What attackers see when they scan your SaaS domain

You ship a feature. You move on. An attacker scans your domain that same night.

Here is what they find on a typical SaaS:

• Postgres on 5432 exposed to the internet. Redis on 6379 same. One firewall rule away from gone.
• OpenAI keys sitting in your frontend JS bundle. Cursor wrote them there. Nobody noticed.
• A CNAME pointing to a service you stopped paying for six months ago. Subdomain takeover waiting to happen.
• Response headers announcing your exact framework and version. Free CVE lookup for anyone paying attention.

I kept finding this stuff manually across projects so I built a scanner to automate it. Still in waitlist but if you want early access: threatlocator.com

What is the worst thing you have found exposed on your own infra?