by lbriner 1536 days ago
I think it's great that more companies are open about what they are doing for security. It makes it sound like they are confident in their abilities, unlike other people who are nervous to mention things like "We use Octopus" or "We use AKS" because we are less confident that the information is not an invitation to a hacker!

Now all we need is to somehow capture some of this "best practice" and make it normal practice, enabled by default and documented well so that organisations don't set stuff up and then disable all the controls because it is too hard to understand.

1 comments

One reason why companies would not do this is to give a little bit of protection against zero-days. When a zero-day is released, all providers notice a huge scan for the vulnerability. Scanning huge blocks of the internet takes time, but if a hacker has a list of which companies use which tools and where, it can be narrowed down a lot.

AWS/Azure/GCP/..., for example, have published IP ranges of their services. If a zero-day for any of those services is released, a hacker can already narrow down the attack range and gain a lot of time.

That seems like a bad reason. With a good enough connection and `masscan` you can "scan the whole internet" (single port) in 5 min. Security through obscurity on IPv4 makes no sense.