Key Takeaways
- Attackers rarely need to breach anything to start. Public records, DNS history, and old certificates hand them a map for free.
- A large share of real breaches trace back to forgotten assets, shadow IT, or a staging server nobody decommissioned.
- Once an attacker finds one weak spot, they chain it with others to build a path toward your most valuable systems, your crown jewels.
- Time to exploit has collapsed. Mandiant’s M-Trends 2026 report found that on average, exploitation now begins before a patch is even publicly available.
- Continuous, outside-in monitoring is what closes the gap between what your team knows and what an attacker already knows.
An attacker never starts with your firewall. They start with Google, a certificate log, and a list of your subdomains. Most of that work happens before anyone on your team even gets an alert.
That’s the uncomfortable part of external attack surface management. The assets attackers find first are usually the ones your own team forgot existed.
Security teams often assume the attack starts with a scan; in reality, it starts with reconnaissance, and most of that reconnaissance is passive, quiet, and completely legal. Here’s what that looks like from the other side of the screen, and what to do about it.
What Your External Attack Surface Actually Looks Like
Your external attack surface is everything about your company that’s visible from the public internet: domains, subdomains, APIs, cloud storage, remote access tools, even a marketing microsite from three years ago. If it resolves to an IP address, it’s part of the picture.
The problem is that this list grows on its own: new SaaS tools, a developer’s test environment, and a subsidiary nobody updated in the asset inventory. Shadow IT typically emerges when teams need tools fast, don’t wait for approval, and connect them to company email or shared logins—creating blind spots security teams never see, and those systems become blind spots that the security team never sees.
How to discover forgotten assets in your external attack surface
Forgotten assets show up in a few predictable places:
- Old subdomains that still point to a live server
- Staging or QA environments that were never taken down after launch
- Cloud storage buckets created for a one-time project
- Domains inherited from an acquisition that were never folded into the main inventory
Most of these were reasonable decisions at the time. Nobody plans to leave a login page running for four years. It just happens, project by project, until the map in your head stops matching the map on the internet.
Cutting down forgotten asset exposure
Finding the forgotten stuff is only half the job. Reducing the exposure it creates comes down to a few habits:
- Decommission anything that’s finished serving its purpose, not just anything that’s failed
- Require a ticket or approval step before a new subdomain or cloud resource goes public
- Set a review cadence for staging and QA environments so they don’t quietly outlive the project they were built for
- Fold acquired infrastructure into the main asset inventory as part of the deal, not months after
None of this needs to slow teams down. It just needs an owner and a recurring check, so “forgotten” stops being the default state of anything public-facing.
How do attackers discover shadow IT in enterprise environments
Shadow IT tends to follow the path of least resistance: a team needs a tool fast, doesn’t wait for approval, and connects it to the company email or a shared login. Attackers look for exactly that pattern. A tool from a research firm found that 68% of organizations already run workloads across multiple public clouds, often with two dozen or more cloud services in active use. That kind of sprawl is hard for any internal team to track manually, and it’s exactly where shadow IT hides.
Acquisitions add another layer. When a company gets acquired, its infrastructure comes along with it, often with outdated security controls and no documentation. That’s part of why unsecured acquisition assets show up again and again in real incident reports.
How Attackers Map Your Organization From the Outside In
Attacker reconnaissance works in two stages: gather everything public first, then confirm what’s actually reachable. Before an attacker touches anything that could trigger an alert, they build a picture using data that’s already sitting in public records. This is the reconnaissance phase, and it can take minutes with the right tools.
Passive techniques that need zero access to your network
- Open source intelligence (OSINT): public records, job postings, social media, and company filings that reveal vendors, tech stacks, and org structure
- Passive DNS data: historical records showing every domain and subdomain ever tied to your infrastructure, even ones you’ve since taken down
- Certificate transparency logs: every SSL certificate ever issued for your domains is logged publicly, including ones for subdomains you may have forgotten about
- WHOIS and registration history: ownership trails that connect subsidiaries and acquisitions back to the parent company
None of this requires touching your servers. It’s public by design, which is exactly why it’s so useful to someone building a map of your organization.
Two stages, zero alerts
Gather everything public first, then confirm what’s actually reachable — before touching anything that could trip a wire.
- OSINT — filings, job posts and socials revealing vendors and stack
- Passive DNS — every domain ever tied to your infrastructure
- Certificate transparency logs — every SSL cert issued, forgotten subdomains included
- WHOIS & registration history — ownership trails to subsidiaries and acquisitions
- Open ports & exposed services on internet-facing systems
- Admin panels & login interfaces that shouldn’t be reachable
- Cloud buckets checked for public read or write access
- APIs & VPN/RDP gateways tested for missing auth or weak permissions
Per Mandiant’s M-Trends 2026 report, exploitation now begins on average before a patch is even public — the scan-then-patch model can no longer keep pace.
Active discovery once the map exists
Once an attacker has a list of domains and IP ranges, they move to lighter touch scanning:
- Finding open ports and exposed services running on internet-facing systems
- Spotting exposed admin panels or login interfaces that shouldn’t be reachable from outside
- Checking cloud storage buckets for public read or write access
- Testing APIs for missing authentication or overly generous permissions
- Looking for exposed remote access tools like VPN portals or RDP gateways
- Scanning for unpatched systems still running known vulnerable software versions
Third-party and supply chain connections widen this even further. If a vendor has weak security, that vendor becomes a route into your organization, and attackers actively map those relationships as part of target discovery.
AI has sped this whole process up
This part matters more each year. Recent threat intelligence reports describe AI-powered reconnaissance tools compressing what used to take hours into minutes, running automated scans at unprecedented scale, compressing what used to take hours of reconnaissance into minutes. Continuous, automated attacker reconnaissance now looks a lot different from the periodic scans defenders have relied on for years, and the gap between the two is where most exposure lives.
From Exposure to Exploit: How Attackers Prioritize and Chain Attack Paths
Finding an exposed asset is only step one. Attackers don’t treat every finding equally. They prioritize.
Identifying crown jewels from the outside
A crown jewel is whatever system, if compromised, causes the most damage: customer data, financial systems, source code, production infrastructure. Attackers work backward from there. They look at your external footprint and ask which exposed asset sits closest to something valuable, then target that connection first.
Chaining exposures into a real attack path
Individually, a misconfigured cloud bucket or an old staging server might look low risk; chained together, they can form a full attack path. A leaked credential from one system might unlock access to another. A forgotten subdomain might share infrastructure with a production environment. Attackers link small findings into a bigger route, one step at a time.
One weak spot never travels alone.
Why speed changes the calculus
Here’s the part that should worry every security leader: exploitation timelines have collapsed. Mandiant’s M-Trends 2026 report, built on hundreds of thousands of hours of incident response, found that on average, exploitation now begins before a patch is even publicly available. That means the old model of “scan periodically, patch on schedule” no longer matches how attackers actually operate.
Before acting on any exposure, attackers also validate whether it’s genuinely exploitable rather than a false positive. That’s a step defenders can borrow directly. Not every finding deserves the same urgency, and validating real-world exploitability is what separates a useful risk list from a noisy one.
Closing the Gap Between What You See and What Attackers See
Here’s the honest question worth asking your own team: who currently knows more about your external footprint, you or a determined attacker? For a lot of organizations, the answer isn’t comfortable. Industry research suggests organizations typically have visibility into only about 60-65% of their external attack surface, meaning more than a third of what’s exposed sits in forgotten subsidiaries, shadow IT, or supply chain dependencies nobody’s tracking.
Your external attack surface doesn’t sit still. Domains expire, new cloud services spin up, APIs get deprecated, and certificates renew. A point-in-time scan is outdated within days. Continuous monitoring is what catches:
- New assets appearing without a formal request or ticket
- Configuration drift on existing systems
- Newly disclosed vulnerabilities affecting the infrastructure you already have exposed
- Certificate and DNS changes that signal something new just went live
Building a program around this doesn’t mean disrupting how your teams already work. It means adding visibility on top of what’s already there: continuous discovery, risk-based prioritization, and a workflow that gets findings to the right owner without turning into another dashboard nobody checks.
How the Infrastructure Security Teammate Fits In
It continuously discovers assets across AWS, Azure, GCP, SaaS, and on-premises environments — then benchmarks configurations against CIS, DISA STIG, and vendor standards to flag insecure defaults before adversaries find them first.
Explore the Infrastructure TeammateContinuous Discovery
Maps internet-facing assets to surface shadow IT and dependency risk as it appears.
Benchmarked Configs
Checks environments against CIS, DISA STIG, and vendor standards automatically.
Unified Risk Register
Ties every exposure to the business risk it represents, not a standalone report.
Owner Accountability
Assigns exposures directly to asset owners for real governance, not guesswork.
Sharper Red Teaming
Feeds continuous exposure data so red teams test real paths, not rediscover old ones.
Before They Find It
Surfaces misconfigurations and risky exposure ahead of adversary reconnaissance.
FAQs
What does an attacker see about your organization from the outside?
How do I build an external attack surface management program?
Can I reduce my external attack surface without disrupting operations?
How attackers validate which vulnerabilities are actually exploitable?
The Bottom Line
Your external attack surface isn’t static, and neither is the attacker looking at it. The forgotten subdomain, the shadow IT tool, the staging server that never got decommissioned, these are the entry points that show up in breach reports year after year. Seeing your organization the way an attacker does isn’t paranoia. It’s just accurate.