You Can’t Defend the Doors You’ve Forgotten You Have

Somewhere in your business, there is probably a server, a subdomain, or a test environment that someone spun up two years ago, forgot to decommission, and never told the current security team about at all. It is still online. It is still reachable from anywhere in the world. And nobody currently on your payroll is watching it. The person who built it may well have left the company entirely, taking the only real knowledge of it with them.

Your Attack Surface Is Bigger Than Your Inventory

Most organisations maintain a mental picture of their internet-facing systems that is somewhat out of date the moment it is drawn up, because new subdomains get created for marketing campaigns, staging environments get spun up for testing and never torn down afterwards, and old vendor integrations quietly keep an API endpoint alive years after the vendor relationship itself ended. Each of these is a door into your business, and none of them appear on the diagram anyone actually uses to plan defences. Ask three different people in the same organisation how many public-facing systems exist and you will likely get three different answers.

external network pen testing exists precisely to close that gap between what you think is exposed and what genuinely is exposed, by continuously mapping every internet-facing asset connected to your organisation rather than relying on a list someone compiled once and filed away years ago. Paired with proper external testing, it turns guesswork about your exposure into an accurate, current picture.

You Can't Defend the Doors You've Forgotten You Have — Aardwolf Security

Shadow Assets Do Not Ask Permission

The dangerous part of a forgotten asset is that it was often built quickly, under deadline pressure, with security treated as an afterthought rather than a design principle from day one. A staging server for a marketing microsite might still be running the same software version from the day it launched, quietly accumulating unpatched vulnerabilities while everyone assumes it was taken down months ago along with the campaign it originally supported. Speed to launch was the only priority anyone cared about at the time, and nobody circled back once the deadline passed.

This is a scenario William Fieldhouse encounters often enough that it no longer surprises him, only frustrates him on the client’s behalf.

“We once mapped a client’s external footprint and found a login portal for a system they had decommissioned three years earlier, still live, still accepting login attempts, and still running software that had not been patched since the day it was abandoned entirely.”

— William Fieldhouse, Director of Aardwolf Security Ltd

Three years of unpatched vulnerabilities sitting quietly on the open internet is not a hypothetical risk, it is an open invitation with a welcome mat laid out, and the business genuinely had no idea it existed until someone went looking specifically for what they had forgotten rather than what they remembered actually building. Nobody had lied about it; the knowledge had simply left the building along with the people who once held it.

Map It Before Someone Else Does

You cannot secure what you do not know exists, and attackers spend considerable time scanning the internet for exactly these forgotten, unmonitored assets because they are so often the softest target available to them. Get a proper map of your external footprint and work with the best pen testing company to test every door on it, including the ones you had genuinely forgotten were ever there. A map compiled once, years ago, will not tell you what changed since.