Cyber Threat Surface Overview | Grey Team Foundation – Cybersecurity Assessments
C.V.I.P²-A Framework | Module C

Cyber Threat Surface Overview

The first step in the C.V.I.P²-A framework. We identify every externally visible system tied to your organization, from domains and IP addresses to cloud services and forgotten infrastructure, giving you a complete map of your internet-facing exposure before an attacker finds it first.

What Is a Cyber Threat Surface Overview?

Every organization has a digital footprint, whether you realize it or not. Your website, email servers, cloud storage, remote access tools, third-party integrations, and payment processing systems are all visible from the internet. Together, these make up your external attack surface: the collection of entry points that an attacker can see and potentially exploit from outside your network.

The Cyber Threat Surface Overview is an external reconnaissance engagement designed to discover and catalog all of these assets. We scan your domains, IP ranges, and cloud environments to build a comprehensive inventory of everything that's exposed, including the systems your own IT team may not know about.

30% more external assets exist than most organizations have documented internally. These are forgotten test servers, legacy subdomains still pointing to live infrastructure, misconfigured cloud storage buckets, unauthorized SaaS applications, and remote access tools deployed without IT oversight.

76% of organizations have experienced attacks that originated from assets they didn't even know were exposed. These aren't sophisticated zero-day exploits. They're attackers walking through doors that were left open: unmonitored subdomains, forgotten cloud instances, and unpatched services that nobody on the team knew existed in the first place.

"You cannot protect what you cannot see. The Cyber Threat Surface Overview gives your organization baseline visibility, the foundation that everything else in a security program is built on."

What We Look For

During the Cyber Threat Surface Overview, our team identifies and catalogs the following categories of externally visible assets. These are the same types of information that real threat actors gather during the reconnaissance phase of an attack, except we find them first and help you close the gaps.

  • Domains and subdomains. We enumerate all domains, subdomains, and DNS records tied to your organization. This includes forgotten test environments, development servers, staging sites, and legacy entries that may still resolve to live infrastructure.
  • External IP addresses and open ports. A complete scan of your internet-facing IP space to identify live hosts, open ports, running services, and technology stack fingerprints visible from the outside.
  • Cloud resources and shadow IT. Discovery of misconfigured storage buckets, exposed APIs, and cloud services across AWS, Azure, GCP, and other platforms, especially those provisioned outside of IT's knowledge or approval.
  • Remote access points. VPN endpoints, RDP services, SSH access, and any other remote connectivity tools that are accessible from the internet and could serve as direct entry points into your network.
  • Third-party SaaS integrations. Payment processors, CRM platforms, email marketing services, analytics tools, and any other external applications connected to your infrastructure that could become supply chain attack vectors.
  • Email security configuration. Analysis of your SPF, DKIM, and DMARC records to determine whether your email infrastructure is vulnerable to spoofing, phishing impersonation, or business email compromise.
  • Credential exposure monitoring. We check public breach databases and known data dumps for any leaked login credentials associated with your organization's domains.
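
As an added illustration of the email security configuration check (not Grey Team Foundation's tooling), the Python sketch below classifies spoofing exposure from SPF and DMARC TXT record strings that have already been retrieved. The function names and all sample records are assumptions constructed for this example; DKIM is left out because checking a key requires knowing the sender's selector name.

```python
SPF_ALL = {"+": "SPF: +all authorizes any sender",
           "?": "SPF: ?all is neutral, unlisted senders are not rejected",
           "~": "SPF: ~all is softfail, rejection depends on DMARC enforcement"}
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")

def spf_findings(apex_txt):
    """Findings for the TXT records at the domain apex."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["SPF: no record published" if not spf
                else "SPF: multiple records, evaluation returns permerror"]
    terms = spf[0].lower().split()[1:]
    findings = []
    # Top-level count only; nested includes add more toward the limit of 10.
    lookups = sum(t.lstrip("+-~?").split(":")[0].split("/")[0] in LOOKUP_MECHS
                  or t.startswith("redirect=") for t in terms)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the limit of 10")
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if all_terms:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier in SPF_ALL:
            findings.append(SPF_ALL[qualifier])
    elif not any(t.startswith("redirect=") for t in terms):
        findings.append("SPF: no 'all' mechanism, unlisted senders get neutral")
    return findings

def dmarc_findings(dmarc_txt):
    """Findings for the TXT records at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["DMARC: no single valid record, no policy is applied"]
    tags = {k.strip().lower(): v.strip().lower() for k, v in
            (p.split("=", 1) for p in recs[0].split(";") if "=" in p)}
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={tags.get('p')} does not block failing mail")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} enforces policy on only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, aggregate reports are not collected")
    return findings

def assess(apex_txt, dmarc_txt):
    return spf_findings(apex_txt) + dmarc_findings(dmarc_txt)

# Constructed sample records (not taken from any real domain).
WEAK = (["v=spf1 include:_spf.mail.example +all"], ["v=DMARC1; p=none"])
HARDENED = (["v=spf1 ip4:192.0.2.0/24 -all"], ["v=DMARC1; p=reject; rua=mailto:d@example.com"])
```

Calling `assess(*WEAK)` returns three findings, while `assess(*HARDENED)` returns an empty list.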

How the Assessment Works

The engagement follows a structured methodology that combines automated scanning tools with manual intelligence gathering. We use the same reconnaissance techniques that real-world attackers rely on: passive information collection, active discovery, and risk analysis. The difference is that we do it on your behalf, with your authorization, to strengthen your defenses.

01. Passive Reconnaissance

We start by gathering publicly available information about your digital presence without touching your systems. This includes DNS records, WHOIS data, certificate transparency logs, public archives, and search engine indexing. This phase reveals how much an attacker can learn about you without sending a single packet to your network.

02. Active Discovery

With authorization, we perform targeted scans of your domain space and IP ranges to identify live hosts, open ports, running services, and the technologies powering your external-facing systems. This is where shadow IT surfaces: the cloud instances, test servers, and third-party services that aren't in your asset inventory.

03. Risk Analysis and Scoring

Each discovered asset is evaluated for exposure risk using CVSS (Common Vulnerability Scoring System) methodology. We separate genuine threats from known, acceptable exposures so your team isn't overwhelmed with noise. Instead, you receive a clear, prioritized picture of what actually needs attention.

04. Reporting and Roadmap Delivery

You receive a comprehensive external asset inventory with risk highlights, built for two audiences: a non-technical executive summary for leadership that explains what's exposed and why it matters, and a detailed technical reference your IT team can act on immediately. We also include a recommended path forward within the C.V.I.P²-A framework based on what we found.

Why This Is the First Step

The Cyber Threat Surface Overview is intentionally positioned as Module C, the first module in the C.V.I.P²-A framework, because everything else depends on knowing what you have. You can't run a meaningful Vulnerability Assessment if you don't know which systems to scan. You can't build an effective threat intelligence program if you don't know what assets are exposed. And you certainly can't prepare for a penetration test if you haven't mapped the terrain first.

This is also why we price it as a flat-rate $1,500 engagement regardless of company size. Whether you're a single-location dental office or a multi-state financial institution, establishing baseline visibility into your attack surface is the foundational first step. We keep the barrier to entry low because every organization deserves to understand its exposure.

Who Should Get This Assessment

Any organization that depends on technology to operate, and that includes virtually every business today. This assessment is especially critical for organizations in regulated industries where compliance frameworks explicitly require understanding your external risk environment:

  • Healthcare organizations. HIPAA's Security Rule requires a comprehensive risk assessment. Patient portals, EHR systems, telehealth platforms, and connected medical devices all expand your attack surface well beyond the office walls.
  • Restaurants, retail, and hospitality. PCI DSS v4.0 mandates understanding your cardholder data environment boundaries. POS systems, online ordering platforms, loyalty programs, and guest Wi-Fi networks all create exposure.
  • Banks, credit unions, and financial services. GLBA, NYDFS 23 NYCRR 500, and SOX all require documented cybersecurity programs. Regulators are increasingly asking for evidence of external attack surface management.
  • Law firms and professional services. Client confidentiality obligations under state bar ethics rules make law firms high-value targets. Case management systems, document portals, and email archives represent concentrated sensitive data.
  • Manufacturing and supply chain. Operational technology, vendor portals, and partner integrations create external exposure that traditional IT security programs often overlook entirely.
