Every organization believes its internet-facing footprint is smaller than it actually is. It is almost never as small as they think.
When we run an external attack surface assessment, we start where a real attacker starts: with nothing but your company name. From there we map what’s reachable from the public internet — domains, subdomains, exposed services, cloud storage, login portals, and credentials that have leaked in past breaches. The results are consistently surprising to the people who own those systems.
A few things we find on nearly every engagement:
Forgotten infrastructure. A staging server someone spun up two years ago. An old subdomain pointing at a service that no longer exists. A test environment that was never taken down. Each one is a door nobody is watching.
Services that shouldn’t be public. Database ports, admin panels, remote access tools — exposed directly to the internet, often protected by nothing more than a password. Attackers scan for these continuously and automatically.
Credentials already in the wild. Employee emails and passwords surface in breach data from unrelated services. When people reuse passwords, those leaked credentials become a working key to your systems.
None of this requires a sophisticated attacker. It requires patience and freely available tools — which is exactly why it happens so often. The first step to fixing it is simply seeing what an attacker sees.
If you’ve never had your external footprint mapped, that’s the gap worth closing first. It’s usually where we’d start, too.


