
What we discovered when scanning 50+ companies’ attack surfaces

Matthias
Security Researcher

Most companies assume they have a good handle on their external IT footprint. They believe their attack surface is under control — until they actually take a closer look.

To test that assumption, we imagined scanning 50 companies across industries: A SaaS startup. A logistics provider. A digital agency. A local energy installer. All different. All with internet-facing assets. All thinking, “we’ve got this covered.”

The results? Surprising — and a bit alarming.

Here’s what we found

We ran passive scans on public domain and subdomain data — no intrusion, no login required, just what is visible to the internet (and to attackers).

Out of the 50 companies scanned, we uncovered:

  • 69% still had a staging or test environment publicly accessible
  • 40% had at least one subdomain without HTTPS or valid TLS
  • 60% were using third-party tools or integrations no longer linked to active users
  • 25% had DNS records pointing to outdated IPs or deprecated infrastructure
  • 97% had at least one asset their own IT team didn’t know was online

And these are not large corporations. These are lean, modern, often cloud-native companies.

Why this matters

Your attack surface is not limited to your main website or production environment.

It’s everything with a public endpoint — from old microsites to forgotten dashboards and open APIs.

Attackers don’t care whether it’s active or not. If it’s online, it’s a potential entry point.

And the scary part? Most of these assets are:

  • Outside the scope of traditional vulnerability scanners, which only test the targets they are given
  • Not listed in any CMDB
  • Not monitored — because no one remembers they exist

What most companies get wrong

They assume security = scanning for vulnerabilities.

But here’s the problem:

You can’t protect what you don’t know exists. Discovery must come before scanning.

Without a clear picture of your external footprint, even the best patching strategy leaves you blind.

How to fix it

🔍 Step 1: run external asset discovery

Use a lightweight tool to map every domain, subdomain, and service you operate — intentionally or not. Passive sources are enough to start: certificate transparency logs and public DNS already list most of what an attacker would find, without touching your systems.

🕵️ Step 2: monitor for change

Set up alerts for newly discovered assets or configuration changes.

A new asset is most exposed in the window between going live and being hardened, so the alert has to fire on the first sighting, not on the next quarterly review.

🧹 Step 3: remove what’s not needed

Kill unused subdomains. Clean up DNS records. Shut down old services. A DNS record that still points at an IP or hosting target you no longer control is the worst of the three: the name stays yours while the thing behind it can be claimed by someone else.

Every unnecessary asset is an unnecessary risk.
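The three steps above, as an added example that is not Tresal's code and not from the original post: one Python pass over constructed data (a fake certificate-transparency export, fake resolver output, a fake owned address range, a fake CMDB host list) that discovers hostnames, diffs them against what the CMDB knows, and flags the same categories the scan results above report: staging or test names, hosts without valid TLS, and DNS records pointing outside the company's current infrastructure. Every hostname, address and helper name is an assumption made for the example.

```python
"""Added example, not Tresal's code: one pass over constructed data that
walks the three steps above (discover, diff and alert, list what to remove).
All inputs below are made up; a real run would pull them from CT logs, a DNS
resolver and a TLS probe."""
import ipaddress
import json
import re

# Constructed sample in the shape of a certificate-transparency export:
# one record per certificate, SANs newline-separated, wildcards possible.
CT_EXPORT = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "staging.example.com",
     "name_value": "staging.example.com\nstaging-api.example.com"},
    {"common_name": "old-dashboard.example.com",
     "name_value": "old-dashboard.example.com"},
])

# Constructed resolver output: (hostname, record type, target).
DNS_RECORDS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("example.com", "A", "203.0.113.10"),
    ("staging.example.com", "A", "203.0.113.20"),
    ("staging-api.example.com", "CNAME", "api-staging.example.com"),
    ("old-dashboard.example.com", "A", "198.51.100.7"),
]

# Constructed: address space the company currently operates, hosts that
# answered on 443 with a valid certificate, and what the CMDB knows about.
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
VALID_TLS = {"www.example.com", "example.com"}
CMDB_HOSTS = {"www.example.com", "example.com"}

# Hostname labels that usually mean a non-production environment (heuristic).
STAGING_RE = re.compile(r"(^|[.-])(staging|stage|test|dev|uat|qa)([.-]|$)")


def names_from_ct(export_json):
    """Step 1: concrete hostnames from a CT export; wildcards carry no host."""
    names = set()
    for cert in json.loads(export_json):
        for name in cert["name_value"].split("\n"):
            name = name.strip().lower()
            if name and not name.startswith("*."):
                names.add(name)
    return names


def classify(host, records, owned, valid_tls, known_hosts):
    """Findings for one host, matching the categories reported above."""
    findings = []
    if STAGING_RE.search(host):
        findings.append("staging-or-test")
    if host not in valid_tls:
        findings.append("no-valid-tls")
    for name, rtype, target in records:
        if name != host:
            continue
        if rtype == "A":
            addr = ipaddress.ip_address(target)
            if not any(addr in net for net in owned):
                findings.append("a-record-outside-owned-ranges")
        elif rtype == "CNAME" and target not in known_hosts:
            findings.append("cname-to-unmanaged-target")
    return findings


def build_inventory(ct_export, records, owned, valid_tls):
    """Step 1: union of CT names and DNS names, each with its findings."""
    hosts = names_from_ct(ct_export) | {name for name, _, _ in records}
    return {h: classify(h, records, owned, valid_tls, hosts)
            for h in sorted(hosts)}


def diff_inventories(previous, current):
    """Step 2: hosts that appeared since the last run (alert on these) and
    hosts that went away. Run against the CMDB, 'new' is what IT did not know."""
    return (sorted(set(current) - set(previous)),
            sorted(set(previous) - set(current)))


def removal_candidates(inventory):
    """Step 3: the first hosts to review for shutdown or DNS cleanup."""
    risky = {"staging-or-test", "a-record-outside-owned-ranges",
             "cname-to-unmanaged-target"}
    return sorted(h for h, f in inventory.items() if risky & set(f))


if __name__ == "__main__":
    inv = build_inventory(CT_EXPORT, DNS_RECORDS, OWNED_NETWORKS, VALID_TLS)
    unknown, _ = diff_inventories(CMDB_HOSTS, inv)
    for host, findings in inv.items():
        print(f"{host:28} {', '.join(findings) or 'ok'}")
    print("not in CMDB:", unknown)
    print("review for removal:", removal_candidates(inv))
```

Two caveats worth keeping in mind when turning this into a real job. The name pattern is only a heuristic; a production API called `qa.example.com` will trip it and a test environment called `blue.example.com` will not, so treat the flag as a prompt to ask, not a verdict. The "outside owned ranges" check is only as good as the owned list: if nobody maintains the list of address ranges and hosting providers the company actually uses, the check either floods you with false positives or goes quiet, which is the same visibility problem the post describes, one level down. Store each run's inventory and feed it back as `previous` on the next run so that step 2 fires on the first sighting of a new host.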

Why we built Tresal

We designed Tresal to help teams uncover what they’ve lost visibility over — before it becomes a liability.

No complex integrations. No heavy setup.

Just instant insight into what’s live and what’s risky.

Managing your external attack surface doesn’t have to be complex or expensive.

The key is to start small, stay consistent, and use tools that work with your workflow — not against it.

That’s exactly why we built Tresal.

Want to see what your attack surface looks like today? You might be surprised.

👉 www.tresal.eu

Matthias, Security Researcher: security expert specializing in attack surface management and vulnerability detection.
