The 5-Minute Asset Exposure Checklist

Quick steps to uncover what your business may have left visible to the world.

Most small and mid-sized companies aren’t ready for a full-blown security audit — and that’s perfectly fine. But if you want to take one simple step today to make your company safer, this 5-minute checklist is for you. You don’t need a cybersecurity degree: just a browser, some common sense, and five focused minutes.

1. Subdomains: What’s Still Out There?

Why it matters

Subdomains often outlive the projects they were built for. Attackers know this — and actively look for abandoned ones.

Quick check

  • Go to dnsdumpster.com
  • Enter your main domain (e.g., yourcompany.com)
  • Review the list of subdomains. Anything unfamiliar?

What to watch for

  • Subdomains pointing to services you no longer use
  • Default hosting pages or errors
  • Names like admin., dev., test., or old.
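To make the "anything unfamiliar?" review repeatable, the added example below (not part of the original checklist) compares a pasted list of discovered hostnames against your own inventory and flags the name patterns listed above. The function names, the inventory list, and all hostnames are constructed for illustration.

```python
import re

# Name fragments the checklist says to watch for.
RISKY_LABELS = {"admin", "dev", "test", "old"}

def normalize(host):
    """Lowercase and drop whitespace and the trailing root dot."""
    return host.strip().lower().rstrip(".")

def triage(discovered, inventory, domain):
    """Return {hostname: [reasons]} for hostnames that need a human look."""
    domain = normalize(domain)
    known = {normalize(h) for h in inventory}
    findings = {}
    for raw in discovered:
        host = normalize(raw)
        if not host or host == domain:
            continue
        if not host.endswith("." + domain):
            # Lookalike or unrelated name that merely contains the domain.
            findings[host] = ["not under " + domain]
            continue
        reasons = []
        if host not in known:
            reasons.append("unfamiliar: not in inventory")
        # Split "promo-old.eu" into tokens; drop trailing digits ("dev2" -> "dev").
        sub = host[: -len(domain) - 1]
        tokens = {t.rstrip("0123456789") for t in re.split(r"[.-]", sub)}
        hits = sorted(tokens & RISKY_LABELS)
        if hits:
            reasons.append("risky name: " + ", ".join(hits))
        if reasons:
            findings[host] = reasons
    return findings

# Constructed sample data (not real hosts).
INVENTORY = ["www.yourcompany.com", "mail.yourcompany.com", "admin.yourcompany.com"]
DISCOVERED = """
www.yourcompany.com
MAIL.yourcompany.com.
admin.yourcompany.com
dev2.yourcompany.com
promo-old.yourcompany.com
shop.yourcompany.com
golden.yourcompany.com
yourcompany.com.other.example
""".splitlines()

if __name__ == "__main__":
    for host, reasons in triage(DISCOVERED, INVENTORY, "yourcompany.com").items():
        print(f"{host}: {'; '.join(reasons)}")
```

A host that is in the inventory but carries a risky name (admin. here) is still listed, so it gets a second look even though it is expected to exist.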

2. Google Yourself (Seriously)

Why it matters

Your documents, folders, and admin pages might be visible — and indexed — without your knowledge.

Quick check

Search in Google:

site:yourcompany.com filetype:pdf
site:yourcompany.com intitle:"index of"
"yourcompany" + "view file"

Also, try your brand name + keywords like login, admin, and dashboard.

What to watch for

  • Publicly accessible PDFs, invoices, or decks
  • Shared folders from Google Drive or Dropbox
  • Screenshots of internal tools

3. Admin Panels: What’s Publicly Exposed?

Why it matters

Attackers scan the internet for default login pages — and they often find them.

Quick check

  • Open your site in incognito mode
  • Add /admin, /login, /wp-admin, /dashboard to the URL
  • See if anything loads

What to watch for

  • Login pages with no 2FA
  • Generic or unbranded pages
  • Tools or plugins that were never removed

4. Who Still Has Access?

Why it matters

Old accounts can quietly stay active — even after people leave or projects end.

Quick check

  • Open your CRM, cloud tools, analytics, etc.
  • Look at the user list or “invited users”
  • Remove anything inactive or suspicious

What to watch for

  • Personal emails of ex-employees or contractors
  • Generic addresses like marketing@ or test@
  • Dormant accounts with admin rights

5. What Can Strangers See About Your Company Online?

Why it matters

Even if you’re not checking, someone else might be. Search engines, bots, and even attackers regularly scan what’s publicly visible about your business.

Quick check

Try these free tools:

  • urlscan.io: shows what someone sees when they visit your site
  • shodan.io: scans the internet for devices and open services

Just type in your website or IP address — and see what comes up.

What to watch for

  • Information about servers or systems that should stay private
  • Login pages or dashboards that appear without logging in
  • Error messages, test environments, or old tools still online

Final Thoughts

This isn’t a full audit — but it’s a powerful start.

Most digital incidents don’t begin with malware. They begin with visibility gaps. Forgotten subdomains. Exposed documents. Leftover logins.

You can’t protect what you don’t see.
Spend five minutes today.
It might save you weeks of firefighting later.

Next article: The 5 biggest mistakes companies make when “cleaning up” digital assets — and how to avoid making them yourself.