Subdomains accumulate. Every new project gets its own. Every regional office picks up a few. Every marketing campaign launches with a fresh one. Most of those subdomains were never really retired. They were forgotten, with the DNS record left in place pointing at infrastructure that may or may not still exist. Threat actors have built entire research practices around finding and exploiting forgotten subdomains, because the patterns of misconfiguration are so reliable.
Subdomain Takeover Is Embarrassing And Common
A subdomain takeover happens when DNS still points at a service that has been deprovisioned, leaving the destination available to anyone willing to claim it on the upstream platform. The classic example is a subdomain pointing at a long-departed cloud bucket or platform account, where an attacker can register the same name on the same platform and serve their own content from your domain. The consequences range from a defaced page to convincing phishing campaigns hosted on a legitimate-looking address. A focused external network pen testing engagement should enumerate every subdomain and validate that each one points at infrastructure you still control.
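The validation step described above, as an added example that is not code from the original article: it walks a subdomain inventory, resolves each CNAME target, and classifies the record as fine, dangling (target no longer exists) or pointing at a third-party platform whose account needs confirming. The inventory, the zones, the `.test` platform hostnames and the DNS answers are all constructed so the script runs offline; the `live_resolve` function is a drop-in replacement for the fake resolver when run against real DNS.

```python
"""Dangling-DNS audit of a subdomain inventory (added example, offline).

The inventory, owned zones and DNS answers below are constructed for this
demonstration; ``audit`` accepts any resolver callable, so the same logic
can be pointed at real DNS via ``live_resolve``.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed inventory: subdomain -> (record type, target).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "www.example.com":       ("A",     "203.0.113.10"),
    "shop.example.com":      ("CNAME", "shop-prod.example.com"),
    "promo2021.example.com": ("CNAME", "promo2021.storage.example-cloud.test"),
    "docs.example.com":      ("CNAME", "docs-site.example-pages.test"),
}

# Zones we administer ourselves (constructed). CNAME targets under these are
# not takeover candidates because nobody else can register names there.
OWNED_ZONES: Tuple[str, ...] = ("example.com",)

# Constructed DNS view. A name absent from this table is treated as NXDOMAIN,
# which is what a deprovisioned platform hostname typically returns.
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10"],
    "shop-prod.example.com": ["203.0.113.20"],
    "docs-site.example-pages.test": ["198.51.100.7"],
}

Resolver = Callable[[str], List[str]]


class NxDomain(Exception):
    """Raised by a resolver when the queried name does not exist."""


def fake_resolve(name: str) -> List[str]:
    """Offline stand-in resolver backed by FAKE_DNS."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise NxDomain(name) from None


def live_resolve(name: str) -> List[str]:
    """Real resolver using the system stub resolver (not exercised offline)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        raise NxDomain(name) from None


def _under(name: str, zones: Tuple[str, ...]) -> bool:
    """True when ``name`` is inside one of the zones we control."""
    return any(name == z or name.endswith("." + z) for z in zones)


def audit(inventory: Dict[str, Tuple[str, str]], resolve: Resolver,
          owned_zones: Tuple[str, ...] = OWNED_ZONES) -> Dict[str, str]:
    """Return a status string per inventory entry.

    - CNAME whose target does not resolve   -> "dangling: ..." (takeover candidate)
    - CNAME into a zone we do not control   -> "third-party: ..." (confirm the account)
    - CNAME into our own zone and resolving -> "ok"
    - A/AAAA records                        -> "address: ..." (needs an allocation check)
    """
    report: Dict[str, str] = {}
    for name, (rtype, target) in inventory.items():
        if rtype != "CNAME":
            report[name] = f"address: confirm {target} is still allocated to you"
            continue
        try:
            resolve(target)
        except NxDomain:
            report[name] = (f"dangling: {target} does not resolve; remove the record "
                            f"or re-establish the target before someone else does")
            continue
        if _under(target, owned_zones):
            report[name] = "ok"
        else:
            report[name] = f"third-party: confirm the account behind {target} is still yours"
    return report


def dangling_names(inventory: Dict[str, Tuple[str, str]], resolve: Resolver,
                   owned_zones: Tuple[str, ...] = OWNED_ZONES) -> List[str]:
    """Just the subdomains whose CNAME target has gone away."""
    return sorted(n for n, s in audit(inventory, resolve, owned_zones).items()
                  if s.startswith("dangling"))


if __name__ == "__main__":
    for subdomain, status in audit(INVENTORY, fake_resolve).items():
        print(f"{subdomain:24} {status}")
```

A "dangling" result is the record to act on immediately; a "third-party" result is not a finding by itself, but it is the class of record where the upstream account, not just DNS, has to be checked, which is the point the decommissioning section below makes.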
Certificate Transparency Reveals More Than You Think
Public certificate transparency logs record every certificate issued for your domains. That information is invaluable for finding subdomains you did not know about, including ones that bypassed normal change management because they were set up by a different team. Monitor the certificate transparency stream for your domains and treat unfamiliar entries as findings to investigate, not noise to ignore.
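The monitoring loop described above, as an added example that is not code from the original article: it takes a batch of certificate-transparency entries, extracts every name under the monitored domain (including the zone a wildcard covers), and reports the ones absent from the known inventory. The entries are constructed; their field names (`name_value` with one name per line, `issuer_name`, `not_before`, `id`) follow the layout of crt.sh's JSON output, which is an assumption about the feed rather than anything the article specifies. The `new_findings` helper shows how to carry state between runs so only unseen entries are reported.

```python
"""Diff certificate-transparency entries against a subdomain inventory.

Added example. The CT entries and inventory are constructed; the entry field
layout is assumed to mirror crt.sh's JSON output and is not from the article.
"""
from typing import Dict, Iterable, List, Set

DOMAIN = "example.com"

# Constructed inventory of subdomains we already track.
KNOWN: Set[str] = {"www.example.com", "shop.example.com", "docs.example.com"}

# Constructed CT entries (assumed crt.sh-style fields).
CT_ENTRIES: List[Dict[str, str]] = [
    {"id": "1", "issuer_name": "C=US, O=Example CA",
     "not_before": "2024-03-01T10:00:00",
     "name_value": "www.example.com\nexample.com"},
    {"id": "2", "issuer_name": "C=US, O=Example CA",
     "not_before": "2024-04-12T08:30:00",
     "name_value": "shop.example.com"},
    {"id": "3", "issuer_name": "C=US, O=Other CA",
     "not_before": "2024-05-03T15:45:00",
     "name_value": "*.staging.example.com\nstaging.example.com"},
    {"id": "4", "issuer_name": "C=US, O=Other CA",
     "not_before": "2024-05-20T09:00:00",
     "name_value": "hr-portal.example.com\nexample.org"},  # example.org is out of scope
]


def names_in_scope(entry: Dict[str, str], domain: str = DOMAIN) -> Set[str]:
    """Names from one entry that sit under ``domain``, normalised.

    A wildcard is reduced to the zone it covers: ``*.staging.example.com``
    still tells us that someone issued a certificate for ``staging``.
    """
    found: Set[str] = set()
    for raw in entry["name_value"].splitlines():
        name = raw.strip().lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]
        if name == domain or name.endswith("." + domain):
            found.add(name)
    return found


def unknown_names(entries: Iterable[Dict[str, str]], known: Set[str],
                  domain: str = DOMAIN) -> Dict[str, List[str]]:
    """Map each unfamiliar in-scope name to the ids of the entries carrying it."""
    hits: Dict[str, List[str]] = {}
    for entry in entries:
        for name in names_in_scope(entry, domain):
            if name == domain or name in known:
                continue
            hits.setdefault(name, []).append(entry["id"])
    return {n: sorted(ids) for n, ids in sorted(hits.items())}


def new_findings(entries: Iterable[Dict[str, str]], known: Set[str],
                 seen_ids: Set[str], domain: str = DOMAIN) -> Dict[str, List[str]]:
    """Stream-style use: only consider entries not processed in an earlier run."""
    fresh = [e for e in entries if e["id"] not in seen_ids]
    return unknown_names(fresh, known, domain)


def describe(entries: List[Dict[str, str]], findings: Dict[str, List[str]]) -> List[str]:
    """Human-readable lines for a ticket: name, issuer and issuance time."""
    by_id = {e["id"]: e for e in entries}
    lines = []
    for name, ids in findings.items():
        for entry_id in ids:
            e = by_id[entry_id]
            lines.append(f"{name}: issued {e['not_before']} by {e['issuer_name']} (entry {entry_id})")
    return lines


if __name__ == "__main__":
    for line in describe(CT_ENTRIES, unknown_names(CT_ENTRIES, KNOWN)):
        print(line)
```

Each line of output is a candidate to hand to an owner: either the inventory is incomplete and the name should be added with an owner and purpose, or nobody recognises it, which is the case worth escalating.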
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
The most damaging subdomain takeover I worked on involved a marketing subdomain that had been used for a campaign three years prior. The cloud account had been closed. The DNS record was never removed. An attacker registered the same account name, served convincing phishing content from the original subdomain and harvested credentials for several weeks before anyone noticed. Total cost of remediation was substantial.

Decommissioning Process Matters
A subdomain that was retired through DNS removal might still be referenced in old emails, cached search results or third party platforms. Effective decommissioning addresses both the DNS record and the upstream service. Confirm the cloud account or platform has been properly cleaned up. The protection against takeover is removing the underlying claim, not just the DNS pointer. It is worth maintaining a published process that any team can follow when retiring a subdomain. The process should be quick enough not to discourage retirement and thorough enough to actually remove the exposure. That combination is what makes subdomain hygiene sustainable.
Process Catches What Tools Cannot
Tools surface candidates. Process closes the loop. Every subdomain should have an owner, an expected purpose and a decommissioning step at the end of its useful life. Pair that operational discipline with periodic engagements from a pen testing company that probes the inventory directly, and the gaps tighten over time.
Subdomains are cheap to create and inconvenient to track. That asymmetry is what attackers count on. Subdomain hygiene is unglamorous and entirely worthwhile. The threat actors who hunt forgotten subdomains will keep finding them until organisations build the habits to retire them properly. Network security has changed considerably over the last decade and the principles that survived the change tend to be the ones worth investing in. The fundamentals remain valuable even as the implementation details evolve around them.