Find every internet-facing asset you forgot you had
The asset that breaches you is never the one in your inventory.
It’s the staging box someone spun up for a demo in 2023 and never tore down. The S3 bucket a contractor made public to share a file. The subdomain pointing at a load balancer that was deleted last spring. None of it is in your asset spreadsheet, because the whole reason it’s dangerous is that nobody is tracking it.
External attack surface management is the practice of finding those things before someone else does. The hard part has never been the fixing. It’s the finding: the discovery, the correlation, the moment you realize the public IP Shodan is indexing doesn’t match anything in your cloud console. This post is about doing that discovery as a conversation instead of a six-tool scavenger hunt.
The reason this is hard is structural, not lazy. Your asset inventory is a record of decisions you made on purpose: provision this, register that, document it. Your attack surface is the sum of everything reachable from the internet, including the things nobody decided on purpose. Those two sets overlap, but they’re never identical, and the gap between them is precisely the part an attacker probes first. The bigger and older the organization, the wider that gap tends to be, because every team, every acquisition, and every “quick experiment” adds to the surface without always adding to the inventory.
Three places exposure hides
Exposure tends to collect in the same corners. If you know where to look, you can ask for each one directly.
Forgotten cloud resources
Orphaned EC2 instances. Public IPs attached to nothing. Elastic IPs that outlived the instance they were reserved for. Cloud makes it trivial to create infrastructure and just as trivial to forget it, and every forgotten resource is a line item on your attack surface that nobody is patching.
Shadow IT and unmanaged subdomains
A team stands up a tool on a subdomain, ships the project, and moves on. The subdomain stays. So does the marketing landing page on a third-party host, the test environment a vendor set up, the API gateway someone exposed “just for a week.” These rarely show up in a cloud account audit because they often aren’t in your cloud account at all.
Drift
This is the quiet one. Things that were private last quarter and aren’t now. A security group that got widened during an incident and never narrowed back. A bucket policy that loosened during a migration. A 0.0.0.0/0 rule added “temporarily” to debug something at midnight. Drift means a clean audit six months ago tells you nothing about today, which is why a one-time inventory is worth less than a question you can re-ask. Configuration moves in one direction by default, toward more open, because opening something solves an immediate problem and closing it solves a hypothetical one. Nobody gets paged for a port that’s too open until the day they very much do.
Mapping it as a conversation
Here is the part single-tool attack surface scanners can’t do: they see one view. An external scanner knows what’s reachable from the internet but nothing about which account owns it. A cloud config tool knows your declared resources but not whether the wider world can actually reach them. The gap between those two views is exactly where forgotten assets live.
Kikimora connects both views in one thread. Start from the outside, the way an attacker would. Kikimora uses Shodan to see your infrastructure the way the internet sees it, and Shodan is a built-in capability, so there’s no third-party account to set up before you can ask:
What does Shodan know about our public IP ranges?
That comes back as a list of what’s actually visible from the public internet: open ports, service banners, exposed admin panels you didn’t know were reachable. Now correlate it with what you think you own:
Cross-reference that with my AWS and Azure public IPs. Anything Shodan sees that I don’t manage in either cloud?
This is the question that finds the staging box. Anything the internet can see that doesn’t map back to a managed cloud resource is, by definition, something outside your control. The mismatch is the signal: a Shodan hit with no corresponding AWS or Azure resource means either the asset belongs to a cloud account you haven’t connected, or it belongs to nobody who’s still paying attention. Both are worth a hard look, and both are invisible to a scanner that only knows one side of the equation.
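The cross-reference above is a set operation once both views are in hand: every externally observed (IP, port) either maps to a resource a cloud console claims, sits inside an address range you own but no console claims, or lies outside your ranges entirely. The following script is an added example, not Kikimora's code or output; the Shodan-style hits, the managed-IP rows and the owned ranges are constructed sample data, and in practice they would come from your external scan and your AWS/Azure inventories.

```python
import ipaddress

# Constructed sample data, not real scan output. Each row is one service an
# external scanner reports as reachable from the public internet.
EXTERNAL_HITS = [
    {"ip": "203.0.113.10", "port": 443, "product": "nginx"},
    {"ip": "203.0.113.10", "port": 22, "product": "OpenSSH"},
    {"ip": "203.0.113.57", "port": 8080, "product": "Jenkins"},  # the forgotten staging box
    {"ip": "198.51.100.4", "port": 443, "product": "Azure App Service"},
    {"ip": "198.51.100.200", "port": 3389, "product": "Remote Desktop Protocol"},
    {"ip": "192.0.2.9", "port": 443, "product": "nginx"},  # found via DNS, on a host outside our ranges
]

# Public IPs the cloud consoles say we manage: (ip, account, resource). Constructed.
MANAGED = [
    ("203.0.113.10", "aws:prod", "eip-example/i-example"),
    ("198.51.100.4", "azure:web", "pip-frontdoor-example"),
]

# Address ranges allocated to us. A hit inside one of these that no console
# claims is the "belongs to nobody who is still paying attention" case.
OWNED_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]


def correlate(hits, managed, owned_ranges):
    """Sort external hits into managed / unmanaged / outside_ranges buckets."""
    managed_index = {ipaddress.ip_address(ip): (acct, res) for ip, acct, res in managed}
    nets = [ipaddress.ip_network(r) for r in owned_ranges]
    buckets = {"managed": [], "unmanaged": [], "outside_ranges": []}
    for hit in hits:
        addr = ipaddress.ip_address(hit["ip"])
        if addr in managed_index:
            acct, res = managed_index[addr]
            buckets["managed"].append({**hit, "owner": f"{acct}/{res}"})
        elif any(addr in net for net in nets):
            # Ours on paper, nobody's in practice: the asset to look at first.
            buckets["unmanaged"].append(hit)
        else:
            # Not in any range we own: shadow IT on a third-party host, or an
            # account that was never connected.
            buckets["outside_ranges"].append(hit)
    return buckets


def unmanaged_by_host(buckets):
    """Group unmanaged hits per IP so one forgotten box is one line item, not five."""
    by_ip = {}
    for hit in buckets["unmanaged"]:
        by_ip.setdefault(hit["ip"], []).append(f'{hit["port"]}/{hit["product"]}')
    return {ip: sorted(services) for ip, services in by_ip.items()}


if __name__ == "__main__":
    result = correlate(EXTERNAL_HITS, MANAGED, OWNED_RANGES)
    print(f'{len(result["managed"])} hits map to a managed resource')
    for ip, services in unmanaged_by_host(result).items():
        print(f"UNMANAGED {ip}: {', '.join(services)}")
    for hit in result["outside_ranges"]:
        print(f'OUTSIDE OUR RANGES {hit["ip"]}:{hit["port"]} ({hit["product"]})')
```

The third bucket matters as much as the second: a hit outside every range you own is either a cloud account you have not connected or a third-party host someone pointed a subdomain at, and both are exactly the things the inventory never recorded.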
If the built-in Network Scanner is part of your setup, you can also turn the same instinct inward. External tools see what faces the internet; the Network Scanner maps internal networks from the inside, with no VPN or port forwarding, because it runs locally and calls outbound only:
Scan the office subnet and list any host exposing a service we don’t recognize.
Internal exposure is its own category of forgotten asset: the printer with a web admin panel, the lab box someone left running, the internal service that’s one misconfigured firewall rule away from being external. Mapping both sides means a drift event that flips an internal host to public doesn’t catch you blind.
Then chase the DNS layer, where dangling records are a classic subdomain-takeover setup. Kikimora reads Cloudflare zones directly, which is how it catches stale or dangling DNS entries:
Show me Cloudflare DNS records pointing at origins that no longer respond.
A record pointing at a dead origin isn’t just clutter. If that origin was a cloud resource someone else can now re-provision under the same address, it’s a takeover waiting to happen. An attacker registers the abandoned resource, your DNS record happily points traffic at it, and now they’re serving content from your subdomain with a valid certificate. Dangling DNS is one of the most reliable footholds in the book precisely because it hides in plain sight: the record looks fine, it resolves, and nothing about it looks broken until someone hostile claims the other end.
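The check behind that prompt has two distinct failure modes worth telling apart: a CNAME whose target name no longer exists in DNS at all (the takeover setup described above, if the target is on a provider that lets anyone claim an unclaimed name), and a record whose target still resolves but whose origin no longer answers. The script below is an added example, not Kikimora's implementation; the zone records are constructed, and `resolve` and `probe` are stand-ins for a real DNS lookup and HTTP probe so it runs offline.

```python
# Constructed zone export, shaped like the A/CNAME subset a DNS provider returns.
RECORDS = [
    {"name": "www.example.com", "type": "A", "content": "203.0.113.10"},
    {"name": "demo.example.com", "type": "CNAME", "content": "demo-old.webapps.example"},
    {"name": "files.example.com", "type": "CNAME", "content": "legacy-bucket.storage.example"},
    {"name": "api.example.com", "type": "A", "content": "203.0.113.99"},
    {"name": "lb.example.com", "type": "CNAME", "content": "elb-deleted.lb.example"},
    {"name": "example.com", "type": "MX", "content": "mail.example.com"},
]

# Constructed "world state" for the stand-in lookups below.
EXISTING_NAMES = {"legacy-bucket.storage.example"}            # CNAME targets that still resolve
RESPONDING = {"203.0.113.10", "legacy-bucket.storage.example"}  # origins that still answer


def resolve(name):
    """Stand-in for a DNS lookup: True if the target name still exists."""
    return name in EXISTING_NAMES


def probe(origin):
    """Stand-in for an HTTP(S) probe: True if the origin answers at all."""
    return origin in RESPONDING


def classify(record, resolve, probe):
    """Return 'dangling-cname', 'dead-origin', 'ok' or 'skipped' for one record."""
    target = record["content"]
    if record["type"] == "CNAME":
        if not resolve(target):
            # Target name is gone. If the provider hands that name to whoever
            # claims it next, your subdomain follows it.
            return "dangling-cname"
        return "ok" if probe(target) else "dead-origin"
    if record["type"] == "A":
        # A dead IP in a cloud pool can be re-assigned to a stranger's instance.
        return "ok" if probe(target) else "dead-origin"
    return "skipped"  # MX, TXT and friends need different checks


def find_dangling(records, resolve, probe):
    """List (name, type, target, verdict) for every record that is not healthy,
    takeover-grade findings first."""
    order = {"dangling-cname": 0, "dead-origin": 1}
    findings = []
    for record in records:
        verdict = classify(record, resolve, probe)
        if verdict in order:
            findings.append((record["name"], record["type"], record["content"], verdict))
    return sorted(findings, key=lambda f: (order[f[3]], f[0]))


if __name__ == "__main__":
    for name, rtype, target, verdict in find_dangling(RECORDS, resolve, probe):
        print(f"{verdict:15} {rtype:5} {name} -> {target}")
```

Swapping the stand-ins for real lookups is the only change needed to run this against a live zone; keeping them injectable also lets you unit-test the classification without touching the network.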
One honest caveat: discovery is only ever as complete as the data sources you’ve connected. If a forgotten asset lives in a cloud account Kikimora isn’t connected to, or behind a domain registrar it can’t see, it won’t surface. Attack surface mapping narrows the unknown; it doesn’t promise zero unknowns. Connect more of your stack and the blind spots shrink, but treat any “this is everything” claim, from any tool, with the skepticism it deserves.
From a list to a priority
A raw list of exposed assets is a to-do list with no order, and an unordered to-do list is how you end up fixing the harmless thing while the dangerous one waits. The next question is which of these actually matters. Fold in vulnerability data to rank by real risk instead of mere existence. Kikimora pulls from Tenable to cross-reference exposed services with known CVEs:
Of everything exposed, which assets have a known critical vulnerability?
Now the list reorders itself. An exposed service with no known vulnerability is worth noting; an exposed service running something with a public exploit is worth doing tonight. That is the difference between a wall of findings and a plan.
The reason this correlation is powerful is that neither signal means much alone. Exposure without a vulnerability is just a service doing its job. A vulnerability on an asset nobody can reach is a paperwork problem, not an emergency. It’s the intersection, internet-facing and exploitable, that defines real risk, and that intersection is exactly what falls through the cracks when your attack surface tool and your vulnerability scanner are two different products that never talk. One knows what’s reachable; the other knows what’s broken; only together do they know what’s dangerous.
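The intersection logic above, with a tiering scheme attached, as an added example rather than anything Kikimora or Tenable ships: the exposed services would come from the correlation step and the findings from a scanner export, but here both are constructed sample data and the CVE ids are obvious placeholders, not real identifiers.

```python
# Constructed: (ip, port) pairs the external scan says are reachable.
EXPOSED = {
    ("203.0.113.57", 8080),   # staging Jenkins nobody manages
    ("203.0.113.10", 443),
    ("203.0.113.10", 22),     # exposed, but no finding against it
    ("198.51.100.200", 3389),
}

# Constructed scanner findings. CVE ids are placeholders, not real CVEs.
FINDINGS = [
    {"host": "203.0.113.57", "port": 8080, "cve": "CVE-EXAMPLE-1", "cvss": 9.8, "exploit": True},
    {"host": "203.0.113.10", "port": 443, "cve": "CVE-EXAMPLE-2", "cvss": 5.3, "exploit": False},
    {"host": "10.20.0.15", "port": 445, "cve": "CVE-EXAMPLE-3", "cvss": 9.8, "exploit": True},  # internal only
    {"host": "198.51.100.200", "port": 3389, "cve": "CVE-EXAMPLE-4", "cvss": 7.5, "exploit": False},
]


def tier(exposed_now, finding):
    """Rank 1 is 'do it tonight'; rank 5 is 'a paperwork problem, not an emergency'."""
    if not exposed_now:
        return 5, "backlog: vulnerable but not internet-facing"
    if finding is None:
        return 4, "note: exposed, no known vulnerability"
    if finding["exploit"]:
        return 1, "P1: exposed + public exploit"
    if finding["cvss"] >= 9.0:
        return 2, "P2: exposed + critical CVSS"
    return 3, "P3: exposed + vulnerable"


def prioritize(exposed, findings):
    """Join exposure with vulnerability data and return rows ordered by real risk."""
    rows, covered = [], set()
    for f in findings:
        key = (f["host"], f["port"])
        covered.add(key)
        rank, label = tier(key in exposed, f)
        rows.append({"rank": rank, "label": label, "host": f["host"], "port": f["port"],
                     "cve": f["cve"], "cvss": f["cvss"]})
    # Exposed services the scanner has nothing on still deserve a line: they are
    # reachable, and "no known vulnerability" is not the same as "safe".
    for host, port in exposed - covered:
        rank, label = tier(True, None)
        rows.append({"rank": rank, "label": label, "host": host, "port": port, "cve": None, "cvss": 0.0})
    return sorted(rows, key=lambda r: (r["rank"], -r["cvss"], r["host"], r["port"]))


if __name__ == "__main__":
    for r in prioritize(EXPOSED, FINDINGS):
        print(f'{r["label"]:45} {r["host"]}:{r["port"]} {r["cve"] or ""}')
```

The internal-only host with a 9.8 and a public exploit lands at the bottom of this list, which is the point: same vulnerability, different reachability, different answer.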
Keep it from happening again
The trap with attack surface work is treating it as a project: a big audit, a clean report, a sense of completion that lasts until the next thing drifts. The internet doesn’t take a quarter off. New infrastructure goes up daily, DNS changes daily, and last week’s clean map is already stale.
The fix is repeatability, not heroics. Save the discovery prompts and re-run them on a schedule:
Re-run last week’s exposure check and show me only what’s new or changed.
The value isn’t the single perfect audit. It’s that next week’s check is the same sentence, so the work that usually slips never gets a chance to. Once you’ve found something genuinely exposed, the next move is to fix it without breaking what’s supposed to be public, and that’s its own discipline: see how to close a public S3 bucket in three sentences for the remediation side of this.
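"Only what's new or changed" is a diff between two snapshots, and the same diff answers the drift question from earlier: a security-group rule that quietly widened is just a changed value whose new CIDR is broader than the old one. The code below is an added example, not Kikimora's scheduling or diff logic; both snapshot pairs (reachable services and security-group ingress rules) are constructed sample data.

```python
import ipaddress


def diff_snapshots(previous, current):
    """Generic diff of two {key: value} snapshots: what appeared, vanished, or changed."""
    new = sorted(k for k in current if k not in previous)
    removed = sorted(k for k in previous if k not in current)
    changed = sorted((k, previous[k], current[k])
                     for k in current if k in previous and previous[k] != current[k])
    return {"new": new, "removed": removed, "changed": changed}


def widened_rules(diff):
    """Changed rules whose new source CIDR strictly contains the old one:
    drift in the 'more open' direction."""
    out = []
    for key, old, new in diff["changed"]:
        old_net, new_net = ipaddress.ip_network(old), ipaddress.ip_network(new)
        if new_net != old_net and new_net.supernet_of(old_net):
            out.append((key, old, new))
    return out


# Snapshot pair 1 (constructed): reachable services, (ip, port) -> banner.
EXPOSURE_LAST = {
    ("203.0.113.10", 443): "nginx 1.24",
    ("203.0.113.10", 22): "OpenSSH 9.6",
    ("198.51.100.4", 443): "Azure App Service",
    ("198.51.100.77", 443): "old load balancer",
}
EXPOSURE_NOW = {
    ("203.0.113.10", 443): "nginx 1.26",            # banner changed: something was upgraded
    ("203.0.113.10", 22): "OpenSSH 9.6",
    ("203.0.113.57", 8080): "Jenkins 2.4",           # newly reachable
    ("198.51.100.4", 443): "Azure App Service",
    ("198.51.100.4", 80): "Azure App Service",       # a port opened since last week
}

# Snapshot pair 2 (constructed): security-group ingress, (group, port) -> source CIDR.
RULES_LAST = {("sg-web", 443): "0.0.0.0/0", ("sg-web", 22): "10.0.0.0/8", ("sg-db", 5432): "10.0.1.0/24"}
RULES_NOW = {("sg-web", 443): "0.0.0.0/0", ("sg-web", 22): "0.0.0.0/0",   # "temporary" midnight debug rule
             ("sg-db", 5432): "10.0.1.0/24", ("sg-db", 22): "10.0.0.0/8"}


if __name__ == "__main__":
    exposure = diff_snapshots(EXPOSURE_LAST, EXPOSURE_NOW)
    for kind in ("new", "removed"):
        for ip, port in exposure[kind]:
            print(f"{kind.upper():8} {ip}:{port}")
    for (ip, port), old, new in exposure["changed"]:
        print(f"CHANGED  {ip}:{port} {old!r} -> {new!r}")
    for (group, port), old, new in widened_rules(diff_snapshots(RULES_LAST, RULES_NOW)):
        print(f"WIDENED  {group} port {port}: {old} -> {new}")
```

Persisting each week's snapshot is the whole trick: the check that only prints deltas is the one people keep reading, because it stays short no matter how large the estate gets.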
What the spirit watches
In Slavic folklore, the kikimora is the household spirit that keeps watch through the night, noticing what changed while everyone slept. That is the right mental model for your attack surface. The internet never stops looking at your infrastructure, so your inventory can’t be a thing you check once and file away. It has to be something that watches back.
You can map your own attack surface free. The free tier gives you 30 assets and unlimited integrations with no card, and setup takes about five minutes: start with 30 assets, no card. Point it at your public IP ranges and ask what the internet already knows. The answer is usually more than you expected, which is exactly why it’s worth asking.
