaults to "All Staff Members (Global)."

Assignment Type Reference

Target Exclusions: You can define exceptions to your targeting using the same scopes (User, Group, or OU). For example, you can target a rule to all staff, but add an exception for a specific Google/O365 Group (such as "Senior Leadership" or "HR") or a specific OU path to prevent the rule from enforcing on those segments.

Automated Playbooks Tab

The Automated Playbooks tab replaces the legacy Slack alert routing. It allows you to associate multi-step response playbooks that trigger automatically when specific rule events fire (e.g., when the warning modal is displayed, when a user agrees or declines, when they click a specific custom button, or when they submit a justification request). You can add, activate, or delete associated playbooks directly within this tab.

Additional Settings (in Rule Configuration card)

The following additional fields are located in the Rule Configuration card itself (not a separate Advanced Settings card):

Saving the Rule

Two buttons appear at the bottom of the form: Cancel (discards changes) and Save Changes / Create Rule. There is no "Save as Draft" option — set State to Testing to create a non-enforcing draft.

Translations

If multi-language support is enabled (Settings → Languages), translation fields for each enabled language appear inside the Message Content card below the English fields. For each language you can customize:

• Modal Title — Localized version of the alert modal heading.
• Message Body — Localized alert body text.
• Button Labels — Per-language labels for each custom button (configured inside the Custom Alert Buttons section, per button).
• Justification Placeholder — For submit_request buttons, a per-language placeholder text for the text input field.

When Auto-translate is enabled, Fantomo pre-fills these fields automatically using machine translation. Review auto-translations for accuracy before activating, especially for legal or compliance-critical policy text.

Curated Domain Packs & Manual Overrides

When creating or editing a rule, if you select Domain Pack as the Match Type and pick a valid pack (e.g. AI Tools Pack or Personal Cloud Storage Pack), a Pack Management card is dynamically rendered inline inside the Configuration tab (positioned between the Rule Configuration and Message Content cards):

• Automated Domain List — Displays the dynamically updated list of curated domains included in the selected pack, complete with an inline search bar and pagination controls.
• Manual Overrides — Allows you to define custom domain overrides for the pack once the rule is created. You can enter a domain and classify it as Always Block (Add) to append a domain, or Always Allow (Exclude) to bypass a curated domain. This gives administrators fine-grained control over the pre-built packages.

Rule Debugger

The Rule Debugger (route: /rules/debug) provides an interactive sandbox for testing Browser Alert Rules against URLs without deploying them to employee browsers. It is particularly useful for verifying domain matching logic and testing rule priorities before activating rules.

Using the Debugger Effectively

1. Verify URL Matching: Paste a list of URLs and click Run URL Simulation. Confirm that the intended rules trigger for the correct URLs.
2. Check Priority Ordering: If multiple rules target a single domain, the debugger displays them in evaluation order based on their assigned priorities, helping you see which rule takes precedence.
3. Validate Wildcard and Glob Matches: Test complex glob pattern rules or domain wildcard structures against specific subdomains to verify correct matching behavior.

DLP Policy Settings

The DLP Policies settings page (Settings → DLP Policies) manages global security configurations for the browser extension's data protection engine, including DNS health routing and localized AI text scanning.

Global Security Configuration

Configure the following settings to control browser telemetry behavior:

DNS Diagnostics Log Console

Clicking Run DNS Diagnostic Test runs a live simulated client-side test. It opens an interactive diagnostics console box on the page detailing current connection checks (e.g. DoH endpoints, DNS resolver speeds, certificates checks, and captive portal state verification) to confirm if the DNS routing layer is secure.

Global (System) DLP Rules

Fantomo maintains pre-built pattern rules for standard sensitive data types. These rules use a 3-mode select dropdown (🟢 Enforced, 🟡 Test Mode, and ⚫ Disabled):

Custom DLP Rules

Administrators can create custom regex patterns. If a rule specifies a Sample Test Case, a Copy test input button will render on the row, allowing administrators to copy the string to their clipboard to test the rule locally.

General & MDM Settings

The Settings page (labeled "Settings" in the page heading; linked as "General & MDM" in the sidebar) is the primary configuration hub for your organization's identity, authentication method, browser extension deployment credentials, language support, and Shadow IT category governance. It is the first settings page you should configure during initial setup.

Authentication Card

Organization Card

Languages Card

Enabling a language makes it available for rule translations in the Rule Editor. Once enabled, it cannot be disabled (to prevent breaking existing translations on deployed rules). English is the default and cannot be disabled.

Shadow IT Category Exclusions

This card displays all SaaS classification categories that Fantomo recognizes. Each category can be individually toggled to enable or disable Shadow IT detection for domains classified under it.

Categories toggled off (disabled) will not generate Shadow IT detection events, even if employees sign up for services in that category. This is useful for categories where detection would be noisy and low-risk (e.g. financial services, government sites). Keep high-risk categories like AI Tools and Cloud Storage enabled.

Extension Setup Card

{
  "apiKey": "ftm_your_api_key_here",
  "apiBaseUrl": "https://api.fantomo.io",
  "userId": "${user.id}",
  "userEmail": "${user.email}",
  "syncIntervalMinutes": 5
}

Regenerate API Key

Click Regenerate API Key in the Extension Setup card header to immediately invalidate the current API key and generate a new one. This is a destructive action — all deployed browser extensions will stop syncing until they receive the new key via an updated MDM configuration profile. A confirmation dialog states exactly this before proceeding.

When to rotate the API key:

• A current or former admin is suspected of misuse
• The API key was accidentally exposed (committed to a repo, logged in plain text, etc.)
• As part of a periodic key rotation policy (recommended annually)

After rotating, update your MDM configuration profile with the new key and force a device check-in to push the updated profile to all managed devices.

The MDM & Policy Deployment Guides section (tabs: Google Workspace, Jamf Pro, Iru, Fleet, Mosyle) is covered in detail in the Setup & MDM Deployment section.

Users & Admins

The Users page (Settings → Users & Admins) manages all user accounts in your organization. This includes: admin portal accounts (Owner, Admin, Read Only) who log in to configure Fantomo, as well as auto-provisioned employee device profiles created automatically when browser extensions check in. Both types appear in the same table.

Users Table

User Status Values

Auditing Individual Employee Profiles

Clicking on any employee's email in the Users table loads their dedicated Employee Details Page (route: /users/:id). This dashboard consolidates device telemetry, SaaS credentials, and browser network performance metrics into five primary areas:

1. Profile Controls

Allows administrators to review their system metadata, manage their role (if they are a portal admin), and edit preferred locale settings. You can also configure merge overrides here — useful if an employee accesses SaaS accounts using multiple legacy aliases or alternative domain emails.

2. Employee Key Performance Indicators (KPIs)

3. Registered Devices Table

Logs all devices where the employee has checked in with the Fantomo browser extension active. This telemetry tracks browser and OS variations to audit patch levels:

4. Detected SaaS Accounts

Audits all third-party application accounts and credentials associated with the employee. This list lists both extension logins and directory OAuth permissions, complete with administrative status controls:

5. Network Speed Diagnostics

Monitors client-side latency metrics to debug performance or identify abnormal data routing latency. Administrators can filter these records by domain name:

Add User

Role Capabilities Matrix

Disabling vs. Deleting Users

• Disable — Immediately revokes portal access. The account record, associated audit log entries, and historical data are preserved. The user can be re-enabled later. Use this for temporary leave or investigations.
• Delete — Permanently removes the admin account. Historical audit log entries referencing this user's actions are preserved (for compliance) but the account cannot be recovered. Use this after offboarding an admin who will not return.

Slack Integration

The Slack integration connects Fantomo to your organization's Slack workspace, enabling two capabilities: (1) routing security alerts to designated Slack channels for team visibility, and (2) sending automated direct messages (DMs) to employees when Shadow IT detections occur, requesting a business justification.

Connection Status Card

Connecting Slack for the First Time

If Slack is not yet connected, a Connect Slack button initiates the OAuth 2.0 authorization flow. You will be redirected to Slack's authorization page, where you must approve the permissions listed below. You must be a Slack Workspace Admin (or have a Workspace Admin approve on your behalf) to install the Fantomo app.

Slack App Permissions Required

Rule Alert Routing

This table maps each Browser Alert Rule to a specific Slack channel. When a rule fires and an employee dismisses the alert, a notification is posted to the mapped channel.

The channel dropdown for each rule shows all channels synced from your Slack workspace. The first option is always No Slack Alerts (Disabled) — select this to suppress Slack notifications for that rule. Click Refresh Channel List if recently created channels don't appear.

Employee Outreach Check-ins

Danger Zone: Disconnect Workspace

At the bottom of the Slack settings page, a Danger Zone section contains the Disconnect Workspace button. Disconnecting Slack will: stop all alert channel routing (rules will still fire, but no Slack notifications are sent), disable outreach DM check-ins, and remove the Fantomo app from the Slack workspace. A confirmation dialog appears before any action is taken. Reconnecting requires going through the OAuth flow again and reconfiguring all channel routing mappings.

Google Workspace Integration

Settings → Google Workspace manages the server-side connection between Fantomo and your Google Workspace tenant. This is the agentless detection tier — it requires no software on endpoints and instead uses a Service Account with Domain-Wide Delegation to read audit logs, directory data, and Gmail headers.

Connection Status

Test Connection Handshake

Clicking Test Connection Handshake performs a live verification: Fantomo attempts to authenticate with the service account credentials against your Google Workspace tenant and make a test call to the Admin Reports API. Results are displayed inline — success or a specific error code indicating what's misconfigured (auth failure, DWD not granted, API not enabled in GCP, etc.).

Mail Scan Rules Tab

Visible once Google Workspace is connected and mail scanning is active. This tab manages the subject-line patterns used to detect SaaS signups from Gmail headers.

Active Subject Line Rules

Subject line rule categories: signup, login_challenge, password_reset, invitation. System Default rules are maintained by Fantomo and cover common English-language patterns. Custom Override rules extend coverage for non-English subject lines, industry-specific onboarding emails, or corrections to false-positive system patterns.

Sender Domain Mappings

Maps email sender domains to SaaS application domains. For example, if Notion sends signup emails from mail.notion.so, a sender mapping tells Fantomo that emails from mail.notion.so should be attributed to the application notion.so in the SaaS inventory.

Allowlisted Senders

Suppresses mail scan detections for specific senders. Use this to prevent false positives from trusted vendors whose emails match signup patterns but don't represent actual shadow IT. Two types:

• email — Exact sender email address (e.g. [email protected]).
• domain — All emails from a sender domain (e.g. google.com to suppress all Google-originated emails).

OAuth App Mappings Tab

Visible when Google Workspace OAuth scanning is active. Since employees can authenticate to third-party services using their Google Workspace identity, Fantomo inspects active OAuth client ID tokens. This tab allows administrators to classify unrecognized client IDs and map them to their corresponding SaaS catalog applications.

Unclassified Client IDs Queue

When an employee signs in with Google to an application that is not yet mapped in your SaaS Inventory, the client ID is flagged as unclassified. Administrators must review this queue to map client IDs to the correct SaaS domains:

Add OAuth App Domain Mapping

Use this form to associate a client ID with a specific SaaS domain, automatically updating all active and future user records:

Google Directory Sync Status

Shows the current Domain-Wide Delegation scopes authorized for Fantomo's service account, along with the status of the background directory sync cycle. The sync runs automatically every 4 hours, pulling Workspace groups, OUs, and OAuth grants.

Initial Setup Wizard

When Google Workspace is not yet connected, the page shows a 4-step setup wizard:

1. Create Google Cloud Service Account — link to GCP Console, instructions for creating a service account and downloading the JSON key.
2. Domain-Wide Delegation (DWD) — link to Google Admin Console, instructions for granting the service account the required OAuth scopes.
3. Verify Gmail Safety Settings — guidance on ensuring Gmail API access is not blocked by Google Workspace safety settings.
4. Enable Sync — enter your domain, paste the JSON key, optionally enable telemetry sharing, and click Test + Connect.

Office 365 Integration

Settings → Workspace Sync manages the server-side connection between Fantomo and your Microsoft Office 365 tenant. This agentless detection tier retrieves user directories, audits Azure AD / Entra ID enterprise application consent permissions, and polls simulated Exchange Message Trace logs to detect SaaS subscriptions and shadow IT without endpoint software.

Connection Status

Test Connection Handshake

Clicking Test Connection Handshake runs a live credentials check. Fantomo attempts to fetch an OAuth 2.0 access token from Entra ID (using client credentials grant flow) and verify permissions against the Graph API. Result feedback is shown inline.

Active Directory Sync Status

Displays the current Entra ID permission scopes authorized for Fantomo's App Registration, along with the status of the background directory sync. Sync runs automatically every 4 hours to pull Microsoft groups, OUs/members, and active delegated user permission grants.

Initial Setup Wizard

If Office 365 sync is not yet configured, the Settings tab presents a 4-step wizard:

1. Create Azure AD App Registration — Guidance for registering a new multi-tenant or single-tenant application in the Microsoft Entra admin center.
2. Configure Graph API Permissions — Instructions for granting the required Application permission scopes:
   • Directory.Read.All (to sync users and groups)
   • AuditLog.Read.All (to monitor Exchange logs and audit scopes)
   • DelegatedPermissionGrant.ReadWrite.All (to read and revoke third-party app consents)
3. Generate Client Secret Credentials — Guidance on creating a new client secret under Certificates & Secrets and copying the value before it is obscured.
4. Submit & Handshake Test — Input your Tenant ID, Client ID, and Client Secret, run the connection test, and activate the synchronization pipeline.

Branding & Appearance

Settings → Branding & Appearance opens the Appearance Settings page, which customizes the browser warning modals that Fantomo displays to employees. Every visual element of the modal — colors, fonts, logo, shape, and footer text — can be adjusted to match your organization's brand identity. Consistent branding is critical: employees who recognize their company's design in a warning modal are far more likely to take it seriously than a generic unbranded alert.

Brand Identity

Color System

All color fields use a native color picker input. Values are saved as hex strings. The available color fields are:

Borders & Alerts Layout

Typography

Border Color Input — The Border Color picker dynamically renders inside the layout section only when the Border Width is set to a value greater than 0px (i.e. 1px, 2px, or 3px). If width is set to None (0px), the color selection input is hidden automatically from the settings form.

Default Modal Width — Configures the organization-wide default width for warning modals. Available sizes are Small (460px max width), Medium (50% of viewport width), and Large (80% of viewport width). Individual rules can override this layout option.

The Application Mode dropdown (inside the Borders & Alerts Layout card) controls rollout scope for appearance changes:

• Testing (Admins Only) — Customized branding is only visible to admin sessions. Employee browsers continue using the previously saved configuration. Use this to preview changes before going live.
• All Users — Branding changes are applied to all employee browser extensions. Rollout happens within 5 minutes of the next extension sync.

Click Save Appearance to persist all settings. A live preview panel on the right side of the page updates in real-time as you change values, reflecting exactly what the modal will look like with the current branding applied.

Outbound Webhooks

Settings → Outbound Webhooks configures real-time HTTP POST callbacks that Fantomo sends to external systems when security events occur. Webhooks are the primary integration mechanism for connecting Fantomo to ITSM platforms (Jira, ServiceNow), SIEM systems (Splunk, Sentinel), Slack bots, and custom automation workflows.

Webhooks List

Create / Edit Webhook Form

{
  "event_id": "8f3e5b72-9b24-4a6c-9c98-1e43d748f21e",  // UUID, unique per event
  "event_type": "license_request",                        // one of the four event types
  "org_id": "3c84e1b7-cd34-450f-a39c-f91d830b8d5a",      // your organization UUID
  "timestamp": "2026-06-08T01:05:00.000Z",               // ISO 8601 UTC
  "data": { ... }                                         // event-specific payload (see below)
}

{
  "event_type": "license_request",
  "data": {
    "alert_activation_id": "d16c59b2-38d5-4519-86ab-b0b3d6d5ef0a",
    "user_id": "6e2882a1-fa44-42b7-84bc-87c26fb4c4d5",
    "user_email": "[email protected]",
    "domain": "slack.com",
    "rule_id": "f3cbb031-15d2-430c-be4e-0a562efee120",
    "rule_name": "Unapproved Collaboration Tools Warning",
    "user_justification": "Need to communicate with external client workspace for Q3 deliverables.",
    "button_id": "req_button_1",
    "button_label": "Request Sandbox Access",
    "timestamp": "2026-06-08T01:04:59.000Z"
  }
}

{
  "event_type": "shadow_it",
  "data": {
    "user_id": "6e2882a1-fa44-42b7-84bc-87c26fb4c4d5",
    "user_email": "[email protected]",
    "domain": "zoom.us",
    "detection_type": "signup",
    "matched_pattern": "input[type=\"password\"]",
    "browser_name": "Chrome",
    "timestamp": "2026-06-08T01:09:59.000Z"
  }
}

{
  "event_type": "dlp_bypass",
  "data": {
    "log_id": "5b597cde-9a99-4d1a-b333-d9d1e57cfa45",
    "user_id": "6e2882a1-fa44-42b7-84bc-87c26fb4c4d5",
    "user_email": "[email protected]",
    "matched_rules": ["US Social Security Numbers", "PCI Credit Card Numbers"],
    "justification": "Uploading customer support database extract for debug analysis.",
    "target_domain": "customer-support-staging.com",
    "snippet_checksum": "a45f8e6c7d8b9e0f1a2b3c4d5e6f7a8b",  // SHA-256 of matched text
    "timestamp": "2026-06-08T01:11:59.000Z"
  }
}

{
  "event_type": "offboarding_failure",
  "data": {
    "task_id": "2c8f8bde-e129-4d34-b3ef-88d44e548231",
    "user_id": "71aef42d-2090-4da2-8de9-b1d22bfca422",
    "user_email": "[email protected]",
    "revocation_successes": 5,
    "revocation_errors": 3,
    "timestamp": "2026-06-08T01:14:59.000Z"
  }
}

// Node.js Express — HMAC signature verification
import crypto from 'node:crypto';

function verifyWebhookSignature(req, secret) {
  // Get the signature from the configured header (default: X-Fantomo-Signature)
  const signature = req.headers['x-fantomo-signature'];
  if (!signature) return false;

  // Compute HMAC-SHA256 of the raw body string
  const hmac = crypto.createHmac('sha256', secret);
  hmac.update(req.rawBody);  // Must be raw bytes, not parsed JSON
  const expectedSignature = hmac.digest('hex');

  // Use constant-time comparison to prevent timing attacks
  return crypto.timingSafeEqual(
    Buffer.from(signature, 'utf-8'),
    Buffer.from(expectedSignature, 'utf-8')
  );
}

// In your Express route handler:
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  if (!verifyWebhookSignature(req, process.env.WEBHOOK_SECRET)) {
    return res.status(401).json({ error: 'Invalid signature' });
  }
  const event = JSON.parse(req.body);
  // Handle event...
  res.status(200).json({ received: true });
});

Billing & Plans

Settings → Billing & Plans manages your Fantomo subscription tier, active add-ons, payment method, and usage statistics. Only users with the Owner or Admin role can view this page.

Current Plan Card

Add Payment Method (Stripe SetupIntents)

To securely register your payment card, the billing portal embeds the Stripe SetupIntents interface directly inline. Clicking Add Payment Method opens this form, allowing card details to be validated and saved on file without external redirects. Billing charges are computed dynamically at the end of the monthly billing cycle based on the number of active billable users.

Manage Subscription (Stripe Portal)

Clicking Manage Subscription — which only appears when a payment method is on file and the account is not complimentary — opens the Stripe Customer Portal in a new tab. From there you can: update your payment method, download historical invoices, view upcoming invoice details, and cancel your subscription.

Add-ons

Fantomo's feature set is extended via add-ons. The Current Plan card shows your active add-ons with monthly prices. Available add-ons are listed below in a grid. Specific add-ons offered depend on your account configuration and are loaded dynamically — what you see may differ from any list shown here.

Add-on Operations

• Activate — Depending on the add-on, may redirect to a Stripe Checkout page for immediate payment, or activate immediately if the add-on is included in your plan tier.
• Deactivate — Schedules deactivation at the end of the current billing period. You retain access until the period ends.
• Reactivate — Re-enables a deactivated add-on immediately, resuming billing at the next cycle.

Alert Log Setting

An internal setting controls whether historical DLP alert records are retained. When disabled, new alerts are not stored long-term (the real-time dashboard still shows recent events). When enabled, all DLP alert history is retained for the duration configured by your plan. This setting is controlled via support or via the API endpoint /billing/settings/alert-log — it is not currently exposed as a toggle in the billing page UI.

InfoSec 101 Blueprint for SMBs

This section is a practical security program blueprint for small and medium-sized businesses (SMBs) that are adopting Fantomo as their first security tool. It maps Fantomo capabilities to industry frameworks, identifies gaps you'll need to fill with complementary tools, and provides a phased roadmap for building a complete security program over 12–24 months.

You do not need a CISO or security team to use this guide. You need someone with basic IT skills, the patience to work through each phase, and the organizational authority to enforce policy. That person might be you.

Phase 0: Foundations (Before Fantomo)

A security program cannot succeed if basic organizational hygiene is missing. Verify these prerequisites before investing in any security tooling:

Phase 1: Visibility (Months 1–3)

The first goal of any security program is visibility — understanding what's happening in your environment. Fantomo's primary value in this phase is discovery: you cannot govern what you cannot see.

1. Deploy Fantomo's Google Workspace integration. Connect your service account and let it run for 2–4 weeks before taking action on the inventory. You want a baseline, not a knee-jerk reaction to the first discovery.
2. Deploy the browser extension via MDM to all managed devices. Verify telemetry is flowing (check Browsing History for active users).
3. Review the SaaS Inventory after 4 weeks. You will likely discover 30–100 applications your employees are using — many of which IT didn't know about. This is normal and not a crisis. Document everything.
4. Classify applications into Approved / Under Review / Blocked based on your initial risk judgment. Don't block anything yet — just classify.
5. Enable system DLP rules in Testing mode. Review the DLP log after 2 weeks to understand which patterns are generating matches and how frequently.

Phase 2: Basic Controls (Months 3–6)

With visibility established, begin enforcing boundaries on your highest-risk exposure areas.

1. Block the 5 highest-risk applications identified in Phase 1. Focus on: unapproved AI tools receiving sensitive business data, personal cloud storage (Dropbox, WeTransfer) used for business files, and personal email services used for corporate communication.
2. Enable DLP rules in Active mode for the highest-confidence patterns: SSN detection, credit card numbers, and AWS credential patterns. These have low false-positive rates and protect against the most common data types involved in breach notifications.
3. Set up Slack integration and configure at least one alert routing channel (e.g. #security-alerts). This ensures the security team is notified in real-time without needing to check the portal constantly.
4. Configure offboarding playbook. The next time any employee departs, run through Fantomo's offboarding workflow. This builds the habit and process before a high-pressure situation (angry termination, sudden resignation) demands it.
5. Set up your first webhook. Even if it just posts to Slack or a simple logging endpoint, getting the integration plumbing working in Phase 2 means you can scale it later.

Phase 3: Compliance Alignment (Months 6–12)

Once controls are running, align them to the compliance framework most relevant to your industry. The two most common for SMBs are SOC 2 Type II (software/SaaS companies) and HIPAA (healthcare-adjacent businesses). This section maps to SOC 2.

Fantomo → SOC 2 Control Mapping

Phase 4: Maturity & Integration (Months 12–24)

A mature security program integrates multiple specialized tools into a cohesive defense-in-depth architecture. Fantomo occupies the browser-layer and SaaS governance layer. Build out adjacent layers:

The Incident Response Minimum

Every organization needs a documented incident response plan before they have an incident — not during one. At minimum, document:

1. Who to call. A contact list with: CISO/IT lead, legal counsel, cyber insurance carrier (get cyber insurance if you don't have it), and a forensics firm on retainer or a pre-approved incident response vendor.
2. What counts as an incident. Define thresholds: a DLP bypass is a policy event; a DLP bypass combined with a large file transfer to an untrusted domain is a potential incident; confirmed exfiltration of PII to an outside party is a reportable breach under most privacy regulations.
3. Evidence preservation. When a potential breach is detected, preserve Fantomo logs before anyone dismisses or deletes them. Screenshot the Security Alerts and DLP log. Export the Admin Audit Log for the relevant time period.
4. Notification obligations. If your organization handles personal data, you likely have regulatory notification obligations (GDPR: 72 hours; CCPA: "expedient notice"; HIPAA: 60 days). Know your obligations before you need them.
5. Post-incident review. After every incident (even minor ones), conduct a structured retrospective: what happened, what controls failed, what would we do differently. Update your Fantomo rules and playbooks based on lessons learned.

Security Metrics: What to Report to Leadership

Monthly security metrics establish a baseline and demonstrate program effectiveness to executives and boards. Pull these from Fantomo and present them on a one-page executive summary: