Attack surface management rests on a quiet assumption: that the surface can be inventoried. Vendors scan the domains a company registers, the cloud assets it provisions, the endpoints it enrols. The premise is that you can see what you are defending.
The assumption holds for infrastructure. It breaks for people. A growing share of the access that matters to an organisation does not live on anything the organisation owns or can see. It lives on a personal phone with the corporate mail app installed. On a home laptop with a saved single sign-on session. On a personal email address quietly set as the recovery path for a work account. None of these appear in an asset inventory, because the company neither bought them nor enrolled them.
This is not a gap in the tooling. It is structural. You cannot manage an asset you do not own, and you cannot see an account you were never told about. The boundary a company draws around its attack surface is an ownership boundary. The boundary an attacker works across is a person. The two do not match, and the space between them is where a large share of modern intrusions now begin.
There are two kinds of blindness in that space. The first is about assets: the unmanaged devices and personal accounts that hold corporate access. The second is about behaviour: the events in a person's work life and personal life that cross the seam between the two and become raw material for targeting. Both widen with seniority. The people with the most access and the most public exposure are, as a rule, the least subject to device policy.
What attack surface management can and cannot see
The category has matured into an alphabet. External attack surface management (EASM) scans what faces the internet: domains, subdomains, exposed services, certificates, leaked keys. Cyber asset attack surface management (CAASM) correlates internal inventory across the tools a company already runs, so a security team can ask which managed endpoints are missing a control. Both are useful, and both share the same horizon. They map assets the organisation owns, provisions, or enrols.
We have written before about what infrastructure-focused tooling misses at the level of the individual identity. The device-and-account version of that blind spot is narrower and easier to state: the access exists, the credential is valid, and the asset holding it was never in scope to begin with. A scanner cannot flag a home laptop it has no way to reach. A correlation engine cannot reconcile a personal phone against an inventory it never joined.
So the question worth asking is not what our attack surface looks like. It is where our access actually lives. Those produce different maps.
Where corporate access actually lives
By Microsoft's own figures, roughly 67% of employees use personal devices for work, whether or not their employer has a policy that permits it. The policy is close to irrelevant to the exposure; the behaviour happens either way. The access lands in predictable places:
- Corporate mail and SSO on a personal phone. The most common case. The mail app holds a live, authenticated session, and the authenticator app often sits on the same device, so the second factor lives beside the session it is meant to protect.
- A saved work session on a home computer. "Keep me signed in" turns a one-time login into a standing credential that survives on disk.
- Personal email as the recovery path for a work account. A reset link or backup code routed to an inbox the company does not control.
- Collaboration apps on personal devices. Messaging and conferencing tools installed for convenience, each carrying its own session token.
- BYOD without enrolment. A device that does real work but never touched mobile device management, so there is no policy, no remote wipe, and no visibility.
None of these are misconduct. They are how work happens. But each one moves a piece of corporate access onto an asset the security team cannot inventory, patch, or revoke at the device level. The Verizon 2025 Data Breach Investigations Report put a number on the result: of the systems found carrying corporate login credentials in infostealer logs, 46% were unmanaged devices. Close to half of the corporate-credential exposure that turns up in criminal datasets comes from machines no employer was watching.
Why a rotated password is not the end of it
The mechanism that turns an unmanaged device into a corporate intrusion is the infostealer: lightweight malware that, on execution, sweeps a machine for saved passwords, browser-stored credentials, authentication cookies, and session tokens, then exfiltrates the lot to a marketplace. We have covered how the modern infostealer chain runs end to end; the relevant point here is what it harvests and where. Verizon found that 54% of ransomware-victim domains had appeared in infostealer logs before the attack, and 40% of those logs held a corporate email address.
The scale is no longer marginal. Constella's 2026 Identity Breach Report tracked 24.8 million unique infected devices and 2.3 billion stolen passwords across 2025. SpyCloud's 2026 report recaptured 8.6 billion stolen cookies and session artefacts, and found that 80% of exposed corporate credentials contained a plaintext password. A meaningful share of this originates on the personal devices described above, because that is where consumer-grade habits and corporate-grade access overlap.
Two findings matter most for an organisation trying to understand its real surface.
First, the corporate yield is rising. Flare's 2026 analysis of 18.7 million infostealer logs found that more than one in ten infections already carried enterprise single sign-on or identity-provider credentials in 2025, up from around 6% in early 2024, and on track for one in five by the third quarter of 2026. An infostealer infection is no longer just a consumer problem that happens to land on a work-adjacent machine. Increasingly it is a corporate-access event.
Second, and the part that defeats the standard response: stealing a live session cookie bypasses multi-factor authentication entirely. A session cookie is proof that authentication already happened. An attacker who replays it is never asked to log in again, because as far as the service is concerned, the user already did. Flare found 1.17 million logs that contained both enterprise credentials and a session cookie. This is why the reflexive "we reset the password" so often misses the actual problem. Rotating a password does nothing to a session captured while it was still valid unless the reset is paired with revocation of the user's existing sessions and tokens, and that is a separate step that is easy to skip. The attacker is already through the door; changing the lock does not help.
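To make the mechanism concrete, the following is an added example written for this page (it is not code from the original article or from any vendor). It models a server-side session table two ways: the naive design, in which a cookie is honoured until its own expiry regardless of what happens to the password, and a credential-bound design, in which every session records the user's credential epoch (a counter bumped on each reset or explicit revocation) and is rejected once that epoch is stale. The username, cookie values, timings and the eight-hour session lifetime are all constructed assumptions.

```python
"""Why a password reset alone does not evict a stolen session cookie.

Added example, not from the original page. Usernames, cookies and timings are
constructed; nothing here touches a real service.
"""
import secrets
import time

SESSION_TTL = 8 * 3600  # constructed: an eight-hour "keep me signed in" session


class SessionStore:
    def __init__(self, bind_to_credential):
        self.bind_to_credential = bind_to_credential
        self.epoch = {}     # user -> credential epoch, bumped on each password reset
        self.sessions = {}  # cookie -> {"user", "issued_epoch", "expires"}

    def login(self, user, now):
        cookie = secrets.token_urlsafe(32)  # opaque random token; nothing is encoded in it
        self.sessions[cookie] = {
            "user": user,
            "issued_epoch": self.epoch.get(user, 0),
            "expires": now + SESSION_TTL,
        }
        return cookie

    def reset_password(self, user):
        # A real reset would also store a new password hash; for session
        # validity the epoch bump is the part that matters.
        self.epoch[user] = self.epoch.get(user, 0) + 1

    def revoke_all_sessions(self, user):
        # Explicit kill switch, independent of the epoch check: drop every row.
        for cookie in [c for c, s in self.sessions.items() if s["user"] == user]:
            del self.sessions[cookie]

    def validate(self, cookie, now):
        """Return the user the cookie resolves to, or None if it is rejected."""
        s = self.sessions.get(cookie)
        if s is None or now >= s["expires"]:
            return None
        if self.bind_to_credential and s["issued_epoch"] != self.epoch.get(s["user"], 0):
            return None
        return s["user"]


def replay_after_reset(bind_to_credential):
    """Cookie stolen at T0, password reset at T0+1h, cookie replayed at T0+2h."""
    t0 = time.time()
    store = SessionStore(bind_to_credential)
    stolen = store.login("cfo@example.com", t0)    # infostealer copies this cookie
    store.reset_password("cfo@example.com")        # the help desk's standard response
    return store.validate(stolen, t0 + 2 * 3600)   # attacker replays it from elsewhere


def replay_after_revoke():
    """Same theft, but the response revokes every session instead of only resetting."""
    t0 = time.time()
    store = SessionStore(bind_to_credential=False)
    stolen = store.login("cfo@example.com", t0)
    store.revoke_all_sessions("cfo@example.com")
    return store.validate(stolen, t0 + 60)


def replay_after_expiry():
    """Even the naive store rejects the cookie once its own lifetime has run out."""
    t0 = time.time()
    store = SessionStore(bind_to_credential=False)
    stolen = store.login("cfo@example.com", t0)
    return store.validate(stolen, t0 + SESSION_TTL)


if __name__ == "__main__":
    print("naive store, password reset only:", replay_after_reset(False))  # cfo@example.com
    print("bound store, password reset:", replay_after_reset(True))        # None
    print("naive store, sessions revoked:", replay_after_revoke())         # None
```

Two practical caveats follow from the model. The epoch check only helps if it is enforced by whatever actually consumes the session, so a bearer access token that is validated offline will keep working until its own expiry even after the refresh token behind it has been revoked; short token lifetimes and an explicit revoke-all-sessions step are complementary, not alternatives. And the revocation has to cover every session type the person holds (browser, mail client, collaboration apps), because the stolen artefact may not be the one the help desk thinks of first.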
The documented cases follow the same shape:
- Snowflake (2024). Attackers used credentials harvested by infostealers to reach roughly 165 customer environments that had not enforced multi-factor authentication. Mandiant noted that several of the initial compromises occurred on contractor systems used for both work and personal activities. The credentials were old, some dating to 2020. They still worked.
- Electronic Arts (2021). A stolen session cookie, bought from a marketplace for about ten dollars, gave intruders a foothold in EA's internal Slack, which they used to talk an IT administrator into issuing access. Roughly 780GB of source code left the building.
- CircleCI (2023). Malware on a single engineer's laptop, undetected by antivirus, lifted a valid, two-factor-backed single sign-on session. The attacker inherited the live session and reached production systems and customer secrets.
In each, the perimeter held. The session did not. And where the chain begins on a personal device, the perimeter was never the relevant boundary in the first place.
The seam: one person, two domains
The asset blind spot is half the picture. The other half is behavioural, and it has nothing to do with devices. It is the simple fact that the same person exists on both sides of the work and personal boundary, and that events in one domain become usable intelligence in the other.
Attackers read both. A work event creates a pretext for a personal-side approach; a personal event creates an opening for a corporate-side one. This is the seam, and it is invisible to any tool that scans only what the company owns, because the signal lives in public records, social feeds, and breach data that belong to the individual, not the employer. This section completes the treatment promised in our four executive threat models.
When a work event becomes a personal-side attack
- A leaked corporate email becomes the key to a personal account. Corporate address formats are trivially inferred from a name. Once an attacker has the work email, they test it as the recovery address or login on personal services, where reuse and weaker protection are common.
- A job change becomes a tailored lure on a personal inbox. A new role announced publicly is a gift to a spear-phisher. Security vendor Trellix documented a 2025 campaign in which attackers impersonated a recruiter to target a chief financial officer, the kind of approach that lands cleanly on a personal email precisely because it looks like personal business.
- A vendor breach becomes reused credentials elsewhere. A breach at a service an executive uses personally exposes a password that, often enough, unlocks something that matters more.
When a personal event becomes a corporate-side attack
A note on how this is described. The patterns below are set out so that an organisation can recognise the exposure that enables them and reduce it. They are not a procedure to run. The examples are pattern-typical, drawn from publicly documented attacker behaviour, not from any individual, and we work only with informed consent and identity verification.
- A public absence becomes a business-email-compromise window. An executive's travel, visible from a conference agenda or a social post, tells an attacker exactly when the person is hardest to reach for a quick verification. A forged "I'm in meetings, please handle this payment" lands during the documented gap.
- Public-record and life events become vishing pretexts. Information that establishes a plausible, specific context makes a phone-based approach more convincing. The attacker does not need the detail to be sensitive; they need it to be true.
- Reconnaissance on employees becomes a path through the help desk. This is the most consequential personal-to-corporate pivot, because it does not require compromising the executive at all. In the Caesars Entertainment breach (2023), attackers used identity details gathered on staff to social-engineer an outsourced IT support vendor, a chain that ended in an eight-figure payment. In the Twitter breach (2020), attackers phoned employees posing as internal IT, directed them to a fake VPN login page, and used the harvested credentials to reach internal account-support tools, targeting 130 accounts and taking over dozens of high-profile ones. In both, the corporate perimeter was bypassed by way of people, using information about them that no asset scanner would ever surface.
The seam is not a tooling problem. It is a consequence of the fact that employees, officers, and directors have lives, those lives are partly public, and attackers treat the public part as reconnaissance.
The exposure rises with seniority
Both blind spots, the unmanaged asset and the behavioural seam, sharpen as you move up the organisation. This is the part that most surprises the people it describes.
The most senior people hold the most access. They also carry the most public exposure: their names, roles, and movements are documented in filings, press, conference billing, and the data-broker and people-search ecosystems we map in what the internet knows about a person. And they are, in practice, the least subject to device policy. Enrolment requirements get waived for convenience. A board member reads sensitive material on a personal tablet. A founder declines mobile device management on the phone they actually use.
The numbers confirm the targeting. GetApp's 2024 executive cybersecurity survey of 2,648 IT and security professionals found that 72% said a senior executive at their company had been targeted by at least one cyberattack in the prior 18 months, that 27% of those attacks involved AI-generated deepfakes, and that 37% of firms still provide their executives no specialised security training. Microsoft's Digital Defense Report (2024) put the structural figure starkly: in more than 90% of ransomware attacks that reached the ransom stage, the attacker had used an unmanaged device, either to gain initial access or to encrypt remotely. The category most often exempted from oversight is the category most present when an attack succeeds.
The hardest case is the non-employee director. An independent board member is, by definition, on a personal device and frequently a personal email, because they are not on the company's systems at all. They receive board packs, deal material, and strategic documents, and they hold a credential of real value. They sit almost entirely outside any inventory the security function could build. From an attack-surface perspective, a board is a set of high-value identities the organisation can neither see nor manage.
What an organisation can actually do
The instinct is to extend control: enrol everything, mandate device management, ban personal devices. It is the right instinct and an incomplete one, because the defining property of this surface is that the organisation does not own it. You cannot enrol a director's personal phone, a contractor's home laptop, or the personal inbox an employee set as a recovery address. Policy reduces the surface; it does not close it.
Two levers do more.
The first is knowing which individuals carry which access, and where that access lives off the managed estate. This is an exercise in mapping people and their exposure, not scanning infrastructure, and it is precisely the part that EASM and CAASM are not built to do. For the people who matter most, it means establishing what corporate access touches their personal devices and accounts, which personal addresses are wired into work systems, and what an attacker would find by searching them.
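A starting point for that mapping, and for the categories listed under "Where corporate access actually lives", is to join data the organisation already holds rather than scan anything. The block below is an added example written for this page (not the article's own method and not any vendor's product): it correlates identity-provider sign-in events against the device-management inventory to find standing sessions on devices that were never enrolled, and checks directory recovery contacts for addresses outside the corporate domain. The field names, device IDs, addresses and every record are constructed for illustration and do not reflect any specific product's export schema.

```python
"""Map where corporate access lives off the managed estate, person by person.

Added example, not from the original page or any vendor's product. All records
and field names below are constructed.
"""
from collections import defaultdict

CORP_DOMAIN = "example.com"  # constructed

# Constructed sign-in events: one per interactive authentication. "persistent"
# stands in for a "keep me signed in" grant or a long-lived refresh token.
SIGNINS = [
    {"user": "cfo@example.com", "app": "Mail", "device_id": "D-1001", "persistent": True},
    {"user": "cfo@example.com", "app": "SSO", "device_id": "D-2222", "persistent": True},
    {"user": "cfo@example.com", "app": "SSO", "device_id": "D-2222", "persistent": True},  # repeat
    {"user": "eng1@example.com", "app": "SSO", "device_id": "D-1002", "persistent": False},
    {"user": "eng1@example.com", "app": "Chat", "device_id": "D-3333", "persistent": True},
    {"user": "director@example.com", "app": "BoardPortal", "device_id": "D-4444", "persistent": True},
]

MANAGED_DEVICES = {"D-1001", "D-1002"}  # constructed device-management inventory

RECOVERY = {  # constructed directory recovery contacts
    "cfo@example.com": "cfo.personal@mail.example",
    "eng1@example.com": "eng1@example.com",
    "director@example.com": "director@boardmail.example",
}


def off_estate_map(signins, managed_devices, recovery, corp_domain=CORP_DOMAIN):
    """Return {user: [finding, ...]} listing access the estate cannot see or revoke."""
    findings = defaultdict(list)
    seen = set()
    for ev in signins:
        if ev["device_id"] in managed_devices:
            continue  # covered by device policy, remote wipe and patching
        key = (ev["user"], ev["app"], ev["device_id"])
        if key in seen:
            continue  # report each (person, app, device) combination once
        seen.add(key)
        kind = "standing session" if ev["persistent"] else "sign-in"
        findings[ev["user"]].append(
            f"{kind} on unmanaged device {ev['device_id']} to {ev['app']}"
        )
    for user, addr in recovery.items():
        if addr.rsplit("@", 1)[-1].lower() != corp_domain:
            findings[user].append(f"recovery address outside the estate: {addr}")
    return dict(findings)


def by_exposure(findings):
    """People ordered by how much off-estate access they carry, most first."""
    return sorted(findings, key=lambda u: len(findings[u]), reverse=True)


if __name__ == "__main__":
    report = off_estate_map(SIGNINS, MANAGED_DEVICES, RECOVERY)
    for user in by_exposure(report):
        print(user)
        for line in report[user]:
            print("  -", line)
```

With real exports the join on device identifier is the weak point: a browser sign-in from an unenrolled laptop often carries no device identifier at all, and that absence is itself the signal, so treat a missing or unrecognised identifier as unmanaged rather than dropping the event. The output is a list of people and the places their access lives, which is the map the question in this section asks for, not an asset inventory.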
The second is reducing the public exposure that makes a person targetable in the first place. The seam runs on findable information. The less of it there is, the harder both pivots become: fewer breach records to reuse, fewer broker listings to mine for a pretext, fewer public signals to time an approach against. This connects the personal and the corporate directly, which is why we treat executive digital exposure as an organisational risk, not merely a personal one.
Neither lever is a product you buy. Both are an act of looking at the organisation the way an attacker does: as a set of people, each with a work life and a personal life, each carrying access across a boundary the company drew but the attacker ignores.
The surface you can see is the part you already manage. The risk lives in the part you do not own.
Sources
Infostealers, credential and session theft
- Verizon, 2025 Data Breach Investigations Report — unmanaged-device share of corporate-credential exposure; ransomware victims appearing in infostealer logs.
- Flare, 2026 infostealer research — enterprise SSO/identity-provider credential trend; logs containing credentials and session cookies.
- SpyCloud, 2026 Identity Exposure Report (statistics) — stolen cookies and session artefacts; plaintext corporate credentials.
- Constella, 2026 Identity Breach Report — infected devices and stolen passwords.
Unmanaged devices and executive targeting
- Microsoft, Digital Defense Report 2024 — share of ransomware attacks reaching the ransom stage that involved unmanaged devices.
- GetApp, 2024 Executive Cybersecurity survey — executives targeted; deepfakes; specialised-training gap.
Documented incidents
- Snowflake customer-environment intrusions (Mandiant / Google Cloud, 2024).
- Electronic Arts Slack session-cookie compromise (2021).
- CircleCI session-token theft incident report (2023).
- Twitter internal-tools compromise (2020); Caesars Entertainment help-desk social engineering (2023).