Press TechRound interviews Secure.com CEO on the future of AI security
Read

External Attack Surface Through Attacker Eyes

See your external attack surface the way an attacker does. Learn how they find forgotten assets, shadow IT, and attack paths before you do.

Key Takeaways

  • Attackers rarely need to breach anything to start. Public records, DNS history, and old certificates hand them a map for free.
  • A large share of real breaches trace back to forgotten assets, shadow IT, or a staging server nobody decommissioned.
  • Once an attacker finds one weak spot, they chain it with others to build a path toward your most valuable systems, your crown jewels.
  • Time to exploit has collapsed. Mandiant’s M-Trends 2026 report found that on average, exploitation now begins before a patch is even publicly available.
  • Continuous, outside-in monitoring is what closes the gap between what your team knows and what an attacker already knows.

An attacker never starts with your firewall. They start with Google, a certificate log, and a list of your subdomains. Most of that work happens before anyone on your team even gets an alert.

That’s the uncomfortable part of external attack surface management. The assets attackers find first are usually the ones your own team forgot existed.

Security teams often assume the attack starts with a scan; in reality, it starts with reconnaissance, and most of that reconnaissance is passive, quiet, and completely legal. Here’s what that looks like from the other side of the screen, and what to do about it.

What Your External Attack Surface Actually Looks Like

Your external attack surface is everything about your company that’s visible from the public internet: domains, subdomains, APIs, cloud storage, remote access tools, even a marketing microsite from three years ago. If it resolves to an IP address, it’s part of the picture.

The problem is that this list grows on its own: new SaaS tools, a developer’s test environment, and a subsidiary nobody updated in the asset inventory. Shadow IT typically emerges when teams need tools fast, don’t wait for approval, and connect them to company email or shared logins—creating blind spots security teams never see, and those systems become blind spots that the security team never sees.

How to discover forgotten assets in your external attack surface

Forgotten assets show up in a few predictable places:

  • Old subdomains that still point to a live server
  • Staging or QA environments that were never taken down after launch
  • Cloud storage buckets created for a one-time project
  • Domains inherited from an acquisition that were never folded into the main inventory

Most of these were reasonable decisions at the time. Nobody plans to leave a login page running for four years. It just happens, project by project, until the map in your head stops matching the map on the internet.

Cutting down forgotten asset exposure

Finding the forgotten stuff is only half the job. Reducing the exposure it creates comes down to a few habits:

  • Decommission anything that’s finished serving its purpose, not just anything that’s failed
  • Require a ticket or approval step before a new subdomain or cloud resource goes public
  • Set a review cadence for staging and QA environments so they don’t quietly outlive the project they were built for
  • Fold acquired infrastructure into the main asset inventory as part of the deal, not months after

None of this needs to slow teams down. It just needs an owner and a recurring check, so “forgotten” stops being the default state of anything public-facing.

How do attackers discover shadow IT in enterprise environments

Shadow IT tends to follow the path of least resistance: a team needs a tool fast, doesn’t wait for approval, and connects it to the company email or a shared login. Attackers look for exactly that pattern. A tool from a research firm found that 68% of organizations already run workloads across multiple public clouds, often with two dozen or more cloud services in active use. That kind of sprawl is hard for any internal team to track manually, and it’s exactly where shadow IT hides.

Acquisitions add another layer. When a company gets acquired, its infrastructure comes along with it, often with outdated security controls and no documentation. That’s part of why unsecured acquisition assets show up again and again in real incident reports.

How Attackers Map Your Organization From the Outside In

Attacker reconnaissance works in two stages: gather everything public first, then confirm what’s actually reachable. Before an attacker touches anything that could trigger an alert, they build a picture using data that’s already sitting in public records. This is the reconnaissance phase, and it can take minutes with the right tools.

Passive techniques that need zero access to your network

  • Open source intelligence (OSINT): public records, job postings, social media, and company filings that reveal vendors, tech stacks, and org structure
  • Passive DNS data: historical records showing every domain and subdomain ever tied to your infrastructure, even ones you’ve since taken down
  • Certificate transparency logs: every SSL certificate ever issued for your domains is logged publicly, including ones for subdomains you may have forgotten about
  • WHOIS and registration history: ownership trails that connect subsidiaries and acquisitions back to the parent company

None of this requires touching your servers. It’s public by design, which is exactly why it’s so useful to someone building a map of your organization.

Attacker Reconnaissance

Two stages, zero alerts

Gather everything public first, then confirm what’s actually reachable — before touching anything that could trip a wire.

AI-accelerated Automated recon tools now compress hours of scanning into minutes.
Stage 1 — Passive, zero access needed
  • OSINT — filings, job posts and socials revealing vendors and stack
  • Passive DNS — every domain ever tied to your infrastructure
  • Certificate transparency logs — every SSL cert issued, forgotten subdomains included
  • WHOIS & registration history — ownership trails to subsidiaries and acquisitions
Stage 2 — Active, light-touch scanning
  • Open ports & exposed services on internet-facing systems
  • Admin panels & login interfaces that shouldn’t be reachable
  • Cloud buckets checked for public read or write access
  • APIs & VPN/RDP gateways tested for missing auth or weak permissions

Per Mandiant’s M-Trends 2026 report, exploitation now begins on average before a patch is even public — the scan-then-patch model can no longer keep pace.

Active discovery once the map exists

Once an attacker has a list of domains and IP ranges, they move to lighter touch scanning:

  • Finding open ports and exposed services running on internet-facing systems
  • Spotting exposed admin panels or login interfaces that shouldn’t be reachable from outside
  • Checking cloud storage buckets for public read or write access
  • Testing APIs for missing authentication or overly generous permissions
  • Looking for exposed remote access tools like VPN portals or RDP gateways
  • Scanning for unpatched systems still running known vulnerable software versions

Third-party and supply chain connections widen this even further. If a vendor has weak security, that vendor becomes a route into your organization, and attackers actively map those relationships as part of target discovery.

AI has sped this whole process up

This part matters more each year. Recent threat intelligence reports describe AI-powered reconnaissance tools compressing what used to take hours into minutes, running automated scans at unprecedented scale, compressing what used to take hours of reconnaissance into minutes. Continuous, automated attacker reconnaissance now looks a lot different from the periodic scans defenders have relied on for years, and the gap between the two is where most exposure lives.

From Exposure to Exploit: How Attackers Prioritize and Chain Attack Paths

Finding an exposed asset is only step one. Attackers don’t treat every finding equally. They prioritize.

Identifying crown jewels from the outside

A crown jewel is whatever system, if compromised, causes the most damage: customer data, financial systems, source code, production infrastructure. Attackers work backward from there. They look at your external footprint and ask which exposed asset sits closest to something valuable, then target that connection first.

Chaining exposures into a real attack path

Individually, a misconfigured cloud bucket or an old staging server might look low risk; chained together, they can form a full attack path. A leaked credential from one system might unlock access to another. A forgotten subdomain might share infrastructure with a production environment. Attackers link small findings into a bigger route, one step at a time.

Exposure → exploit

One weak spot never travels alone.

Forgotten subdomain Never decommissioned after launch
Leaked credential Unlocks access to another system
Shared infrastructure Bridges into a production environment
Crown jewel Customer data, source code, production
Typical external visibility
60–65% seen
35%+ unseen
Tracked assets Shadow IT & unknowns
Most organizations can only account for 60–65% of their external attack surface. The rest sits in forgotten subsidiaries, shadow IT, and supply chain dependencies nobody is tracking — exactly where attackers start chaining exposures into a path.

Why speed changes the calculus

Here’s the part that should worry every security leader: exploitation timelines have collapsed. Mandiant’s M-Trends 2026 report, built on hundreds of thousands of hours of incident response, found that on average, exploitation now begins before a patch is even publicly available. That means the old model of “scan periodically, patch on schedule” no longer matches how attackers actually operate.

Before acting on any exposure, attackers also validate whether it’s genuinely exploitable rather than a false positive. That’s a step defenders can borrow directly. Not every finding deserves the same urgency, and validating real-world exploitability is what separates a useful risk list from a noisy one.

Closing the Gap Between What You See and What Attackers See

Here’s the honest question worth asking your own team: who currently knows more about your external footprint, you or a determined attacker? For a lot of organizations, the answer isn’t comfortable. Industry research suggests organizations typically have visibility into only about 60-65% of their external attack surface, meaning more than a third of what’s exposed sits in forgotten subsidiaries, shadow IT, or supply chain dependencies nobody’s tracking.

Your external attack surface doesn’t sit still. Domains expire, new cloud services spin up, APIs get deprecated, and certificates renew. A point-in-time scan is outdated within days. Continuous monitoring is what catches:

  • New assets appearing without a formal request or ticket
  • Configuration drift on existing systems
  • Newly disclosed vulnerabilities affecting the infrastructure you already have exposed
  • Certificate and DNS changes that signal something new just went live

Building a program around this doesn’t mean disrupting how your teams already work. It means adding visibility on top of what’s already there: continuous discovery, risk-based prioritization, and a workflow that gets findings to the right owner without turning into another dashboard nobody checks.

Secure.com · Infrastructure Security Teammate

How the Infrastructure Security Teammate Fits In

It continuously discovers assets across AWS, Azure, GCP, SaaS, and on-premises environments — then benchmarks configurations against CIS, DISA STIG, and vendor standards to flag insecure defaults before adversaries find them first.

Explore the Infrastructure Teammate
AWS Azure GCP SaaS On-Prem
Continuous asset discovery across every environment

Continuous Discovery

Maps internet-facing assets to surface shadow IT and dependency risk as it appears.

Benchmarked Configs

Checks environments against CIS, DISA STIG, and vendor standards automatically.

Unified Risk Register

Ties every exposure to the business risk it represents, not a standalone report.

Owner Accountability

Assigns exposures directly to asset owners for real governance, not guesswork.

Sharper Red Teaming

Feeds continuous exposure data so red teams test real paths, not rediscover old ones.

Before They Find It

Surfaces misconfigurations and risky exposure ahead of adversary reconnaissance.

FAQs

What does an attacker see about your organization from the outside?
An attacker sees your domains, subdomains, exposed APIs, cloud storage, certificates, and anything else connected to your infrastructure that’s visible on the public internet, including systems your own team may have forgotten about.
How do I build an external attack surface management program?
Start with continuous discovery across domains, subsidiaries, and cloud assets. Add risk-based prioritization so findings get ranked by real exploitability and business impact, not just by volume. Then connect that data into your existing risk register and incident response workflow instead of running it as a standalone tool.
Can I reduce my external attack surface without disrupting operations?
Yes. Reduction usually means decommissioning assets that are no longer needed, tightening access on ones that are, and adding approval steps for new public-facing systems going forward. None of that requires shutting down active business systems; it just requires visibility into what exists first.
How attackers validate which vulnerabilities are actually exploitable?
Attackers test exposures directly rather than trusting a scanner’s severity score alone. They check whether a vulnerability is reachable, whether protections like authentication actually block it, and whether chaining it with another exposure creates a workable path. Security teams can apply the same validation step to avoid chasing every finding with equal urgency.

The Bottom Line

Your external attack surface isn’t static, and neither is the attacker looking at it. The forgotten subdomain, the shadow IT tool, the staging server that never got decommissioned, these are the entry points that show up in breach reports year after year. Seeing your organization the way an attacker does isn’t paranoia. It’s just accurate.