Aligning browser activity with
security & compliance

Empower your IT and security teams to protect company data, identify shadow SaaS subscriptions, and educate employees on compliance policies in real-time.

Business View Take a Deeper Look

See what your team feeds the AI tools

ChatGPT, Claude, Copilot, and the next 50 your team will try this quarter. Fantomo shows which AI tools are in use, who's using them, and what's getting pasted or uploaded into them.

  • Shadow AI discovery: Find the AI apps nobody put on the approved list.
  • Data exposure: Catch source code, secrets, and customer data on the way into an AI prompt or upload.
  • Login posture: See which AI tools people sign into without SSO or MFA.

On-device prompt scanning

The client-side scanner intercepts text inputs, clipboard paste events, and drag-and-drop file transfers directly inside tabs matching known generative AI domains. Checks run locally on the client endpoint, meaning raw prompt inputs are evaluated in user space without third-party API routing.

When a policy check triggers (e.g. detecting API keys or database connection strings), the extension blocks the payload before it leaves the browser. The violation is logged in the admin panel with telemetry metadata, while the prompt content is kept private.

  • Local Prompt Checks: Scan input areas on ChatGPT, Claude, and custom endpoints.
  • Data Leak Mitigation: Detect source code, access tokens, and SSNs.
  • Identity Auditing: Flag when employees bypass enterprise SSO.
AI prompt scanned on-device Tool: chat.openai.com Match: source code + API key Blocked before send User asked to remove sensitive data

Discover new software sign-ups automatically

Keep track of what software tools are being adopted across your organization in real time, helping you prevent data fragmentation and unnecessary subscriptions.

  • Sign-Up Alerts: Spot new accounts the moment employees create them.
  • Directory Integration: Filter discoveries and analyze SaaS usage mapped to Google Workspace OUs and Groups.
  • Instant Action: Remind employees of company guidelines or block access if the tool is unsafe.

Local form monitoring

The extension scans DOM form submissions and SAML/OAuth assertion flows inside the browser process to identify SaaS logins. This approach observes new software signups the moment they occur, bypassing corporate firewall limitations.

SaaS discovery is mapped directly to synchronized directories. Telemetry details are aggregated daily by Google Workspace Organizational Units or Microsoft 365 groups to provide clear software adoption reports.

  • Form Element Scans: Catch account registrations at SaaS portals.
  • Directory Mapping: Filter SaaS usage metrics by directory OUs and Groups.
  • Response Playbooks: Fire custom alerts or Slack webhooks on new signups.
Account Created App: unsanctioned-ai-tool.com User: [email protected] View Telemetry Slack: Alert Sent

Direct employee guidance when it matters most

Help your staff make better security decisions with real-time browser alerts. Guide them away from risky tools and suggest company-approved alternatives right when they are browsing.

  • Helpful Alerts: Advise employees on security policies and recommend approved tools.
  • Flexible Formats: Choose between informational banners, warning pop-ups, or full blocks.
  • Simple Override Logic: Allow staff to bypass alerts for valid business purposes by submitting a quick explanation.

Shadow DOM UI injection

Alert banners, full block pages, and warning pop-ups are rendered using isolated Shadow DOM elements. This locks overlay stylesheets from being overridden or altered by the underlying web page CSS.

When a user overrides a warning by providing a business justification, the extension packs the response into a signed JSON payload. The console registers the comment and updates the active session exception rules immediately.

  • Isolated UI Nodes: Inject warning overlays using Shadow DOM containers.
  • Bypass Log Flows: Sync user-entered justifications as signed JSON packets.
  • Contextual Banners: Prefill warnings based on the blocked domain category.
Security Warning Please use our approved corporate SaaS tools for code sharing. Acknowledge

Audit-ready compliance reporting

Fulfill strict compliance standards (SOC 2, ISO 27001, GDPR) regarding SaaS tracking, access validation, and data residency controls, keeping your company audit-ready.

  • Privacy-First Logging: Keep compliance records secure and isolated from other accounts.
  • Custom Retention: Adjust data survival periods from 30 days to 4 years to meet internal rules.
  • Anonymous Statistics: Gather aggregate usage reports without logging individual employee profiles.

Multi-tenant data isolation

All configurations, device registration lists, and transaction histories are isolated at the database layer using a multi-tenant data architecture. Query contexts require organization-level verification keys, preventing data visibility leakage.

The control plane supports granular retention rules. Older compliance logs are purged daily, and audit reports can be exported to CSV or streamed directly to external SIEM tools like Splunk or Microsoft Sentinel.

  • Data Isolation: Partition logs and configuration details between clients.
  • Retention Controls: Schedule automated compliance log deletion.
  • SIEM Connectors: Stream real-time logs to Splunk, Sentinel, and CrowdStrike.
AUDIT LOG: SOC 2 Compliant EXPORT: CSV generated Retention: 365 Days Locked Tenant: Multi-Tenant Active

Reclaim unused software seat licenses

Organizations waste up to 30% of their software budget on unused or duplicate SaaS licenses. Fantomo tracks not just if an account is registered, but how often users actively open and interact with those applications in their browser.

  • Usage Duration Tracking: Aggregate aggregate session times to identify software that is rarely launched.
  • Identify License Waste: Target duplicate tools (e.g. departments using both Zoom and Google Meet) to consolidate subscriptions.
  • Automatic Reminders: Reach out to users with low usage stats to automatically reclaim their seats before monthly renewals.

Active tab session auditing

The extension measures actual tab focus durations and user activity pulses (mouse clicks, scroll events) on target SaaS domains. It collects aggregate session data locally in the browser to calculate weekly usage metrics.

This architecture tracks whether a license is active or dormant without recording raw visit histories. The admin console flags overlapping tool subscriptions (e.g. departments paying for multiple PDF editors) and runs offboarding scripts to reclaim unused seats.

  • Interaction Auditing: Track active tab durations using local activity timers.
  • Overlap Identification: Spot duplicate SaaS platforms within departments.
  • Auto-Offboarding: Run compliance playbooks to reclaim idle user seats.
License Analysis Total active licenses: 140 Unused seats (>30 days): 42 Est. Savings: $1,260/mo

Find the AI agents your team is quietly building

People wire up agents and automations in Zapier, ChatGPT, Copilot Studio, Retool, and n8n without telling anyone. Fantomo spots them in the browser, asks the person who built each one what it does, and gives you an inventory with a risk score and an approval state.

  • Agent discovery: Catch agent-builder pages the moment an employee opens one.
  • Ask the creator: A short questionnaire captures what the agent reads, writes, and whether it touches sensitive data.
  • Risk and approval: Score agents on write access, PII, production use, and dormancy, then mark each Approved, Allowed, or Not permitted.

Browser detection plus a creator intake

The extension recognizes high-precision agent-builder URLs and reports each discovery. The API creates an agent record, scores it, and emails the creator a tokenized intake form. Their answers populate the record and recompute risk. A playbook trigger lets you layer your own response.

  • Long-tail coverage: Catch platforms an API-only tool misses.
  • Departed-creator flag: Surface agents whose builder has left the company.
  • Nudge-the-creator playbook: Automate the intake, escalation, or approval on discovery.
AI agent discovered Platform: Zapier · Creator: [email protected] Risk 72 · In review Write access to Salesforce, handles PII Intake sent to creator

Give employees an approved-app catalog on your intranet

Paste one tag onto any intranet page. Where the Fantomo extension is installed, it renders a searchable directory of the apps you've approved, with a details view and how to get access. No new login for employees, and no separate portal to run.

  • One embed tag: Drop it anywhere; the extension does the rest.
  • Rich details: Each app opens a card with description, security characteristics, and useful links.
  • Clear next step: Show a license link or instructions per app, with an org-wide default so every card leads somewhere.

Rendered by the extension, styled by you

The directory renders inline in the page's light DOM so your intranet layout flows around it. A tightly scoped style block ships with the widget, and your designers can override it. The app list and generic access fallback travel in the extension's sync payload.

  • Light-DOM inject: Containers expand to fit the content.
  • Admin preview: See exactly what employees will see before you ship the tag.
  • Editable CSS: Copy the real embedded fragment and restyle it.
Search approved apps... Slack Communication View details → Figma Design View details →

See breaches that reach you through the vendors you don't buy from

Your apps depend on other vendors. When one of those sub-processors is breached, you're exposed through an app you use, even though you never signed a contract with the breached company. Fantomo maps those dependencies and tells you which of your apps are affected.

  • Sub-processor mapping: Know the vendors behind your vendors.
  • Breach propagation: Turn a breach in a dependency into an alert on the apps that rely on it.
  • OAuth blast radius: When a connected vendor is breached, see how many people granted it access.

A dependency graph over breach data

Vendor sub-processors come from AI-assisted enrichment with human review. Breach data comes from HaveIBeenPwned. After each breach scan, Fantomo walks the graph: a breached domain that is a sub-processor of an app you use, or a breached vendor you're connected to through OAuth grants, becomes a distinct supply-chain risk signal.

  • Fourth-party depth: Reach past your direct vendors.
  • Automatic recompute: Signals refresh after every breach scan.
  • One feed: Supply-chain alerts sit alongside direct breach alerts.
Your app Sub- processor Supply-chain exposure Breached sub-processor reaches your app

One place to sync directories and cut off access

Fantomo connects to Google Workspace, Microsoft 365 and Entra ID, and Okta for user and group context. When someone leaves, or when a session looks hijacked, it can deactivate the account and clear sessions across the providers you've connected.

  • Directory sync: Pull users and groups from Workspace, Entra ID, and Okta.
  • Offboarding actions: Deactivate accounts and revoke OAuth grants when someone departs.
  • Session response: Clear sessions in response to session-hijacking detections.

Read for context, manage for response

Okta connects with a scoped API token. With directory read plus user lifecycle and session management, Fantomo reaches parity with Workspace and Microsoft 365: deactivate on offboarding, clear sessions on a hijack. Entra ID directory context comes through the Microsoft Graph connection, with an identity-only mode for orgs that don't use Microsoft mail.

  • Standard plans: No Okta Identity Threat Protection add-on required.
  • Identity-only mode: Use Entra ID for identity without any Microsoft mail scanning.
  • Encrypted secrets: Tokens and credentials are stored encrypted.
Connected directories Google Workspace · synced Microsoft 365 / Entra ID · synced Okta · synced Offboard: deactivate + clear sessions