Info | ISO 27001 A.8.9 | CIS Controls: CIS 1

Know and shrink your subdomain attack surface

Every subdomain is another way in. Forgotten staging, admin and legacy hosts are a favourite attacker foothold.

Why it matters

Certificate-transparency logs make your subdomains public. Old or unmaintained hosts often run outdated software or point at services you no longer control — a classic route to takeover.

How to fix it

Inventory your subdomains regularly, decommission what you do not need, and make sure staging and admin hosts are not publicly reachable.
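One way to run that inventory review, as an added example that is not part of the original guide: it compares observed hostnames (for instance from certificate-transparency logs or a zone export) against an approved list and flags unlisted hosts, CNAMEs whose target no longer resolves, and staging or admin names on public addresses. The zone, the approved labels, the name pattern and the sample records are all constructed assumptions.

```python
import ipaddress
import re

ZONE = "example.com"                  # assumption: the domain you own
APPROVED = {"www", "api", "admin"}    # assumption: labels in your asset inventory
# Assumption: naming conventions that mark a host as internal-only.
SENSITIVE = re.compile(r"(^|[.-])(staging|admin|legacy|dev|test)([.-]|$)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: hostname -> (CNAME target or None, resolved IP or None).
# Documentation-range addresses stand in for public IPs.
OBSERVED = {
    "www.example.com": (None, "203.0.113.10"),
    "api.example.com": (None, "203.0.113.11"),
    "admin.example.com": (None, "10.0.4.20"),
    "staging.example.com": (None, "203.0.113.50"),
    "legacy-shop.example.com": ("shop.hosting-provider.example", None),
    "docs.example.com": ("docs.hosting-provider.example", "198.51.100.7"),
}

def is_public(ip):
    """True when the address is outside the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def triage(observed, zone=ZONE, approved=APPROVED):
    """Return {hostname: [issues]} for every host that needs attention."""
    findings = {}
    for host, (cname, ip) in sorted(observed.items()):
        label = host[: -len(zone) - 1]          # strip ".example.com"
        issues = []
        if label not in approved:
            issues.append("not in inventory")
        if cname and ip is None:
            issues.append("dangling CNAME")     # target no longer resolves
        elif cname and not cname.endswith("." + zone):
            issues.append("third-party CNAME: confirm ownership")
        if SENSITIVE.search(label) and ip and is_public(ip):
            issues.append("sensitive name on public address")
        if issues:
            findings[host] = issues
    return findings

if __name__ == "__main__":
    for host, issues in triage(OBSERVED).items():
        print(f"{host}: {'; '.join(issues)}")
```

A public address only shows where DNS points, so confirm actual reachability from outside your network before closing a finding.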


Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.