How to tell if your website is exposed or compromised
There is a useful distinction buried in the question “is my site secure?” Exposed means an attacker can see a way in. Compromised means they already took it. You can learn a surprising amount about both from outside the building — which is exactly where the attacker is standing.
The recurring lesson of the past two years is that breaches rarely begin with inside knowledge. They begin with reconnaissance of the public surface: an expired certificate, an unauthenticated mail domain, a forgotten subdomain, an exposed admin panel. The CitrixBleed 2 campaign hit internet-facing appliances eleven days before a public exploit even existed. The Hazy Hawk group turned the CDC’s own forgotten DNS record against it. None of that required getting inside first.
Signs you are exposed
- The browser says “Not secure.” Your TLS certificate is missing, expired, or misconfigured; see How to check your SSL/TLS certificate.
- Anyone can send mail as you. No SPF, DKIM, or DMARC means your domain is open to impersonation.
- Forgotten subdomains. Old staging, campaign, or vendor subdomains often run outdated software or point at abandoned services — a favourite entry point, and the heart of the dangling-DNS attacks.
- Exposed admin or service interfaces. Databases, dashboards, file-transfer tools, or VPN portals reachable from the public internet.
- Missing security headers. Their absence makes common browser attacks easier; see HTTP security headers, explained.
Signs you are already compromised
- Redirects, pop-ups, or content you did not publish.
- A browser or search-engine “this site may be hacked” warning.
- An unexplained spike in outbound email or traffic.
- New files, user accounts, or scheduled tasks nobody created.
If you see signs of an active compromise, treat it as an incident: preserve logs, isolate the affected system if you can, and bring in someone who does incident response. Do not quietly “clean it up” and move on — attackers leave more than one door.
What you can check yourself
From the outside you can review your certificate, your DNS and mail authentication, your HTTP security headers, and which subdomains and services are publicly reachable. Those signals together are your external attack surface — see What is external attack surface management?
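An added example (not zmam.ai's code) of turning those outside observations into findings: it takes an already-collected snapshot of a certificate expiry date, TXT records and response headers, and flags the exposure signs listed earlier. The snapshot values, the 14-day expiry threshold and the header set are assumptions of this example; DKIM is left out because checking it requires knowing the selector.

```python
from datetime import datetime, timedelta, timezone

# Header set chosen for this example; the page names no specific headers.
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options")

def dmarc_tags(record):
    """Split a 'k=v; k=v' DMARC record into a lowercase dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def review(snap, now):
    """Return plain-language findings for one externally observed snapshot."""
    findings = []
    left = snap["cert_not_after"] - now
    if left <= timedelta(0):
        findings.append("tls: certificate expired")
    elif left < timedelta(days=14):  # assumed warning window
        findings.append(f"tls: certificate expires in {left.days} days")
    spf = [t for t in snap["txt"] if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("spf: no record")
    elif len(spf) > 1:  # RFC 7208: more than one record is a permanent error
        findings.append("spf: multiple records")
    elif spf[0].lower().split()[-1] in ("+all", "all", "?all"):
        findings.append("spf: policy does not restrict senders")
    dmarc = [t for t in snap["dmarc_txt"] if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("dmarc: no record")
    elif dmarc_tags(dmarc[0]).get("p", "none") == "none":
        findings.append("dmarc: p=none, monitoring only")
    present = {h.lower() for h in snap["headers"]}
    findings += [f"headers: missing {h}" for h in EXPECTED_HEADERS if h not in present]
    return findings

# Constructed sample snapshot (not real data); dmarc_txt is the TXT set at _dmarc.<domain>.
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
SAMPLE = {
    "cert_not_after": datetime(2025, 1, 15, tzinfo=timezone.utc),
    "txt": ["site-verification=constructed",
            "v=spf1 include:_spf.example.net ?all"],
    "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "headers": {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"},
}

if __name__ == "__main__":
    for finding in review(SAMPLE, NOW):
        print(finding)
```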
How zmam.ai helps
zmam.ai runs an external, non-intrusive review of your public configuration — DNS, TLS, HTTP security headers, and mail authentication — and emails you a plain-language report of what is worth fixing. It never tests passwords, submits forms, or changes anything; it only reads what is already public. Deeper checks, such as port and service discovery and known-vulnerability lookups, are in development.
Related
- Free website security checks: what they cover and what they miss
- What is external attack surface management?
- Field note: Eleven days, 11.5 million tries