Shadow IT
Unauthorized hardware, software, or cloud services deployed without IT approval.
The original and most pervasive shadow threat in enterprise environments.
Shadow Cloud
Unapproved cloud services (AWS, Azure, GCP instances) provisioned by employees.
Often leads to data exfiltration and compliance violations.
Shadow SaaS
Third-party SaaS applications connected to corporate data without security review.
Prime vector for OAuth phishing and data leakage.
Shadow Data
Corporate data stored in unauthorized locations - personal drives, USB keys,
consumer cloud storage. GDPR nightmare material.
Shadow IoT
Rogue IoT devices on corporate networks - smart TVs, cameras, thermostats.
Perfect for lateral movement and network reconnaissance.
Shadow APIs
Undocumented or forgotten API endpoints exposed to the internet.
Often lack authentication and reveal sensitive business logic.
Shadow Admin
Unauthorized elevation of privileges or hidden administrative accounts.
Classic privilege escalation vector and insider threat indicator.
Shadow Accounts
Orphaned user accounts, service accounts without owners, or accounts that
survived offboarding processes. Perfect for persistence.
Shadow Access
Unmonitored access paths to systems - backdoors, debug interfaces,
maintenance accounts, or legacy authentication mechanisms.
Shadow Credentials
API keys, tokens, and certificates stored in code repos, config files,
or CI/CD systems. A favorite target of automated GitHub secret scanners.
Shadow VPN
Unauthorized VPN tunnels or remote access tools (TeamViewer, AnyDesk).
Bypasses corporate security controls entirely.
Shadow SSO
OAuth integrations and SAML connections created outside IT processes.
Token theft and session hijacking paradise.
Shadow Code
Unauthorized code repositories, forks, or development environments.
Source of IP leakage and supply chain vulnerabilities.
Shadow Deployment
Production deployments bypassing CI/CD pipelines and change control.
Often lacks security scanning and audit trails.
Shadow Containers
Docker containers running without orchestration platform visibility.
Unpatched, unmonitored, and unmaintained attack surface.
Shadow Kubernetes
K8s clusters deployed outside central management - developer laptops,
test environments promoted to production without approval.
Shadow Databases
Unauthorized database instances (PostgreSQL, MongoDB, Redis) containing
production data copies. Compliance and backup disasters waiting to happen.
Shadow Dependencies
Undocumented third-party libraries and packages in production code.
Supply chain attack entry points and licensing nightmares.
Shadow Network
Rogue wireless access points, unauthorized switches, or peer-to-peer networks.
Classic lateral movement enabler and monitoring blind spot.
Shadow DNS
Unauthorized DNS servers or zones, typosquatting domains, or DNS tunneling.
Command-and-control communication and data exfiltration channel.
Shadow Proxy
Unauthorized proxy servers, SOCKS tunnels, or traffic forwarding.
Bypasses DLP, firewalls, and content filtering.
Shadow Certificate
Self-signed or unauthorized SSL/TLS certificates in production.
Enables MITM attacks and breaks certificate pinning.
Shadow Firewall
Host-based firewalls with custom rules conflicting with corporate policy.
Creates security policy inconsistencies and blind spots.
Shadow Load Balancer
Unauthorized load balancers or reverse proxies (nginx, HAProxy).
Hidden entry points and traffic manipulation opportunities.
Shadow Process
Rootkits and malware hiding processes from system monitoring tools.
DKOM (Direct Kernel Object Manipulation) and process hollowing techniques.
Shadow DLL
DLL hijacking, DLL injection, and phantom DLL loading for code execution.
Classic persistence mechanism in Windows environments.
Shadow Registry
Hidden Windows registry keys for persistence and configuration.
Run keys, services, and WMI event subscriptions.
Shadow Copy
Volume Shadow Copy abuse for credential harvesting and data recovery.
VSS Admin with NTDS.dit extraction is a classic.
Shadow Stack
Return-oriented programming and stack manipulation for exploit development.
Bypasses DEP and ASLR protections.
Shadow Command
Obfuscated PowerShell, encoded bash scripts, or fileless malware execution.
Living-off-the-land binaries (LOLBins) and AMSI bypass.
Shadow SIEM
Log aggregation tools deployed without SOC integration.
Creates monitoring gaps and alert fatigue through fragmentation.
Shadow Monitoring
Unauthorized monitoring agents (Prometheus, Datadog, New Relic).
Performance impact and potential data exfiltration channel.
Shadow Backup
Unmanaged backup systems and data copies outside retention policies.
Ransomware's favorite target and compliance violation.
Shadow Encryption
Custom encryption implementations or key management outside PKI.
Weak crypto, key escrow nightmares, and audit failures.
Shadow Endpoint
Devices missing EDR agents or bypassing endpoint security.
BYOD gone wrong and management platform blind spots.
Shadow Patch
Systems excluded from patch management or updated only by hand.
Persistent vulnerabilities and compliance failures.
Shadow AI
Unauthorized AI/ML models and ChatGPT integrations processing corporate data.
Data leakage to OpenAI, Google Bard, or Claude APIs.
Shadow Serverless
AWS Lambda or Azure Functions deployed without governance.
Hidden compute costs and unmonitored code execution.
Shadow Blockchain
Unauthorized cryptocurrency mining or blockchain nodes on infrastructure.
Resource theft and potential ransomware payment channels.
Shadow Workflow
Zapier, IFTTT, or custom automation connecting corporate systems.
Business logic exposure and data flow outside control.
Shadow Collaboration
Slack, Discord, or Teams channels shared with external parties for data exchange.
Information leakage and social engineering entry point.
Shadow Mobile
Personal devices accessing corporate resources without MDM.
BYOD security gaps and lost/stolen device data exposure.
Shadow Storage
Unauthorized object storage - public S3 buckets, misconfigured Azure Blob Storage.
Massive data exposure and exploding cloud bills.
Shadow Cache
Redis, Memcached instances deployed without supervision for performance.
Sensitive data held unencrypted in memory, with no durable persistence.
Shadow CDN
Unauthorized CDNs (Cloudflare, Fastly) or misconfigured caches exposing data.
Data leakage via edge locations and cache purge issues.
Shadow Sync
Dropbox, OneDrive, Google Drive sync agents on workstations.
Automatic copying of corporate data to personal cloud storage.
Shadow MFA
Parallel 2FA/MFA systems or undocumented bypass methods.
Rollback to SMS, "trusted device" bypass, or silent disable.
Shadow Federation
Undocumented SAML/OpenID Connect identity federations with partners.
Hidden trust relationships and cross-tenant privileges.
Shadow Directory
Unauthorized LDAP/Active Directory replicas or alternative directories.
Credential synchronization and policy desynchronization.
Shadow PAM
Privileged Access Management bypassed via local sudo or emergency accounts.
Privileged access not recorded in the centralized vault.
Shadow Email
Unauthorized SMTP servers or forwarding rules to personal email addresses.
Email DLP bypass and missing regulatory archiving.
Shadow Messaging
WhatsApp Business, Telegram, Signal for professional communications.
Business data on end-to-end encrypted messaging outside IT control.
Shadow Video
Unmanaged Zoom/Teams rooms and local recordings of sensitive meetings.
Unencrypted storage of confidential videos on laptops.
Shadow Voice
Unauthorized VoIP systems or softphones connected directly to the network.
Unrecorded voice communications and QoS bypass.
Shadow Sandbox
Malware analysis environments (Cuckoo, ANY.RUN) not integrated with SOC.
Sample detonation without correlation to active incidents.
Shadow Honeypot
Honeypots/honeynets deployed without coordination with defense teams.
False-positive alerts, or real attackers going untracked.
Shadow Pentest
Penetration tests launched without formal authorization or notification.
Confused with real attacks, triggering IR response to false incidents.
Shadow Vuln Scanner
Nessus, OpenVAS, or Nuclei launched without coordination with patch management.
Aggressive scans impact production and cause accidental DoS.
Shadow Audit Log
Parallel logging systems for local compliance without SIEM integration.
Duplicated logs, inconsistent retention, and correlation gaps.
Shadow Compliance Tool
GRC tools deployed in departmental silos.
Contradictory risk assessments and fragmented compliance status.
Shadow DLP
Non-centralized Data Loss Prevention tools - local endpoint agents.
Conflicting DLP policies and alerts not escalated to SOC.
Shadow Policy
Local security policies contradicting corporate directives.
Divergent technical standards and unapproved exceptions.
Shadow Legacy System
Forgotten mainframes, AS/400, or Unix systems still connected to the network.
No patches in years, lost documentation, retired experts.
Shadow Protocol
Obsolete protocols still active - Telnet, FTP, SMBv1, SSLv3.
Cleartext authentication and unpatched known vulnerabilities.
Shadow Port
Non-standard ports open for hidden services or debugging.
Accidental backdoors and services exposed without authentication.
Shadow Cron
Undocumented scheduled tasks on servers - crontab, Task Scheduler.
Legacy scripts with no owner and hardcoded credentials.