When a security team says "we monitor our external attack surface," they almost always mean "we monitor the external assets we know about." The two aren't the same. The gap between them is where most exposure incidents live.
The shape of the gap varies by organization, but a few patterns recur:
M&A inheritance
Companies that grow through acquisition inherit infrastructure that doesn't always show up in central inventories. The acquired company's main domain gets noticed. The acquired company's regional subsidiaries, partner-integration platforms, marketing-event microsites, and the infrastructure of companies it had itself acquired routinely don't. The infrastructure persists; the documentation doesn't catch up.
Marketing and event sprawl
Microsites for product launches, conference sites, regional campaigns, and short-lived promotions get registered fast and forgotten faster. The team that registered them moved on. The DNS records still resolve. The certificates still renew. The infrastructure is live and reachable; the inventory is silent.
Legacy systems with second lives
A system retired five years ago technically still answers DNS queries because no one removed the records. A subdomain pointing to a third-party service whose contract ended two years ago still routes traffic somewhere: sometimes to the third party's new tenant, sometimes to abandoned infrastructure that's been re-registered by someone else.
Subsidiary and group structures
Large groups with subsidiary brands often run separate IT operations per subsidiary. The group-level CISO has visibility into the parent; subsidiary visibility is uneven. Attackers don't honor the boundary; they treat subsidiary breaches as a path into the parent.
Shadow IT
Individual teams spinning up cloud infrastructure with corporate credit cards. Marketing teams running their own analytics platforms. Engineering teams maintaining experimental services. Each instance is plausible in isolation; in aggregate, the unmonitored count is significant.
Discovery is not scanning
The inventory gap is what makes "discovery" different from "scanning." Scanning runs against an inventory. Discovery surfaces what the inventory missed. Both are necessary; treating discovery as a one-time onboarding step rather than a continuous capability misses the recurring nature of the gap.
For organizations starting an exposure-management program, the practical first move is a discovery scan against the parent domain: not because you don't already know the domain, but because the discovery output reveals the gap. The pattern we see most often: discovered inventory is significantly larger than starting inventory. The percentage varies by organization size and history; the direction is consistent.
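The reconciliation step that turns discovery output into a measured gap can be small. The following added example (not code from the original article) takes a constructed discovery result for a hypothetical parent domain `example.com`, compares it with the starting inventory, and tags each unknown host with the sprawl pattern it matches: outside the parent domain (subsidiary or M&A inheritance), delegated to a third party by CNAME (marketing and event sprawl), or a CNAME whose target no longer resolves (the legacy "second life" case that should be retired before someone else claims the target). All hostnames, addresses and the `RESOLVABLE` set are constructed; `hosting-provider.test` and `acquired-brand.test` are placeholder names, not real services.

```python
"""Reconcile a discovery scan against a starting asset inventory.

Added example, not part of the original article. Every hostname, address
and CNAME target below is constructed for illustration.
"""
from dataclasses import dataclass

PARENT_DOMAINS = ("example.com",)   # constructed parent domain of the organisation


@dataclass(frozen=True)
class DnsRecord:
    name: str     # fully-qualified hostname surfaced by discovery
    rtype: str    # "A" or "CNAME"
    target: str   # address for A records, canonical name for CNAME records


def in_parent_domains(name, parents=PARENT_DOMAINS):
    """True if the name is the parent domain or a subdomain of it."""
    return any(name == p or name.endswith("." + p) for p in parents)


def inventory_gap(discovered, known):
    """Hostnames that discovery found but the starting inventory does not list."""
    return sorted({r.name for r in discovered} - set(known))


def dangling_candidates(discovered, resolvable):
    """CNAMEs whose target did not resolve at scan time: retire these records."""
    return sorted(r.name for r in discovered
                  if r.rtype == "CNAME" and r.target not in resolvable)


def classify(record, known, resolvable):
    """Tag one discovered record with the sprawl patterns it matches."""
    tags = []
    if record.name not in known:
        tags.append("not-in-inventory")
    if not in_parent_domains(record.name):
        tags.append("outside-parent-domain")   # subsidiary / M&A inheritance
    if record.rtype == "CNAME" and not in_parent_domains(record.target):
        tags.append("third-party-cname")       # delegated to an external service
    if record.rtype == "CNAME" and record.target not in resolvable:
        tags.append("dangling-target")         # legacy record with no live owner
    return tags


def gap_report(discovered, known, resolvable):
    """Summarise how far the discovered surface exceeds the starting inventory."""
    names = {r.name for r in discovered}
    return {
        "known": len(known),
        "discovered": len(names),
        "unknown": len(names - set(known)),
        "dangling": len(dangling_candidates(discovered, resolvable)),
        "findings": {r.name: classify(r, known, resolvable) for r in discovered},
    }


# Constructed starting inventory: what the team believes it owns.
KNOWN_INVENTORY = {"www.example.com", "api.example.com", "mail.example.com"}

# Constructed discovery output for the same parent domain.
DISCOVERED = [
    DnsRecord("www.example.com", "A", "203.0.113.10"),
    DnsRecord("api.example.com", "A", "203.0.113.11"),
    DnsRecord("mail.example.com", "A", "203.0.113.12"),
    # forgotten launch microsite, delegated to a provider tenant that is gone
    DnsRecord("launch-2019.example.com", "CNAME", "old-tenant.pages.hosting-provider.test"),
    # retired system whose records were never removed
    DnsRecord("crm-legacy.example.com", "A", "198.51.100.7"),
    # subsidiary brand running its own IT outside the parent domain
    DnsRecord("shop.acquired-brand.test", "A", "203.0.113.50"),
    # live third-party delegation that nobody documented
    DnsRecord("events.example.com", "CNAME", "cdn.hosting-provider.test"),
]

# Constructed set of CNAME targets and addresses that still resolved at scan time.
RESOLVABLE = {"203.0.113.10", "203.0.113.11", "203.0.113.12",
              "198.51.100.7", "203.0.113.50", "cdn.hosting-provider.test"}


if __name__ == "__main__":
    report = gap_report(DISCOVERED, KNOWN_INVENTORY, RESOLVABLE)
    print(f"known={report['known']} discovered={report['discovered']} "
          f"unknown={report['unknown']} dangling={report['dangling']}")
    for host, tags in report["findings"].items():
        if tags:
            print(f"  {host}: {', '.join(tags)}")
```

Run repeatedly, with each run's discovery output reconciled against the previous run's confirmed inventory rather than the original starting list, and the `unknown` count becomes the metric for how fast the gap reopens.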
The starting inventory is the floor, not the ceiling. The work is closing the gap continuously, because the gap reopens continuously.