Ship fast without shipping vulnerabilities

A SaaS company's attack surface is unusually wide and unusually fluid. The product itself is internet-facing by design, and around it sits a sprawl of supporting infrastructure: marketing and docs sites, app and API subdomains, staging and preview environments, status pages, customer-facing trust portals, and a long tail of one-off tools spun up by engineers and never decommissioned. Multi-tenant architectures concentrate risk — a single exposed admin endpoint, leaked API key, or misconfigured object store can reach data belonging to many customers at once. Fast shipping cadence means new subdomains, certificates, and cloud resources appear weekly, and the security team (if there is one) rarely has a current inventory of what is actually reachable from the public internet.

The most common external exposures for SaaS are mundane but high-impact: an .env or config file left in a webroot leaking database credentials, Stripe keys, or signing secrets; a .git directory exposing source and history; staging environments running with debug mode on, default credentials, or no auth at all; and public S3/GCS/Azure buckets holding backups, logs, or customer uploads. Subdomain takeover is a SaaS-specific hazard because teams point CNAMEs at Heroku, Vercel, GitHub Pages, Netlify, and other PaaS providers, then deprovision the backend while leaving the DNS record dangling — letting an attacker claim the subdomain and serve content under the company's own domain.

DNS and certificate hygiene quietly shape risk too. Missing or misconfigured SPF/DKIM/DMARC lets attackers spoof the company's domain in phishing aimed at customers and staff — a real threat for a brand whose login page is a high-value credential target. Certificate Transparency logs leak the names of internal and pre-release subdomains the moment a cert is issued, handing attackers a map of staging, admin, and internal-tooling hosts. Lookalike and typosquat domains get registered to harvest credentials or run invoice fraud against a recognizable SaaS brand. None of this requires a sophisticated adversary — it requires the surface to be left unwatched.