All features Cloud · Google Workspace

CSPM for Google Workspace

18 checks for Google Workspace — 2-step verification enforcement, super-admin hygiene, risky OAuth apps, Alert Center and mobile device posture. Read-only, connected with a service account.

Get started Run a free scan
18Workspace checks
5control areas
Readonly access
google-workspace-posture 61
2SV2-step verificationCHECK
ADMINSuper-admin countFAIL
OAUTHRisky third-party appsFAIL
MDMMobile posturePASS
What we check

18 checks across the Workspace tenant

An agentless scan reads each connected Google Workspace tenant through a read-only service account and runs 18 checks — flagging weak 2-step verification, over-broad admin access, risky third-party apps, blind spots in the Alert Center, and unmanaged mobile access.

2-Step Verification

Whether 2SV is enforced organization-wide, how many users are still exempt or unenrolled, whether weaker SMS-only methods are allowed, and whether security keys are required for admins.

Super-admin hygiene

The count of super-admins against least-privilege guidance, admins without 2SV, dormant privileged accounts, and delegated admin roles handed broader scopes than the job needs.

Risky OAuth apps

Third-party apps granted broad Gmail, Drive or Directory scopes, unverified publishers, and domain-wide delegation — the OAuth grants attackers use to keep access without a password.

Alert Center & audit

Whether the Alert Center and login, admin and Drive audit logs are on and retained, and whether suspicious-login and data-exfiltration alerts are actually configured to reach someone.

Sharing & external access

Default Drive and Docs external-sharing rules, link-sharing exposure, group access set to public, and legacy less-secure-app or IMAP/POP access left enabled.

Mobile device posture

Whether mobile management is enforced, screen-lock and encryption are required, and unmanaged or compromised devices are allowed to reach Workspace data.

How it connects

A read-only service account, then it runs itself

Connecting a tenant is a one-time service-account authorization — no agent to install, no admin password to hand over, and no write access anywhere in the domain.

Read-only service account

A domain-wide-delegated service account is authorized with read-only Admin SDK and Reports scopes. No stored passwords, no agent, and no write permission anywhere in the tenant.

Continuous re-scan

Once connected, the tenant is re-scanned on a schedule with the same zero footprint. Each scan tracks what is new and what has been resolved since last time, so both drift and fixes surface on their own.

Unified findings

Workspace findings land in the same queue as every other source — ranked by real-world risk, paired with AI remediation guidance, mapped to your compliance frameworks, and folded into cross-surface attack paths.

Part of one platform

Workspace identity, in the context of everything else

Google Workspace posture never sits in its own console. Every finding is correlated with your Windows, Linux and macOS endpoint agents and your other cloud and identity data on one platform — so an over-shared Drive or an over-scoped OAuth app becomes a named step in a real attack path, not an isolated ticket.

  • Correlated with endpoint & other cloud identity
  • Findings become steps in named attack paths
  • KEV / EPSS-ranked, real-world severity
  • Paired with AI remediation, mapped to 10 frameworks
See the full platform
82
+27 pts
projected after top fixes

Run your first scan free

See a client’s real posture in minutes — then unlock all 1,692 checks.