An unpatched vulnerability is dangerous; an unmonitored exposed asset is catastrophic.
1. Introduction
Many products, including security solutions, contain vulnerabilities that continuously evolve as new research and attack techniques emerge. Unfortunately, it is impossible to predict precisely which weaknesses will be discovered or exploited next.
The real issue is not merely the existence of these flaws, but the fact that many systems are unnecessarily exposed to the internet. When vulnerable assets are publicly accessible without a clear business need, even a single newly disclosed vulnerability can be rapidly leveraged by attackers.
As highlighted in CrowdStrike’s 2025 Threat Hunting Report, 52% of the observed vulnerabilities were related to initial access, with public-facing applications and management panels remaining the primary attack vectors. Advanced threat actors such as Glacial Panda and Graceful Spider continue to rely on exposed internet-facing assets as their initial breach point, underscoring the critical importance of controlling exposure and maintaining full visibility into organizational assets.
In this post, we will focus on asset exposure and practical ways to define the attack surface.
2. What Are External Assets?
External assets include:
- Security appliances (VPNs, firewalls, gateways)
- Cloud and SaaS services
- Forgotten or temporary systems
- Domains
- IPs
If it’s reachable from the internet, it’s part of the attack surface.
Domains
When asked about their domains, most clients typically provide only the primary website. However, through comprehensive passive reconnaissance, we often identify many additional domains associated with the organization. These domains may represent legacy systems, regional services, testing environments, or forgotten assets that still remain accessible.
By performing a deeper analysis, we can better understand the relationships between these domains. In many cases, they share the same name servers (when the organization manages its own DNS infrastructure), or they are linked directly or indirectly from the main website. Such connections can unintentionally expose additional entry points to attackers.
We recommend reviewing all domain names the organization has used, both past and present, across every domain registrar or provider. Maintaining an accurate and up-to-date domain inventory is essential for understanding the true external attack surface and reducing unnecessary exposure.
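The two relationship signals described above (domains delegating to the organization's own name servers, and domains linked from the main website) can be checked mechanically once passive reconnaissance has produced a candidate list. The script below is an added example, not part of the original post; it works on constructed NS records and a constructed HTML page (all example.com/.test names are placeholders) so it runs offline, and you would feed it the NS lookups and the fetched homepage of your own inventory.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed NS records (domain -> authoritative name servers); in practice they
# come from NS lookups of every candidate domain found by passive recon.
SAMPLE_NS = {
    "example.com": {"ns1.example.com.", "ns2.example.com."},
    "example-legacy.net": {"ns1.example.com.", "ns2.example.com."},
    "example.de": {"NS2.example.com.", "ns1.example.com."},
    "example-shop.com": {"ns1.dnshost.test.", "ns2.dnshost.test."},
    "unrelated.org": {"ns.other.test."},
}
# Constructed HTML of the main website; outbound links are the second signal.
SAMPLE_HTML = """<html><body><a href="https://careers.example-legacy.net/jobs">Jobs</a>
<a href="/about">About</a><img src="//cdn.example-shop.com/logo.png">
<a href="https://www.example.com/contact">Contact</a></body></html>"""

def related_by_self_managed_dns(ns_records, org_domains):
    """Domains whose every name server lives under a domain the organization
    already owns: a strong hint that it manages DNS for them as well."""
    owned = tuple("." + d.lower() for d in org_domains)
    related = {dom for dom, servers in ns_records.items()
               if servers and all(s.lower().rstrip(".").endswith(owned) for s in servers)}
    return sorted(related - set(org_domains))

class _LinkCollector(HTMLParser):
    """Collect hostnames from href/src attributes of a fetched page."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlparse(value, scheme="https").hostname
                if host:
                    self.hosts.add(host.lower())

def domains_linked_from(html, main_domain):
    """Hostnames the main site links to that sit outside its own domain."""
    parser = _LinkCollector()
    parser.feed(html)
    own = main_domain.lower()
    return sorted(h for h in parser.hosts if h != own and not h.endswith("." + own))

if __name__ == "__main__":
    print("Self-managed DNS:", related_by_self_managed_dns(SAMPLE_NS, ["example.com"]))
    print("Linked from main site:", domains_linked_from(SAMPLE_HTML, "example.com"))
```

Every domain either function returns belongs in the inventory review, even if nobody in the organization remembers registering it.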

IPs
Similar to domains, clients usually provide a list of known IP addresses, which most often includes current cloud assets. However, by querying Regional Internet Registries (RIRs), we frequently discover additional IP ranges associated with the organization. These often relate to legacy infrastructure, decommissioned services, or historical allocations that are still registered under the company’s name.
It is not uncommon for these IP addresses to remain routable and partially exposed, despite no longer being actively managed. Such overlooked assets can significantly expand the external attack surface and introduce unnecessary risk.
We recommend regularly querying the relevant RIRs to identify all IP address ranges associated with the organization and maintaining an accurate inventory to ensure proper monitoring, ownership validation, and exposure control.
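RDAP (the JSON successor to WHOIS that the RIRs expose) returns registered networks as start/end address pairs rather than CIDR blocks, and the useful comparison is between those registrations and the list the client provided. The script below is an added example, not from the original post; it parses a constructed RDAP search response (placeholder handles and documentation prefixes) and reports the registered ranges that no inventory entry covers, plus which allocation a discovered address belongs to.

```python
import ipaddress

# Constructed RDAP "ip search" response in the RFC 9083 shape (ipSearchResults
# with startAddress/endAddress); a real one comes from the relevant RIR's RDAP service.
SAMPLE_RDAP = {
    "ipSearchResults": [
        {"handle": "NET-198-51-100-0-1", "name": "EXAMPLE-CORP-LEGACY",
         "startAddress": "198.51.100.0", "endAddress": "198.51.100.255", "ipVersion": "v4"},
        {"handle": "NET-203-0-113-0-1", "name": "EXAMPLE-CORP-CLOUD",
         "startAddress": "203.0.113.0", "endAddress": "203.0.113.127", "ipVersion": "v4"},
        {"handle": "NET6-2001-DB8-1-1", "name": "EXAMPLE-CORP-V6",
         "startAddress": "2001:db8:1::", "endAddress": "2001:db8:1:ffff:ffff:ffff:ffff:ffff",
         "ipVersion": "v6"},
    ]
}

def networks_from_rdap(doc):
    """Turn each RDAP ip network object into (name, handle, CIDR network) tuples.
    A start/end pair that is not CIDR-aligned expands to several networks."""
    found = []
    for obj in doc.get("ipSearchResults", []):
        start = ipaddress.ip_address(obj["startAddress"])
        end = ipaddress.ip_address(obj["endAddress"])
        for net in ipaddress.summarize_address_range(start, end):
            found.append((obj.get("name", ""), obj.get("handle", ""), net))
    return found

def uncovered_by_inventory(rir_networks, inventory_cidrs):
    """RIR-registered ranges that no known inventory range covers: the candidates
    for legacy or forgotten infrastructure that may still be routable."""
    inventory = [ipaddress.ip_network(c, strict=False) for c in inventory_cidrs]
    return [
        (name, handle, str(net)) for name, handle, net in rir_networks
        if not any(net.version == inv.version and net.subnet_of(inv) for inv in inventory)
    ]

def owner_of(ip, rir_networks):
    """Name of the RIR allocation containing ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for name, _handle, net in rir_networks:
        if addr.version == net.version and addr in net:
            return name
    return None

if __name__ == "__main__":
    nets = networks_from_rdap(SAMPLE_RDAP)
    # The client only listed its current cloud range, so two registrations are unaccounted for.
    for name, handle, cidr in uncovered_by_inventory(nets, ["203.0.113.0/25"]):
        print(f"not in inventory: {cidr} ({name}, {handle})")
    print("198.51.100.42 belongs to:", owner_of("198.51.100.42", nets))
```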
Security Appliances
The management and remote-access panels of these appliances are often used to provide VPN access or remote desktop services. However, they are frequently affected by newly disclosed vulnerabilities, which can be exploited if the panels are not properly secured. Additionally, not every user needs internet access to these panels—administrative accounts or read-only users, for example, typically do not require remote login. Limiting access to only those who need it reduces the attack surface and helps prevent potential compromises.
3. Case Study: Cisco Secure Email Gateway (CVE-2025-20393)
In 2025, a critical zero-day vulnerability was disclosed in Cisco Secure Email Gateway. The flaw allowed unauthenticated attackers to execute arbitrary commands via the Spam Quarantine feature on appliances where the interface was exposed to the internet.
Exploitation in the wild resulted in root-level access, the deployment of persistent mechanisms, and manipulation of system configurations.
This incident illustrates how exposed management interfaces — even on security appliances — can become initial access vectors when reachability is not tightly controlled. Systems running the same vulnerable software but not externally accessible were not impacted.
To reduce risk, organizations should minimize internet exposure of administrative interfaces, enforce strict access controls, apply patches promptly, and monitor for anomalous behavior.
Risk becomes real when a vulnerable system is reachable, trusted, and poorly monitored.

4. Visibility Is the Control Plane of Exposure
Before vulnerabilities can be prioritized or remediated, organizations need a reliable view of what is actually exposed, how it connects, and why it matters. Asset inventories alone are not enough. What’s required is continuous visibility into how external assets, identities, vulnerabilities, and controls combine into real attack paths.
This is where many security programs struggle. Data exists across scanners, cloud platforms, identity providers, and assessments, but it remains fragmented. As a result, teams may patch aggressively while still leaving critical paths open, or miss emerging exposure created by infrastructure changes, acquisitions, or temporary assets.
Some organizations are addressing this gap by adopting exposure-centric operating models that correlate asset discovery, attack-path analysis, and business impact into a single, continuously updated view. Platforms like CYE, for example, focus on modeling exposure across the full environment: not just identifying what exists, but showing how attackers would actually reach high-value assets and which exposures materially change risk.
The key takeaway is not the tooling itself, but the shift in mindset:
Visibility is no longer about completeness; it’s about relevance.
The goal is to understand which exposed assets are reachable, trusted, and insufficiently monitored — before attackers do.