One email a week - something from which I hope you'll get real value. We talk about things we can build, and how to defend them. That can apply to cybersecurity, physical buildings, digital products, and .... just about anything. It gives me a lot of latitude in what I can write about, but the two concepts are important for progress - as individuals, and as society.
Today's topic is: auditing subscriptions. Yes, it's going to be exciting! 😉 Apologies this one's a bit later.... been very busy!
So yesterday I got an email from Cursor that my subscription was renewing for $192. Then I got an email from Amazon Prime (one of three (US, UK, AE)) that it was renewing for £95 per year. I looked at that and thought - that's $300 for things I don't actually use. (Apparently Amazon still ships things if you don't have Prime, and I can't recall ever using Cursor since I got Claude Code.) Removing just those two subscriptions pays for a month of AI and then some.
Every subscription is a tiny dependency. A tiny drain on otherwise product resources.
There is a particular kind of modern bank statement that looks less like spending and more like technical debt:
$12.99 here....
$29 there....
A cloud account nobody has logged into since it was hosted on a server in someone's basement.
Three AI tools doing almost the same thing.
Domains registered for ideas that died quietly. (I may still have .... 300+ domains!?)
A "starter" SaaS plan that became a production dependency because nobody had time to replace it.
Individually, none of these feel urgent.
Together, they become a monthly tax on your money, your attention, and your security.
This week: a practical audit of the tools, subscriptions, hosting, domains, cloud accounts, AI services, and recurring software you quietly depend on.
Not because frugality is noble. Because every recurring tool is also an account, a login, a billing relationship, a data store, an integration, and a potential attack surface. (I can always tie it back to cybersecurity!)
🔨 BUILD: Your Subscription Analysis
Most people audit subscriptions like consumers: "Do I still use this?"
That could work for Netflix. It's not enough for your business stack, or if you treat things like a business. Maybe a better question is:
"If this service disappeared, changed pricing, locked my account, leaked my data, or got compromised, what breaks?
That turns the audit from a cost-cutting exercise into an operations exercise.
Start with a simple list:
SaaS tools
Cloud accounts
AI tools and API subscriptions
Domains and DNS providers
Hosting and website platforms
Email tools
Design, writing, automation, analytics, CRM, and finance tools
App Store subscriptions
Browser extensions with paid plans
GitHub/GitLab marketplace apps
Anything charged through Stripe, PayPal, Apple, Google, or your business card
Then tag each one:
Keep
Cut
Consolidate
Downgrade
Replace
Self-host
Review later
The point is not to become a minimalist monk who runs everything on a Raspberry Pi under the stairs that gets kicked when Harry shifts in his sleep.
The point is to know what you are paying for, what owns your data, and what your business would actually miss.
A subscription is easy to start because someone else runs the hard parts. That is also the dependency.
Keep in mind now, too, that agents can potentially do some things (system administration, email tooling, calendaring, content generation, grammar checking, etc.) which can potentially reduce many of these tools with a comprehensive one. Do a cost benefit analysis to see if you can stack a Mac Mini and a ChatGPT subscription together to reduce your costs longer term.
🛡️ DEFEND: Your "Side Doors"
Old tools are dangerous because nobody is looking at them. Everyone adds, but no one subtracts.
A forgotten SaaS account might still have:
OAuth access to Google Workspace
Access to GitHub repositories
API keys
Customer data
billing permissions
admin users who left the company
weak passwords from five years ago
no MFA
integrations into Slack, email, Notion, Stripe, Zapier, an/dor your cloud environment
The subscription may only cost $9 a month - and you only pay it once per year at $84 (with the discount) so barely ever notice it.
The blast radius may be really large, and we're finding more and more hackers are taking advantage of trying to get in through things like repositories, tools you subscribe to, and just about anything you can think of. This is especially true now that AI tools are being connected to everything.
People are granting agents and copilots access to email, documents, code, calendars, chat history, internal notes, and cloud dashboards. Some of those tools are excellent. Some are temporary experiments that should never become permanent fixtures. (This is why I've suggested in previous newsletters that these agents be isolated first and foremost, and run locally where possible.)
The security question is not "Do we trust the vendor?"
It is:
"What can this tool touch?"
For each recurring service, check:
Who owns the admin account?
Is MFA enabled?
Are there inactive users?
What integrations are connected?
What data does it store?
Can it export data cleanly?
Does it support SSO or passkeys?
Are API keys still active?
Is it used in production?
If cancelled today, what would break?
Cutting unused subscriptions saves money. Disconnecting unused access saves you from explaining later why a ghost tool still had keys to the building.
💰 STACK: The Practical Audit
Here's a practical audit you can use to examine these things in detail:
1. Pull the money trail
Export or review the last 90 days from:
business credit cards
personal cards used for work
PayPal, Apple, Stripe, Google subscriptions
cloud provider billing
domain registrars
accounting software
Do not rely on memory. Memory lies. (You saw "Minority Report" just like I did.) Stripe receipts do not lie.
Ask your agent to create a spreadsheet with:
service name
monthly or annual cost & renewal date
owner
login/admin URL
purpose
data stored
integrations
decision
2. Sort by dependency
Use the tags mentioned earlier:
Keep
Cut
Consolidate
Downgrade
Replace
Self-host
Review later
Consolidation is where the money is.... that and everything else is where you can find security surprises.
3. Cut carefully
Before cancelling anything, check:
Is it tied to a domain, email route, webhook, API, automation, or production system?
Does it hold records you need for tax, legal, compliance, or customer support?
Can you export the data?
Is there an annual renewal coming up? (Or has it occurred recently enough to get a refund?)
Is there a cancellation trap?
Do not heroically cancel DNS because it "looked unused". (Generally never mess w/ DNS unless you know what you're doing and even then probably not.)
4. Consolidate where it makes sense
Common consolidations:
multiple note tools into one knowledge base
several AI chat tools into one primary account plus one backup
three form tools into your website or CRM
one-off automations into a single automation platform
scattered cloud storage into one managed workspace
unused domains into one registrar
random VPS boxes into one documented hosting setup
Consolidation is not always cheaper! However, simplification can make life much more pleasant even if you do spend the same or even slightly more. That can be worth it.
5. Self-host selectively
Self-hosting is not free. It moves the cost from a vendor invoice to your time, patching, backups, monitoring, and recovery. (You can use AI agents for this though, if you're careful about what they do.)
Good candidates:
internal dashboards
link shorteners
documentation
uptime monitoring
private automation
analytics
knowledge tools
software testing services
Bad candidates, unless you know what you are doing:
email
payments
identity
public customer data stores
anything with compliance exposure
anything your family or business depends on when you are asleep
giant screens on which to investigate pre-crime
Self-host the boring, low-risk stuff first. Do not self-host your way into becoming unpaid night staff for your own infrastructure.
🔗 LINKS
AWS Pricing Calculator
Useful for turning vague cloud anxiety into actual numbers.
CISA Cyber Hygiene Services
Free scanning services for organizations that want an outside view of exposed assets.
Cloudflare: What is vendor lock-in?
A good primer on why convenience can become dependency.
Awesome Selfhosted
A giant list of self-hosted alternatives. Useful, but dangerous if you enjoy tinkering.
FTC: Negative Option Rule compliance guide
Worth knowing if you sell subscriptions, and darkly amusing if you have ever tried to cancel one.
💬 ONE THING
Do this ideally once a quarter, but at least every six months. It will pay dividends!
Thanks for reading this newsletter! Feel free to respond any time.
Thomas
Was this forwarded to you? Subscribe at builddefend.fyi.
Had enough? [Unsubscribe] - no hard feelings.*
* Well, a little bit.
