NEW AI & agent attack-surface fingerprinting is live
← Blog

What an attacker sees when they look at your company

July 1, 2026Resensor5 min read

Two views of the domain acme.com. The owner sees only a homepage, while an attacker sees everything around it: dev.staging, a spoofable mail record, an open port 3389, api, vpn and admin subdomains, and an s3://acme-backups bucket.

Before anyone tries to break into your company, they read it. No exploit, no phishing email, no contact with your staff. Just an afternoon with public data and free tools, spent building a map of everything you have left facing the internet.

That map is the most useful document in the entire attack, and it is the one you never get to see. Your team looks at the company from the inside out: the asset register, the ticket queue, the tools you chose to deploy. The attacker looks from the outside in, and the two views rarely match. What follows is that outside-in view, the way it actually gets assembled.

It starts with your name, not your network

The attacker begins with almost nothing. A company name, one domain, maybe a stock ticker. From there the job is expansion: every domain you own, every subdomain, the IP ranges behind them, the cloud accounts and hosting providers, the businesses you acquired and never fully absorbed.

This is where the surface is almost always bigger than the inventory. The staging site someone stood up for a launch three years ago. The marketing microsite a vendor built and handed back on a domain nobody tracks. The subdomain for an internal tool that was supposed to sit behind the VPN. None of it is in your asset list, because nobody wrote it down. All of it is in theirs, because enumeration does not care what you remembered.

By the end of this stage the attacker has a wider view of your estate than most of your own teams do.

The edge: what is actually listening

With the map drawn, they walk it. Every host gets checked for what it exposes: open ports, web applications, login portals, VPN endpoints, admin panels, APIs, forgotten dev environments. They read your TLS certificates for hostnames you forgot were public and for certs about to expire. They note which sites hide behind a CDN and which ones expose the real origin.

They are not looking for the well-defended front page. They are looking for the one host that was never meant to be out here: the test box with default credentials, the staging environment running last year's build, the admin login that answers straight from the open internet. One weak edge is all the map needs to become a way in.

The front door of your brand

Now the part most vulnerability tools never test. The attacker checks whether they can simply be you.

Can they send email from your exact domain, your name in the From line, straight into your customers' inboxes? For a lot of companies the answer is yes, because SPF, DKIM, and DMARC were never finished. Who has already registered the lookalike versions of your domain, and which of those are provisioned to send mail and wear your brand on a login page right now? Is there a subdomain pointing at a torn-down cloud host that anyone can claim?

None of this involves a vulnerability. Nothing here has a severity score. It is also how a large share of real intrusions against ordinary companies actually begin, because impersonation is cheaper than exploitation and it walks around your defenses instead of through them.

What you left lying around

The next stop is everything that leaked. Secrets and API keys committed to public code repositories. A live credential sitting in an .env file in someone's personal GitHub. Source maps that hand over your front-end internals. Object storage left open to the world. Employee credentials already exposed in breach corpuses from somewhere else entirely.

This is the quiet shortcut. A single working credential found in a repository you do not even control skips the edge, skips the brand, and logs straight in. No alarm goes off, because from the inside it looks exactly like your own people at work.

The short list that actually matters

By now the attacker has found far more than they will ever use, and this is the step defenders most often get backward. They do not work through their findings by severity, top to bottom. They ask a sharper question: of everything here, what is both reachable from the outside and actually exploitable today?

A CVSS 9.8 on a host nobody can reach, with no public exploit, is not where they spend the weekend. A lesser-rated flaw on your public edge, with a weaponized module already in Metasploit and an active spot on CISA's known-exploited list, is. Exploit availability, not the raw score, is what turns a line in a report into a plan for the evening.

That short list, the reachable and the exploitable, is the real attack surface. Everything else was noise they were glad to skip.

The map you were never shown

Here is the uncomfortable part. There is nothing secret in any of this. Every stage runs on public data and tools an attacker can get for free. The reason they hold the map and you do not is not capability. It is point of view.

Your tooling is organized inside out and split by function: a scanner for services, a different product for email, another for brand, another for cloud. Each one shows a slice, and none of them shows the whole. The attacker suffers no such split. They see one connected picture, and they see it from where you are actually attacked, which is the outside.

That is the entire reason we built Resensor. Same public data, same outside-in vantage point, assembled into the one map your own stack keeps in separate boxes: your real estate, what it exposes, whether your brand can be worn, what has leaked, and the short list of exposures that are both reachable and exploitable. Not twenty reports. One view of your company as an attacker reads it.

See what an attacker sees

Resensor maps your external attack surface the way an attacker does, then ranks what is both reachable and exploitable. Start a scan and get your own copy of the map in a few minutes, before someone else finishes drawing theirs.