Public Data Exposure Audit
Most breaches don't start with hacking. They start with something your team accidentally made public: a key in a commit, a bucket left open, a database bound to the wrong IP, a Notion page anyone with the link can read. We find yours before someone else does it for free.
23.8m: secrets leaked on GitHub in 2024
£3.29m: average UK breach cost
158 days: average time to spot a breach
Sources: GitGuardian State of Secrets Sprawl 2025. IBM Cost of a Data Breach 2025.
You're not getting hacked. You're being indexed.
The Hollywood version of a breach involves a hooded teenager and a green terminal. The boring version is a bot that scans every IPv4 address every few hours, walks past the front door, and finds the back gate nobody knew was open.
In 2024 alone, a single extortion campaign harvested keys from exposed .env files across 110,000 domains. The attackers didn't break anything; they typed the URL.
An audit asks the question your team forgot to: what does the internet already know about you?
WHAT YOU THINK IS PRIVATE
- Internal admin panels
- Staging and dev environments
- API keys, database passwords
- Customer files in cloud storage
- Internal Notion, Trello, Drive
- Old microsites you forgot about
WHAT'S ACTUALLY PUBLIC
- Anything Shodan or Censys can see
- Anything subdomain bots can guess
- Anything ever pushed to a public repo
- Anything in a misconfigured bucket
- Anything shared with "anyone with the link"
- Anything sitting on a dangling DNS record
Five places your data is already showing.
We've run this audit for SaaS companies, agencies, recruiters, financial services and manufacturers. The patterns repeat. The danger is the part nobody was watching.
Secrets in code
AWS keys, Stripe secrets and OpenAI tokens in public repos, in old commits, in Docker images on Hub. GitGuardian's 2025 report found that 70% of the secrets leaked in 2022 were still valid. Force-pushing over the commit doesn't help: the scrapers already have it, forks and caches keep it, and the only fix is rotation.
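The first thing to do with a suspect commit is scan it, and the second is find out whether what it holds still works. The block below is an added illustration, not the page's or GitGuardian's tooling: a small scanner for the vendors' published fixed-prefix key formats plus an entropy rule for prefix-less values such as AWS secret keys and database passwords, run over a constructed fake "set env vars" commit, with a liveness check that asks STS who a key belongs to. The AWS pair in the sample is the placeholder from AWS's own documentation and the Stripe value is zero-filled, so nothing in it is a real credential; `boto3` is assumed installed only for the liveness check.

```python
"""Secret-format scanner with an AWS liveness check.

Added example, not the page's or any vendor's tooling. PATTERNS are the vendors'
published key formats; the high-entropy rule catches prefix-less values. SAMPLE is
constructed: the AWS pair is AWS's documentation placeholder, the Stripe value is
zero-filled.
"""
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{20,}\b"),
}

# NAME=value or name: "value" where the name looks secret-bearing and the value is long.
ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|password|passwd|token|api_?key)[A-Za-z0-9_]*\s*[=:]\s*['"]?([^\s'"]{12,})"""
)

def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 scores about 5 to 6, prose about 4, a run of zeros 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan(text: str):
    """Return [(line_no, kind, value)] for each candidate secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((lineno, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            already = any(f[2] == value for f in findings if f[0] == lineno)
            if not already and shannon_entropy(value) > 3.5:
                findings.append((lineno, "high_entropy_assignment", value))
    return findings

def aws_key_is_live(access_key_id: str, secret_access_key: str) -> bool:
    """Does the pair still authenticate? sts:GetCallerIdentity needs no IAM permission,
    cannot be denied by policy, and leaves a CloudTrail entry the owner can see.
    Needs boto3 and network; only run it against keys the owner has asked you to test.
    Not exercised by the offline sample below."""
    import boto3  # assumed installed; scan() does not need it
    from botocore.exceptions import ClientError
    sts = boto3.client("sts", aws_access_key_id=access_key_id,
                       aws_secret_access_key=secret_access_key, region_name="us-east-1")
    try:
        sts.get_caller_identity()
    except ClientError:
        return False
    return True

SAMPLE = """\
# constructed sample: the contents of an old "set env vars" commit
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
STRIPE_SECRET_KEY=sk_live_0000000000000000000000000000
LOG_LEVEL=debug
"""

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE):
        print(f"line {lineno}: {kind}: {value[:8]}...")
```

On the sample this reports the AWS access key ID by prefix, the AWS secret key by entropy, and the Stripe key by prefix; `LOG_LEVEL` and the zero-filled value are ignored. Real scanners such as TruffleHog and GitLeaks carry hundreds of patterns and walk every reachable commit, including ones a force-push tried to bury; the point here is only that detection and liveness are two separate questions.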
Open buckets and disks
S3 buckets, Azure Blob containers and GCS buckets set to public by a developer in a hurry, then forgotten. Old backups served by Apache. A .git/ directory or .env file one URL away.
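What "one URL away" looks like in practice, as an added illustration rather than the page's own tooling: a prober that requests the usual paths and fingerprints the body, because a 200 on its own proves nothing (many sites answer 200 with the app shell for any path). `classify()` is pure and is exercised on constructed responses; `probe()` does the HTTP and assumes you are authorised to test the host. Paths and labels are this example's own choices.

```python
"""Fingerprint exposed .git/, .env, backup archives and public bucket listings.

Added example, not the page's tooling. classify() is pure; probe() does the HTTP
and assumes authorisation to test the host. Responses in the tests are constructed.
"""
import re
import urllib.error
import urllib.request

# Azure needs /?restype=container&comp=list for a listing; S3 and GCS list on "/".
PATHS = ["/.env", "/.git/HEAD", "/.git/config", "/backup.zip", "/"]

GIT_HEAD = re.compile(r"(ref: refs/\S+|[0-9a-f]{40})")

def classify(path: str, status: int, body: bytes):
    """Return a finding label for (path, status, body), or None if it is not an exposure."""
    if status != 200:
        return None
    text = body[:4096].decode("utf-8", "replace")
    if path == "/.git/HEAD" and GIT_HEAD.fullmatch(text.strip()):
        return "git_directory_exposed"
    if path == "/.git/config" and "[core]" in text and "repositoryformatversion" in text:
        return "git_directory_exposed"
    if path == "/.env":
        # Every non-comment line is KEY=value and nothing looks like HTML.
        lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
        if lines and all("=" in l for l in lines) and "<" not in text:
            return "dotenv_exposed"
    if path.endswith(".zip") and body[:4] == b"PK\x03\x04":
        return "archive_exposed"
    # S3 and GCS answer a public listing with ListBucketResult, Azure with EnumerationResults.
    if "<ListBucketResult" in text or "<EnumerationResults" in text:
        return "bucket_listing_public"
    return None

def probe(base_url: str, paths=PATHS, timeout: float = 5.0):
    """GET each path and return {path: label} for the ones that fingerprint as exposed."""
    findings = {}
    for path in paths:
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"User-Agent": "exposure-audit/1.0 (authorised test)"},
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status, body = resp.status, resp.read(4096)
        except urllib.error.HTTPError as e:
            status, body = e.code, b""
        except (urllib.error.URLError, OSError):
            continue
        label = classify(path, status, body)
        if label:
            findings[path] = label
    return findings

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

The .env rule errs toward silence: a value containing `<` will be missed rather than a marketing page being reported as a leak. That trade-off is the right one for an outside-in audit, where a false positive costs the client's trust and a true positive gets confirmed by hand anyway.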
Databases on the open internet
MongoDB, Elasticsearch, Redis or Postgres bound to 0.0.0.0 with no firewall and, often, no password. Supabase with Row Level Security turned off on a table, so the anon key that ships in every client bundle reads every row.
SaaS oversharing
"Anyone with the link" Notion pages, Trello boards, Google Docs and Drive folders. Public Slack invites. Shared ChatGPT chats that Google indexed before OpenAI pulled the feature in August 2025.
Dead estate, live risk
Forgotten dev sites, retired microsites still answering DNS, subdomains pointing at a CDN nobody owns any more. SubdoMailing hijacked 8,000 trusted domains this way in 2024.
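The check behind "pointing at a CDN nobody owns any more" is mechanical: walk every CNAME you publish and ask whether its target still exists. Below is an added illustration, not the page's tooling. It takes records from any source (a zone export, an amass run), follows CNAME chains through your own zone, and flags targets that no longer resolve, distinguishing third-party targets (a takeover candidate if that provider lets anyone claim the name) from stale names under your own apex. The resolver is injectable so the logic runs offline; the hostnames and the stand-in resolver are constructed for the demo.

```python
"""Find dangling CNAMEs: subdomains whose target no longer resolves.

Added example, not the page's tooling. Records may come from a zone export or an
amass run; the resolver is injectable so the logic can be checked offline, and the
default uses the stdlib. SAMPLE_RECORDS and fake_resolver are constructed.
"""
import socket

def resolves(name: str) -> bool:
    """True if the name has an A or AAAA answer; NXDOMAIN and NODATA both give False."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def dangling_cnames(records, own_domains, resolve=resolves, max_hops=5):
    """records: iterable of (name, type, value); own_domains: apexes you control.

    Follows CNAME chains through your own records, then asks the resolver about the
    final target. Returns {subdomain: {"target": final_target, "third_party": bool}}
    for every subdomain whose final target does not resolve.
    """
    cname = {n.rstrip(".").lower(): v.rstrip(".").lower()
             for n, t, v in records if t.upper() == "CNAME"}
    own = {d.rstrip(".").lower() for d in own_domains}
    out = {}
    for sub, target in cname.items():
        seen, final = {sub}, target
        for _ in range(max_hops):  # bounded so a CNAME loop cannot spin forever
            if final in seen or final not in cname:
                break
            seen.add(final)
            final = cname[final]
        if resolve(final):
            continue
        third_party = not any(final == d or final.endswith("." + d) for d in own)
        out[sub] = {"target": final, "third_party": third_party}
    return out

# Constructed sample zone fragment.
SAMPLE_RECORDS = [
    ("www.example.com.", "CNAME", "app.example.com."),
    ("app.example.com.", "A", "192.0.2.10"),
    ("blog.example.com.", "CNAME", "live-site.example-cdn.net."),
    ("old.example.com.", "CNAME", "retired-site.example-cdn.net."),
    ("legacy.example.com.", "CNAME", "old.example.com."),
]

def fake_resolver(name: str) -> bool:
    """Stand-in for DNS in the offline demo: only these two names still exist."""
    return name in {"app.example.com", "live-site.example-cdn.net"}

if __name__ == "__main__":
    found = dangling_cnames(SAMPLE_RECORDS, {"example.com"}, resolve=fake_resolver)
    for sub, info in found.items():
        print(sub, "->", info["target"], "(third party)" if info["third_party"] else "(ours)")
```

In the sample, `old.example.com` points at a retired CDN name and `legacy.example.com` reaches the same dead target through one extra hop, so both are reported; `www` and `blog` still resolve and are left alone. Whether a dangling third-party target is actually claimable depends on the provider, so the output is a list to confirm, not a list of compromises.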
Where we come in.
We look at your company the way an attacker would. Outside in, no credentials, no insider help. Then we hand back a one-page report you can act on, and we fix the urgent stuff with you.
Fixed-fee per phase. No twelve-week procurement dance, no PDF deliverable nobody reads.
Map the attack surface
Domains, subdomains, IPs, certificates, cloud accounts you've forgotten. Shodan, Censys, amass, the Wayback Machine. We tell you what's yours before we tell you what's broken.
Hunt the leaks
Public repos, Docker Hub, pastebins, ChatGPT shares, the dark web for staff credentials, exposed SaaS pages. TruffleHog and GitLeaks on the code side, HaveIBeenPwned on the human side. We tell you which keys still work.
Triage and fix the urgent things
A prioritised report by blast radius and likelihood, not CVSS theatre. Then we rotate the live secrets, close the open buckets, lock the databases and pull the SaaS pages with you on the same day.
Leave you something to run
A short closing checklist for your team. Optional monitoring so you get an alert the next time a key hits GitHub or a new subdomain wakes up. Re-audit quarterly if you want it on a calendar.
Recent reminders.
Only one of these started with malware, and even there the fine was for what happened after the alert. The rest was data the company itself put on the public internet without realising.
Capita
The ICO fined Capita £14m for the March 2023 cyber attack. A malicious file landed on an employee laptop, the device wasn't quarantined for 58 hours, and the attackers walked out with personal data on 6.6 million people.
Post Office
The ICO reprimanded the Post Office after an unredacted legal document listing 502 postmasters' addresses sat on its own website for nearly two months. The regulator had considered a £1m fine.
The .env extortion sweep
Unit 42 documented a campaign that scraped exposed .env files across 110,000 domains and walked away with 90,000 secrets, including 1,185 AWS keys and 333 PayPal OAuth tokens.
Sources: ICO, Palo Alto Unit 42, GitGuardian, BleepingComputer, The Register.
"We didn't know" stopped working in 2018.
Under UK GDPR, the ICO can fine you up to £17.5m or 4% of global turnover, whichever is higher. The clock starts the moment you become aware of a breach: you have 72 hours to notify.
In the first half of 2025 the ICO issued £5.6m in fines across six cases. That's already double the whole of 2024. The trend is up and to the right.
An audit gives you the answer to "what's exposed?" before a regulator, a journalist or a researcher asks you.
£17.5m: maximum UK GDPR fine, or 4% of global turnover, whichever is higher. ICO fining guidance.
72 hours: to notify the ICO once you're aware a breach is likely to risk individuals' rights.
£14m: Capita, October 2025. Cause: a 58-hour delay quarantining a compromised employee device.
PSNI, 2024. Cause: a staff spreadsheet posted to a public FOI portal.
The ones we get asked first.
Isn't this just a pen test?
No. A pen test attacks a defined target. We map everything the internet thinks belongs to you, then find what's already public. They're complementary. Most clients haven't done either, but if you're choosing one first, choose this one. You can't pen test an asset you didn't know you had.
We're a small company. Are we really a target?
You're not a target. You're a result. The bots that scan the internet aren't looking for you specifically. They scan everyone, then sort the loot afterwards. The Unit 42 sweep hit 110,000 domains in one go. Your size is irrelevant to a script.
What do you need from us?
For the audit, almost nothing. Your domain and a short list of brands or trading names. We work the outside, no credentials. To act on the findings we'll need someone with the keys to your DNS, cloud and code, but that's after you've seen the report.
Is this legal? Don't you need permission to scan things?
We work from public data and sources designed to be queried: Shodan, Censys, GitHub search, the Wayback Machine, HaveIBeenPwned. We don't exploit, we don't break things, we don't log in. If a finding needs a confirmation that crosses a line, we ask you first, in writing.
How long does it take?
A standard audit runs in days end to end. Faster turnaround if you've already seen something worrying and want a quick read. If we find something live and dangerous on day one, we tell you on day one, not at the end.
What about Cyber Essentials and our ISO?
Cyber Essentials covers what you said you have. The audit covers what you've actually got. The findings map cleanly to the NCSC's External Attack Surface Management guidance and to the boundary firewalls and secure configuration controls in Cyber Essentials v3.2. Useful evidence for an ISO 27001 audit too.
What if you find something serious?
We stop the bleeding with you first, before we write the report. Rotate the live keys, close the bucket, take the page down. If it looks like the data has already been accessed, we'll help you scope what's been taken and draft the 72-hour ICO notification. We've done it. You don't want to do it alone.
How much?
Fixed-fee for the standard audit. Remediation priced per finding once you've seen the report. Monitoring is a small monthly retainer. We tell you the number before we start.
Find out what the internet knows.
Give us your domain. You'll have a one-page report of what's exposed today, what to fix first, and what to leave alone. Thirty-minute kickoff call.