
Shadow IT is your biggest external exposure

Security teams map the assets they know about. Attackers scan the assets no one is watching. We walk through what we find in the first 30 days of an attack surface engagement, and why the gap is consistently larger than organizations expect.

2026-01-14 · 7 min read · ClairSec Research Team

The exposure your security team did not create

Every organization has two attack surfaces. The first is the one the security team built, documented, and monitors. The second is everything else: the staging server a developer spun up two years ago, the SaaS tool the marketing team connected to your Google Workspace without telling IT, the legacy domain registered during an acquisition that nobody owns anymore.

Attackers do not limit their reconnaissance to your documented perimeter. They scan everything associated with your organization name, your ASN, your certificate fingerprints, your email domain. The assets you do not know about are the ones you cannot monitor, patch, or take offline when they are compromised.

This is not a failure of policy. It is a failure of visibility. Shadow IT accumulates faster than most security teams can track, and in large organizations with multiple business units or a history of acquisitions, the gap between what is documented and what is actually reachable from the internet is substantial.

How shadow IT accumulates

There is no single cause. Shadow IT is the compound effect of normal business activity happening faster than security oversight can follow:

  • Developer infrastructure. Engineers create cloud instances, object storage buckets, and container registries to test features or run experiments. The instance gets forgotten. The bucket stays public. The credentials in the environment variables stay valid.
  • Marketing and product tools. Teams subscribe to SaaS platforms using SSO or direct credential login, connecting them to corporate data without a formal procurement or security review process. These connections persist after the tool is no longer actively used.
  • Acquisition residue. When a company is acquired, its external infrastructure often continues to run under the original domain for months or years. Security controls from the acquiring organization are not applied. Legacy software versions sit unpatched.
  • Domain sprawl. Defensive registrations, campaign microsites, and regional TLD variants accumulate over time. Many expire and get re-registered by third parties. Some remain active but unmaintained.
  • Contractor and agency work. External developers and agencies stand up infrastructure on a client's behalf, often in their own cloud accounts, and transfer it (or fail to transfer it) at project end.

What we find in the first 30 days

When ClairSec begins an attack surface engagement, we start from the same external vantage point as an attacker: a company name, a known domain, and a set of passive intelligence sources. What we surface consistently falls into predictable categories.

Forgotten subdomains with live services

Subdomain enumeration against the primary domain and known subsidiary domains typically surfaces between 30 and 200 hosts that are not in the client's asset inventory. A significant portion of these are running services. Common examples: development environments accessible over the public internet, internal portals without authentication, Elasticsearch instances with no access control.

Misconfigured cloud storage

Public object storage buckets containing internal documents, build artifacts, or backup files appear in roughly 40% of engagements with organizations that have been using cloud infrastructure for more than three years. The data in these buckets is often sensitive: configuration files containing API keys, HR exports, financial documents staged for reporting.

Expired or orphaned certificates

Certificate transparency logs reveal services that were stood up at some point, received a certificate, and are still reachable. Many of these are running outdated software with known CVEs because they were never included in patch management workflows.

Third-party integrations with excessive access

OAuth grants and API integrations connected to core systems (email, calendar, CRM, HR) often have broader scopes than the integration requires. A marketing analytics tool with access to your full contacts list is a supply chain exposure that does not appear in any endpoint inventory.

In 30 days of passive and active enumeration, we consistently find assets that would take an attacker less than a day to discover and that the internal security team was not monitoring.

The third-party surface problem

Shadow IT inside your organization is one problem. The third-party surface is a separate one.

Every SaaS vendor, supplier, and partner that processes your data or has network connectivity into your environment is part of your attack surface. When they are breached, the exposure reaches you. When their infrastructure is misconfigured, your data is at risk. You did not create that exposure, and you cannot directly remediate it, but you are affected by it.

The supply chain attacks of the past three years have established clearly that perimeter defense alone is insufficient. An organization with a hardened internal network and strong endpoint controls can be compromised through a vendor that has neither. Organizations that manage third-party exposure most effectively treat it like first-party exposure: mapped, monitored, and subject to security requirements.

Closing the visibility gap

Attack surface management is not a one-time audit. It is a continuous monitoring problem, because the surface changes every time a developer pushes to production, every time a team subscribes to a new tool, and every time a vendor updates their infrastructure.

The baseline requirement is having a complete, current inventory of everything reachable from the internet that is associated with your organization. That inventory cannot be built from internal records alone. It requires external reconnaissance: passive DNS, certificate transparency, ASN mapping, and active probing of discovered assets.

Once the inventory exists, monitoring for changes is the ongoing work. New subdomains appearing, certificates issued for unexpected domains, exposed services on known hosts, new third-party integrations authorized by users: all of these need to surface to the security team within hours, not weeks.

If you have never run an external attack surface assessment, the results will be uncomfortable. That discomfort is the value. Knowing what attackers can see is the prerequisite for securing it.

