External Attack Surface Management (EASM)

Incident

During a late-night hotfix, a DevOps engineer working remotely pushed a Python script to a public GitHub repo.

The script contained embedded AWS IAM credentials with admin-level privileges.

Within 8 hours, the credentials were harvested by a crypto mining bot and used to spin up 24 EC2 instances across 3 regions.

The incident wasn’t detected until an unexpected AWS billing alert triggered. Total loss: $12,300 in 24 hours.

Implementation:

• Detected the AWS key within 30 minutes of being posted
• Enriched the alert with repository link, timestamp, author, and potential impact
• Correlated the leaked key to your organization’s GitHub activity using domain and email intelligence
• Enabled immediate IAM key revocation and rotation before the blast radius expanded

Incident

vpn-emea.clientname.com — a subdomain tied to a decommissioned test VPN in Frankfurt — was left active months after an M&A transition.

The login page used default OpenVPN credentials and lacked 2FA.

Shodan indexed the asset, and it appeared on multiple low-tier hacking forums under “low-hanging fruit” lists.

Credential stuffing attempts from Ukrainian and Vietnamese IPs followed within 72 hours, with at least one successful login traced to a test account still active in the internal Jira system.

Implementation

• Detected the forgotten subdomain as part of continuous external asset mapping
• Flagged the endpoint as high-risk due to exposed login panel + lack of 2FA
• Enriched alert with associated certificates and SSL fingerprints
• Provided remediation recommendations to decommission and update DNS records

Incident

A new Jenkins instance was deployed for an upcoming product release and assigned a public IP without firewall restriction.

The server, accessible on port 8080, had no authentication configured due to testing shortcuts.

Attackers discovered the service via Censys.io, installed a malicious plugin, and exfiltrated the secrets.xml file containing API keys for production services, including Slack webhooks and Jira tokens.

Implementation

• Detected the Jenkins instance via external service exposure scanning
• Identified it as vulnerable due to version fingerprinting and lack of authentication
• Prioritized alert based on critical asset correlation (e.g., matching org domain, Git commit references)
• Suggested access control fixes and helped initiate emergency patch workflows

Incident

After a global brand transition, the domain retailgroupindia.com — used for supplier onboarding — expired quietly.

An attacker re-registered it, cloned your vendor portal, and sent phishing emails to active suppliers requesting re-verification of PAN cards and bank details.

Over 30 supplier accounts were compromised, leading to fake invoices being submitted and paid before the fraud was detected.

Implementation

• Detected domain expiration and flagged it in real-time as a high-risk asset
• Notified your team when the domain was re-registered by a third party
• Detected that the new DNS pointed to a phishing infrastructure with reused SSL certs from previous scams
• Offered takedown support via brand protection workflows and legal escalation paths

Incident

A threat actor created a fake profile of your CFO using a publicly available headshot, matching titles, and recent post activity.

They connected with over 40 employees across HR and Finance over a week.

Via LinkedIn InMail, they requested employees wire funds to a “confidential M&A escrow account.” One junior controller sent €270,000 before realizing the fraud.

Implementation

• Detected the fake profile using AI-based identity monitoring and fuzzy image matching
• Correlated LinkedIn activity patterns with anomalous impersonation attempts across other execs
• Flagged urgent alert to brand protection team and initiated takedown request to LinkedIn Trust & Safety team
• Helped create internal awareness campaign around executive impersonation risks

Incident

A marketing agency partner stored customer onboarding files in an Azure Blob container for survey analysis.

The container had public read access enabled and lacked index blocking — allowing Google to index over 3,000 PDFs.

The data included names, Aadhaar IDs, mobile numbers, and preferred insurance coverage.

A journalist discovered the leak via a Google search and published an exposé the next day.

Implementation

• Detected exposed Azure blob using cloud scanning against third-party asset surfaces
• Identified PII based on content classification: IDs, personal forms, and location metadata
• Alert included direct links, hosting region, and Azure blob URI
• Enabled rapid contact with the third-party agency and remediation via access controls and DMCA notice

Incident

The attacker registered secure-portal-login[.]org, mimicking your Okta login.

Using a pretext that employees must “urgently reset their MFA,” they sent SMS messages targeting users in your Singapore office.

The phishing site used cloned HTML and a valid SSL certificate from Let’s Encrypt.

Within 24 hours, 17 valid login credentials were submitted before the campaign was shut down.

Implementation

• Detected typosquatted domain at time of registration using WHOIS monitoring + lexical similarity models
• Flagged high-risk due to brand keyword + TLS cert + observed hosting on a known bulletproof provider
• Alerted your SOC with attack vector analysis and initiated coordinated takedown with the registrar
• Helped you proactively block future lookalikes and train staff against phishing indicators