
HYCU State of SaaS 2025: Sprawl, Security, Spend

5 min read · SemanticOS Team

TL;DR: The HYCU State of SaaS Report 2025 connects SaaS sprawl directly to security exposure and wasted spend, not just clutter. Organizations run 139 SaaS apps on average, 65% were breached in the past year, and breach odds climb with portfolio size. The fix starts with visibility: knowing what tools hold which data, and connecting that knowledge so people and AI can reason across it instead of guessing.

Most leaders already sense their tool count is too high. What they often miss is that every extra app is not just another login or another invoice. According to the HYCU State of SaaS Report 2025, it is another integration, another set of permissions, and another place a breach can start (HYCU, 2025). This post pulls the report’s numbers apart and shows why SaaS sprawl is a knowledge problem before it is a budget one.

How bad is SaaS sprawl in 2025?

SaaS sprawl is the uncontrolled spread of cloud applications across an organization, usually bought team by team without a central owner. The scale is now hard to ignore.

The average organization runs 139 SaaS applications, and 96% have added more in the past two to three years (HYCU, 2025). Nearly half, 46%, reported a significant jump. The count varies by industry: consumer packaged goods firms averaged 158 apps and manufacturing 148, while financial services sat lower at 99 (HYCU, 2025).

Here is the part that matters. The report found no single department has a complete view of what is in use. Marketing buys its own CRM, HR onboards collaboration tools, finance spins up its own platforms. The result is partial visibility and unclear ownership across the board.

Why does sprawl raise security exposure?

This is where the HYCU data gets specific. More apps mean more breaches, and the relationship is close to linear.

  • 65% of organizations experienced a SaaS-related data breach in the past 12 months (HYCU, 2025).
  • Breach likelihood scales with portfolio size: 60% for companies running 1 to 100 apps, 66% at 101 to 200, and 77% at 201 or more (HYCU, 2025).
  • Companies hit by more than one breach averaged 159 apps, while breach-free companies averaged 116 (HYCU, 2025).

The mechanism is the attack surface: the total set of entry points an attacker can target. Each new tool widens it. And 87% of organizations admit they have at least one SaaS application at risk because of inadequate backup or blind reliance on the vendor’s own recovery, with about six at-risk apps per organization on average (HYCU, 2025).

Respondents named the apps that worry them most, and the pattern is telling. Salesforce, GitHub, Okta, Microsoft 365, Slack, and Google Workspace came up repeatedly because they hold business-critical data and connect to everything else. One senior manager described Okta as “the central gateway to virtually all other SaaS tools and internal systems” (HYCU, 2025). The riskiest tools are the most connected ones, which is exactly where sprawl concentrates damage.

What does sprawl cost when something breaks?

The financial side is just as blunt. The HYCU report puts the average cost of SaaS data unavailability at $405,770 per day, with recovery taking about five working days, roughly $2.3 million per incident (HYCU, 2025).

Portfolio size drives that number too. Companies running 1 to 100 apps faced about $219,458 in daily downtime cost, while those with 201 or more faced $999,112 (HYCU, 2025). For large portfolios, breach recovery ran nearly five times higher than for small ones. The report also notes the harder-to-measure losses: customer trust, regulatory penalties, and reputational damage that often outweigh the technical bill.

Add the quieter waste of redundant tools. When three teams each buy overlapping software and nobody tracks it, the organization pays multiple times for capabilities it already owns. Sprawl spends money twice: once on duplicate licenses, again on the breaches and downtime those extra apps invite.

Why is this a knowledge problem first?

The HYCU report keeps circling back to one root cause: nobody can see the whole picture.

  • 42% face limited visibility into data protection across their SaaS apps (HYCU, 2025).
  • 43% say no one truly owns SaaS data resilience (HYCU, 2025).
  • 44% struggle to respond to audits and regulatory requests (HYCU, 2025).
  • Only 5% of organizations have full control of their SaaS applications, and on average just 56% of apps are under IT’s control (HYCU, 2025).

Put plainly, half the tools an enterprise depends on are running outside the team responsible for securing them. You cannot protect, audit, or rationalize what you cannot see. Before any backup policy or license cleanup works, an organization needs an accurate map of which apps exist, who owns them, what data they hold, and how they connect.

That map is a knowledge graph problem. A knowledge graph links entities such as people, tools, documents, and permissions so a single query can traverse relationships across systems instead of stopping at one app’s login screen.

A concrete example

Vantage Health, a fictional regional insurer, ran a SaaS audit after a near-miss in its claims system. The security team expected to find 80 or so applications. They found 137, close to the HYCU average, and a third had been bought by individual departments with no central record.

Two of those apps stored the same member records. One had not been backed up in eight months. When auditors asked who owned data resilience for the marketing automation platform, three managers each assumed it was someone else, the same ownership gap that 43% of HYCU respondents reported (HYCU, 2025).

Vantage Health’s first move was not buying another security tool. It was connecting its existing systems into a unified semantic layer so the security team could ask, in plain language, “which apps hold member PII, who administers them, and which lack a backup policy,” and get an answer that traverses every system at once. This is the role a knowledge-graph platform like SemanticOS plays: it connects fragmented tools so people and AI agents can find and reason over institutional knowledge that was previously scattered across 137 logins. With that single view, deciding what to retire, consolidate, or protect stopped being guesswork.
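To make the "map" concrete, here is an added example (not code from HYCU, SemanticOS, or the fictional Vantage Health) of a minimal SaaS inventory graph in Python. App names, people, data classes and policies are constructed placeholders; the edge types (`holds`, `administered_by`, `backed_up_by`, `integrates_with`) are assumptions chosen to match the questions in the post. The graph answers the plain-language query above in one traversal (which apps hold member PII, who administers them, which lack a backup policy) and also ranks apps by integration degree, since the post notes that the most connected tools concentrate risk.

```python
"""Added example: a minimal SaaS inventory graph for sprawl visibility.

Nodes are apps, data classes, people and backup policies; edges are typed
(subject, relation, object) triples. Every value below is constructed for
illustration and does not describe any real organization.
"""
from collections import defaultdict

# Constructed sample inventory. Relations are assumed names, not a standard.
EDGES = [
    ("crm",       "holds",           "member_pii"),
    ("marketing", "holds",           "member_pii"),
    ("payroll",   "holds",           "employee_pii"),
    ("chat",      "holds",           "internal_docs"),
    ("idp",       "holds",           "credentials"),
    ("crm",       "administered_by", "alice"),
    ("marketing", "administered_by", "bob"),
    ("payroll",   "administered_by", "carol"),
    ("idp",       "administered_by", "alice"),
    # "chat" has no administrator on record: an ownership gap.
    ("crm",       "backed_up_by",    "nightly_policy"),
    ("payroll",   "backed_up_by",    "weekly_policy"),
    # "marketing" and "chat" have no backup policy: a resilience gap.
    ("idp",       "integrates_with", "crm"),
    ("idp",       "integrates_with", "marketing"),
    ("idp",       "integrates_with", "payroll"),
    ("idp",       "integrates_with", "chat"),
    ("crm",       "integrates_with", "marketing"),
]


class InventoryGraph:
    """Forward and reverse adjacency indexed by relation type."""

    def __init__(self, edges):
        self.out = defaultdict(lambda: defaultdict(set))  # subject -> rel -> objects
        self.in_ = defaultdict(lambda: defaultdict(set))  # object  -> rel -> subjects
        for s, r, o in edges:
            self.out[s][r].add(o)
            self.in_[o][r].add(s)

    def _out(self, node, rel):
        # Read-only lookup that does not create defaultdict entries.
        return self.out.get(node, {}).get(rel, set())

    def _in(self, node, rel):
        return self.in_.get(node, {}).get(rel, set())

    def apps(self):
        """An app is any node that holds a data class."""
        return sorted(s for s in self.out if "holds" in self.out[s])

    def apps_holding(self, data_class):
        return sorted(self._in(data_class, "holds"))

    def report(self, data_class):
        """One row per app holding data_class: admins, backup policies, gap flag."""
        rows = []
        for app in self.apps_holding(data_class):
            backups = sorted(self._out(app, "backed_up_by"))
            rows.append({
                "app": app,
                "admins": sorted(self._out(app, "administered_by")),
                "backup": backups,
                "gap": not backups,
            })
        return rows

    def unprotected(self, data_class):
        """Apps that hold data_class but have no backup policy."""
        return [r["app"] for r in self.report(data_class) if r["gap"]]

    def unowned(self):
        """Apps with no administrator on record."""
        return [a for a in self.apps() if not self._out(a, "administered_by")]

    def connectivity(self):
        """Integration degree per app (both directions), most connected first."""
        deg = defaultdict(int)
        for s in list(self.out):
            for o in self._out(s, "integrates_with"):
                deg[s] += 1
                deg[o] += 1
        return sorted(deg.items(), key=lambda kv: (-kv[1], kv[0]))


def build_graph():
    return InventoryGraph(EDGES)


if __name__ == "__main__":
    g = build_graph()
    for row in g.report("member_pii"):
        print(row)
    print("no backup for member PII:", g.unprotected("member_pii"))
    print("no owner:", g.unowned())
    print("most connected:", g.connectivity())
```

The point of the reverse index is that the question starts from the data ("member_pii"), not from an app, so the traversal runs data class → apps → admins and policies without a per-app login or a per-app export. Replacing `EDGES` with rows pulled from an identity provider's application list and a backup system's policy list would give the same queries on real inventory.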

Key takeaways

  • SaaS sprawl is measurable: 139 apps on average, and breach odds rise with portfolio size, from 60% at small portfolios to 77% at 201-plus apps (HYCU, 2025).
  • Sprawl is a security and spend problem, not just clutter: $405,770 per day of downtime, about $2.3 million per incident, plus redundant licenses (HYCU, 2025).
  • The root cause is lost visibility: only 5% of organizations fully control their SaaS, and 43% say no one owns resilience.
  • Fixing sprawl starts with a knowledge map, connecting tools so people and AI can see what exists, who owns it, and what it holds.

Frequently asked questions

What is SaaS sprawl?

SaaS sprawl is the uncontrolled accumulation of software-as-a-service applications across an organization, often bought by individual teams without central oversight. The HYCU State of SaaS Report 2025 found organizations run 139 SaaS apps on average.

How many SaaS applications does the average company use?

The HYCU State of SaaS Report 2025 found the average organization uses 139 SaaS applications. Companies hit by more than one breach in the past year averaged 159, while those that avoided breaches averaged 116.

Does SaaS sprawl increase security risk?

Yes. The HYCU State of SaaS Report 2025 found breach likelihood rises with portfolio size: 60% of organizations with 1 to 100 apps were breached in the past year, versus 77% of those running 201 or more.

How much does SaaS downtime cost?

The HYCU State of SaaS Report 2025 put the average cost of SaaS data unavailability at $405,770 per day, or about $2.3 million over a typical five-day recovery period.

How does a semantic layer help with SaaS sprawl?

A semantic layer connects fragmented SaaS tools into one knowledge graph, so people and AI agents can find data across systems without logging into each app. SemanticOS uses this approach to give IT a single view of what knowledge lives where.
