Info
ISO 27001 A.8.9
CIS Controls CIS 1
Know and shrink your subdomain attack surface
Every subdomain is another way in. Forgotten staging, admin and legacy hosts are a favourite attacker foothold.
Why it matters
Certificate-transparency logs make your subdomains public, so nobody has to guess them. Old or unmaintained hosts often run outdated software, or their DNS records still point at third-party services you no longer control (dangling records), a classic route to subdomain takeover.
How to fix it
Inventory your subdomains regularly, decommission the ones you do not need (including their DNS records), and make sure staging and admin hosts are not publicly reachable.
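One way to run that inventory check, as an added example that is not from the original page: a Python audit over a constructed DNS snapshot that flags names missing from an approved inventory, CNAMEs whose targets no longer resolve (dangling records), and staging/admin-style hosts that are publicly resolvable. The inventory, records, provider names and the canned resolver are all constructed placeholders; in a real run you would pass a function that performs live lookups.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Hypothetical inventory: the subdomains the team knowingly operates.
APPROVED = {"www.example.com", "api.example.com", "mail.example.com"}

# Constructed DNS snapshot (name -> (record type, target)), as you might export
# from your DNS provider or assemble from certificate-transparency results.
DNS_SNAPSHOT: Dict[str, Tuple[str, str]] = {
    "www.example.com": ("A", "203.0.113.10"),
    "api.example.com": ("A", "203.0.113.11"),
    "mail.example.com": ("A", "203.0.113.12"),
    "staging.example.com": ("A", "203.0.113.20"),
    "old-shop.example.com": ("CNAME", "shop-legacy.saas-provider.test"),
    "docs.example.com": ("CNAME", "team.pages.hosting-provider.test"),
}

# Constructed answers for "does this CNAME target still resolve?". Canned so the
# example runs offline; replace with a live DNS lookup in practice.
_CANNED = {"shop-legacy.saas-provider.test": False,   # provider account was closed
           "team.pages.hosting-provider.test": True}

def canned_resolves(target: str) -> bool:
    return _CANNED.get(target, False)

# Hostname labels that usually mean "should not be on the public internet".
SENSITIVE_LABELS = ("staging", "stage", "dev", "test", "admin", "internal", "old", "legacy")

@dataclass
class Findings:
    unknown: List[str] = field(default_factory=list)               # not in the approved inventory
    dangling: List[Tuple[str, str]] = field(default_factory=list)  # CNAME to a target that is gone
    sensitive_public: List[str] = field(default_factory=list)      # staging/admin-style names

def audit(snapshot: Dict[str, Tuple[str, str]], approved: set,
          resolves: Callable[[str], bool] = canned_resolves) -> Findings:
    f = Findings()
    for name, (rtype, target) in sorted(snapshot.items()):
        if name not in approved:
            f.unknown.append(name)
        # A CNAME whose target no longer answers is the classic takeover precondition.
        if rtype == "CNAME" and not resolves(target):
            f.dangling.append((name, target))
        first = name.split(".")[0]
        if any(first == s or first.startswith(s + "-") for s in SENSITIVE_LABELS):
            f.sensitive_public.append(name)
    return f

if __name__ == "__main__":
    result = audit(DNS_SNAPSHOT, APPROVED)
    for category in ("unknown", "dangling", "sensitive_public"):
        print(f"{category}: {getattr(result, category)}")
```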
Is your domain affected?
Prove ownership and run a scan for a graded, verifiable report.
Related guides
- Set up SPF, DKIM and DMARC to stop email spoofing
- Add the HTTP security headers every site should send
- Fix TLS: valid certificate and modern protocols only
- Remove exposed .git, .env and backup files
Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.