Attack Surface Decay: The Hidden Risks of Forgotten Services


Most security teams are fairly certain they know what's running in their environment. Asset inventories are maintained, configurations are reviewed, and active systems are monitored. Yet what rarely gets the same attention is everything that used to run. The SaaS app from a project that ended two years ago. The subdomain that once pointed to a marketing microsite. The OAuth connection that outlived the vendor relationship it was built for.
These forgotten assets don't just disappear when unused. They decay - and attackers know how to exploit this during attack setup. In this blog, we'll look at what attack surface decay looks like in your environment, how attackers turn forgotten infrastructure into functional attack material, why standard detection tools are structurally blind to this class of risk, and how pre-attack signals can surface it before any damage is done.
What Decay Looks Like
Asset decay is more common than most security teams expect. So is the exposure it creates. According to Gartner, organizations without centralized SaaS lifecycle management are five times more susceptible to a cyber incident or data loss due to incomplete visibility into SaaS usage and configuration.
What does this look like, on the ground? Shadow SaaS is the most common: apps that employees spin up on their own - project tools, AI utilities, file-sharing services - that never go through procurement or IT review. These accounts have permissions and they often stay active long after the project or the person who created them is gone. The Cloud Security Alliance found that 55% of employees adopt SaaS tools without security's involvement. Those tools connect to enterprise accounts, and those connections persist.
Then there are unused licenses with live OAuth tokens still attached. For example, an integration built for a vendor stays authorized to access your Salesforce or Google Workspace long after the relationship ends. Because no one deactivated it, the connection just sits there, credentialed and reachable.
Abandoned subdomains are the third category - and the one most directly tied to attacker infrastructure. These are subdomains that once pointed to a marketing microsite, a campaign landing page, or a third-party tool. They get decommissioned at the application layer but forgotten at the DNS layer. The CNAME record stays in place, pointing to a cloud resource that no longer exists.
These are all common situations because that's how SaaS adoption actually works - fast, distributed, and rarely governed on the way out. The result is an attack surface that keeps expanding long after the services that built it have been forgotten.
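The dangling-CNAME case above is the one a defender can check mechanically: export the zone, and for every CNAME ask whether the target still resolves. The script below is an added example, not code from the original post or from Malanta; the zone records are constructed, and `resolve` is a hypothetical hook that defaults to a standard-library lookup so the same audit can run against a fake resolver offline.

```python
"""Audit a DNS zone export for CNAME records whose target no longer resolves.

Added example (not from the original post). ZONE_RECORDS is constructed;
`default_resolve` is an assumed helper backed by the standard library, and
`find_dangling_cnames` accepts any callable with the same shape so the audit
can be run offline against a fake resolver.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed zone export: (record name, record type, target). In practice
# this would come from the DNS provider's API or a zone-file dump.
ZONE_RECORDS: List[Tuple[str, str, str]] = [
    ("www.example.com", "CNAME", "example-prod.cdn.example-cloud.net"),
    ("promo2023.example.com", "CNAME", "promo2023.storage.example-cloud.net"),
    ("docs.example.com", "CNAME", "example-docs.hosted-docs.example"),
    ("mail.example.com", "MX", "mail-in.example.com"),
]


@dataclass
class Finding:
    name: str      # the subdomain in our zone
    target: str    # the CNAME target it still points at
    reason: str


def default_resolve(host: str) -> bool:
    """Return True if the host resolves to at least one address (assumed helper)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(
    records: List[Tuple[str, str, str]],
    resolve: Callable[[str], bool] = default_resolve,
) -> List[Finding]:
    """Flag CNAMEs whose target fails to resolve.

    Only CNAME records are considered: a CNAME delegates the name to a
    resource we do not control, which is what makes a stale one claimable.
    """
    findings: List[Finding] = []
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue
        if not resolve(target):
            findings.append(Finding(name, target, "CNAME target does not resolve"))
    return findings


if __name__ == "__main__":
    for f in find_dangling_cnames(ZONE_RECORDS):
        print(f"{f.name} -> {f.target}: {f.reason}")
```

A non-resolving target (NXDOMAIN) is the strong signal, but it is not the only one: some providers answer for an unclaimed name with a generic "not found" page that still has a valid A record, so findings from this check should be confirmed against the provider's own ownership status before the record is deleted. Run it on a schedule, because a target that resolves today can be decommissioned tomorrow.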
How Attackers Use Decayed Infrastructure
Attackers treat your forgotten assets as their on-ramps. These are pre-built access paths - infrastructure that's already configured, trusted, and no longer watched. Each category of decayed infrastructure offers a distinct attack path:
- Abandoned subdomains with dangling DNS records give attackers a trusted domain to operate from. They scan for CNAME entries still pointing at decommissioned cloud resources, claim the resource on the other side, and take control of the subdomain without touching your infrastructure at all.
- Unused SaaS licenses with live OAuth tokens require no credential theft - a decommissioned app that still holds authorized access to your Salesforce, your Google Workspace, or your cloud storage is simply an open connection.
- Shadow SaaS accounts that employees spun up and walked away from carry the same exposure, compounded by the fact that no one in IT knows they exist.
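The OAuth and shadow-SaaS paths above share one defensive check: an inventory of app grants, scored by how long each has been idle, whether its owner still exists, and whether the app was ever approved. The following is an added example, not code from the original post or from Malanta. The grant export is constructed, and the field names (`owner_active`, `last_used`, `scopes`) are assumptions standing in for whatever a given identity provider's consent or token report actually exposes.

```python
"""Flag OAuth grants that have outlived their purpose.

Added example (not from the original post). GRANTS, APPROVED_APPS and
SENSITIVE_SCOPES are constructed; the record fields are assumed names, not
any specific vendor's schema. TODAY is pinned so the output is reproducible.
"""
from datetime import date
from typing import Dict, List

TODAY = date(2025, 6, 1)

# Constructed: apps that went through procurement/IT review.
APPROVED_APPS = {"crm-sync", "backup-agent"}

# Constructed: scopes that grant broad read/write access and so raise priority.
SENSITIVE_SCOPES = {"files.readwrite.all", "mail.read", "directory.readwrite"}

# Constructed grant export, one row per app consent.
GRANTS: List[Dict] = [
    {"app": "crm-sync", "owner": "alice", "owner_active": True,
     "scopes": ["contacts.read"], "last_used": "2025-05-30"},
    {"app": "vendor-etl", "owner": "bob", "owner_active": True,
     "scopes": ["files.readwrite.all"], "last_used": "2024-09-12"},
    {"app": "ai-notes", "owner": "carol", "owner_active": False,
     "scopes": ["mail.read"], "last_used": "2025-05-20"},
    {"app": "backup-agent", "owner": "svc-backup", "owner_active": True,
     "scopes": ["files.readwrite.all"], "last_used": "2025-05-31"},
]


def audit_grants(grants: List[Dict], today: date = TODAY,
                 max_idle_days: int = 90) -> List[Dict]:
    """Return grants with at least one decay indicator, highest risk first.

    Indicators: idle longer than max_idle_days, owner no longer active,
    or app never approved (shadow SaaS). Risk is "high" when the grant
    also carries a sensitive scope, otherwise "medium".
    """
    findings: List[Dict] = []
    for g in grants:
        reasons: List[str] = []
        idle = (today - date.fromisoformat(g["last_used"])).days
        if idle > max_idle_days:
            reasons.append(f"idle {idle}d")
        if not g["owner_active"]:
            reasons.append("owner deactivated")
        if g["app"] not in APPROVED_APPS:
            reasons.append("not in approved inventory")
        if reasons:
            risk = "high" if set(g["scopes"]) & SENSITIVE_SCOPES else "medium"
            findings.append({"app": g["app"], "risk": risk, "reasons": reasons})
    # High-risk first, then alphabetical for a stable report.
    return sorted(findings, key=lambda f: (f["risk"] != "high", f["app"]))


if __name__ == "__main__":
    for f in audit_grants(GRANTS):
        print(f"[{f['risk']}] {f['app']}: {', '.join(f['reasons'])}")
```

The point of the "owner deactivated" and "not in approved inventory" checks is that they catch grants which look healthy on the idle-time axis: the ai-notes grant in the sample was used twelve days ago, but its owner has left, which is exactly the case the post describes as a connection that outlives the person who created it. A grant that trips any indicator is a candidate for revocation, not an automatic one; the report is meant to drive a review, with the sensitive-scope rows handled first.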
Attackers find all of this through standard pre-attack reconnaissance. As CrowdStrike notes, adversaries run automated monitoring for DNS changes and signs of abandonment and move in the moment a resource goes unclaimed.
That reconnaissance pays off, at scale. The CrowdStrike 2026 Global Threat Report found that 82% of intrusions in 2025 involved no malware at all - adversaries moved through valid credentials, trusted identity flows, and approved SaaS integrations. Valid account abuse - for example, via shadow SaaS accounts - made up over a third of cloud incidents.
The Security Tools That Can't See What's Been Left Behind
Standard security tooling can't see decayed infrastructure because it is built around activity. SIEM rules trigger on events. EDR flags process behavior. SOC workflows begin when alerts fire. Forgotten assets produce none of that - no logs, no traffic, no flags.
Attackers don't share that blind spot. Their reconnaissance picks up exactly what detection tools ignore: the quiet signals of infrastructure being claimed, configured, and prepared. We call these Indicators of Pre-Attack (IoPAs). Even though they don’t trigger alerts, they do reflect an attack taking shape. The window to act on these signals opens during setup and closes the moment the infrastructure goes live. Detection tools aren't built to operate in that window. Pre-attack prevention is.
Your Attack Surface Doesn't Shrink When Services Go Dark
Decayed infrastructure is a gap where pre-attack prevention has the most leverage. By monitoring the signals that emerge when forgotten assets are activated for use - IoPAs that surface before any payload moves - security teams gain access to a phase of the attack lifecycle that detection tools were never built to reach.
Treating decay as an intelligence problem changes what's possible. The signals are observable. The window to act, though, is narrow. Malanta was built to operate in that window - surfacing what's been left behind before attackers put it to work.
See how Malanta identifies and neutralizes decayed infrastructure before it becomes an attack path. Get your access today.