Can you give me a brief overview of DoControl as a company and its backstory?
DoControl was founded in 2020, with our initial funding secured later that year as the world was grappling with the pandemic. At the time, I was working at a company that had acquired my previous startup, SafeDK, which was bought by AppLovin. In January 2020, during a trip to Japan, I encountered a situation that highlighted a major security gap. Someone shared highly sensitive information with me through Google Workspace, and I received an email notification about it. When I tried to access the data, I realized I didn’t have permission, so, like any typical employee, I clicked “Request Access.” Instantly, I was granted entry. However, my default email account on my phone was my personal Gmail, not my corporate one. With just one click, sensitive company data was exposed to a personal email—mine. At the same time, my co-founder, Adam, was working at Google on Data Loss Prevention (DLP), competing with CASB and security compliance solutions. The compliance team approached him about whether he had shared certain materials with a department, freelancer, or vendor. Tracking and managing data exposure was proving to be a tedious and complex process. This growing concern over data security, visibility, and automation led us to partner up and co-found DoControl. From late 2020 into early 2021, we raised our first round of funding, scaled the company to nearly 50 employees, and secured almost $45 million in investment. Today, we work with some of the biggest brands in the world, from Colgate, with 55,000 employees, to Zscaler, a leading security company with 10,000 employees, to Carta, an options management platform with 2,000 employees, and Grammarly, with around 1,000 employees. Regardless of the size or industry, once a company adopts modern SaaS applications like Google Workspace, Box, or even Zoom, data can be shared rapidly and, often, unknowingly. Most organizations lack clear visibility into who has access to their data, how it is being exposed, and whether former employees or third parties are still accessing sensitive information. Beyond just visibility, remediation is another challenge. Companies struggle to undo past exposures and automate internal security processes without disrupting business operations. That’s exactly why we co-founded DoControl—to address these critical gaps in visibility, remediation, and automation. Today, we’re proud to serve hundreds of thousands of employees worldwide, including Fortune 500 companies, helping them secure their SaaS applications and data with efficiency, confidence, and ease.What can you tell me about your SaaS Security Posture Management services?
SaaS Security Posture Management (SSPM) is a widely used term, and almost every security tool on the market offers some form of posture management dashboard. When we started DoControl, we received valuable advice from industry veterans, including former Check Point executives, about the importance of going beyond visibility. At security conferences like RSA, nearly every vendor claims to provide exceptional visibility into risks, exposures, and misconfigurations. While visibility is crucial, it’s just the starting point—we see it as a given. What sets DoControl apart is not just the ability to identify risks like exposed former employee accounts, shadow applications, misconfigurations, or high-risk users, but the ability to take action. Having visibility into exposure doesn’t mean much if you can’t actively reduce it. If there are risky employees, how do you stop them? If dangerous third-party applications are requesting sensitive permissions, how do you cut off access? Our approach is to combine deep posture management insights with automation-driven remediation. Instead of just highlighting risks, we provide tools to automatically address and mitigate them, significantly reducing the attack surface. The result is a continuously improving security posture, where businesses don’t just see their vulnerabilities—they actively fix them.What other security features and services do you provide?
DoControl operates as a security-as-a-service platform, offering an agentless solution that any company can connect to within 10 to 20 minutes. Our core capabilities begin with comprehensive visibility into exposure risks, including current and former employees, publicly accessible data, externally shared files, and other sensitive assets. Beyond visibility, we provide robust remediation workflows to clean up security risks that existed before implementing DoControl—essentially a “spring cleaning” for historical exposure. Our platform is event-driven, meaning it continuously monitors applications, digests security events, alerts the appropriate teams, and takes immediate action when necessary. This can be done automatically or by involving end users through our DoBot automation platform, which enables direct outreach via Slack, Microsoft Teams, or email. Whether a company has 10 or 100,000 employees, our system ensures that those responsible for certain actions are engaged in the remediation process. We also offer Identity Detection and Response (IDR), mapping out high-risk employees within an organization. By integrating with HR systems and Identity Providers (IDPs) like Okta, we assess employee status—whether they’re about to leave the company, are on a performance improvement plan, or have recently submitted their notice. Employees sharing sensitive information with personal accounts or installing high-risk applications receive increased risk scores, enabling security teams to respond proactively. Shadow applications are another key focus. While widely recognized tools like Calendly are common in workplaces, employees often install lesser-known apps that could pose security risks. For example, an unknown developer may create an app that requests excessive permissions, such as the ability to delete an entire Google Workspace environment. DoControl provides visibility into these applications and offers a full remediation path to mitigate potential threats. Finally, we address misconfigurations, ensuring that security settings across applications are correctly implemented. This includes enforcing multi-factor authentication (MFA), identifying weak passwords, and limiting unnecessary admin privileges. Our approach provides a 360-degree security solution, helping companies strengthen their SaaS ecosystem while maintaining business continuity without unnecessary restrictions.DoControl offers data protection in various ecosystems, from Google Workspace to Zoom. What are some differences there?
That’s a great question because each ecosystem—whether it’s Zoom, Google Workspace, GitHub, or Slack—was designed to enhance business operations, but they also introduce unique security challenges. Take Zoom, for example. It’s a communication tool meant for meetings and collaboration, but during those meetings, sessions can be recorded, and sensitive information—potentially including personally identifiable information (PII)—may be shared. If those recordings are then made public, sent to personal emails, or shared externally without proper controls, that data is instantly exposed. DoControl provides tracking, alerts, and remediation to prevent unauthorized exposure in real time. Google Workspace, on the other hand, is a collaboration ecosystem where users create, share, and store massive amounts of data—spreadsheets, presentations, Word documents, and more. While sharing is a natural part of workflow efficiency, employees rarely go back and revoke access, meaning sensitive files may remain accessible indefinitely. Many are even shared with personal emails or external parties without oversight. DoControl alerts, notifies, and remediates these risks by automatically identifying and managing permissions. For developers, GitHub introduces another dimension of risk. Developers frequently create, clone, and modify repositories, but what happens when a sensitive repo is accidentally made public? In large organizations with thousands of developers, such incidents can go unnoticed. DoControl helps detect, alert, and automatically remediate misconfigured repositories, preventing unintended data exposure. Slack, one of the most widely used workplace communication tools, presents yet another security challenge. Files, messages, and sensitive information are exchanged across direct messages (DMs), private channels, and public workspaces. It’s easy to lose track of what’s being shared and where. High-profile breaches at companies like Disney and Twitter occurred when developers accidentally posted encryption keys in Slack channels. If a bad actor gains access, those keys become an open door to critical systems. DoControl provides oversight, ensuring that sensitive data isn’t inadvertently exposed and helping organizations enforce proactive security measures. While each platform is different, they all share the same fundamental issue—uncontrolled data exposure. Most companies lack full visibility into these risks, let alone a structured way to remediate past exposures or automate security moving forward. That’s exactly where DoControl steps in, ensuring that sensitive information remains protected across every business-critical application.What sets DoControl apart from its competitors?
When it comes to competitors, I see every company in our space as a semi-competitor, but the reality is that security practitioners and CISOs have an overwhelming number of vendors to choose from. The industry is flooded with acronyms—CASB, DLP, SSPM, DSP—and it’s easy to get lost in the noise. What truly sets DoControl apart is our ability to provide scalable, automated, and granular security for data access and applications. We go beyond just offering visibility; we deliver a full-blown inventory of all the data stored in cloud applications, identifying exposure risks and, most importantly, remediating them. What makes us unique is that we automate remediation without disrupting business enablement—a critical balance that most solutions struggle with. We’ve patented our approach, with three patents protecting our innovative methods, and we’re actively winning business from legacy security giants like Netskope, CloudLock, and Broadcom. Why? Because traditional security vendors built their solutions for on-prem environments, while today’s world operates in the cloud, leveraging SaaS applications and remote work at an unprecedented scale. The way businesses function has transformed drastically, especially post-pandemic, and outdated security models simply can’t keep up. That’s why companies are shifting to DoControl. We provide modern security for modern businesses, ensuring that organizations can manage and protect their data without slowing down productivity.Is there anything else about your work that you’d like to share that we haven’t covered?
One thing I’d really like to emphasize is just how underestimated the risks in SaaS environments are. Many companies—whether they’re small, mid-sized, or large enterprises—are using around 70 different security tools on average. Everyone wants consolidation, a single platform that does it all, and while that’s an ideal goal, it’s often not realistic. This is exactly why startups like DoControl are founded —we identify gaps that haven’t been solved yet and introduce new, more effective approaches to tackling security challenges. The reality is, the unknown risks in a company’s SaaS ecosystem are often far greater than what security teams are actively monitoring. That’s why we encourage security practitioners to conduct a free risk assessment of their SaaS environments before making assumptions about their security posture. For companies born into the cloud—those using Slack, Box, Zoom, Google Workspace, and other SaaS tools—it’s critical to pause and ask: ● What kind of data do I have stored in these third-party applications? ● Who has access to it? ● How do I shut down unnecessary exposure? ● How do I automate this protection moving forward? These platforms hold sensitive business information, from P&L reports and revenue data to customer lists, legal documents, and commission plans—all of which exist outside of your controlled environment. Yet, many organizations focus primarily on securing AWS, Azure, or GCP, overlooking the sheer scale of their SaaS exposure. Cybercriminals attack businesses daily, often exploiting these overlooked SaaS vulnerabilities. The sooner security teams start recognizing SaaS security as a top priority, the better they can reduce risk and prevent breaches before they happen.To learn more about DoControl, you can visit www.docontrol.io
