Today, we’re thrilled to sit down with Vernon Yai, a renowned data protection expert with deep expertise in privacy protection and data governance. With a career dedicated to risk management and pioneering detection and prevention techniques, Vernon has become a trusted voice in the cybersecurity industry. In this conversation, we dive into the eerie world of “zombie projects”—forgotten or abandoned assets that continue to haunt organizations by undermining their security. From outdated code and unmanaged hardware to neglected cloud services and APIs, Vernon sheds light on how these undead elements expand attack surfaces, the challenges companies face in managing them, and the strategies needed to keep these risks buried for good.
Can you explain what “zombie projects” or “zombie assets” are in the context of cybersecurity, and why they’re such a persistent problem?
Absolutely. Zombie projects or assets refer to elements within an organization’s IT environment—be it software, hardware, services, or even code—that have been abandoned or forgotten but are still active in some way. Think of old servers that no one monitors, outdated applications still running in the background, or cloud storage buckets left unsecured. They’re called “zombies” because they’re essentially dead to the organization in terms of oversight, yet they’re still “alive” and connected to the network. They’re a problem because without active management, they don’t get patched or updated, making them easy targets for attackers. Over time, they become ticking time bombs, just waiting for someone to exploit their vulnerabilities.
What kinds of assets typically fall into this “zombie” category in modern companies?
You see a wide range. It could be old hardware like servers or devices that were set up for a specific project and then forgotten when the project ended. Then there’s software—think legacy applications or codebases with outdated components that no one’s touched in years. Cloud infrastructure is a big one too, like unused S3 buckets or domains that haven’t been decommissioned. Even APIs can become zombies when they’re left active for compatibility reasons but aren’t monitored. Basically, anything that’s out of sight, out of mind, but still operational can turn into a zombie asset.
How do these forgotten assets specifically increase a company’s risk of cyber threats?
The biggest issue is that they’re unmanaged. If no one’s looking after a device or service, you’re not applying security patches, updating software, or even monitoring for unusual activity. That means if it’s compromised, you might not notice until it’s too late. These assets also expand what we call the attack surface—the total number of points an attacker can target. Every forgotten server, unpatched piece of software, or exposed API is a potential entry point. And since many of these zombies are old, they often have known vulnerabilities that attackers can easily exploit using publicly available tools or exploits.
Focusing on zombie code, why is outdated or abandoned code such a significant issue for organizations?
Zombie code is a massive headache because it’s often deeply embedded in an organization’s systems, yet completely overlooked. A lot of it involves open-source components that haven’t been updated in years, sometimes a decade or more behind the current version. These outdated pieces are riddled with known vulnerabilities—critical flaws that attackers can exploit. Plus, as applications grow, the sheer volume of code increases, and it’s easy for developers to lose track of what’s still in use versus what’s just lingering. That hidden, unmaintained code becomes a liability, especially since it’s often tied to critical systems where a breach could do serious damage.
Let’s talk about hardware. What challenges do companies face with unmanaged hardware, and why is it often so hard to track down?
Unmanaged hardware is tricky because it’s not just about the device itself—it’s about the lack of visibility. Often, these are devices set up for a one-off purpose, like a test server or a temporary workstation, and then left behind. The challenge is that no one may know it exists anymore, especially if the employee who set it up has left the company. Without documentation or a centralized inventory, it’s like looking for a needle in a haystack. And even when you find it, deciding what to do—whether to decommission or secure it—takes resources and manpower that companies often don’t prioritize until a breach forces their hand.
Cloud infrastructure seems to create its own set of zombie problems. Can you explain how forgotten cloud services or domains contribute to security risks?
Cloud environments are a breeding ground for zombie issues because they’re so easy to spin up and so hard to keep track of. You might have a team set up a storage bucket or a web service for a project, and when the project ends, they forget to shut it down. Or you’ve got expired domains that still have automated processes trying to renew certificates, wasting resources and creating noise that can mask real threats. These forgotten cloud assets often remain publicly accessible, which is a goldmine for attackers looking to steal data or distribute malware. The scale of cloud usage today means even a small percentage of zombie services can create a big problem.
APIs are another area of concern. Why are forgotten or shadow APIs particularly dangerous for companies?
Forgotten or shadow APIs are dangerous because they’re often undocumented and unmonitored, yet they still provide access to sensitive data or business logic. A zombie API might be an old version left running for backward compatibility, written with outdated security practices, making it an easy target. Shadow APIs, on the other hand, are ones that developers create without IT’s knowledge, so there’s no oversight at all. Both can be exploited without anyone noticing since they’re outside the usual security perimeter. Attackers can use them to manipulate systems or extract data, and because they’re hidden or forgotten, the breach might go undetected for months.
With the rise of AI projects, how are companies inadvertently creating new zombie risks, and what makes these especially concerning?
AI projects are adding a new layer of complexity to the zombie problem. Many companies rush to pilot AI tools or services, connecting them to real data without fully securing them. When they move on to other solutions, these endpoints or agents are often left behind, still accessible over the internet. What’s concerning is that AI services can span multiple environments—cloud, endpoints, third-party integrations—and often handle sensitive data. A forgotten AI agent could be queried by anyone, leaking proprietary information. Plus, the rapid deployment of AI means security teams are struggling to keep up, leaving these zombies as potential backdoors for attackers.
What strategies or approaches do you recommend for organizations to tackle the issue of zombie assets across their systems?
The key is visibility and automation. First, companies need to map out their entire attack surface—every device, service, piece of code, and API—and maintain an up-to-date inventory. Automated scanning tools can help identify zombie assets by flagging outdated components, unpatched systems, or unused services. Prioritize remediation based on risk—focus on critical vulnerabilities first. Regular audits and strict update cadences, especially for open-source software, are crucial. Also, enforce decommissioning policies; when a project ends, ensure resources are shut down or repurposed. Finally, foster collaboration across teams—security, IT, and development need to work together to hunt down and eliminate these risks before they’re exploited.
Looking ahead, what is your forecast for how the challenge of zombie assets will evolve in the coming years?
I think the challenge will only grow as companies adopt more complex technologies like AI, IoT, and multi-cloud environments. The sheer volume of assets will make it harder to maintain visibility, and the speed of deployment will outpace traditional security measures. We’ll likely see more sophisticated attacks targeting these forgotten elements, as attackers know they’re low-hanging fruit. On the flip side, I expect advancements in automation and AI-driven security tools to help detect and mitigate zombie risks faster. But it’ll be a race—organizations that don’t prioritize asset management and proactive security will find themselves increasingly vulnerable to breaches stemming from these undead assets.
