
It could be some subdomain that’s hard to guess. You can’t (generally) enumerate all subdomains through DNS, and if you use a wildcard TLS certificate (or self-signed / no cert at all), it won’t be leaked to CT logs either. Secret hostname.


Examples: github.internal.companyname.com or jira.corp.org or jenkins-ci.internal-finance.acme-corp.com or grafana.monitoring.initech.io or confluence.prod.internal.companyx.com, etc.

With these, if you don't know the host, you will not be able to hit the backend service. But if you know it, you can start exploiting it, either through lack of auth or by trying to exploit the software itself.
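The wildcard-certificate point from the thread above, as an added example that is not part of the original comments: an offline audit that classifies your own hostnames by what publicly logged certificates reveal about them. The function names and the certificate SAN lists are constructed for illustration; the hostnames are the ones quoted in the thread.

```python
# Added example: helper names are hypothetical, certificate data is constructed.

def wildcard_covers(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' stands for exactly one left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    return len(p) == len(h) and p[1:] == h[1:]


def ct_exposure(hosts, cert_sans):
    """Classify each host by what a CT-logged certificate reveals about it.

    cert_sans: list of SAN lists, one per publicly issued (CT-logged) cert.
    Returns {host: (status, names_visible_in_ct)} where status is
    'named' (full hostname is in a log), 'wildcard' (only the parent
    zone is in a log) or 'uncovered' (no logged cert matches at all).
    """
    logged = {name.lower() for sans in cert_sans for name in sans}
    report = {}
    for host in hosts:
        h = host.lower()
        if h in logged:
            report[host] = ("named", [h])
            continue
        covering = sorted(
            n for n in logged if n.startswith("*.") and wildcard_covers(n, h)
        )
        report[host] = ("wildcard", covering) if covering else ("uncovered", [])
    return report


# Hostnames quoted in the thread; SAN lists below are constructed.
HOSTS = [
    "github.internal.companyname.com",
    "jira.corp.org",
    "jenkins-ci.internal-finance.acme-corp.com",
]
CERT_SANS = [
    ["*.internal.companyname.com"],      # hides 'github', still logs 'internal'
    ["jira.corp.org", "www.corp.org"],   # full hostname goes to CT
    ["*.acme-corp.com"],                 # one label only: does not cover jenkins-ci
]

if __name__ == "__main__":
    for host, (status, names) in ct_exposure(HOSTS, CERT_SANS).items():
        print(f"{host:45} {status:10} {names}")
```

A wildcard hides only the left-most label, so the parent zone it is issued for still appears in the logs, and a host two labels below the wildcard is not covered by it.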



