# App Intelligence

### Table of Contents

1. [Overview](#overview)
2. [Key Concepts](#key-concepts)
3. [Navigating the App Intelligence Interface](#navigating-the-interface)
4. [Tutorials](#tutorials)
   * [Tutorial 1: Getting Your First Look at App Usage](#tutorial-1)
   * [Tutorial 2: Reviewing a High-Risk App's Details](#tutorial-2)
   * [Tutorial 3: Investigating a High-Risk App and Its User Activity](#tutorial-3)
5. [Use Case Examples](#use-case-examples)
6. [Frequently Asked Questions](#frequently-asked-questions)

***

### Overview

**App Intelligence** gives your security team a complete, continuously updated view of every SaaS application and AI tool your employees are actually using — not just the ones on your approved list.

In most organizations, employees use five to fifteen times more applications than IT formally manages. This includes AI assistants like ChatGPT and Claude, personal cloud storage, file-sharing services, and agentic AI tools that act on behalf of users. Until now, this activity has been largely invisible to security teams.

App Intelligence changes that. Using data movement APIs provided by Apple and Microsoft, Nightfall's lightweight agent detects paste and file upload activity to automatically discover these applications, assign a risk score, categorize them by functional type, and surface early adopters — with none of the latency associated with traditional DLP tools.

***

### Key Concepts

#### App Categories

Nightfall classifies every detected app into one of twelve categories. Categories reflect the nature of the product and its typical data exposure potential — they form the foundation of how risk is calculated. Your team can use categories to filter, prioritize, and focus on the parts of your app landscape that matter most.

| Category                    | Risk Level | Description                                                                                                                         | Examples                                                  |
| --------------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- |
| **Core System**             | Low        | Business systems of record with strict identity controls and low exfiltration risk.                                                 | Workday, NetSuite, SAP, Salesforce CRM                    |
| **Business SaaS**           | Low        | Enterprise productivity and collaboration tools.                                                                                    | Slack, Notion, Figma, Canva, Asana, Loom                  |
| **Internal Apps**           | Low        | Internal or private applications, staging/QA environments, and SSO-only portals.                                                    | Internal dashboards, staging portals, \*.internal domains |
| **Public Web**              | Low        | General consumer or informational websites not primarily designed for file transfer.                                                | YouTube, Wikipedia, Medium, Amazon                        |
| **Social / Messaging**      | Medium     | External messaging or social platforms where users can send or post corporate data.                                                 | WhatsApp Web, Telegram, Discord, LinkedIn, X/Twitter      |
| **Cloud Providers / Infra** | Medium     | Cloud consoles and infrastructure administration surfaces.                                                                          | AWS Console, GCP Console, Azure Portal, Cloudflare        |
| **GenAI**                   | High       | LLMs, AI assistants, and AI-powered creation tools that may ingest internal data.                                                   | ChatGPT, Claude.ai, Gemini, Perplexity, DeepSeek          |
| **Developer Tools**         | High       | Platforms hosting source code, configuration, logs, or automation pipelines.                                                        | GitHub, GitLab, Replit, Databricks, Netlify               |
| **Unknown**                 | High       | Domains that cannot be reliably classified (e.g., raw IPs or unrecognized destinations).                                            | Unclassified IPs, localhost, unresolved domains           |
| **AI Agents**               | Critical   | Autonomous or semi-autonomous systems that act on behalf of users to access and move data.                                          | Wisprflow, Glean, n8n, Zapier Desktop Runner              |
| **Cloud Storage / Sync**    | High       | Cloud-based file storage and synchronization platforms with high exfiltration risk due to bulk file movement and multi-device sync. | Google Drive, Dropbox, Box, iCloud, OneDrive              |
| **File Sharing**            | Critical   | Public or anonymous file-sharing services with minimal identity boundaries.                                                         | WeTransfer, file.io, Snapdrop, Pastebin                   |

> **A note on cloud productivity suites:** Nightfall classifies by the actual product surface an employee uses, not the parent company brand. For example, Google Workspace Mail and Google Docs are classified as **Business SaaS** because their primary function is collaboration and editing. Google Drive is classified as **Cloud Storage / Sync** because its primary function is file storage and bulk sync. The same principle applies to Microsoft 365, AWS, and Salesforce subdomains.

#### Risk Scoring

Every app in App Intelligence displays one of four risk labels: **Low**, **Medium**, **High**, or **Critical**. These reflect Nightfall's assessment of how much data exposure risk the app represents in your environment.

| Label           | What It Means                                                                                |
| --------------- | -------------------------------------------------------------------------------------------- |
| 🟢 **Low**      | Minimal concern; typically well-governed, established tools with strong identity boundaries. |
| 🟡 **Medium**   | Worth monitoring; may involve less-governed surfaces or moderate data exposure potential.    |
| 🔴 **High**     | Requires attention; elevated data risk or boundary concerns detected.                        |
| 🚨 **Critical** | Immediate review recommended; significant risk signals across multiple dimensions.           |

Risk is calculated in two steps. First, every app starts with a baseline risk level inherited from its category — for example, File Sharing apps start at Critical and Core Systems start at Low. Second, Nightfall adjusts the score for the specific app within that category: if an app is consumer-focused, allows anonymous access, or is less governed than its peers, the risk increases. If the app is unusually well-governed for its category — for example, enterprise-only access with mandatory SSO — the risk may decrease.

***

### Navigating the Interface

#### The App Intelligence Page

Access App Intelligence from the **Discovery** section of the left-hand navigation menu.

<figure><img src="https://3764378997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZeqNSdo8J8cLJPU3Gs5M%2Fuploads%2FsstjTlqGwBsChKzoMRcp%2Fapp-intelligence-list-view.png?alt=media&#x26;token=c2f253c6-de43-404a-98b3-befa260c3a4a" alt=""><figcaption></figcaption></figure>

*The App Intelligence list view, showing 5,892 total apps discovered across the organization.*

The page is divided into two main sections:

**App Insights (Top Panel)** The insights panel gives you a quick summary of what's happening across your app landscape. It shows:

* **Total Apps** discovered, **AI Apps** in use, and **Total Users** observed
* **Top AI Apps by Adoption** — the GenAI tools growing fastest in your environment over the last 30 days, shown as a percentage of users
* **Top Apps by Data Volume** — the apps handling the most data, with user counts and data sizes

**App List (Bottom Panel)** The full table of all discovered applications. Each row shows:

| Column                | Description                                                   |
| --------------------- | ------------------------------------------------------------- |
| **App Name**          | The detected application, grouped under its canonical domain  |
| **Domain**            | The primary domain associated with the app                    |
| **Destination Count** | Number of distinct subdomains or destinations observed        |
| **Category**          | App type classification                                       |
| **Risk**              | Nightfall's computed risk level                               |
| **Users**             | Number of users or unique devices observed accessing this app |
| **Data Volume**       | Total data transmitted to this destination                    |
| **First Seen**        | When Nightfall first detected activity to this app            |
| **Last Seen**         | Most recent observed activity                                 |

#### Filtering and Search

Use the filter bar above the app list to narrow results by:

* **Time range** (e.g., Last 30 Days)
* **App Name** — search by name or keyword
* **Domain** — filter to a specific domain
* **Category** — show only GenAI, Cloud Storage, etc.
* **Risk** — focus on High or Critical apps

#### The App Details View

Clicking any app in the list opens its detail page.

<figure><img src="https://3764378997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZeqNSdo8J8cLJPU3Gs5M%2Fuploads%2FpVJ5Oenplm84G9V1PBnc%2Fapp%20intelligence%20-%20details.png?alt=media&#x26;token=c17ee4f3-289c-408c-8028-b2769292bf20" alt=""><figcaption></figcaption></figure>

*The App Details view for Wisprflow (wisprflow\.ai), an AI agent platform classified as High risk.*

The detail view includes:

* **Summary stats** — total users, when first and last seen
* **App Risk panel** — a plain-language explanation of why Nightfall assigned this risk level, covering category, identity boundaries, and data exposure
* **Destination List** — a breakdown of every subdomain or endpoint within the app where data was sent, including per-destination user counts, data volume, and activity timestamps. This helps you understand whether a tool is being used for its core purpose or whether data is flowing to admin panels, APIs, or documentation portals.
* **Add to Collection** — a button that lets you add the app's domain directly to a domain collection. Domain collections are the allow lists and block lists that power Nightfall's exfiltration control policies. Adding an app here is how you translate App Intelligence findings into active data protection — for example, blocking a risky file-sharing site or explicitly allowing an approved storage tool.

***

### Tutorials

#### Tutorial 1: Getting Your First Look at App Usage <a href="#tutorial-1" id="tutorial-1"></a>

**Goal:** Understand which apps are active in your environment and identify where to focus first.

**Steps:**

1. Navigate to **Discovery → App Intelligence** in the left sidebar.
2. Review the **App Insights** panel at the top of the page. Note:
   * How many **Total Apps** have been discovered.
   * Which **AI Apps** have the greatest adoption (Top AI Apps by Adoption chart).
   * Which apps have the most users over the last 30 days (Top Apps by User Count, 30d).
3. In the **App List**, sort by **Risk** to bring the highest-risk apps to the top. Look for any apps labeled **Critical** or **High** that you don't recognize.

   <figure><img src="https://3764378997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZeqNSdo8J8cLJPU3Gs5M%2Fuploads%2FHk34cM3bgIXN5AZPdUgy%2Fdeepseek-risk.png?alt=media&#x26;token=ede38e08-d324-4295-98d3-56537c5905e2" alt=""><figcaption></figcaption></figure>

   *Example showing a small tenant environment. DeepSeek is flagged as Critical risk — a GenAI tool with elevated data exposure signals.*
4. Sort by **Last Seen** to find apps with very recent activity, then cross-reference with **First Seen** to spot newly adopted tools your team may not be aware of.
5. Use the **Category** filter and select **GenAI** and **AI Agents** to see all AI tools in use. This is a fast way to understand your organization's AI footprint.

***

#### Tutorial 2: Reviewing a High-Risk App's Details <a href="#tutorial-2" id="tutorial-2"></a>

**Goal:** Understand why an app received a high risk score and gather the information your team needs to take action.

**Steps:**

1. Filter the App List by **Risk = High** and sort by **Users** to surface the most widely adopted high-risk apps first.
2. Click on an app to open its **Detail View**.
3. Read the **App Risk** explanation on the right side. This gives you Nightfall's reasoning in plain language — for example, whether the tool is an AI agent that can access data on behalf of users, or whether it lacks standard enterprise governance controls.
4. Review the **Destination List** to understand how the app is being used. Are employees accessing only the main product domain, or is data also flowing to API endpoints or admin subdomains? Higher destination counts can indicate more complex, potentially automated workflows.
5. Note the **Total Users** and **First Seen** date. If adoption is recent and growing, that context is useful when escalating to your IT or security governance team.
6. If your team decides to act on what you've found, use the **Add to Collection** button to add the app's domain to a domain collection. Choose a block list collection to prevent data from flowing to the app, or an allow list collection to explicitly permit it within your exfiltration control policies.

***

#### Tutorial 3: Investigating a High-Risk App and Its User Activity <a href="#tutorial-3" id="tutorial-3"></a>

**Goal:** Understand the risk signals behind a specific app and determine whether action is needed.

**Steps:**

1. Identify an app of interest in the App List — for example, an AI Agents tool or a GenAI service you don't recognize.

   <figure><img src="https://3764378997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZeqNSdo8J8cLJPU3Gs5M%2Fuploads%2FfeTs56gGALtTNc1WYY50%2Fapp-intelligence-list-view-whisperflow.png?alt=media&#x26;token=831fbb35-b3bd-4341-8776-af37588f1bee" alt=""><figcaption></figcaption></figure>

   *Wisprflow appears in the App List as an AI Agents tool with a High risk rating, 28 users, and 2.2 GB of data sent — with activity as recently as 5 hours ago.*
2. Click the app row to open its **Detail View**.
3. In the **App Risk** panel, read Nightfall's risk explanation. For an AI Agents tool, this will typically explain that the platform is designed to build and deploy autonomous agents that can access and move data across multiple systems — and why this elevates the risk classification above the category baseline.
4. Check **Total Users** and compare it to **First Seen**. If a large number of users adopted the tool quickly, that's a signal of fast organic growth that may have outpaced governance review.
5. Review the **Destination List** to see exactly where data is flowing within the app's ecosystem. For example, if you see traffic to both the main product domain and an API subdomain, it suggests programmatic or automated use — not just manual browser sessions.
6. Cross-reference the **Data Volume** against the number of users. Disproportionately high data volume relative to user count can indicate automated workflows, bulk uploads, or exfiltration-style behavior.
7. Click **Show Events** on a destination row to see the individual users and corresponding events associated with that site. This is one of the most powerful features in App Intelligence — it lets you move from aggregate risk signals to the specific people and actions driving them.
8. Share your findings with your IT or security governance team, including the risk score, user count, data volume, any API-level destinations observed, and the specific user activity surfaced via Show Events.
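
The adoption, destination and volume checks in this tutorial can be applied to many apps at once. The sketch below is an added example, not Nightfall code: the rows are constructed and hand-typed from the App List columns (nothing here reads from the product), and the thresholds, field names and the `api` hostname heuristic are assumptions to tune for your environment.

```python
from datetime import date
from statistics import median

TODAY = date(2025, 6, 1)  # constructed "now" so the sample is reproducible

# Constructed sample rows (not real telemetry). Field names mirror the App List
# columns; "destinations" stands in for the Destination List of the detail view.
APPS = [
    {"app": "agentflow.example", "category": "AI Agents", "users": 28,
     "bytes": 2_200_000_000, "first_seen": date(2025, 5, 20),
     "destinations": ["agentflow.example", "api.agentflow.example"]},
    {"app": "chatdocs.example", "category": "GenAI", "users": 120,
     "bytes": 600_000_000, "first_seen": date(2024, 11, 1),
     "destinations": ["chatdocs.example"]},
    {"app": "teamboard.example", "category": "Business SaaS", "users": 300,
     "bytes": 900_000_000, "first_seen": date(2024, 1, 15),
     "destinations": ["teamboard.example"]},
    {"app": "quickdrop.example", "category": "File Sharing", "users": 2,
     "bytes": 4_000_000_000, "first_seen": date(2025, 3, 1),
     "destinations": ["quickdrop.example"]},
    {"app": "codehost.example", "category": "Developer Tools", "users": 40,
     "bytes": 400_000_000, "first_seen": date(2024, 6, 1),
     "destinations": ["codehost.example", "docs.codehost.example"]},
]


def per_user(row):
    """Bytes sent per observed user; None when no users were recorded."""
    return row["bytes"] / row["users"] if row["users"] else None


def api_destinations(hosts):
    """Hosts whose leftmost label looks like an API endpoint (naming heuristic)."""
    return [h for h in hosts if h.split(".")[0].lower() in {"api", "apis"}]


def triage(apps, today, volume_ratio=5.0, users_per_day=1.0):
    """Return (app, reasons) for rows that trip a signal, most signals first."""
    volumes = [v for v in map(per_user, apps) if v is not None]
    # Compare each app with the fleet median rather than a fixed byte count.
    baseline = median(volumes) if volumes else None
    flagged = []
    for row in apps:
        reasons = []
        # Many users soon after First Seen: adoption may have outpaced review.
        age_days = max(1, (today - row["first_seen"]).days)
        if row["users"] / age_days >= users_per_day:
            reasons.append("fast_adoption")
        # An API subdomain next to the product domain suggests programmatic use.
        if api_destinations(row["destinations"]):
            reasons.append("api_destination")
        # Data volume out of proportion to the user count.
        volume = per_user(row)
        if volume is not None and baseline and volume >= volume_ratio * baseline:
            reasons.append("high_volume_per_user")
        if reasons:
            flagged.append((row["app"], reasons))
    return sorted(flagged, key=lambda item: -len(item[1]))


if __name__ == "__main__":
    for app, reasons in triage(APPS, TODAY):
        print(f"{app}: {', '.join(reasons)}")
```

Apps that trip several signals at once are the ones to open first with **Show Events**.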

***

### Use Case Examples

#### Use Case 1: Discovering Shadow AI Adoption

A security team at a mid-size technology company suspects employees are using unauthorized GenAI tools but has no visibility into which ones or how widely.

They open App Intelligence, filter by **Category = GenAI**, and sort by **Users**. Within minutes, they can see that three GenAI tools not on the approved list have been adopted by dozens of employees. They use the details view to assess each tool's risk score and destination activity, then route the highest-risk findings to the IT governance team with the context they need to take action.

***

#### Use Case 2: Identifying a New High-Risk Agentic Tool

An insider risk analyst receives an alert about unusual data movement patterns. They open App Intelligence and sort by **Last Seen** to find recently active apps. They spot an AI Agents platform that was first seen a month ago but has seen a spike in data volume in the last 24 hours.

Clicking into the app detail, they see the risk explanation highlights that the tool is designed to build autonomous agents capable of accessing data across multiple systems — and that several API-level destinations are active. The analyst notes their findings and escalates to the security team for deeper investigation.

***

#### Use Case 3: Prioritizing App Review During Quarterly Governance

An IT Policy Owner needs to audit which high-risk apps are active in the environment as part of a quarterly governance review. Rather than sifting through all discovered apps manually, they filter the App List to **Risk = High or Critical**, sort by **Users**, and work through the results.

Using the risk scores and destination breakdowns, the owner quickly identifies which apps need immediate attention from the security team and which are low-risk tools that don't require escalation. Within a single session they have a clear picture of their app risk landscape to bring into the governance review.

***

#### Use Case 4: Turning App Findings Into Exfiltration Controls

A data security engineer reviewing App Intelligence notices a file-sharing site with Critical risk that has been used by multiple employees to send data externally. Rather than just flagging it for review, they want to act immediately.

From the app's detail page, they click **Add to Collection** and add the domain to their organization's block list collection — the same list already enforced by Nightfall's exfiltration control policies. The domain is now blocked from receiving corporate data without any separate policy configuration required. For a second app — an approved cloud storage tool that was mistakenly triggering alerts — they add it to the allow list collection instead, suppressing false positives going forward.

App Intelligence becomes the discovery layer that feeds directly into enforcement, closing the loop between visibility and protection.

***

#### Use Case 5: Understanding Your GenAI Footprint Before a Compliance Review

A CISO preparing for an upcoming compliance review needs a clear picture of all AI tools in use across the organization, including what data types are being transmitted. They use the **Top AI Apps by Adoption** insight to see which GenAI tools are most widely used, then filter the app list to **Category = GenAI** to review risk levels across the full set.

For any GenAI tool with a **High** risk rating, they open the detail view to review the risk explanation and destination breakdown. This gives them the documentation they need to demonstrate that the organization has visibility into AI tool usage and the risk signals associated with each one.

***

### Frequently Asked Questions

**How often is the app data refreshed?** App Intelligence data is refreshed hourly. The "Last updated" timestamp in the top right corner of the page shows when the data was last synced.

***

**How does Nightfall discover which apps employees are using?** Nightfall uses data movement APIs provided by Apple and Microsoft to detect paste and file upload activity on enrolled devices — not network traffic or keystrokes. This lightweight approach means App Intelligence can identify which apps employees are sending data to without the performance impact or latency of traditional DLP tools. No additional configuration is required; new apps are detected automatically.

***

**How exactly is an app's risk score calculated?** Nightfall uses a two-step process. First, every app starts with a baseline risk level inherited from its category — for example, File Sharing apps start at Critical and Core Systems start at Low. Second, Nightfall evaluates the specific app within its category: if it's consumer-focused, allows anonymous access, or is less governed than peers, the risk increases. If the app is unusually well-governed for its category — mandatory SSO, enterprise-only access — the risk may decrease. This category-based assessment is then combined with usage signals including behavioral patterns and identity boundary data to produce the final label.

When reviewing individual events in **Forensic Search**, scoring goes a step further. If your organization has completed MDM integration, Nightfall can determine whether a user is sending data to a corporate or personal account at a given destination — for example, distinguishing between a managed Google Workspace account and a personal Gmail account at the same domain (mail.google.com). This account context is factored into the event-level risk score in Forensic Search, giving you a more precise signal when investigating specific user activity.
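
The two-step calculation described in this answer and in the Risk Scoring section, combined with the product-surface classification from App Categories, can be modelled as follows. This is an added illustration, not Nightfall's scoring code: the suffix rules are a constructed stand-in for a real app catalogue, the one-level adjustment is an assumption, and the usage signals and account context mentioned above are not modelled.

```python
import ipaddress
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Baseline per category, copied from the App Categories table on this page.
BASELINE = {
    "Core System": Risk.LOW, "Business SaaS": Risk.LOW,
    "Internal Apps": Risk.LOW, "Public Web": Risk.LOW,
    "Social / Messaging": Risk.MEDIUM, "Cloud Providers / Infra": Risk.MEDIUM,
    "GenAI": Risk.HIGH, "Developer Tools": Risk.HIGH, "Unknown": Risk.HIGH,
    "Cloud Storage / Sync": Risk.HIGH,
    "AI Agents": Risk.CRITICAL, "File Sharing": Risk.CRITICAL,
}

# Constructed suffix rules (assumption). Rules are keyed by product surface,
# so two hosts of the same parent brand can land in different categories.
SURFACE_RULES = {
    "drive.google.com": "Cloud Storage / Sync",
    "mail.google.com": "Business SaaS",
    "docs.google.com": "Business SaaS",
    "internal": "Internal Apps",
    "filedrop.example": "File Sharing",  # hypothetical service
}

# Signal names paraphrase the page; moving one level per direction is an assumption.
RAISES = {"consumer_focused", "anonymous_access", "less_governed"}
LOWERS = {"mandatory_sso", "enterprise_only"}


def classify(host):
    """Return the category of the most specific matching product surface."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "Unknown"  # a raw IP cannot be tied to a product
    except ValueError:
        pass
    if host == "localhost":
        return "Unknown"
    labels = host.split(".")
    # Try the full host first, then progressively shorter suffixes.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in SURFACE_RULES:
            return SURFACE_RULES[suffix]
    return "Unknown"  # no rule for the bare brand domain either


def score(host, signals=()):
    """Return (category, baseline label, adjusted label) for one destination."""
    signals = set(signals)
    unknown = signals - RAISES - LOWERS
    if unknown:
        raise ValueError(f"unrecognised signals: {sorted(unknown)}")
    category = classify(host)
    baseline = BASELINE[category]
    # Step 2: raising and lowering signals cancel; the label moves at most
    # one level and stays inside the Low..Critical range.
    direction = (1 if signals & RAISES else 0) - (1 if signals & LOWERS else 0)
    level = min(Risk.CRITICAL, max(Risk.LOW, baseline + direction))
    return category, baseline.name, Risk(level).name


if __name__ == "__main__":
    for host, sig in [("drive.google.com", []), ("mail.google.com", []),
                      ("filedrop.example", ["mandatory_sso"]), ("10.0.0.5", [])]:
        print(host, score(host, sig))
```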

***

**Can I override the risk level Nightfall assigns?** Not in v1. The ability to apply custom risk overrides is planned for a future release.

***

**Why do some apps show a high Destination Count?** Destination Count reflects the number of distinct subdomains or endpoints Nightfall has observed data flowing to within a single app's domain. For many apps, destinations are specific enough to tell you something meaningful about how the app is being used.

GitHub is a good example: each destination corresponds to a specific repository. A SecOps admin reviewing GitHub's destination list can research individual repos to determine whether employees are pushing data to a corporate repository, a public open-source project, or a personal account — a meaningful distinction when assessing data exposure risk. The same principle applies to other developer tools, cloud storage platforms, and any app where the destination encodes context about the recipient or purpose.

***

**Will App Intelligence block apps or take enforcement actions?** App Intelligence itself is a visibility tool — it does not block apps directly. However, you can act on what you find by using the **Add to Collection** button in any app's detail view. This lets you add the app's domain to a domain collection, which feeds directly into Nightfall's exfiltration control policies. Adding a domain to a block list collection will prevent data from being sent to that destination; adding it to an allow list collection explicitly permits it and suppresses false positives. Automated enforcement actions beyond this are planned for a future release.

***

**Does App Intelligence cover desktop apps like Slack or Zoom?** Not yet — but coming soon! The current release focuses on web apps and GenAI tools accessed through the browser. Coverage for native desktop applications is on the roadmap for an upcoming release.

***

**What should I do first if I'm new to App Intelligence?** Start with the App Insights panel to understand the shape of your environment — how many apps are active, which AI tools are growing fastest, and where the most data is flowing. Then filter the App List to **Risk = High or Critical**, sort by **Users**, and work through the results. This gives you a focused view of the apps that carry the most risk and the widest reach across your organization.

***

*For additional help, contact Nightfall support or reach out to your Customer Success Manager.*
