
Stories From the Bleeding Edge of Cybersecurity and Marketing

How many sites did I find out I could hack yesterday? – 4/3/25

It is time to play "how many sites did Scott find out he could hack in a couple of hours or less" again.

Answer:

How Many Companies Did I Find Vulnerable in Just a Few Hours?
Five — including one you absolutely know (a household name in the printer space).
Six if you count the recruiting platform with expired certs — surprisingly, they had better security than a casino, two SaaS products, and an AI marketing company.
I didn’t scan. I didn’t brute force. I didn’t touch the keyboard on their systems.
I just used public metadata, OSINT tools, and real-world GRC knowledge.
I am generally surprised that a recruiting site has a better security posture than: an eCommerce company (you will see the report I sent with redactions), a marketing-site SaaS product using AI, a casino, another SaaS product re-seller, and a massive company whose name I will not mention.

Let us get into the meat of one of them below:

Passive Recon Snapshot: EcommerceTargetCo.com (redacted)
– 3 exposed hosts
– Remote access ports open (SSH, DB)
– Dev interfaces exposed
– No IP restrictions, no obfuscation, no MFA

Recon Overview
This passive reconnaissance snapshot was conducted for educational and professional demonstration purposes only. No scanning, probing, or authentication attempts were made. Using open-source tools and public metadata, three cloud-hosted systems were identified with potentially exposed services relevant to remote access, development activity, and database exposure.
Tools Used
– passive OSINT only
– No active scanning or enumeration performed
Target Scope
– Domain: TargetCo.com (public-facing corporate site)
– Infra Locations: Multiple cloud providers in North America and Asia
Key Findings
| Host | Provider Region | Exposed Services |
| --- | --- | --- |
| Host A | Cloud Region 1 | SSH (22), HTTP (80), PostgreSQL (5432), Port 8000 |
| Host B | Cloud Region 2 | 28 high-range ports; common with dev/test infra and C2 patterns |
| Host C | Cloud Region 1 | Matches Host A; likely load-balanced or redundant node |
Business Logic Risk
Exposing remote access and database ports to the public internet – especially on development hosts – introduces risks such as:
– Credential spraying / SSH brute force
– Unauthenticated access to debug panels
Common tongue translation:
Business Logic Risk
Exposing sensitive interfaces to the public internet — especially in development environments — creates real business risk:
– Brute force attacks
– Unauthorized access to dev panels
– Spray attacks from botnets or threat actors using free tools like Censys or Shodan

Bigger Threat:
– Recon by threat actors using the same OSINT tools escalating into actual attacks
Without MFA, IP filtering, or obfuscation, these hosts are vulnerable to commodity scanners and botnets.
GRC Mapping & Compliance Insight:
The risks uncovered in this passive recon exercise intersect with key governance, risk, and compliance (GRC) domains:
– Governance: Indicates missing or unenforced policies on remote access, development exposure, and multi-cloud security architecture.
– Risk: Direct exposure to brute force, credential reuse, and potential data leakage or unauthorized access to dev/test systems.
– Compliance: Multiple control failures across NIST 800-53, ISO 27001, PCI DSS, and CMMC frameworks.
This exposure would impact regulatory posture, increase audit friction, and potentially delay compliance-driven sales (e.g., DoD contracts, PCI merchant levels, or B2B partnerships requiring ISO/SOC2 compliance).
GRC Mapping (translated for ease of reading):
– Governance Failure: No access policy enforcement
– Risk Mismanagement: Exposure without compensating controls
– Compliance Impact: Violates NIST 800-53, ISO 27001, PCI DSS, and CMMC
These findings would impact audits, delay contracts, and put data at risk.
Recommendations
– Implement IP-allow listing for remote services
– Review unused open ports and shut down unnecessary services
– Consider obscuring metadata on public-facing systems
– Monitor external exposure using tools like Censys or Shodan continuously
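To make the Key Findings, the Business Logic Risk section and the recommendations above concrete, here is an added Python example (my own illustration, not code from the report or from Censys or Shodan). It takes an inventory shaped like the redacted table, rates each exposed service with credit for the compensating controls the report says are missing (IP allow-listing, MFA), spots the Host A / Host C redundancy, and diffs two snapshots so a newly exposed port stands out, which is what "monitor external exposure continuously" means in practice. The hosts, port categories, severity rules and thresholds are all constructed assumptions for the example; nothing is looked up live.

```python
"""Exposure triage over passive-recon snapshots.

Added example, not code from the post or from any tool it names. The
inventory below is constructed to mirror the redacted Key Findings table;
nothing is looked up live, and the port categories and severity rules are
this example's assumptions, not a published standard.
"""
from collections import Counter
from dataclasses import dataclass
from itertools import combinations

# Port categories the report singles out (assumed mapping; extend as needed).
SENSITIVE_PORTS = {
    22: "remote-access", 3389: "remote-access",
    5432: "database", 3306: "database", 27017: "database",
    8000: "dev-interface", 8080: "dev-interface", 5000: "dev-interface",
}
PUBLIC_OK = {80, 443}            # expected on a public-facing corporate site
HIGH_RANGE_FLOOR = 10000         # "high-range" ports as used in the table
DEV_FOOTPRINT_THRESHOLD = 10     # many high-range listeners => dev/test pattern


@dataclass
class Host:
    name: str
    region: str
    open_ports: set[int]
    ip_allow_listed: bool = False   # compensating control: source-IP filtering
    mfa_enforced: bool = False      # compensating control: MFA on remote access


def classify(port: int) -> str:
    if port in PUBLIC_OK:
        return "public-web"
    if port in SENSITIVE_PORTS:
        return SENSITIVE_PORTS[port]
    return "high-range" if port >= HIGH_RANGE_FLOOR else "other"


def severity(category: str, host: Host) -> str:
    """Rate one exposed service, crediting the compensating controls the
    post says are missing (IP filtering, MFA)."""
    if category == "remote-access":
        controls = host.ip_allow_listed + host.mfa_enforced   # 0, 1 or 2
        return ("high", "medium", "low")[controls]
    if category == "database":
        return "low" if host.ip_allow_listed else "critical"
    if category == "dev-interface":
        return "low" if host.ip_allow_listed else "high"
    if category == "high-range":
        return "medium"
    return "info"


def triage(host: Host) -> list[tuple[int, str, str]]:
    """(port, category, severity) for every non-web listener on the host."""
    out = []
    for port in sorted(host.open_ports):
        cat = classify(port)
        if cat != "public-web":
            out.append((port, cat, severity(cat, host)))
    return out


def dev_footprint(host: Host) -> bool:
    """Host B's pattern: a large block of high-range listeners."""
    high = sum(classify(p) == "high-range" for p in host.open_ports)
    return high >= DEV_FOOTPRINT_THRESHOLD


def redundant_nodes(hosts: list[Host]) -> list[tuple[str, str]]:
    """Hosts with identical service sets (the Host A / Host C observation)."""
    return [(a.name, b.name) for a, b in combinations(hosts, 2)
            if a.open_ports == b.open_ports]


def drift(previous: list[Host], current: list[Host]) -> list[tuple[str, int]]:
    """Newly exposed (host, port) pairs: the continuous-monitoring check."""
    prev = {(h.name, p) for h in previous for p in h.open_ports}
    cur = {(h.name, p) for h in current for p in h.open_ports}
    return sorted(cur - prev)


def severity_counts(hosts: list[Host]) -> dict[str, int]:
    """Roll-up used to show the before/after effect of the recommendations."""
    return dict(Counter(sev for h in hosts for _, _, sev in triage(h)))


# Constructed snapshot mirroring the redacted table (not real hosts).
BASELINE = [
    Host("Host A", "Cloud Region 1", {22, 80, 5432, 8000}),
    Host("Host B", "Cloud Region 2", set(range(31000, 31028))),   # 28 high-range
    Host("Host C", "Cloud Region 1", {22, 80, 5432, 8000}),
]
# Same hosts after "IP-allow listing for remote services" plus MFA.
REMEDIATED = [
    Host(h.name, h.region, set(h.open_ports), ip_allow_listed=True, mfa_enforced=True)
    for h in BASELINE
]

if __name__ == "__main__":
    for h in BASELINE:
        print(h.name, triage(h), "dev/test footprint" if dev_footprint(h) else "")
    print("redundant:", redundant_nodes(BASELINE))
    print("before:", severity_counts(BASELINE), "after:", severity_counts(REMEDIATED))
    later = [Host("Host B", "Cloud Region 2", set(range(31000, 31028)) | {3389})]
    print("new exposure:", drift(BASELINE[1:2], later))
```

Run it as-is to see the three hosts triaged, then swap `BASELINE` for a fresh export from whatever external-exposure tool you use and schedule it; the interesting output is the `drift` list, because a port that was not there last week is exactly the signal a security team should see before an outsider does.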
Your Q and A (I am just going to read your mind here, okay?):
So Why Did I Find This Before Their Security Teams?
Because I’m purple team.
I don’t wait for logs. I don’t hope an alert will catch it.
I hunt, and then I map the risk to frameworks and dollars.
This is the kind of work a GRC officer, pentester, and VCISO does.
And yes — it saves companies from lawsuits, fines, and customer churn.
What’s a report like this worth?
Anywhere from $1K–$3K per company, depending on scope and industry.
Can I do this for your business? Yes.
Contact me here (comment below) or drop a message on LinkedIn (linkedin.com).
