Secure Subsidiaries, Acquisitions, and Mergers

When your company acquires another, merges, or spins off a business unit, its attack surface expands fast, often faster than you can track it. Unknown assets may constitute unmonitored vulnerabilities.

Censys Attack Surface Management (ASM) provides visibility and attribution tools to stay ahead of risks, even in chaotic merger and acquisition (M&A) scenarios. Censys ASM provides the tools to take control of your expanding attack surface during mergers, acquisitions, and restructuring. Start with seeds, let the system discover and attribute, then monitor continuously.

Prerequisites

• Access to Censys ASM.
• You know which business units/domains/cloud accounts are involved.

Who should use this guide

• Security teams and analysts
• M&A integration teams
• IT operations
• CISOs and security leaders

Step 1: Add new seeds

If you have an existing attack surface inventory, immediately add known seeds for the company being acquired, including all subsidiaries and legacy domains. Leverage continuous seed discovery (CSD) to its full potential. This step is essential for successful M&A discovery. By providing accurate initial seeds, you kickstart automated discovery, allowing CSD to identify and map the acquired entity's attack surface. The more comprehensive and accurate your initial seeds, the more relevant and complete your results will be.

Reference the documentation on seeding your attack surface for step-by-step instructions on seed management.

Step 2: Set up ASM and connect your cloud

When your company acquires another business, one of the first security priorities should be understanding what cloud assets you’ve just inherited. With Censys ASM, you can quickly connect the acquired company’s cloud environments, whether they’re using AWS, Azure, or GCP, using built-in Cloud Connectors. This gives you deeper visibility beyond external scanning, helping you surface assets that might otherwise go unnoticed, like temporary services or internal-only resources that don’t appear in DNS or certificate records.

Refer to AWS, Azure, and GCP Cloud Connectors for more information.

Step 3: View discovered assets

As part of the due diligence process during a merger or acquisition, it’s critical to understand the full scope of the digital environment you're inheriting. Censys helps eliminate blind spots by continuously discovering assets across the internet, even those that might be unknown to the target organization itself.
Censys identifies assets through a variety of data sources, including:

• DNS and WHOIS records: Mapping domain ownership and changes across organizations.
• SSL/TLS certificates: Detecting active services and validating ownership via certificate transparency logs.
• Passive DNS: Reconstructing historical DNS data to uncover previously active or misconfigured systems.
• Cloud provider integrations: Pulling in real-time asset data directly from environments like AWS, Azure, and GCP.
• Crunchbase: Utilizing Crunchbase's organizational intelligence, Censys enhances the breadth and accuracy of attack surface discovery, ensuring a more comprehensive view for security teams. Censys uses Crunchbase’s data on subsidiaries and acquisitions to automatically expand its initial list of internet-facing assets to scan.
• Continuous seed discovery: An automated process within attack surface management that actively and continuously identifies new and related internet-facing assets (seeds) associated with an organization.

This process creates an always up-to-date inventory of all internet-facing assets, even the hidden, orphaned, or legacy systems that might not show up in internal records. During a merger or acquisition, having this level of visibility is key to understanding your risk exposure and making sure nothing gets overlooked during integration.

Step 4: Attribute and segment assets

Once you've identified the full scope of internet-facing assets, the next step is making sense of who owns what. This is especially important in the context of a merger or acquisition as different subsidiaries, regions, or business units may have vastly different risk profiles, compliance obligations, or operational needs.

Censys helps streamline this process by using metadata and the initial seed data you provide to automatically attribute assets to the appropriate part of the organization. Segmenting attack surfaces via workspaces allows you to quickly organize assets based on logical ownership. You can take this even further by applying custom tags or leveraging API enrichment to integrate internal business context.

Step 5: Identify and prioritize risks

As part of the due diligence process, it’s critical to uncover and assess cybersecurity risks that could impact the success of the merger or acquisition. Censys automates risk identification across the digital footprint of the target organization, enabling security teams to act quickly and confidently. This step involves surfacing and evaluating potential vulnerabilities that could expose the organization to threats or compliance issues post-acquisition. Common issues include:

• Exposed ports/services
• Shadow IT
• Misconfigured cloud storage buckets
• Expired or misconfigured SSL certificates

Explore the full list of risks Censys can detect and details on how they’re prioritized.

Step 6: Enforce security policies

Set alerts for new risks or unknown infrastructure and push findings into:

• SIEMs (Splunk, Microsoft Sentinel, Google Security Operations)
• Ticketing systems (Jira, ServiceNow)
• SOARs (Swimlane)
• IT Service Management (ITSM) (ServiceNow CMDB)

Step 7: Monitor continuously

Mergers and acquisitions can span months, with risks emerging unexpectedly. Censys ASM provides a robust alerting system that integrates with various platforms to keep your security team updated on changes to your digital footprint.

CSD automates the identification of new assets across your attack surface. By continuously scanning for infrastructure linked to your known digital entities, CSD ensures no asset goes unnoticed—feeding directly into your alerting mechanisms for faster response to emerging risks.

In addition to standard email notifications, Censys supports seamless integrations with collaboration tools like Slack, Microsoft Teams, and Cisco Webex, delivering real-time alerts within your team’s preferred communication channels.

Alert integrations

• Email Notifications: Stay informed with detailed alerts delivered directly to designated email addresses. There are two types of email notifications available:
  • Risk Digests: Receive regular summaries (either in real-time or daily) of newly identified or resolved risks related to your integrated services. These digests are configured on the integrations page.
  • Saved Query Automation Alerts: Get notified about new or removed assets that match your saved search queries. This separate alerting feature can also send notifications to the same destinations as the risk digests, but is configured independently through the Saved Query Automation settings.
• Rapid Response Email Notifications: Real-time alerts about potential risks related to newly identified vulnerabilities and other trending issues.
• Slack Integration: Set up alerts to post in specific Slack channels, enabling instant awareness and team discussions.
• Microsoft Teams: Configure alerts in Microsoft Teams by choosing an authentication method (Application or OAuth 2.0) and selecting target channels for notifications.
• Cisco Webex: Route alerts to designated Webex Spaces, ensuring relevant teams receive timely updates on attack surface changes.

These integrations optimize security operations by delivering critical alerts through your team’s existing tools, enhancing responsiveness to risks, and strengthening your organization’s security posture.