Skip to main content
Success
[PRO SERVICES / SECURITY & GOVERNANCE]

Public Data
Exposure Audit

A growing cloud and SaaS estate accumulates forgotten sites, shared links, public storage and credentials in old code. We identify what an outsider can reach and give the security owner a ranked remediation plan.

Find it before they do

23.8m

SECRETS LEAKED ON GITHUB IN 2024

£3.29m

AVERAGE UK BREACH COST

158 days

AVERAGE TIME TO SPOT A BREACH

Sources: GitGuardian State of Secrets Sprawl 2025. IBM Cost of a Data Breach 2025.

[THE OPERATING PROBLEM]

Exposed data is often found through automated scans

The Hollywood version of a breach involves a hooded teenager and a green terminal. The boring version is a bot that scans every IPv4 address every few hours, walks past the front door, and finds the back gate nobody knew was open.

In 2024 alone, a single extortion campaign harvested keys from exposed .env files across 110,000 domains. The attackers didn't break anything; they typed the URL.

An audit asks the question your team forgot to: what does the internet already know about you?

WHAT YOU THINK IS PRIVATE

  • Internal admin panels
  • Staging and dev environments
  • API keys, database passwords
  • Customer files in cloud storage
  • Internal Notion, Trello, Drive
  • Old microsites you forgot about

WHAT'S PUBLIC

  • Anything Shodan or Censys can see
  • Anything subdomain bots can guess
  • Anything ever pushed to a public repo
  • Anything in a misconfigured bucket
  • Anything shared with "anyone with the link"
  • Anything sitting on a dangling DNS record
[WHAT WE LOOK FOR]

Where exposed data usually turns up

The audit follows the public footprint across domains, cloud services, code, documents and third parties. The scope is based on the assets and data connected to your company.

01

Secrets in code

AWS keys, Stripe secrets, OpenAI tokens in public repos, in old commits, in Docker images on Hub. GitGuardian says 70% of secrets leaked in 2022 still work today. Force-pushing doesn't help.

02

Open buckets and disks

S3, Azure Blob, GCS containers set to "Public" by a developer in a hurry, then forgotten. Old backups served by Apache. .git/ and .env directories one URL away.

03

Databases on the open internet

MongoDB, Elasticsearch, Redis or Postgres bound to 0.0.0.0 with no firewall. Supabase with Row Level Security turned off, so the anon key reads every row.

04

SaaS oversharing

"Anyone with the link" Notion pages, Trello boards, Google Docs and Drive folders. Public Slack invites. Shared ChatGPT chats that Google indexed before OpenAI pulled the feature in August 2025.

05

Dead estate, live risk

Forgotten dev sites, retired microsites still answering DNS, subdomains pointing at a CDN nobody owns any more. SubdoMailing hijacked 8,000 trusted domains this way in 2024.

[HOW WE WORK]

What the review gives you

We assess the public surface without credentials or internal assumptions. Confirmed findings include evidence, severity, ownership and a practical remediation route.

The scope, test boundaries, reporting route and urgent-notification process are agreed before the audit begins.

BOOK AN AUDIT
01

Map the attack surface

Domains, subdomains, IPs, certificates, cloud accounts you've forgotten. Shodan, Censys, amass, the Wayback Machine. We tell you what's yours before we tell you what's broken.

02

Hunt the leaks

Public repos, Docker Hub, pastebins, ChatGPT shares, the dark web for staff credentials, exposed SaaS pages. TruffleHog and GitLeaks on the code side, HaveIBeenPwned on the human side. We tell you which keys still work.

03

Triage and fix the urgent things

A prioritised report based on blast radius and likelihood. Then we rotate the live secrets, close the open buckets, lock the databases and pull the SaaS pages with you on the same day.

04

Leave you something to run

A short closing checklist for your team. Optional monitoring so you get an alert the next time a key hits GitHub or a new subdomain wakes up. Re-audit quarterly if you want it on a calendar.

[PUBLISHED EXAMPLES]

Recent exposure incidents

None of these involved hacking. All of them involved data the company didn't realise was on the public internet.

OCT 2025 / £14M

Capita

The ICO fined Capita £14m for the March 2023 cyber attack. A malicious file landed on an employee laptop, the device wasn't quarantined for 58 hours, and the attackers walked out with personal data on 6.6 million people.

DEC 2025 / REPRIMAND

Post Office

The ICO reprimanded the Post Office after an unredacted legal document listing 502 postmasters' addresses sat on its own website for nearly two months. The regulator had considered a £1m fine.

AUG 2024 / 110K SITES

The .env extortion sweep

Unit 42 documented a campaign that scraped exposed .env files across 110,000 domains and walked away with 90,000 secrets, including 1,185 AWS keys and 333 PayPal OAuth tokens.

Sources: ICO, Palo Alto Unit 42, GitGuardian, BleepingComputer, The Register.

[THE REGULATOR]

Reporting and notification duties

Under UK GDPR, the ICO can fine you up to £17.5m or 4% of global turnover, whichever is higher. The clock starts the moment you become aware of a breach: you have 72 hours to notify.

In the first half of 2025 the ICO issued £5.6m in fines across six cases. That's already double the whole of 2024. The trend is up and to the right.

An audit gives you the answer to "what's exposed?" before a regulator, a journalist or a researcher asks you.

£17.5m

Maximum UK GDPR fine, or 4% of global turnover. ICO fining guidance.

72hrs

To notify the ICO once you're aware a breach is likely to risk individuals' rights.

£14m

Capita, October 2025. Cause: a 58-hour delay quarantining a compromised employee device.

£750k

PSNI, 2024. Cause: a staff spreadsheet posted to a public FOI portal.

[A USEFUL FIRST CONVERSATION]

When this is worth discussing

We work best when there is a real operating problem, enough volume to measure and people from the affected teams who can make decisions.

Usually a good fit

  • An established UK business, usually with annual revenue above £10m
  • A repeated process with a known cost, delay, error rate or capacity problem
  • A senior sponsor and a day-to-day owner who understand the work
  • Access to the relevant staff, systems, sample records and security requirements

We may point you elsewhere

  • A standard product already covers the process well
  • The requirement is a one-off small build with no wider operating case
  • There is no owner or access to the people and data needed to test the result
  • The plan relies on AI making high-impact decisions with nobody responsible for review
[QUESTIONS]

Questions from IT, legal and compliance

Q.01

Isn't this just a pen test?

They answer different questions. A penetration test attacks a defined target. This audit maps the public assets and data associated with the company, including items the security team may not know about. The right order depends on your current asset inventory and testing programme.

Q.02

We're a small company. Are we really a target?

Automated scanners test large numbers of domains rather than selecting companies by reputation. The Unit 42 research covered 110,000 domains in one sweep, so a company can be exposed without being individually targeted.

Q.03

What do you need from us?

For the audit, almost nothing. Your domain and a short list of brands or trading names. We work the outside, no credentials. To act on the findings we'll need someone with the keys to your DNS, cloud and code, but that's after you've seen the report.

Q.04

Is this legal? Don't you need permission to scan things?

We work from public data and sources designed to be queried: Shodan, Censys, GitHub search, the Wayback Machine, HaveIBeenPwned. We don't exploit, we don't break things, we don't log in. If a finding needs a confirmation that crosses a line, we ask you first, in writing.

Q.05

How long does it take?

The timetable depends on the number of domains, cloud accounts and public products in scope. We agree the coverage before testing and report any live high-risk exposure as soon as it is confirmed rather than waiting for the final report.

Q.06

What about Cyber Essentials and our ISO?

Cyber Essentials covers what you said you have. The audit covers what you've got. The findings map cleanly to the NCSC's External Attack Surface Management guidance and to the boundary firewalls and secure configuration controls in Cyber Essentials v3.2. Useful evidence for an ISO 27001 audit too.

Q.07

What if you find something serious?

A confirmed live exposure is reported immediately so your owner can rotate credentials, restrict access or remove the material. We preserve the evidence and help scope what may have been accessed. Your privacy and legal owners decide whether the ICO, customers or other parties must be notified.

Q.08

How much?

The standard audit is fixed-fee. Remediation is priced against the findings once you have seen the report, and ongoing monitoring is quoted separately with its coverage and response terms.

Vu Agency security audit session

Book a public data exposure audit

Give us the company domains, public products and known cloud estate. We will define the external surface, reporting route and immediate escalation process before testing begins.

Instant AI Chat Message us on WhatsApp