The assets nobody remembers
In 2024, a major financial services company was breached through a forgotten staging server. The server had been set up for a project two years earlier, ran an outdated version of WordPress, and used default credentials. It was connected to the internal network. The project had been cancelled, but nobody decommissioned the server. Attackers found it through DNS enumeration, exploited the outdated software, and used it as a pivot point into the production environment.
This isn't an unusual story. It's the norm. Across industries, the assets that get breached are disproportionately the ones that security teams didn't know existed.
What is shadow IT?
Shadow IT refers to any technology resource deployed, used, or managed outside the visibility of the IT or security team. In the context of external attack surface management, this typically includes:
- Forgotten subdomains — staging.example.com, test-api.example.com, old.example.com
- Developer test environments — cloud instances spun up for testing and never torn down
- Marketing microsites — campaign landing pages on subdomains that outlive the campaign
- Contractor deployments — services set up by third parties who no longer work with you
- Acquired company infrastructure — domains, servers, and services from M&A that were never integrated or decommissioned
- Legacy applications — old versions of applications still running alongside their replacements
- Exposed cloud storage — S3 buckets, Azure blobs, or GCS buckets with overly permissive access controls
Why shadow IT is a security problem
No patches, no monitoring
If the security team doesn't know an asset exists, it's not in the patch management cycle, it's not being monitored for suspicious activity, and it's not included in vulnerability scans. It sits in a blind spot, accumulating vulnerabilities over time.
Often running outdated software
Shadow IT assets tend to be "set and forget" deployments. They run whatever software version was current when they were created, which means they accumulate known vulnerabilities at an alarming rate. A server untouched for two years might have dozens of critical CVEs.
Weak or default credentials
Test environments frequently use weak passwords, default credentials, or no authentication at all. When those environments are internet-facing, they're trivial for attackers to compromise.
Network connectivity
The most dangerous shadow IT assets are ones that can reach internal systems. A forgotten jump box, a VPN endpoint, or a server with both public and private network interfaces can serve as an attacker's bridge from the internet to your internal network.
How to find your shadow IT
DNS enumeration
Start with your registered domains and enumerate subdomains using certificate transparency logs, DNS brute-forcing, and passive DNS databases. You'll almost certainly find subdomains you didn't know about.
Certificate transparency monitoring
Every publicly trusted TLS certificate issued for your domains is recorded in public certificate transparency logs (certificates from an internal CA are not, so CT covers internet-facing services rather than private ones). Monitoring these logs catches new subdomains and services as soon as someone provisions a certificate for them.
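To make the DNS enumeration and certificate transparency checks above concrete, here is an added example (not FortWatch's code) that parses CT log entries in the JSON shape crt.sh returns, normalises the names, and reports hostnames under your domain that are missing from an assumed asset inventory. The CT entries and the KNOWN_ASSETS set are constructed samples.

```python
"""Flag hostnames seen in certificate transparency (CT) logs that are absent
from a known asset inventory.  Added example for this article, not FortWatch
tooling.  Entries below are constructed in crt.sh's JSON shape, where
name_value holds newline-separated subject alternative names."""
import json

# Constructed sample CT entries; in practice this would come from a CT query.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "Staging.example.com",          # mixed case on purpose
     "not_before": "2024-02-03T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.campaign.example.com\nold.example.com",
     "not_before": "2023-11-20T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "api.example.org",              # other domain, ignored
     "not_before": "2024-03-01T00:00:00"},
])

# Assumed inventory: hostnames the security team already tracks (constructed).
KNOWN_ASSETS = {"example.com", "www.example.com"}


def hostnames_from_ct(ct_json: str, domain: str) -> set:
    """Return normalised hostnames under `domain` found in crt.sh-style JSON.
    A wildcard such as *.campaign.example.com is reduced to its base name,
    because it still reveals that campaign.example.com exists."""
    names = set()
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return names


def find_unknown_assets(ct_json: str, domain: str, known: set) -> list:
    """Hostnames in the CT data for `domain` that are not in the inventory."""
    return sorted(hostnames_from_ct(ct_json, domain) - known)


if __name__ == "__main__":
    for host in find_unknown_assets(SAMPLE_CT_JSON, "example.com", KNOWN_ASSETS):
        print("hostname in CT logs but not in inventory:", host)
```

Each reported name is a candidate for the inventory and for a follow-up check of whether it still resolves and what it serves.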
Cloud account auditing
Review all cloud accounts for running instances, storage buckets, and exposed services. Pay special attention to resources in regions your team doesn't normally use — they're often forgotten experiments.
Automated asset discovery
Manual discovery efforts are necessary but insufficient. Automated tools continuously scan for new assets, catching shadow IT as it appears rather than waiting for periodic audits.
Building a culture of visibility
Finding shadow IT is a technical problem, but preventing it is a cultural one. Teams create shadow IT because deploying infrastructure is easy and the perceived overhead of going through proper channels is high. The solution isn't to make deployment harder — it's to make visibility automatic.
When your security platform automatically discovers and monitors new assets, the "shadow" part of shadow IT disappears. Teams can move fast and deploy freely, knowing that anything they expose to the internet will be discovered, inventoried, and scanned.
FortWatch's continuous asset discovery does exactly this — it monitors your domains for new subdomains, services, and exposed resources, adding them to your inventory and scanning them automatically. No manual registration required.