Security Through Obscurity Is Dead. AI Killed It.
Security through obscurity has always been a bad strategy. Every textbook says so. Every conference talk warns against it. Practically a cliché.
And yet it worked. Kind of. For a while.
Not as a strategy anyone would write down. But as a practical reality, obscurity provided real protection. Your weird internal API on port 8443 with a non-standard path? Nobody was finding that by accident. Your staging environment on an unlinked subdomain? Functionally invisible. Your misconfigured S3 bucket with a random name? You'd have to be specifically looking.
The vastness of the internet was its own security layer. Too many targets, too many ports, too many paths for any human to enumerate thoroughly. Most hidden things stayed hidden. Not because they were secure, but because nobody looked hard enough.
AI agents look hard enough.
"Looking hard enough" is trivially cheap when automated agents run 24/7 across millions of targets. What protected you wasn't a lock. It was the assumption that nobody would walk down your particular hallway. AI walks down every hallway.
Subdomain enumeration used to be manual. Check DNS records, run a wordlist, search certificate transparency logs. Thorough work took hours and still missed things. AI agents combine passive recon, active scanning, permutation generation, and machine learning to enumerate subdomains comprehensively. They find the staging server. The internal tool. The thing someone deployed to a random subdomain for a 2024 demo and forgot about.
Same with path discovery. Traditional directory brute-forcing runs a wordlist and looks for non-404 responses. Finds /admin, /api/v1, maybe /backup. AI agents go further. They analyze JavaScript bundles to extract API endpoints. They read robots.txt (basically a map of things you want to hide). They infer path structures from patterns. They find endpoints that aren't in any wordlist because they're custom to your app.
Secret scanning has exploded. GitHub scans for exposed keys in public repos. But AI agents scan everything: JavaScript bundles, source maps (why are those in production?), error messages, API responses. They correlate across sources. A partial AWS key in a JS file plus a region hint in an error message plus a bucket name in a config equals full access.
None of these attack vectors are new. Subdomain takeovers, exposed client-side secrets, misconfigured cloud storage. Known risks for years. On every checklist.
AI didn't create these weaknesses. Your misconfigured CORS headers were always a problem. Your exposed admin panel was always reachable. Your leaked API key was always in that bundle.
AI removed the obscurity that made them tolerable.
When a human attacker manually tested each endpoint, most were safe. Not secure. Untested. When an AI agent tests every endpoint, there's nowhere to hide.
Security teams have been quietly triaging vulnerabilities with an implicit assumption: "this is technically exploitable, but an attacker would have to find it first, and that's unlikely." That assumption was always shaky. Now it's dead. If it's on the internet, AI will find it, test it, and exploit it.
A lot of "low priority" items in your vulnerability backlog just became urgent.
That staging environment with default credentials? An AI agent finds the subdomain, detects the login page, tries admin/admin, and has access in thirty seconds. That internal API without authentication because "it's only accessible from our office IP"? Hope your allowlist is actually configured correctly.
The takeaway is painful but simple: assume everything is visible.
Every subdomain will be discovered. Every endpoint probed. Every piece of client-side code analyzed. Every misconfiguration found.
Build on that assumption. If a service doesn't need to be public, don't put it on the internet at all. Not "hidden" on a weird port. Off the internet entirely. If an endpoint requires auth, enforce it at every layer. If you have secrets, keep them server-side, in a secrets manager, rotated regularly.
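The secret-scanning paragraph above describes what an agent pulls out of shipped JavaScript bundles and source maps; the advice here is to keep secrets server-side. The same scan is cheap to run on your own side before anything ships. Below is an added example (not code from the original post or from any product it mentions) of a pre-deploy check over a build output directory: it flags shipped `.map` files, `sourceMappingURL` pointers, and anything matching the public AWS access key ID format. The sample build it scans is constructed inline, and the key ID in it is the documented AWS example value, not a real credential.

```python
import os
import re
import tempfile

# Checks run over text assets. The AWS access key ID format (AKIA plus
# 16 uppercase alphanumerics) is public; a sourceMappingURL pointer
# means a source map was meant to ship alongside the bundle.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "source_map_reference": re.compile(r"//[#@]\s*sourceMappingURL=\S+"),
}
TEXT_SUFFIXES = (".js", ".mjs", ".html", ".json")


def scan_build_dir(root):
    """Return sorted (relative_path, finding) pairs for a build directory.
    A shipped .map file is itself a finding; an empty list means clean."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.endswith(".map"):
                findings.append((rel, "source_map_file"))
            elif name.endswith(TEXT_SUFFIXES):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                for label, pattern in PATTERNS.items():
                    if pattern.search(text):
                        findings.append((rel, label))
    return sorted(findings)


def make_sample_build():
    """Constructed sample build output (not real data): a clean vendor
    bundle, an app bundle leaking an AWS example key ID plus a source-map
    pointer, and the .map file itself."""
    root = tempfile.mkdtemp(prefix="build-")
    os.makedirs(os.path.join(root, "static"))
    files = {
        "static/vendor.js": "!function(){console.log('ok')}();\n",
        "static/app.js": "const cfg={key:'AKIAIOSFODNN7EXAMPLE'};\n"
                         "//# sourceMappingURL=app.js.map\n",
        "static/app.js.map": '{"version":3,"sources":["src/app.ts"]}\n',
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Wired into CI as a step that fails on any non-empty result, this catches the bundle leak before the internet does; extend `PATTERNS` with the formats of whatever other credentials your stack issues.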
Every external-facing surface is being tested by a thorough, tireless, infinitely patient auditor. Right now.
Obscurity was never a real defense. But it was a real comfort. Now it's gone.
What actually protects you is the work: proper authentication, proper authorization, proper configuration, proper monitoring. No shortcuts. No "nobody will find this." No "it's just a staging server."
If it's on the internet, it's being tested. Right now.
See what attackers see
Run a free Rampart scan on your domain and get a full security report in minutes.