The situation
A diversified industrial enterprise (we'll call them "EntCo") with 4,000 employees across 6 Indian cities had grown through acquisitions over 12 years. The CISO had inherited a security programme but no comprehensive asset inventory. The board had asked: "How much attack surface do we actually have?"
EntCo's profile:
- 4,000 employees
- 6 Indian city offices + 3 manufacturing sites
- 14 acquired subsidiaries over 12 years (each with own IT)
- Mix of AWS + Azure + on-premise + colocation
- Existing AppCo platform + Salesforce + 30+ SaaS subscriptions
- DPDP applicability + RBI applicability (financial subsidiary)
- CISO team: 8 people
Onboarding (Weeks 1-2)
Bachao.AI's ASM onboarding established the baseline. Method:
- ASN ownership mapping (legitimate IP ranges across all subsidiaries)
- Subdomain enumeration on all known + suspected brand domains
- Certificate transparency log mining (historical certificates)
- Passive DNS analysis
- Cloud account discovery (AWS Organizations + Azure subscription graph)
Baseline result:
- 412 internet-facing assets discovered
- EntCo's prior inventory: 248 assets
- Gap: 164 assets EntCo did not have in their inventory (40%)
First-month critical findings
Among the 412 discovered, critical exposures included:
E-001 — Forgotten staging environment from 2021 acquisition
A subsidiary acquired in 2021 had a staging environment running outdated software (PHP 7.2, MySQL 5.6) with default credentials. It had been live for 4 years and was never decommissioned. Likely already compromised, based on stealer log analysis showing matching credentials.
E-002 — Three publicly accessible Jenkins servers
Jenkins servers at two subsidiaries were internet-accessible, running old versions with known vulnerabilities. One showed unauthorized access patterns in its access log.
E-003 — Unmanaged SSL certificates
14 SSL certificates for various subsidiary brands were due to expire within the next 60 days, and none were in EntCo's central certificate management. Several were 4+ years old.
E-004 — Employee credentials on dark web
67 employee email and password pairs were found on the dark web from various breaches. 14 of those credentials were still valid against EntCo's Okta SSO (employees had reused passwords).
E-005 — Sub-processor with active breach
One of EntCo's third-party SaaS vendors (used by HR for benefits management) had had a public security incident 3 weeks before the ASM onboarding. EntCo had not received notification.
E-006 — Office Wi-Fi exposure
One office's guest Wi-Fi network was misconfigured, exposing the internal employee VLAN through a hairpin route.
E-007 — Acquired entity domain in vendor inventory
A subsidiary acquired in 2022 was still using its previous owner's email infrastructure. A DMARC misconfiguration allowed external spoofing of the subsidiary's domain.
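An added example (not code from the page or from Bachao.AI) of the check behind E-007: it evaluates a DMARC TXT record, the kind published at `_dmarc.<domain>`, and lists why a domain stays spoofable. The record strings are constructed, and the check reads them directly rather than querying DNS.

```python
"""Evaluate a DMARC TXT record for the weaknesses behind finding E-007.
Added example: records are passed in as strings (constructed), not fetched from DNS."""
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a {tag: value} dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> dict:
    """Return {'enforcing': bool, 'issues': [...]} describing why the domain stays spoofable."""
    if record is None:
        return {"enforcing": False, "issues": ["no DMARC record published"]}
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("record does not begin with v=DMARC1 and will be ignored by receivers")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"p={policy or 'missing'}: mail failing DMARC is still delivered")
    if "sp" in tags and tags["sp"].lower() not in ("quarantine", "reject"):
        issues.append(f"sp={tags['sp']}: subdomains stay spoofable")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if pct < 100:
        issues.append(f"pct={pct_raw}: only a fraction of failing mail is acted on")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so no monitoring")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"enforcing": enforcing, "issues": issues}


# Constructed records: the misconfigured state and the corrected, monitored state.
WEAK_RECORD = "v=DMARC1; p=none"
FIXED_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@entco.example"

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("fixed", FIXED_RECORD), ("missing", None)):
        print(name, assess_dmarc(rec))
```

The `rua=` check is the "monitoring enabled" half of the E-007 fix: without aggregate reports, a policy change cannot be verified against real mail flow.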
The 90-day reduction sprint
EntCo's CISO worked with Bachao.AI on a 90-day attack surface reduction sprint:
Weeks 3–6 (Critical findings closure):
- E-001 (forgotten staging) decommissioned + forensic analysis (no breach found, but data exfiltration probability assessed)
- E-002 (Jenkins servers) — 2 decommissioned, 1 retained behind VPN with proper monitoring
- E-003 (SSL certificates) — all 14 certificates renewed and added to central management
- E-004 (employee credentials) — forced rotation of 67 employee passwords, MFA enforcement re-validated
- E-005 (sub-processor incident) — impact assessed, remediation evidence obtained from the vendor
- E-006 (office Wi-Fi) — guest VLAN reconfigured
- E-007 (DMARC) — corrected, monitoring enabled
- 14 non-critical exposed services either decommissioned or moved behind VPN
- 23 unnecessary subdomains decommissioned
- 18 SSL certificates consolidated under central management
- 8 forgotten cloud accounts brought under central Organizations management
- Detection rules for new asset discovery (alerts within 2 hours of new asset appearance)
- Acquired entity onboarding checklist (so future acquisitions don't repeat the pattern)
- Quarterly review cadence with the security team
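The baseline reconciliation from onboarding (discovered assets against the prior inventory) and the new-asset detection rule from the sprint, as one added Python example. It is not Bachao.AI's code; the hostnames and the 203.0.113.0/24 range are constructed, and normalisation covers only hostname case and trailing dots.

```python
"""Reconcile an ASM discovery snapshot against the team's inventory, then diff
later snapshots to raise new-asset alerts. Added example with constructed data."""
import ipaddress
from typing import Iterable, List, Tuple

def normalise(asset: str) -> str:
    """Lower-case and strip a trailing dot so 'WWW.Entco.example.' matches 'www.entco.example'."""
    return asset.strip().lower().rstrip(".")

def reconcile(inventory: Iterable[str], discovered: Iterable[str]) -> dict:
    """Compare what the team believed it owned with what discovery found."""
    inv = {normalise(a) for a in inventory}
    found = {normalise(a) for a in discovered}
    missing = found - inv  # internet-facing but never inventoried
    return {
        "discovered": len(found),
        "inventoried": len(inv),
        "missing_from_inventory": sorted(missing),
        "gap_pct": round(100 * len(missing) / len(found)) if found else 0,
        "stale_entries": sorted(inv - found),  # inventoried but no longer seen
    }

def owned(ip: str, ranges: Iterable[str]) -> bool:
    """True if ip lies inside one of the ranges mapped during ASN ownership mapping."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def new_asset_alerts(previous: Iterable[str], current: Iterable[str],
                     legit_ranges: Iterable[str]) -> List[Tuple[str, str]]:
    """Alert on every asset absent from the previous snapshot; an IP outside the
    mapped ranges is flagged separately (either a mapping gap or not EntCo's at all)."""
    prev = {normalise(a) for a in previous}
    alerts = []
    for asset in sorted({normalise(a) for a in current} - prev):
        try:
            ipaddress.ip_address(asset)
            kind = "new-ip" if owned(asset, legit_ranges) else "new-ip-outside-mapped-ranges"
        except ValueError:
            kind = "new-hostname"
        alerts.append((kind, asset))
    return alerts

# Constructed snapshots; 203.0.113.0/24 stands in for EntCo's mapped ranges.
LEGIT_RANGES = ["203.0.113.0/24"]
INVENTORY = ["www.entco.example", "mail.entco.example", "203.0.113.10"]
BASELINE = ["WWW.entco.example.", "mail.entco.example", "203.0.113.10",
            "staging-2021.sub-a.example", "jenkins.sub-b.example"]
WEEK_LATER = BASELINE + ["203.0.113.99", "198.51.100.7"]
```

On the constructed data, `reconcile(INVENTORY, BASELINE)` reports 5 discovered, 3 inventoried and a 40% gap, the same proportion as EntCo's baseline; `new_asset_alerts(BASELINE, WEEK_LATER, LEGIT_RANGES)` is the diff a scheduled scan would feed into the 2-hour alert.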
Results at 90 days
| Metric | Baseline | 90 days | Change |
|---|---|---|---|
| Internet-facing assets | 412 | 165 | -60% |
| Critical exposures | 7 | 0 | -100% |
| High exposures | 23 | 4 | -83% |
| Medium exposures | 84 | 31 | -63% |
| Assets in central inventory | 248 (60%) | 165 (100%) | +full coverage |
| Time to discover new asset | unknown | <2 hours | full visibility |
What it cost
| Line item | Cost |
|---|---|
| Bachao.AI ASM (Enterprise tier) | ₹5L/month × 3 = ₹15L |
| EntCo internal time for sprint | ~₹40L opportunity cost (8-person security team, 90 days) |
| Decommissioning + remediation infrastructure work | ~₹25L (DevOps time across subsidiaries) |
| Total 90-day investment | ₹80L |
What EntCo's CISO said
"We thought we had 248 assets. We had 412. That alone justified the engagement. Six months in, our security team spends meaningfully less time chasing surprises and more time on the things that actually matter. The 'where did THIS server come from?' phone calls have stopped."
Pattern this engagement followed
Common shape for Bachao.AI ASM engagements:
- Diversified enterprise with growth through acquisition
- Existing security team capable but bandwidth-constrained
- CISO needs comprehensive visibility for board reporting
- Willingness to act on findings (not just measure them)