Arashad Dodhiya
The Castle Analogy: Understanding Attack Surface Through Subdomains

Most beginners think a company's website is just a single website.

For example:

company.com

Simple, right?

Not exactly.

In reality, modern organizations are more like massive castles with dozens of gates, towers, secret passages, storage rooms, and sometimes even forgotten buildings that nobody remembers anymore.

This idea is one of the most important concepts in cybersecurity: attack surface.

Let's explore it through a castle.


Imagine a Castle

Suppose you're standing outside a medieval castle.

From the outside, you can only see the main entrance.

Castle
│
└── Main Gate

If someone asked you how many ways there are to enter the castle, you might answer:

"Just the main gate."

But that's rarely true.

A large castle may also have:

Castle
│
├── Main Gate
├── Side Gate
├── Merchant Entrance
├── Guard Entrance
├── Secret Tunnel
├── Storage Building
└── Watch Tower

Every additional entry point increases the number of places that must be protected.

This is exactly how modern organizations work.


The Website You See Is Usually Just the Main Gate

When you visit:

www.company.com

you're usually seeing the main entrance.

Most people stop there.

But security researchers know that there are often many more systems behind the scenes.

For example:

www.company.com
api.company.com
mail.company.com
vpn.company.com
dev.company.com
staging.company.com

These are called subdomains.

Think of them as different buildings or entrances inside the castle.


What Is Attack Surface?

Attack surface is simply the total set of places where a system can be interacted with, accessed, or misconfigured.

A small attack surface:

Castle
│
└── Main Gate

A larger attack surface:

Castle
│
├── Main Gate
├── Side Gate
├── Secret Tunnel
├── Watch Tower
├── Storage Room
└── Guard Entrance

More entrances don't automatically mean insecurity.

However, they do mean there are more things that must be managed and monitored.


The Forgotten Tower Problem

Now imagine a castle that has been expanding for twenty years.

Every new king builds something.

Year 1  -> Main Gate
Year 5  -> Watch Tower
Year 8  -> Storage Building
Year 12 -> Secret Passage
Year 15 -> Merchant Entrance
Year 20 -> New Tower

Over time, some structures stop being used.

Maybe nobody visits the old watch tower anymore.

Maybe the storage building is abandoned.

Maybe everyone forgot the secret passage even exists.

The same thing happens in technology.

Developers create systems such as:

dev.company.com
test.company.com
old.company.com
legacy.company.com

Projects end.

Teams move on.

Employees leave.

The systems remain.


Why Attackers Look Beyond the Main Website

Imagine you're trying to enter a castle.

Would you attack the heavily guarded main gate?

Or would you look for:

  • An unlocked side door
  • A forgotten tunnel
  • An abandoned watch tower

Most people would choose the easier path.

Attackers think the same way.

The main website is often heavily monitored and regularly updated.

Forgotten systems may not be.

This is why security professionals spend significant time identifying all assets that belong to an organization.


Real-World Example

A company may actively maintain:

www.company.com

with the latest security updates.

However, there could also be:

old.company.com

running software that hasn't been updated in years.

From a business perspective, it may have been forgotten.

From an attacker's perspective, it may be the most interesting system the company owns.


Visibility Comes Before Security

One of the most important lessons in cybersecurity is:

You cannot secure what you don't know exists.

Before defending systems, organizations must first discover and inventory them.

Security teams often perform asset discovery to answer questions such as:

  • What systems do we own?
  • Which services are publicly accessible?
  • Which environments are still active?
  • Which systems should be retired?

Without visibility, security becomes guesswork.
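The four asset-discovery questions above, and the "forgotten tower" problem from earlier, both come down to comparing what an organization can observe about itself with what it has written down. The script below is an added example (not code from the original post) that does that comparison: it takes a constructed list of hostnames as they might appear in a DNS zone export, reconciles them against a constructed asset inventory, and sorts the results into the categories a security team actually acts on. The hostnames, owners and dates are all made up for illustration.

```python
"""Reconcile observed subdomains against an asset inventory.

Added example with constructed data; not from the original post.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass
class Asset:
    host: str
    owner: Optional[str]          # None means nobody is responsible for it
    last_reviewed: Optional[date]  # None means it has never been reviewed
    status: str                    # "active" or "retired"


# Constructed inventory: what the organization *thinks* it owns.
INVENTORY: List[Asset] = [
    Asset("www.company.com",  "web-team", date(2024, 5, 1),   "active"),
    Asset("api.company.com",  "platform", date(2024, 4, 15),  "active"),
    Asset("mail.company.com", "it-ops",   date(2023, 1, 10),  "active"),
    Asset("old.company.com",  None,       date(2021, 3, 1),   "active"),
    Asset("test.company.com", "qa",       date(2022, 11, 20), "retired"),
]

# Constructed observation: hostnames as they might appear in a DNS zone
# export. Note the mixed case and trailing dot, which are normal there.
OBSERVED: List[str] = [
    "www.company.com",
    "API.company.com.",
    "mail.company.com",
    "old.company.com",
    "test.company.com",
    "legacy.company.com",
    "dev.company.com",
]


def normalize(host: str) -> str:
    """Lower-case a hostname and drop a trailing DNS root dot."""
    return host.strip().lower().rstrip(".")


def reconcile(observed: Iterable[str], inventory: Iterable[Asset],
              today: date, stale_after_days: int = 180) -> Dict[str, List[str]]:
    """Answer the asset-discovery questions with four sorted lists.

    unknown          observed but absent from the inventory (the forgotten tunnel)
    orphaned         inventoried but nobody owns it
    stale            active, but not reviewed within stale_after_days (or never)
    retired_but_live marked retired in the inventory yet still observed
    """
    seen = {normalize(h) for h in observed}
    by_host = {normalize(a.host): a for a in inventory}

    unknown = sorted(seen - by_host.keys())
    orphaned = sorted(h for h, a in by_host.items() if a.owner is None)
    stale = sorted(
        h for h, a in by_host.items()
        if a.status == "active"
        and (a.last_reviewed is None
             or (today - a.last_reviewed).days > stale_after_days)
    )
    retired_but_live = sorted(
        h for h, a in by_host.items() if a.status == "retired" and h in seen
    )
    return {
        "unknown": unknown,
        "orphaned": orphaned,
        "stale": stale,
        "retired_but_live": retired_but_live,
    }


def report(result: Dict[str, List[str]]) -> str:
    """Render the reconciliation as a short plain-text report."""
    lines = []
    for category, hosts in result.items():
        lines.append(f"{category}: {', '.join(hosts) if hosts else '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(OBSERVED, INVENTORY, today=date(2024, 6, 1))))
```

Run on the constructed data, the report flags `dev` and `legacy` as hosts nobody has recorded, `old` as having no owner, `mail` and `old` as overdue for review, and `test` as something the inventory calls retired but DNS still serves. Each category maps onto one of the questions above; the `today` parameter is passed in rather than read from the clock so the result is reproducible in a scheduled job or a test.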


The Modern Castle

Today's organizations are no longer simple websites.

They are ecosystems.

A single company might have:

www.company.com
api.company.com
auth.company.com
mail.company.com
vpn.company.com
staging.company.com
dev.company.com
blog.company.com

Each one serves a purpose.

Each one must be maintained.

Each one becomes part of the organization's attack surface.

The challenge isn't building the castle.

The challenge is remembering every door you've ever added.


Final Thoughts

When people first learn cybersecurity, they often focus on vulnerabilities.

But before vulnerabilities come assets.

Before assets come visibility.

And before visibility comes understanding how organizations are structured.

The next time you visit a website, don't think of it as a single page on the internet.

Think of it as a castle.

Because in cybersecurity, the most interesting discoveries are rarely behind the main gate; they're usually hidden somewhere deeper inside the walls.
