What Attackers See When They Recon Your Business

Before an attacker ever sends a packet to your network, they've already built a profile of your business using nothing but public data. DNS records, certificate logs, LinkedIn, GitHub, and data breach databases — here's the view from the other side, and why "security through obscurity" doesn't work.

Most business owners assume that unless an attacker is actively targeting them, there's nothing to see. That's not true. The public internet is full of data about every organization — data that attackers gather as the first step of any operation, long before they decide what to do. Understanding what they see is the first step to deciding what to close.

DNS Records: The Infrastructure Map

Every domain has DNS records — information about which IP addresses, mail servers, and subdomains belong to your organization. This data is public and queryable by anyone. You can't hide it by making it private; it's fundamental to how the internet works.

What attackers learn from DNS:

You can look up your own DNS records in seconds: use a free DNS lookup tool and search for your domain. Whatever shows up, an attacker sees too.
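One way to audit those same public records from the defender's side, as an added example that is not part of the original article: it checks a zone export for entries that point at infrastructure you no longer account for. The zone contents, the owned range and the active-target list are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed zone export (name, type, value); addresses use documentation ranges.
ZONE = """\
www.example.com.      A      203.0.113.10
vpn.example.com.      A      203.0.113.20
old-crm.example.com.  A      198.51.100.77
shop.example.com.     CNAME  shop-prod.cdn-provider.example.
promo.example.com.    CNAME  promo-2021.hosting-provider.example.
example.com.          MX     10 mail.example.com.
"""

# Assumptions for this example: the ranges you currently control and the
# third-party targets that still have an active resource behind them.
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ACTIVE_CNAME_TARGETS = {"shop-prod.cdn-provider.example"}

def parse_zone(text):
    """Yield (name, rtype, value) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        yield name.rstrip(".").lower(), rtype.upper(), value.strip()

def stale_records(text, owned, active_targets):
    """Return records that point at infrastructure no longer accounted for."""
    findings = []
    for name, rtype, value in parse_zone(text):
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)
            if not any(addr in net for net in owned):
                findings.append((name, rtype, value, "address outside owned ranges"))
        elif rtype == "CNAME":
            target = value.rstrip(".").lower()
            if target not in active_targets:
                findings.append((name, rtype, target, "target not in active inventory"))
    return findings

if __name__ == "__main__":
    for finding in stale_records(ZONE, OWNED_NETWORKS, ACTIVE_CNAME_TARGETS):
        print(*finding, sep="  ")
```

Records flagged here are candidates for removal or re-verification, not proof of a problem: an address outside your ranges may simply be a hosted service missing from the inventory.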

Certificate Transparency Logs: Subdomains You Forgot

Every time a certificate is issued for your domain — even for a dev server that only existed for two weeks three years ago — it's recorded in public Certificate Transparency (CT) logs. These logs are searchable by anyone, and they never expire.

The result: any subdomain that ever had an SSL/TLS certificate is permanently, publicly discoverable. That old staging server you decommissioned? The dev environment you spun up for a hackathon? The internal tool you set up with a Let's Encrypt certificate? All in the logs, forever.

Search for your domain at crt.sh and see what comes up. If anything there surprises you, an attacker can see it too.

WHOIS Data: Your Organization's Business Card

When a domain is registered, the registrant's information goes into the WHOIS database — a public record of who owns what domain, when it was registered, and how to contact them. For many businesses, this reveals:

Privacy services exist to mask this information, but they cost extra and many businesses don't use them. Even with privacy enabled, registration dates and nameservers are often still visible — and those reveal plenty.

Exposed Ports and Services: The Entry Points

Once an attacker knows your IP ranges and subdomains, they run port scans. This maps what's exposed to the internet — and it's often more than businesses expect.

Common Exposed Services Found During Recon

A single exposed admin panel on a forgotten staging subdomain — with a weak password — has been the root cause of multiple major breaches. It's not glamorous, but it works.

LinkedIn: The Human Attack Surface

People are the softest part of any organization. LinkedIn reveals:

LinkedIn isn't "bad" — it's just public information. Attackers use it to craft convincing phishing emails ("Hey, it's Mike from IT, reset my password") and to identify who has access to what systems.

GitHub: The Code That Left the Building

Public GitHub repositories and commits are one of the most underappreciated sources of exposed credentials and system information. Security researchers routinely find:

GitHub's secret scanning catches some of this, but not all of it. Organizations should assume anything ever committed to a public repo is permanently discoverable — even after deletion.

Have I Been Pwned: Credentials Already Exposed

HaveIBeenPwned.com aggregates data from hundreds of breaches. Searching your corporate domain there shows whether any employee email addresses appear in breach data — and what types of credentials were exposed.

The critical point: most people reuse passwords. If an employee's corporate email appears in a breach with a password, attackers will try that email/password combination on corporate services — VPN, O365, cloud apps. It's called credential stuffing, and it's effective because password reuse is everywhere.

Search your domain at haveibeenpwned.com to see what employee data has already been exposed in third-party breaches. The answer is usually surprising.

Why "Security Through Obscurity" Doesn't Work

Some organizations believe that if something isn't widely known, it's safe. They use obscure internal naming conventions, hide dev servers behind non-standard ports, or assume "no one will think to look there."

This fails because:

The only security that works is security that assumes attackers can see everything public about your organization — and designs its defenses accordingly.

What to Do: Your Quarterly Audit Checklist

Quarterly External Attack Surface Audit

  1. Search CT logs for your domain — Use crt.sh. Identify every subdomain that has ever had a certificate. Check whether any of those subdomains shouldn't be exposed.
  2. Run a port scan on your public IP ranges — Find every open port and service. Identify anything that shouldn't be internet-facing.
  3. Check for exposed admin panels — Search for /admin, /wp-admin, /phpmyadmin, /jenkins, and similar paths on every exposed subdomain.
  4. Search GitHub for your company name — Find public repos, check for accidentally committed secrets, review what internal system details are visible.
  5. Search HaveIBeenPwned for your domain — Identify which employee emails have been exposed and in which breaches.
  6. Audit your DNS records — Remove anything that shouldn't exist. Make sure subdomains pointing to old/decommissioned servers are cleaned up.
  7. Review WHOIS privacy settings — Ensure your registration data is as private as possible, and that only necessary contact info is exposed.
  8. Check LinkedIn job posts — Remove any posts that reveal specific technology platforms, cloud providers, or internal system details you don't want public.
  9. Alert employees about password reuse — Enforce unique passwords for corporate accounts and mandate a password manager.
  10. Set up CT log monitoring — Get alerts when new certificates are issued for your domain, so you know about unexpected subdomains immediately.
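A sketch of checklist steps 1 and 10 together with the Certificate Transparency section above, as an added example that is not part of the original article: it takes records in the shape of crt.sh's JSON output, compares the hostnames with an approved inventory, and reports what is new since the last run. The sample records, the inventory and the function names are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample shaped like crt.sh JSON output; name_value may hold
# several certificate names separated by newlines.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 101, "name_value": "www.example.com\nexample.com",
     "not_after": "2025-04-10T00:00:00"},
    {"id": 102, "name_value": "staging.example.com",
     "not_after": "2022-05-30T00:00:00"},
    {"id": 103, "name_value": "*.dev.example.com\nJenkins.Example.com",
     "not_after": "2025-05-02T00:00:00"},
    {"id": 104, "name_value": "mail.example.org",
     "not_after": "2025-05-02T00:00:00"},
])

def hostnames_from_ct(raw_json, domain):
    """Map each in-scope hostname to the latest not_after seen for it."""
    seen = {}
    for entry in json.loads(raw_json):
        expiry = datetime.fromisoformat(entry["not_after"])
        for name in entry["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if name != domain and not name.endswith("." + domain):
                continue  # ignore names outside the audited domain
            if name not in seen or expiry > seen[name]:
                seen[name] = expiry
    return seen

def audit(raw_json, domain, inventory, previously_seen, now):
    """Compare CT-derived hostnames with the inventory and the last run."""
    seen = hostnames_from_ct(raw_json, domain)
    unknown = set(seen) - inventory  # certificates nobody has accounted for
    return {
        "unknown": sorted(unknown),
        # Names absent from the previous run: the monitoring alert of step 10.
        "new_since_last_run": sorted(set(seen) - previously_seen),
        # Unknown names whose newest certificate is still valid: review first.
        "unknown_with_live_cert": sorted(n for n in unknown if seen[n] > now),
        "wildcards": sorted(n for n in seen if n.startswith("*.")),
    }

if __name__ == "__main__":
    report = audit(SAMPLE_CRTSH_JSON, "example.com",
                   inventory={"example.com", "www.example.com"},
                   previously_seen={"example.com", "www.example.com",
                                    "staging.example.com"},
                   now=datetime(2025, 3, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```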

See Your Full Attack Surface

EdgeIQ's site scanner automatically maps your exposed subdomains, DNS records, and running services — giving you the same view an attacker sees, without needing to run a dozen different tools.

The Bottom Line

Attackers start with public data. They don't port-scan you until they know what you're running. They don't phish your employees until they've built a profile. The recon phase is where they decide if you're worth attacking at all — and most of that recon is just reading public information.

The good news: it's fixable. You can audit your DNS, lock down your CT log exposure, remove exposed admin panels, and clean up your public code footprint. You can't unring the bell on breached credentials — but you can stop those credentials from working by enforcing unique passwords and MFA everywhere.

Do the audit. Know what they see. Close what needs closing.