You can't protect what you can't see
In early 2024, researchers at Guardio Labs uncovered SubdoMailing, a campaign in which attackers hijacked thousands of abandoned subdomains belonging to trusted organizations, including eBay, CBS, McAfee, and Symantec. By exploiting DNS records linked to services that were no longer in use, they were able to send millions of fraudulent emails every day from seemingly legitimate domains. Guardio Labs documented the campaign and highlighted how forgotten internet assets can become powerful tools for attackers.
The lesson wasn't that these organizations had weak security controls. It was that they had assets they no longer knew they owned, but that attackers were aware of.
When your attack surface grows faster than your visibility
Most organizations have spent years expanding their digital footprint. Cloud services, SaaS applications, acquisitions, development environments, regional websites, marketing campaigns, and third-party integrations all leave traces on the internet.
The challenge is that these environments often grow faster than the processes used to track them.
From an attacker's perspective, every exposed asset is a potential entry point. It does not need to be a critical production system. A forgotten subdomain, an abandoned cloud service, or a legacy application can be enough to create an opportunity.
Attackers don't start with what your security team knows about. They start with what they can find.
The speed of exposure has changed
Even when organizations know about a vulnerability, the timeline for responding has become increasingly difficult.
According to the latest M-Trends report from Mandiant, mean time to exploit vulnerabilities dropped to an estimated -7 days. This means that attackers are weaponizing vulnerabilities at unprecedented speed, often before a patch is even released and before organizations have had time to assess and respond to newly disclosed risks. Meanwhile, the Edgescan 2025 Vulnerability Statistics Report found that internet-facing critical vulnerabilities frequently remain unresolved for weeks or months after discovery.
That gap is where exposure turns into risk.
For security teams, this creates a difficult reality. The challenge is no longer simply finding vulnerabilities in the assets you know. It is understanding which internet-facing assets matter most and which exposures require immediate attention.
What good looks like
Organizations that are making progress in this area typically focus on three things:
- Maintaining a continuously updated inventory of internet-facing assets
- Monitoring for changes, including newly discovered subdomains, cloud services, and exposed applications
- Prioritizing exposures based on exploitability and business impact rather than severity scores alone
None of these practices eliminate risk entirely. What they do provide is a better chance of identifying exposure before an attacker does.
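The three practices above can be sketched as a small check over two inventory snapshots. This is an added example, not Detectify's code or tooling: it reports newly seen hosts, flags hosts whose DNS record points at a service that no longer resolves (the SubdoMailing pattern, simplified here to a CNAME check), and orders findings by exploitability and business impact instead of severity alone. The Asset fields, the weighting, and the example.com hosts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    host: str
    cname: Optional[str]    # CNAME target recorded by discovery, if any
    target_resolves: bool   # assumption: discovery also checked the target
    severity: float         # scanner severity score, 0-10
    exploitable: bool       # assumption: exploitation is known to be practical
    business_impact: int    # assumption: 1 (low) to 3 (high), set by the owner

def diff_inventory(previous, current):
    """Hosts that appeared or disappeared between two snapshots."""
    before = {a.host for a in previous}
    after = {a.host for a in current}
    return sorted(after - before), sorted(before - after)

def dangling(assets):
    """Hosts whose CNAME points at a target that no longer resolves."""
    return [a.host for a in assets if a.cname and not a.target_resolves]

def by_severity(assets):
    """Severity-only ordering, kept for comparison."""
    return [a.host for a in sorted(assets, key=lambda a: a.severity, reverse=True)]

def prioritize(assets):
    """Exploitability and business impact first, severity as tie-breaker."""
    def key(a):
        # The 2x weight for exploitable assets is an illustrative assumption.
        return ((2 if a.exploitable else 1) * a.business_impact, a.severity)
    return [a.host for a in sorted(assets, key=key, reverse=True)]

# Constructed sample snapshots (example.com names are placeholders).
PREVIOUS = [
    Asset("shop.example.com", None, True, 9.1, False, 3),
    Asset("legacy.example.com", None, True, 6.5, True, 2),
]
CURRENT = PREVIOUS + [
    Asset("promo.example.com", "campaign.mailer.example.net", False, 5.0, True, 3),
]

if __name__ == "__main__":
    new, removed = diff_inventory(PREVIOUS, CURRENT)
    print("new:", new, "removed:", removed)
    print("dangling:", dangling(CURRENT))
    print("severity only:", by_severity(CURRENT))
    print("prioritized:  ", prioritize(CURRENT))
```

In the sample data the forgotten promo host has the lowest severity score yet ranks first once exploitability and business impact are considered.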
Why this is now a leadership issue
External exposure is often viewed as a technical problem. In reality, it has become a business risk issue. A forgotten internet-facing asset can create operational disruption, reputational damage, regulatory consequences, or customer trust issues long before anyone inside the organization realizes it exists.
That is why leaders should be asking a simple question:
‘Do we know everything our organization exposes to the internet, and how quickly can we respond when something changes?’
The organizations that can answer that question confidently are generally in a much stronger position to reduce risk before it becomes an incident.
Author:
Alexander Matsson, Head of Customer & Technical Success
Detectify will be presenting ‘The Mythos Effect: Elevating External Asset Exposure to a Leadership Priority’ at Cyber Security Nordic on 28th October 2026.
