Your Attack Surface Is Bigger Than You Think
Frank writes about vulnerability management, patch operations, and Microsoft-native security workflows.
Ask any IT director how many externally-facing assets their organization has. They’ll give you a number. It’ll be wrong – almost always low.
I’ve had this conversation dozens of times over the past 15 years, and the pattern is remarkably consistent. The official count covers the main website, the customer portal, the VPN gateway, maybe the mail server. What it misses is everything else – the staging environment a developer stood up two years ago, the subdomain from a marketing campaign that never got decommissioned, the legacy portal from a pre-acquisition company that’s still resolving to an IP address nobody monitors.
This is the shadow attack surface, and it’s where breaches start.
Why this keeps happening
It’s not negligence. It’s a natural consequence of how modern organizations operate. Cloud makes it trivially easy to spin up infrastructure. Acquisitions bring entire technology stacks that need to be absorbed. Marketing teams register domains. Development teams deploy test environments. DevOps teams stand up staging and QA environments that mirror production. Each of these creates external exposure – and the security team often finds out about them after the fact, if at all.
The challenge compounds over time. Every year the digital footprint grows. Every year there are more assets that exist outside the formally managed inventory. And the assets that fall outside the inventory don’t get patched, don’t get monitored, and don’t get hardened – because as far as the security program is concerned, they don’t exist.
Eventually you reach a point where the gap between what the security team knows about and what actually exists is significant enough to be dangerous. In most mid-market organizations we work with, that point has already been reached. They just don’t know it yet.
What attackers see
Here’s the uncomfortable reality – an attacker performing reconnaissance on your organization will discover things your own team doesn’t know about. They’ll enumerate your subdomains, scan your IP ranges, check certificate transparency logs, probe every open port. They’ll find the old portal, the exposed staging database, the expired SSL certificate. And they’ll look for the easiest way in.
The assets most likely to be vulnerable are precisely the ones most likely to be unmanaged. A production web server gets patched, monitored, and hardened because it’s in the inventory. A forgotten test server running three-year-old software doesn’t – because nobody knows it’s there. From an attacker’s perspective, that forgotten server is a gift.
Certificate transparency logs alone are a significant reconnaissance resource. Every TLS certificate issued for your domain is publicly logged. Attackers use this to map subdomains you’ve never documented. Your security team probably isn’t reviewing those logs. Someone else might be.
What a perimeter scan actually finds
The gap between known and discovered assets shows up in every engagement we run. One bank I supported had over 400 inactive domains still registered – gathered from shuttered acquisitions, marketing campaigns, and joint ventures. Not all of them were as inactive as expected. Old mail servers and web servers were still connected to a marketing agency, combining forgotten assets with supply chain risk in a single finding.
Tech-focused organizations aren’t immune – they may actually be the worst culprits. When enumerating subdomains for an IT services company recently, we found 161 subdomains. Fast-moving engineering cultures spin up infrastructure constantly; governance rarely keeps pace.
These aren’t unusual findings; they’re typical. The organizations that are most exposed are rarely the ones with the worst security culture – they’re the ones that have grown fast, gone through acquisitions, or moved aggressively to cloud without keeping the inventory current.
What to actually do about it
The first step is accepting that your current inventory is incomplete. Not as a failure – as a reality of operating in a complex environment. Once you accept that, the approach becomes clear: automate the discovery process so it runs continuously, not as a quarterly audit.
Practically, that means mapping your full external footprint – domains, subdomains, IP ranges, certificates, cloud assets, DNS records, email configuration. Then monitoring it. New subdomain appears? You should know about it before an attacker does. Certificate expiring in 14 days? That should trigger a notification, not a surprise outage.
The second step – and this is where most standalone ASM tools fall short – is connecting discovery to action. Knowing that a staging server is exposed is useful. Automatically feeding it into your vulnerability scanning pipeline and tracking it through to remediation is what actually reduces risk. Discovery without remediation workflow is just a more comprehensive list of problems.
The third step is making it continuous. A point-in-time perimeter scan is better than nothing, but your attack surface changes constantly. New infrastructure gets deployed. Subdomains get added. Certificates get issued. The scan you ran six months ago reflects an organization that no longer exists.
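As an added example (not the author's or Patchly's code), here is the certificate transparency review from "What attackers see" and the monitoring rules above, in Python: constructed CT log entries for a hypothetical example.com are diffed against a constructed inventory to surface undocumented hostnames, wildcard certificates that can front further undocumented hosts, and certificates expiring within 14 days.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of certificate transparency (CT) log entries for a
# hypothetical example.com: hostnames and certificate expiry, as a CT log
# export might present them. Not real data.
CT_ENTRIES = [
    {"name": "www.example.com", "not_after": "2026-06-01T00:00:00Z"},
    {"name": "portal.example.com", "not_after": "2025-03-10T00:00:00Z"},
    {"name": "staging-old.example.com", "not_after": "2025-03-10T00:00:00Z"},
    {"name": "*.example.com", "not_after": "2025-09-01T00:00:00Z"},
    {"name": "promo2023.example.com", "not_after": "2025-02-20T00:00:00Z"},
]

# The formally managed inventory (constructed).
KNOWN_ASSETS = {"www.example.com", "portal.example.com", "vpn.example.com"}

def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2025-03-10T00:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize(name):
    """Lower-case and strip a trailing dot so inventory matching is exact."""
    return name.lower().rstrip(".")

def find_unknown_hosts(entries, known):
    """Hostnames that appear in CT logs but not in the managed inventory."""
    seen = {normalize(e["name"]) for e in entries}
    return sorted(h for h in seen if h not in known and not h.startswith("*."))

def find_wildcards(entries):
    """Wildcard certificates: one entry can front many undocumented hosts."""
    return sorted({normalize(e["name"]) for e in entries if e["name"].startswith("*.")})

def expiring_within(entries, now_iso, days=14):
    """Hostnames with a certificate expiring within `days`; already-expired ones are excluded."""
    now = parse_ts(now_iso)
    horizon = now + timedelta(days=days)
    return sorted({normalize(e["name"]) for e in entries
                   if now <= parse_ts(e["not_after"]) <= horizon})

def review(entries, known, now_iso, days=14):
    """One pass over the CT export: unknown hosts, wildcards, and near-expiry certs."""
    return {
        "unknown_hosts": find_unknown_hosts(entries, known),
        "wildcards": find_wildcards(entries),
        "expiring": expiring_within(entries, now_iso, days),
    }
```

Run against a real CT export on a schedule and every new name in `unknown_hosts` becomes a candidate asset for the vulnerability scanning pipeline, rather than something the team first hears about from outside.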
Where this fits with vulnerability management
Attack surface management and vulnerability management are complementary disciplines, but they’re often run as separate programs with no connection between them. Discovery finds the exposed asset; vulnerability management scans it; remediation closes the gap. When those three things aren’t connected, assets fall through the cracks at every handoff.
The way we’ve built Patchly’s attack surface capability is to treat discovered assets as automatic inputs to the vulnerability assessment pipeline. There’s no manual handoff, no spreadsheet, no email to the right person asking them to add it to the next scan. The moment something shows up in the external footprint, it enters the assessment workflow. Discovery and remediation tracking are the same program, not two separate ones.
That’s not a novel idea – it’s just not how most tools work in practice.
Related reading: Finding Vulnerabilities Is Easy. Proving You Fixed Them Is the Hard Part. | The Case for Continuous Penetration Testing
Most organizations are surprised by what a perimeter scan reveals. Request a free perimeter scan and see your attack surface from the outside.
Want to see how Patchly works? Request a free assessment or book a demo.