Case study · 04 · Security SaaS

Workspace security that doesn't sleep.

Google Workspace emits massive volumes of audit logs from sixteen separate sources — and almost no out-of-the-box way to monitor them. enigma is the platform we built (and now sell) to ingest, normalize, attest and alert on Workspace activity 24/7, with SOC 2-ready evidence collected as it goes.

Client · GSEC · enigma (Bitdo product)
Industry · Cloud Security · SaaS product
Year · 2025 → today
Region · Multi-tenant · The Americas


  • 16 Workspace sources
  • 24/7 unattended attestation
  • <5 min tenant onboarding
  • 4 notification channels

A glimpse of what we shipped

Attestation feed mockup (live · multi-tenant · 16 sources) · All 19 · Critical 2 · High 5 · Medium 12 · tenant acme-co.workspace
  • HIGH · Drive · 2 min ago · Mass file download · 247 files · [email protected] · sent to #security on Slack
  • CRITICAL · Admin · 8 min ago · Super-admin role granted to a new account · [email protected] → [email protected] · pending acknowledgment
  • MEDIUM · Token · 14 min ago · Third-party app granted drive.readonly scope · Workspace scheduler · OAuth client 84a2… · acknowledged by [email protected]
Sources: Admin · Drive · Login · Meet · Token · SAML · +10
The challenge

Workspace tells you everything — if you can listen to all of it.

Google Workspace audit logs are split across the Admin SDK, Drive activity, Meet events, Calendar, SAML, Login, OAuth tokens, mobile, Chrome, Groups, GCP and more. Each has its own shape, retention and authentication. Most security teams either pay enterprise SIEM prices to centralize it, or rely on a fragment of the picture and hope. Smaller and mid-market companies — exactly the audience that needs SOC 2 cleanly — get neither option. The brief: build a platform that ingests every Workspace source, normalizes them into a single event model, runs rules against them, and tells the right human in the right tool when something matters.

Our solution

Three services. One event model. Sixteen sources covered.

enigma is three composable services. gsec-ingestor (Next.js + TypeScript) pulls each Workspace API on schedule, normalizes every event into a unified ActivityEvent shape with source, actor, category, severity, target and risk factors, then stores it in MongoDB with HashiCorp Vault holding the per-tenant credentials. gsec-attestation (Python + Prefect) runs source-specific rule engines — admin, drive, meet — over the ingested data and produces AttestationFinding documents. gsec-guardian (Python + Prefect) routes findings to Google Chat, Slack, Email or Discord with trusted-actor allowlists so the on-call ladder doesn't drown in noise. Adding a new Workspace source or a new notification channel is a small, additive change in each service.
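An added example of how the attestation and guardian steps described above fit together, written here for illustration and not taken from enigma's code. The ActivityEvent fields follow the description above; the rule names, the download threshold, the severity ranking and the shape of the per-tenant config are assumptions.

```python
# Added illustration (not enigma's code): a batch of normalized Workspace
# events goes through two source-specific rule engines, and the resulting
# findings are routed per tenant with a trusted-actor allowlist.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ActivityEvent:
    source: str                      # "drive", "admin", "login", ...
    actor: str                       # who performed the action
    category: str                    # "download", "role_grant", ... (assumed values)
    target: str                      # file id, affected account, ...
    risk_factors: list = field(default_factory=list)


@dataclass
class AttestationFinding:
    rule: str
    severity: str                    # "medium" | "high" | "critical"
    actor: str
    summary: str


def drive_rules(events, threshold=100):
    """Drive engine: one actor downloading >= threshold files in a batch."""
    downloads = Counter(e.actor for e in events
                        if e.source == "drive" and e.category == "download")
    return [AttestationFinding("mass-download-threshold", "high", actor,
                               f"Mass file download · {n} files")
            for actor, n in downloads.items() if n >= threshold]


def admin_rules(events):
    """Admin engine: every super-admin role grant is a critical finding."""
    return [AttestationFinding("super-admin-granted", "critical", e.actor,
                               f"Super-admin role granted to {e.target}")
            for e in events
            if e.source == "admin" and e.category == "role_grant"
            and "super_admin" in e.risk_factors]


SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}   # assumed ordering


def route(findings, tenant_cfg):
    """Guardian: tenant_cfg = {"trusted_actors": [...], "channels": {name: min_sev}}.
    Findings from allowlisted actors are dropped; the rest go to every channel
    whose minimum severity the finding meets."""
    routed = []
    for f in findings:
        if f.actor in tenant_cfg["trusted_actors"]:
            continue                 # known automation or break-glass admin: no page
        for channel, min_sev in tenant_cfg["channels"].items():
            if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_sev]:
                routed.append((channel, f))
    return routed
```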

Key decisions · 06

Architecture choices that earn their complexity.

// 01

Unified ActivityEvent model

Every source — login, drive, admin, SAML, meet, calendar, token — normalizes into the same TypeScript interface. Rules and UI never branch on source type unless they explicitly want to.

// 02

Vault-isolated credentials

Each tenant's GCP service account JSON lives in its own Vault path with its own AppRole. A breach in one tenant cannot read another's keys. AppRole auth is cached, never hardcoded.

// 03

Prefect-orchestrated pipelines

Attestation and notification flows are Prefect flows with retries, alerting and observability built in. Failed runs page the operator with the artifact attached.

// 04

Notifier registry pattern

Channels (Google Chat, Slack, Email, Discord, WhatsApp coming) live behind a uniform interface. Per-tenant configuration picks which channels and which severities, with trusted-actor allowlists.

// 05

MongoDB for append-heavy logs

Workspace audit data is write-heavy and shape-varied per source. Mongo's flexible documents + indexed sources fit the access pattern better than relational rows.

// 06

TS for product surface, Python for analytics

The customer-facing dashboard and the ingestor live in TypeScript. The rule engines and notifiers live in Python — where the scientific stack and Prefect ecosystem are stronger.

What enigma can do · 04 surfaces

The full product, in four screens.

Workspace security isn't one dashboard — it's a product loop: ingest everything, surface what matters, prove the controls, investigate when something breaks. Here's how enigma does each of them.

// 01 · SOC Dashboard

See your Workspace before it sees the news.

A single overview that answers the four questions every security team wakes up to — what's normal, what's elevated, who's risky and which sources are healthy. Threat level is computed from your real events, not a static score.

  • Threat level rolled up from live findings — Normal / Elevated / High / Critical.
  • Event volume timeline with high-risk events visually broken out.
  • Top risk users sorted by composite score across the last 30 days.
  • Ingestion health per source — Drive, Admin, Login, SAML, Meet, Token and 10 more.
SOC Dashboard mockup (enigma.bitdo.dev/dashboard) · live · acme-co.workspace
Security overview · 16 sources · last sync 4 min ago · threat level Elevated
  • Monitored users: 1,284
  • Active connections: 12
  • Events (24h): 47,392
  • Open alerts: 19
  • Investigations: 3
  • Alert rules: 42
Event volume · last 30 days (normal vs. high-risk)
Ingestion health: Admin active · Drive active · Login active · Meet active · SAML delayed · Token active · Calendar active · Mobile active
// 02 · Google Apps & Risk

Catch the OAuth app no one approved.

Every OAuth grant inside your Workspace, scored for risk, sorted by exposure, revocable in one click. The unknown calendar sync with drive.readonly access nobody noticed? Now you can.

  • 127 apps · 41 external · 8 high-risk, all surfaced in one table.
  • Per-app aggregate risk score combining scope sensitivity, user count and publisher trust.
  • One-click revoke writes the action through the Admin SDK and removes the token from Mongo.
  • Filter by scope, publisher, risk bucket — find every app touching `drive.*` in two seconds.
Google Apps & Risk mockup (enigma.bitdo.dev/integrations/google)
Google apps & services · every OAuth grant inside acme-co.workspace · scored, paged, revocable · last sync 8 min ago
  • Total apps: 127
  • High risk: 8
  • External: 41
  • Aggregate risk: 6.4
  • Total grants: 3,492
Filter apps by scope · publisher · risk (All 127 · High-risk 8 · Needs review 19)

Application                                   Scopes                             Users  Risk      Action
Notion (External) · notion.so                 drive.readonly, userinfo.email       247  high
Unknown Calendar Sync · third-party, unverified   calendar, userinfo.email, +1       3  critical
Loom · loom.com                               userinfo.email, userinfo.profile      89  low       Trusted
ChatGPT (Personal) · openai.com               userinfo.email, drive.file           142  medium

Showing 4 of 127 apps · scoped to acme-co.workspace
// 03 · Compliance & Evidence

Evidence that builds while you sleep.

SOC 2 doesn't have to be a fire drill anymore. enigma maps your live events to framework controls and collects attestations continuously — so audit prep stops being something you schedule.

  • Eight frameworks supported out of the box — SOC 2, ISO 27001, NIST, HIPAA, GDPR, PCI DSS, CIS, custom.
  • Per-control compliance score with status, last assessed date and linked evidence.
  • Auto-evidence: enigma attaches the ingested events that prove a control is operating.
  • One-click PDF export for the auditor — already formatted, already signed.
Compliance & Evidence mockup (enigma.bitdo.dev/settings/compliance)
Compliance frameworks · 257 controls across 4 frameworks · evidence collected continuously · auto-evidence · export PDF
  • SOC 2 Type II: 91/100 · 58/64 controls (+4 partial)
  • ISO 27001: 77/100 · 88/114 controls (+18 partial)
  • GDPR: 87/100 · 41/47 controls (+3 partial)
  • HIPAA: 56/100 · 18/32 controls (+9 partial)
Active framework · SOC 2 Type II · Common Criteria · 64 controls

ID     Control                                 Category         Status        Last assessed
CC6.1  Logical access — authentication         Common Criteria  Compliant     2 days ago
CC6.2  User provisioning approval              Common Criteria  Compliant     2 days ago
CC6.6  Restriction on access from outside      Common Criteria  Partial       5 days ago
CC7.2  System monitoring for security events   Common Criteria  Compliant     yesterday
CC7.3  Incident detection & response           Common Criteria  Compliant     yesterday
CC8.1  Change management — authorisation       Common Criteria  Not assessed

Evidence is collected continuously from ingested events · attestations re-run nightly
// 04 · Investigations

Investigate without paging engineering.

When a finding matters, it becomes a case. Linked findings, a typed timeline of every alert / action / comment / evidence drop, SLA tracking and watchers — so your SOC stops living in five tabs.

  • Auto-link related findings by actor, source, IP or domain — context arrives before the analyst does.
  • Typed timeline events (alert · action · comment · evidence) with actor attribution.
  • First-response and resolution SLAs visible per case, with budget remaining.
  • Built-in evidence attachments — PDFs, exports, screenshots — stored against the case.
Investigation mockup (enigma.bitdo.dev/investigations/INV-2026-0042)
INV-2026-0042 · Mass download · [email protected]
Opened 1h 12m ago · 3 linked findings · assigned to [email protected] · In progress · High severity
Case timeline
  1. ALERT · today 14:02 · Mass file download · 247 files · [email protected] · drive.activity · rule: mass-download-threshold
  2. AUTO · today 14:03 · Linked to investigation INV-2026-0042 · auto-grouped with 2 prior high-severity findings from the same actor.
  3. ACTION · today 14:11 · Notified #security on Slack · @security-oncall paged · acknowledged in 6 min.
  4. COMMENT · today 14:24 · Priya assigned the case · “Reviewing source IPs — looks like a personal device. Pulling auth logs.”
  5. EVIDENCE · today 15:08 · Attached: login geo report · login-geo-export-2026-05-12.pdf · 8 logins across 3 countries in 12 hours.

All of this. One tenant. Five minutes to live.

Connect a Workspace account, grant the read-only scopes, write your Vault credentials. enigma's first attestation run finishes the same hour. No agents on user devices. No new SaaS for your team to learn — alerts land where your engineers already work.

Impact

From log firehose to actionable alerts.

  • 16 Workspace sources monitored: Admin, Drive, Login, SAML, Token, Meet, Calendar, Mobile, Chat, Chrome, Groups, GCP, Rules, User Accounts, Context-Aware Access, Access Transparency — all normalized into one stream.
  • Product sold standalone: productized under the enigma brand and sold to third parties looking for SOC 2-aligned Workspace monitoring without enterprise SIEM bills.
  • <5 min setup per tenant: OAuth + domain-wide delegation + Vault credential write. The first attestation run completes the same hour the tenant is onboarded.
  • Audit evidence collected as we go: every finding, notification and revocation action is logged with timestamps and actors. SOC 2 prep stops being a quarterly fire drill.

Tech stack

Two languages, picked on purpose.

  • Next.js
  • TypeScript
  • React 19
  • Python
  • Prefect
  • MongoDB
  • HashiCorp Vault
  • Google Admin SDK
  • Google Drive API
  • Google Reports API
  • Domain-Wide Delegation
  • Kubernetes
  • Docker
  • Pydantic
  • Slack / Google Chat / Email / Discord

Want enigma running on your Workspace?
