One email a week - something from which I hope you'll get real value. We talk about things we can build, and how to defend them. That can apply to cybersecurity, physical buildings, digital products, and .... just about anything. It gives me a lot of latitude in what I can write about, but the two concepts are important for progress - as individuals, and as society.

Today's topic is: auditing subscriptions. Yes, it's going to be exciting! 😉 Apologies this one's a bit later.... been very busy!

So yesterday I got an email from Cursor that my subscription was renewing for $192. Then I got an email from Amazon Prime (one of three (US, UK, AE)) that it was renewing for £95 per year. I looked at that and thought - that's $300 for things I don't actually use. (Apparently Amazon still ships things if you don't have Prime, and I can't recall ever using Cursor since I got Claude Code.) Removing just those two subscriptions pays for a month of AI and then some.

Every subscription is a tiny dependency. A tiny drain on otherwise product resources.

There is a particular kind of modern bank statement that looks less like spending and more like technical debt:

$12.99 here....

$29 there....

A cloud account nobody has logged into since it was hosted on a server in someone's basement.

Three AI tools doing almost the same thing.

Domains registered for ideas that died quietly. (I may still have .... 300+ domains!?)

A "starter" SaaS plan that became a production dependency because nobody had time to replace it.

Individually, none of these feel urgent.

Together, they become a monthly tax on your money, your attention, and your security.

This week: a practical audit of the tools, subscriptions, hosting, domains, cloud accounts, AI services, and recurring software you quietly depend on.

Not because frugality is noble. Because every recurring tool is also an account, a login, a billing relationship, a data store, an integration, and a potential attack surface. (I can always tie it back to cybersecurity!)

🔨 BUILD: Your Subscription Analysis

Most people audit subscriptions like consumers: "Do I still use this?"

That could work for Netflix. It's not enough for your business stack, or if you treat things like a business. Maybe a better question is:

"If this service disappeared, changed pricing, locked my account, leaked my data, or got compromised, what breaks?

That turns the audit from a cost-cutting exercise into an operations exercise.

Start with a simple list:

  • SaaS tools

  • Cloud accounts

  • AI tools and API subscriptions

  • Domains and DNS providers

  • Hosting and website platforms

  • Email tools

  • Design, writing, automation, analytics, CRM, and finance tools

  • App Store subscriptions

  • Browser extensions with paid plans

  • GitHub/GitLab marketplace apps

  • Anything charged through Stripe, PayPal, Apple, Google, or your business card

Then tag each one:

  • Keep

  • Cut

  • Consolidate

  • Downgrade

  • Replace

  • Self-host

  • Review later

The point is not to become a minimalist monk who runs everything on a Raspberry Pi under the stairs that gets kicked when Harry shifts in his sleep.

The point is to know what you are paying for, what owns your data, and what your business would actually miss.

A subscription is easy to start because someone else runs the hard parts. That is also the dependency.

Keep in mind now, too, that agents can potentially do some things (system administration, email tooling, calendaring, content generation, grammar checking, etc.) which can potentially reduce many of these tools with a comprehensive one. Do a cost benefit analysis to see if you can stack a Mac Mini and a ChatGPT subscription together to reduce your costs longer term.

🛡️ DEFEND: Your "Side Doors"

Old tools are dangerous because nobody is looking at them. Everyone adds, but no one subtracts.

A forgotten SaaS account might still have:

  • OAuth access to Google Workspace

  • Access to GitHub repositories

  • API keys

  • Customer data

  • billing permissions

  • admin users who left the company

  • weak passwords from five years ago

  • no MFA

  • integrations into Slack, email, Notion, Stripe, Zapier, an/dor your cloud environment

The subscription may only cost $9 a month - and you only pay it once per year at $84 (with the discount) so barely ever notice it.

The blast radius may be really large, and we're finding more and more hackers are taking advantage of trying to get in through things like repositories, tools you subscribe to, and just about anything you can think of. This is especially true now that AI tools are being connected to everything.

People are granting agents and copilots access to email, documents, code, calendars, chat history, internal notes, and cloud dashboards. Some of those tools are excellent. Some are temporary experiments that should never become permanent fixtures. (This is why I've suggested in previous newsletters that these agents be isolated first and foremost, and run locally where possible.)

The security question is not "Do we trust the vendor?"

It is:

"What can this tool touch?"

For each recurring service, check:

  • Who owns the admin account?

  • Is MFA enabled?

  • Are there inactive users?

  • What integrations are connected?

  • What data does it store?

  • Can it export data cleanly?

  • Does it support SSO or passkeys?

  • Are API keys still active?

  • Is it used in production?

  • If cancelled today, what would break?

Cutting unused subscriptions saves money. Disconnecting unused access saves you from explaining later why a ghost tool still had keys to the building.

💰 STACK: The Practical Audit

Here's a practical audit you can use to examine these things in detail:

1. Pull the money trail

Export or review the last 90 days from:

  • business credit cards

  • personal cards used for work

  • PayPal, Apple, Stripe, Google subscriptions

  • cloud provider billing

  • domain registrars

  • accounting software

Do not rely on memory. Memory lies. (You saw "Minority Report" just like I did.) Stripe receipts do not lie.

Ask your agent to create a spreadsheet with:

  • service name

  • monthly or annual cost & renewal date

  • owner

  • login/admin URL

  • purpose

  • data stored

  • integrations

  • decision

2. Sort by dependency

Use the tags mentioned earlier:

  • Keep

  • Cut

  • Consolidate

  • Downgrade

  • Replace

  • Self-host

  • Review later

Consolidation is where the money is.... that and everything else is where you can find security surprises.

3. Cut carefully

Before cancelling anything, check:

  • Is it tied to a domain, email route, webhook, API, automation, or production system?

  • Does it hold records you need for tax, legal, compliance, or customer support?

  • Can you export the data?

  • Is there an annual renewal coming up? (Or has it occurred recently enough to get a refund?)

  • Is there a cancellation trap?

Do not heroically cancel DNS because it "looked unused". (Generally never mess w/ DNS unless you know what you're doing and even then probably not.)

4. Consolidate where it makes sense

Common consolidations:

  • multiple note tools into one knowledge base

  • several AI chat tools into one primary account plus one backup

  • three form tools into your website or CRM

  • one-off automations into a single automation platform

  • scattered cloud storage into one managed workspace

  • unused domains into one registrar

  • random VPS boxes into one documented hosting setup

Consolidation is not always cheaper! However, simplification can make life much more pleasant even if you do spend the same or even slightly more. That can be worth it.

5. Self-host selectively

Self-hosting is not free. It moves the cost from a vendor invoice to your time, patching, backups, monitoring, and recovery. (You can use AI agents for this though, if you're careful about what they do.)

Good candidates:

  • internal dashboards

  • link shorteners

  • documentation

  • uptime monitoring

  • private automation

  • analytics

  • knowledge tools

  • software testing services

Bad candidates, unless you know what you are doing:

  • email

  • payments

  • identity

  • public customer data stores

  • anything with compliance exposure

  • anything your family or business depends on when you are asleep

  • giant screens on which to investigate pre-crime

Self-host the boring, low-risk stuff first. Do not self-host your way into becoming unpaid night staff for your own infrastructure.

AWS Pricing Calculator
Useful for turning vague cloud anxiety into actual numbers.

CISA Cyber Hygiene Services
Free scanning services for organizations that want an outside view of exposed assets.

Cloudflare: What is vendor lock-in?
A good primer on why convenience can become dependency.

Awesome Selfhosted
A giant list of self-hosted alternatives. Useful, but dangerous if you enjoy tinkering.

FTC: Negative Option Rule compliance guide
Worth knowing if you sell subscriptions, and darkly amusing if you have ever tried to cancel one.

💬 ONE THING

Do this ideally once a quarter, but at least every six months. It will pay dividends!

Thanks for reading this newsletter! Feel free to respond any time.

Thomas

Was this forwarded to you? Subscribe at builddefend.fyi.

Had enough? [Unsubscribe] - no hard feelings.*

* Well, a little bit.

Keep reading