Personal OPSEC
Compartmentalize your digital life to minimize personal attack surface using threat modeling, identity segmentation, and operational discipline.
Your Personal Attack Surface Is Wider Than You Think
You spend your workday hardening production systems, rotating credentials, and reviewing threat models. Then you go home, log into your personal email with a password you set in 2014, and push side-project code from the same machine that has your brokerage account open in the next tab.
The irony of the security-savvy engineer with terrible personal hygiene is so common it's practically a meme in red team circles. But the consequences are real: your personal accounts are the soft underbelly that attackers exploit to pivot into your professional life, or to compromise you directly.
Defining Your Personal Attack Surface
Your personal attack surface includes every system, account, device, identity, and data store that an adversary could target to harm you personally. This extends far beyond your laptop:
- Accounts: Email, social media, banking, brokerage, cloud storage, gaming, forums, package managers (npm, PyPI), DNS registrars, domain hosting
- Devices: Phones, tablets, laptops, smart home devices, routers, NAS, security cameras
- Identities: Real name, usernames, email addresses, phone numbers, physical addresses, employer association
- Data stores: Cloud backups, local drives, USB devices, old hard drives, paper documents
- Network presence: Home IP, DNS queries, ISP metadata, VPN exit nodes
The Work-Personal Overlap Problem
The most dangerous area of your attack surface is where work and personal life intersect:
+---------------------------------------------+
|              YOUR RISK SURFACE              |
|                                             |
|  +----------+         +-----------+         |
|  |   WORK   |         | PERSONAL  |         |
|  |          +---------+           |         |
|  | Corp SSO |         | Gmail     |         |
|  | Slack    |    ^    | GitHub*   |         |
|  | AWS Prod |    |    | Side proj |         |
|  +----------+    |    +-----------+         |
|                  |                          |
|             OVERLAP ZONE                    |
|   - Same password manager?                  |
|   - Same browser profile?                   |
|   - Same SSH keys?                          |
|   - Same device?                            |
+---------------------------------------------+
When an engineer's personal GitHub account is compromised, the attacker may find SSH keys, .env files, or access tokens that lead directly to employer infrastructure. The 2022 LastPass breach cascaded precisely because an engineer's personal development environment was targeted.
Starting Your OPSEC Audit
Before you can fix anything, you need to inventory what you have. Start by asking:
- How many email addresses do I have, and what are they used for? Most engineers have 3-8 active email addresses scattered across services.
- What's discoverable about me from a simple OSINT search? Try running yourself through tools like sherlock, theHarvester, or even just Google dorking your name.
- What accounts use the same credentials or recovery paths? A single compromised email that serves as recovery for 40 other accounts is a catastrophic single point of failure.
- What devices on my network can reach the internet? You may be surprised. Run nmap -sn 192.168.1.0/24 on your home network.
# Quick OSINT self-check
sherlock your_username --print-found
# Google dork yourself
# site:github.com "your_email@gmail.com"
# "your_real_name" filetype:pdf
# "your_username" site:pastebin.com
The output of this audit is your personal asset inventory, the foundation for every OPSEC decision that follows. You can't protect what you don't know about.
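Once the inventory exists, the recovery-path question from the audit list can be answered mechanically. The sketch below is an added example, not part of the original lesson: the account names and recovery links are constructed sample data, and it assumes any single listed recovery path is enough to reset an account. It follows recovery chains transitively to flag single points of failure and personal accounts whose compromise reaches a work account.

```python
from collections import defaultdict

# Constructed sample inventory (not real accounts). "recovery" lists the
# accounts that can reset this one; "zone" marks work vs. personal.
INVENTORY = [
    {"name": "gmail-main",    "zone": "personal", "recovery": ["phone-sms"]},
    {"name": "phone-sms",     "zone": "personal", "recovery": []},
    {"name": "github",        "zone": "personal", "recovery": ["gmail-main"]},
    {"name": "brokerage",     "zone": "personal", "recovery": ["gmail-main", "phone-sms"]},
    {"name": "dns-registrar", "zone": "personal", "recovery": ["gmail-old"]},
    {"name": "gmail-old",     "zone": "personal", "recovery": ["gmail-main"]},
    {"name": "corp-sso",      "zone": "work",     "recovery": ["corp-helpdesk"]},
    {"name": "corp-helpdesk", "zone": "work",     "recovery": []},
    {"name": "aws-prod",      "zone": "work",     "recovery": ["corp-sso", "gmail-main"]},
]

def blast_radius(inventory):
    """Map each account to every account reachable through recovery chains."""
    resets = defaultdict(set)          # account -> accounts it can reset
    for acct in inventory:
        for r in acct["recovery"]:
            resets[r].add(acct["name"])
    radius = {}
    for acct in inventory:
        seen, stack = set(), [acct["name"]]
        while stack:                   # iterative DFS; tolerates cycles
            for nxt in resets[stack.pop()]:
                if nxt not in seen and nxt != acct["name"]:
                    seen.add(nxt)
                    stack.append(nxt)
        radius[acct["name"]] = seen
    return radius

def audit(inventory, threshold=3):
    """Return (single points of failure, personal->work takeover paths)."""
    zone = {a["name"]: a["zone"] for a in inventory}
    radius = blast_radius(inventory)
    # An account is a single point of failure if it unlocks >= threshold others.
    spof = sorted(n for n, r in radius.items() if len(r) >= threshold)
    # Overlap zone: a personal account that transitively resets a work account.
    crossing = sorted((n, t) for n, r in radius.items() for t in r
                      if zone[n] == "personal" and zone[t] == "work")
    return spof, crossing

if __name__ == "__main__":
    spof, crossing = audit(INVENTORY)
    print("single points of failure:", spof)
    print("personal -> work paths:", crossing)
```

In the sample data the SMS number ranks above the main mailbox because it resets that mailbox, which is the kind of indirect dependency a flat list of accounts hides.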
The Mindset Shift
OPSEC isn't a tool you install. It's an operational discipline: the habit of continuously evaluating what information you're exposing and whether that exposure creates unacceptable risk. In the next lessons, we'll build the frameworks and systems to make this sustainable, not just a one-time audit.