Ask most IT teams to list every domain, subdomain, IP address, and exposed service their business runs, and you will get a confident answer. Run a proper external review, and you will discover the answer was wrong. Modern attack surfaces sprawl. Marketing campaigns spin up landing pages, developers stand up staging environments, acquisitions bring entire estates with them, and over the years it all adds up to a far larger footprint than any single team can keep in their head.
What Counts as Your Attack Surface
Anything an attacker can reach from the internet without prior knowledge of your environment counts. That includes all your public DNS records, the IP ranges you own and the ones your cloud provider hands you, third-party services that integrate with your systems, marketing properties on platforms you do not directly control, and the email infrastructure attackers use for phishing runs. Each of those categories produces its own risks. Each tends to be owned by a different team, with predictable consequences.
Forgotten Subdomains Cause Real Damage
Subdomain takeovers, where a stale DNS record points to a service nobody uses any more, give attackers a legitimate-looking foothold. They register the abandoned service, host a phishing page on your real domain, and watch the click-through rates climb. External network penetration testing that includes proper subdomain enumeration and DNS hygiene catches these regularly. So does cheap automation, if you set it up. Either way, knowing what your DNS still points at is the start of getting it under control.
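The "cheap automation" mentioned above can be as simple as a script that walks your zone export and flags records that no longer point at anything you control. The following is an added example, not tooling from the article or from Aardwolf Security: it parses a constructed, simplified zone export for the hypothetical domain example.com, flags CNAME records whose target returns NXDOMAIN (the dangling record behind a takeover) and A records that point outside the address ranges you own. Resolver answers are a constructed lookup table so it runs offline; in a live check you would replace resolve() with a real lookup such as dnspython's dns.resolver.

```python
"""Offline DNS hygiene check over a zone export (added example, hypothetical zone)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str


# Constructed three-column zone export for the hypothetical domain example.com.
ZONE_EXPORT = """\
; name                    type   target
www.example.com.          A      203.0.113.10
promo2019.example.com.    CNAME  promo2019.pages.example-host.net.
staging.example.com.      A      198.51.100.7
status.example.com.       CNAME  example.status-vendor.example.
api.example.com.          CNAME  api-lb.example.com.
api-lb.example.com.       A      203.0.113.20
"""

# Constructed resolver answers: None models NXDOMAIN (the target is gone).
RESOLVER_ANSWERS = {
    "promo2019.pages.example-host.net.": None,
    "example.status-vendor.example.": "192.0.2.44",
    "api-lb.example.com.": "203.0.113.20",
}

# Constructed list of address ranges the organisation actually owns.
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_zone(text):
    """Parse the simplified export; lines starting with ';' are comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, target = line.split()
        records.append(Record(name, rtype.upper(), target))
    return records


def resolve(target, answers):
    """Stand-in for a live DNS lookup; None means the name does not exist."""
    return answers.get(target)


def find_dangling_cnames(records, answers):
    """CNAMEs whose target returns NXDOMAIN: remove them before the target is re-registered."""
    return [r.name for r in records
            if r.rtype == "CNAME" and resolve(r.target, answers) is None]


def find_unowned_addresses(records, owned):
    """A records pointing outside the ranges we own: confirm who runs the host."""
    flagged = []
    for r in records:
        if r.rtype != "A":
            continue
        addr = ipaddress.ip_address(r.target)
        if not any(addr in net for net in owned):
            flagged.append(r.name)
    return flagged


def hygiene_report(zone_text=ZONE_EXPORT, answers=RESOLVER_ANSWERS, owned=OWNED_RANGES):
    """Run both checks and return the record names needing attention."""
    records = parse_zone(zone_text)
    return {
        "dangling_cname": find_dangling_cnames(records, answers),
        "unowned_a": find_unowned_addresses(records, owned),
    }


if __name__ == "__main__":
    for category, names in hygiene_report().items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Run it on a schedule against a fresh zone export and you get the list of records to delete or re-home; the unowned-address list is often where staging boxes and vendor-hosted properties surface.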
Expert Commentary
Name: William Fieldhouse
Title: Director of Aardwolf Security Ltd
Comments: When I run an external surface review for a new client, I almost always find at least one forgotten asset they did not know existed. Sometimes it is an old marketing microsite running an unpatched WordPress instance. Sometimes it is a developer test box that ended up in production DNS. The findings vary, but the lesson is the same.
Continuous Discovery Beats Periodic Audit

An audit done once a year shows you the surface as it was on the day of the audit. By next month, your developers have launched two new properties and your DNS team has added a CNAME for a third-party app. Continuous discovery, where new assets trigger an alert and feed automatically into a review queue, keeps the picture current. Pair this with regular vulnerability scanning services so that anything new is checked for known weaknesses without anyone having to remember.
Treat the Result as a Living Inventory
An attack surface inventory is most useful when it sits in a place engineers actually consult. Drop it in a spreadsheet on someone’s desktop and it dies within a fortnight. Put it in your asset management system, link it to your CMDB, or feed it into your SIEM as enrichment data and it earns its keep. The point is not the document. The point is that everyone who provisions, decommissions, or changes a public-facing asset has a single shared view of what exists and what state it is in.
Practical Next Steps
Run a discovery exercise this quarter. Compare the result to whatever inventory you currently consider authoritative. Investigate every difference. The exercise alone will tell you more about your security posture than any number of compliance dashboards, and the resulting inventory becomes the foundation for every assessment, every detection, and every conversation with the board for the next twelve months.
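The comparison described here, and the continuous-discovery loop described under the earlier heading, both come down to the same operation: diff what discovery found against what the inventory claims, and turn every difference into something a named owner has to resolve. The following is an added example with constructed data, not the article's own tooling: a hypothetical CMDB export is compared with a hypothetical discovery result, and the new, missing, and changed hosts are converted into review-queue items.

```python
"""Diff a discovery result against the authoritative inventory (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    ports: frozenset
    owner: str = "unassigned"


# Constructed "authoritative" inventory, e.g. exported from a CMDB.
AUTHORITATIVE = [
    Asset("www.example.com", frozenset({80, 443}), "web-team"),
    Asset("api.example.com", frozenset({443}), "platform"),
    Asset("vpn.example.com", frozenset({443}), "netops"),
]

# Constructed result of this quarter's external discovery run.
DISCOVERED = [
    Asset("www.example.com", frozenset({80, 443})),
    Asset("api.example.com", frozenset({443, 8080})),   # a new listener appeared
    Asset("promo2019.example.com", frozenset({80})),    # nobody listed this one
]


def diff_inventory(authoritative, discovered):
    """Return hosts that are new, missing, or whose exposed ports changed."""
    known = {a.host: a for a in authoritative}
    seen = {a.host: a for a in discovered}
    new = sorted(set(seen) - set(known))
    missing = sorted(set(known) - set(seen))
    changed = {}
    for host in sorted(set(known) & set(seen)):
        opened = seen[host].ports - known[host].ports
        closed = known[host].ports - seen[host].ports
        if opened or closed:
            changed[host] = {"opened": sorted(opened), "closed": sorted(closed)}
    return {"new": new, "missing": missing, "changed": changed}


def review_queue(diff, authoritative):
    """Every difference becomes (host, owner to chase, reason) for the review queue."""
    owners = {a.host: a.owner for a in authoritative}
    queue = []
    for host in diff["new"]:
        queue.append((host, "unassigned",
                      "undocumented asset: assign an owner, scan it, or decommission it"))
    for host in diff["missing"]:
        queue.append((host, owners[host],
                      "in inventory but not reachable: confirm decommissioned and remove the record"))
    for host, delta in diff["changed"].items():
        queue.append((host, owners[host],
                      f"exposure changed: opened {delta['opened']}, closed {delta['closed']}"))
    return queue


def run_review(authoritative=AUTHORITATIVE, discovered=DISCOVERED):
    """One discovery cycle: diff, then queue the differences for investigation."""
    return review_queue(diff_inventory(authoritative, discovered), authoritative)


if __name__ == "__main__":
    for host, owner, reason in run_review():
        print(f"{host:26} {owner:12} {reason}")
```

Scheduled daily rather than yearly, the same diff is the continuous-discovery alert feed; the queue items are what you push into the ticketing system or SIEM so that the inventory stays a living record rather than a snapshot.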
