Your External Attack Surface: What Attackers Look for First

What attackers see before they ever touch your network.

Every organisation has an external attack surface, and almost none of them have an accurate picture of what it actually contains. Old test environments outlive the projects they supported. Marketing spins up subdomains for campaigns that ended three years ago. Cloud accounts created by individual teams sit outside central inventory. Acquired companies bring their own histories of forgotten infrastructure. By the time an attacker arrives, the surface they see is usually larger, messier and more interesting than the one the defender thinks they are protecting.

This article describes how attackers map an organisation from the outside, where they tend to find their first foothold, and the small set of changes that meaningfully reduce risk. The aim is not exhaustive coverage — that is what an engagement is for — but a clear-eyed view of the discovery you should expect to be subjected to, whether you have invited it or not.

How attackers discover exposed assets

Modern attack surface discovery is almost entirely passive in its first phase. Attackers prefer to learn as much as possible before generating any traffic that could attribute their activity. The public internet provides a great deal of information for free.

Common starting points include:

• DNS data. Authoritative records, historical DNS, and subdomain enumeration from public datasets reveal the shape of an organisation’s infrastructure. Tools such as crt.sh, Shodan, Censys and SecurityTrails are routinely used.
• Certificate transparency logs. Every TLS certificate issued by a public CA is logged. Subdomains an organisation may not have intended to expose — staging environments, internal portals briefly given a public certificate — surface here permanently.
• Cloud metadata. AWS, Azure and GCP all leave fingerprints. S3 bucket names, Azure storage URLs and exposed metadata endpoints reveal cloud footprint and sometimes cloud content.
• Code and credential leaks. Public GitHub, GitLab and Bitbucket repositories regularly contain hardcoded credentials, internal hostnames and configuration files that should never have left private infrastructure.
• Acquired company history. When organisation A buys organisation B, attackers happily look at organisation B’s pre-acquisition footprint, much of which is still live.

Active reconnaissance follows. Port scans, service fingerprinting, banner grabbing and targeted enumeration confirm what passive discovery suggested. By the end of this phase, an attacker has a list of live services, technologies, versions and likely owners — often more complete than the asset register the defender is working from.

Common external entry points

The vulnerabilities that lead to real-world compromises are remarkably consistent year-on-year. The technology changes; the patterns do not.

The most reliably exploited categories are:

• Edge devices and VPNs. Citrix, Ivanti, Fortinet, Cisco and Palo Alto appliances continue to dominate the CISA Known Exploited Vulnerabilities catalogue. Devices sitting at the perimeter, often unpatched and under-monitored, are the single most common ransomware entry point.
• Exposed administrative interfaces. Login portals for Jenkins, Kubernetes dashboards, database admin tools and management consoles that should never be reachable from the internet.
• Forgotten applications. Marketing microsites, legacy portals, old test environments and one-off integrations that no team currently owns.
• Weak or misconfigured TLS. Self-signed certificates on production endpoints, outdated TLS versions, and certificates issued by long-departed contractors that nobody now controls.
• Authentication weaknesses. Single-factor authentication on internet-facing services, password reset flows that leak account existence, and SSO misconfigurations that allow lateral movement between tenants.
• Cloud misconfigurations. Public S3 buckets, overly permissive storage URLs, exposed Kubernetes API servers, and IAM roles assumable from outside the account.

The pattern is not “zero-day exploits”. It is “old issues on assets the defender did not know they had”. The 2024 and 2025 high-profile UK ransomware incidents almost all followed this pattern.

High-impact fixes that reduce exposure

You cannot defend what you cannot see, so the first investment is visibility. After that, a small number of changes consistently produce the largest reduction in real-world risk:

1. Build and maintain an authoritative external asset inventory. Combine internal sources (DNS, IPAM, cloud APIs) with external sources (certificate transparency, passive DNS, attack surface management tooling). Reconcile regularly.
2. Retire what you do not need. Most environments contain services, hostnames and applications that no longer serve a business purpose. Decommission them. Every removed asset is one fewer entry point.
3. Patch edge devices first. Treat anything in the CISA KEV catalogue affecting an internet-exposed device as an emergency. The timeline from disclosure to exploitation at scale on edge devices is now routinely measured in hours.
4. Put administrative interfaces behind authenticated access. Management consoles, internal apps and pre-production environments should not be reachable from the public internet. Use a VPN, Zero Trust proxy or IP allow-listing as a minimum.
5. Enforce multi-factor authentication everywhere external. Phishing-resistant MFA (WebAuthn / FIDO2) for administrators is the highest-leverage single change available.
6. Monitor for change, not just for vulnerabilities. A new subdomain appearing, a new certificate being issued, or a new service responding on a known IP is often the first sign of an issue.

This is unglamorous work. It is also the work that prevents the majority of opportunistic compromises. If you do these six things consistently, your external surface becomes substantially harder than your peers’ — and attackers, like everyone else, optimise for effort.

Frequently asked questions

What is external attack surface management (EASM)?

EASM is the continuous discovery and monitoring of an organisation’s internet-facing assets from an attacker’s perspective. It complements internal asset management by capturing what defenders may not know they have exposed.

How often should we map our external attack surface?

Continuously. The surface changes daily as DNS records, certificates and cloud assets are created and destroyed. A point-in-time map is out of date the day it is produced.

What is the CISA KEV catalogue?

CISA’s Known Exploited Vulnerabilities catalogue lists vulnerabilities for which there is evidence of active exploitation in the wild. It is the single most useful free input to vulnerability prioritisation for internet-facing assets.

Should we run our own attack surface tooling or use a service?

Either works. Service-based EASM typically delivers broader passive coverage and curated change alerting; in-house tooling gives more control over data. Most mature programmes combine both.

Next Steps

• Run an Attack Surface Preview
• View External Infrastructure Testing
• Explore Penetration Testing
• Contact Pentiq