Most companies don't know which of their assets are reachable from the internet. Not out of negligence: the exposed surface grows on its own, one subdomain at a time, one deploy at a time. Here's what a typical passive scan surfaces, reconstructed from real cases and anonymised.
01 Passive means passive
First, a technical clarification that matters. HUGIN attacks nothing. It sends no packets to your servers, tries no exploits, makes no noise. It only gathers what is already public: DNS records, certificate transparency logs, open code repositories, internet scan databases.
It's the same information an attacker gathers in the reconnaissance phase, before even touching you. The difference is that we show it to you, and they don't.
02 The domain you thought you knew
You start from the main domain and enumerate. Almost always the number of active subdomains surprises the client. Here's a typical output, reconstructed:
Twenty-four subdomains, of which the client perhaps remembered eight. The rest are the residue of old projects, test environments, suppliers who created a host and never shut it down.
03 The three problems that always surface
The forgotten port
vpn-test.acme-spa.it with port 3389 open means a remote desktop service (RDP) reachable from the internet. It was a test meant to last an afternoon; it's been online for two years. Exposed RDP is one of the most exploited ransomware vectors of all. Cost to close it: five minutes. Cost if someone else finds it first: potentially the company.
The expired certificate
acme-staging.it with a certificate that expired months ago tells you two things. First, that the environment isn't monitored. Second, that it probably runs an old, unpatched version of the application. Forgotten staging environments are a classic side door: less protected than the main site, but often with access to the same data.
The keys in the code
Three API keys found in a public repository on GitHub. It happens when a developer commits a test configuration without noticing. If those keys are still valid, anyone who reads them can use the services they protect. It's the finding that keeps a CISO up at night.
04 Why the snapshot matters
The point of the scan isn't to scare. It's to make visible something that already exists. The attack surface doesn't grow because someone targets you. It grows on its own, like dust, while the team does its job and creates hosts, deploys, integrations.
05 How to close it, in order
Once you have the list, remediation is trivial in form, disciplined in substance:
- Shut down what you don't need. Every live host is a surface. If no one uses it, it should be shut down, not left "just in case".
- Close the management ports. RDP, SSH, admin panels should never be exposed directly. You reach them over VPN, not the open internet.
- Rotate exposed secrets. A key that's gone public is burned. It should be revoked and regenerated, not "kept an eye on".
- Put monitoring in place. The surface changes every week. A single snapshot ages. You need to watch it continuously.
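As an added example (not HUGIN's own code), a small Python script over constructed sample snapshots with hypothetical .example hostnames: it flags the exposed management port and the expired certificate from the findings above, and diffs two snapshots so that a newly appeared host is noticed, which is the monitoring step in practice.

```python
from datetime import date

# Management services the article says should never face the open internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample snapshots (hypothetical ".example" hosts) of what a
# passive pass over DNS, CT logs and scan databases would return:
# observed open ports and the expiry date of the presented certificate.
PREVIOUS = {
    "www.acme-spa.example": {"ports": [443], "cert_expiry": "2026-01-10"},
    "vpn-test.acme-spa.example": {"ports": [443, 3389], "cert_expiry": "2025-09-01"},
}
CURRENT = {
    "www.acme-spa.example": {"ports": [443], "cert_expiry": "2026-01-10"},
    "vpn-test.acme-spa.example": {"ports": [443, 3389], "cert_expiry": "2025-09-01"},
    "acme-staging.example": {"ports": [443], "cert_expiry": "2024-11-30"},
}


def findings(snapshot, today_iso):
    """Flag the two host-level problems from the article: a management port
    reachable from the internet, and a certificate that has already expired
    (a sign the environment is not monitored). Returns (host, reason) pairs."""
    today = date.fromisoformat(today_iso)
    out = []
    for host, info in sorted(snapshot.items()):
        for port in info["ports"]:
            if port in MANAGEMENT_PORTS:
                out.append((host, f"{MANAGEMENT_PORTS[port]} exposed on port {port}"))
        expiry = date.fromisoformat(info["cert_expiry"])
        if expiry < today:
            out.append((host, f"certificate expired {(today - expiry).days} days ago"))
    return out


def diff(previous, current):
    """A single snapshot ages: compare two of them and return the hosts that
    appeared and the hosts that disappeared, so new exposure gets noticed."""
    appeared = sorted(set(current) - set(previous))
    gone = sorted(set(previous) - set(current))
    return appeared, gone


if __name__ == "__main__":
    today = "2025-03-01"  # fixed date so the sample run is reproducible
    for host, reason in findings(CURRENT, today):
        print(f"[!] {host}: {reason}")
    appeared, gone = diff(PREVIOUS, CURRENT)
    print("new since last snapshot:", appeared)
    print("gone since last snapshot:", gone)
```

Feeding it real inventories means replacing the two dictionaries with whatever your passive sources export; the checks and the diff stay the same.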
The last point is why HUGIN exists as a service and not just a demo. The free scan is the first snapshot. The real value is never losing sight of what you expose, while the company keeps growing.