Field Notes · Regional · 12 April 2026
CGNAT and the Empty Map
Walking through the Fes medina I started counting. A dome camera above a doorway. A DVR behind the glass of a bakery. A router taped to a windowsill next to a balcony. Back in the room that evening I asked the question that should have come first: how much of this is visible from the Internet?
The answer, run through the standard tools that an analyst would use from anywhere in Europe, is almost nothing. Shodan, Censys, GreyNoise all return clean results for a tourist quarter that should, by any reasonable count, be full of exposed devices. The methodology is not broken; it is calibrated for a different geography, built around assumptions that hold in Amsterdam or Frankfurt but fail in Fes or Tunis.
In Morocco, Algeria, Tunisia and parts of the wider MENA region, Carrier-Grade NAT can make remote enumeration understate the local device surface. A single public IP may serve many subscribers simultaneously. From the open Internet, devices inside a single riad can be invisible or collapsed behind a shared address that Shodan reads as one router. A pre-investment cyber assessment built only on remote enumeration tools can produce a defensible deliverable that misses much of the local picture.
The exposure does not disappear. It moves to a different layer. A laptop on the same Wi-Fi network, a device that walks within range of the building's signal, an installer who returns once a year to service the DVR, can reach what the Internet scan cannot. The threat model is no longer remote but proximate, social, and embedded in how the building actually operates.
This matters specifically for digital due diligence: a report that says "low exposure" is not wrong about what its methodology can see, but it is wrong about which methodology was needed, and the distinction is not a minor technical point.
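One check an assessor can run on site before trusting a remote scan, added here as an example and not part of the original notes: compare the address on the router's WAN interface with the address the outside world sees. The function names, site names and addresses are assumptions constructed for illustration; 100.64.0.0/10 is the RFC 6598 shared space reserved for carrier-grade NAT.

```python
import ipaddress

# RFC 6598 shared address space, set aside for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, observed_public_ip):
    """Classify a site's uplink from two facts gathered on site.

    wan_ip: address on the router's WAN interface (from its status page).
    observed_public_ip: source address an external service sees for the site.
    """
    wan = ipaddress.ip_address(wan_ip)
    public = ipaddress.ip_address(observed_public_ip)
    if wan in CGNAT_NET:
        return "cgnat"              # operator shared space
    if any(wan in net for net in PRIVATE_NETS):
        return "private-upstream"   # another NAT sits above the router
    if wan != public:
        return "translated"         # address is rewritten somewhere upstream
    return "direct"                 # router holds the public address itself


def sites_needing_onsite_review(sites):
    """Return names of sites whose remote scan cannot be attributed to them."""
    return [name for name, wan, public in sites
            if classify_wan(wan, public) != "direct"]


# Constructed sample data: documentation ranges stand in for public addresses.
SAMPLE_SITES = [
    ("riad-a", "100.72.14.9", "203.0.113.20"),
    ("riad-b", "100.101.3.77", "203.0.113.20"),   # same shared public address
    ("bakery", "10.24.0.5", "203.0.113.20"),
    ("office", "198.51.100.7", "198.51.100.7"),
]

if __name__ == "__main__":
    for name, wan, public in SAMPLE_SITES:
        print(f"{name:8} {classify_wan(wan, public)}")
    print("on-site review:", sites_needing_onsite_review(SAMPLE_SITES))
```

Any result other than "direct" means a scan of the public address describes the operator's or building's translator, so the report should record that the remote result does not cover that site.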
The map an analyst trusts is the map their tools draw.
- APNIC blog material on CGNAT, NAT traversal and IPv4 scarcity.
- Regional Internet Registry data reviewed through AFRINIC for North Africa and RIPE NCC where applicable for wider MENA operators.
- The opening observation is consistent with the author's own field measurement work in the Fes medina, conducted in March 2026 and published separately on this site.