Today we’re releasing findings from a statistical sample of over 2 million internet-exposed assets, across on-prem, cloud, APIs, and web apps, discovered and analyzed by the CyCognito platform.
The analysis focused on identifying exploitable assets across several key industries, using techniques that simulate real-world attacker behavior, including:
Black-box pentesting using 90,000+ exploit modules, credential stuffing simulations, data exposure detection, and similar attacker-emulation tests.
Dynamic Application Security Testing (DAST) to identify runtime web application vulnerabilities.
Active vulnerability scanning of internet-facing services to detect CVEs, misconfigurations, and exposed assets.
In a year defined by rising geopolitical tensions, stricter cyber disclosure mandates, and a series of high-profile breaches, the timing of this research is no coincidence.
As security leaders face growing pressure to demonstrate control over their digital perimeter, internet-facing assets remain the biggest unknown – often invisible until it’s too late.
By sharing these findings, our goal isn’t just to highlight where vulnerabilities concentrate, but to expose why surface scans and static inventories continue to miss the risks that turn into tomorrow’s headlines.
Methodology
This analysis is based on a random sample of over 2 million internet-exposed cloud assets, drawn from a broader dataset identified and analyzed by the CyCognito platform between January 1, 2024, and June 2025. The sample is meant to provide statistically meaningful insights into vulnerability patterns across different industries, focusing on three commonplace asset types: APIs, web applications, and cloud infrastructure. Each asset was attributed to its rightful business owner using CyCognito’s proprietary attribution engine, and that owner’s industry was classified according to the Global Industry Classification Standard (GICS).
Vulnerable assets were flagged based on a combination of known exploitable issues, exposed sensitive data, outdated software, and other misconfigurations, each validated through non-intrusive automated testing.
What’s Exposed? A Cross-Asset View
Zooming out, here is the share of assets found vulnerable within each of the three asset types:
Cloud assets: 13.6%
APIs: 20.8%
Web applications: 19.6%
As one would expect, APIs and web applications represent the highest concentration of risk. Their proliferation – especially via shadow IT and third-party integrations – makes them easy to introduce and hard to govern.
When viewed industry by industry, the distribution of vulnerable vs. non-vulnerable assets varies – sometimes dramatically:
Industry                  | Vulnerable Assets | Non-Vulnerable Assets
Construction              | 18%               | 82%
Education                 | 31%               | 69%
Energy                    | 18%               | 82%
Finance                   | 5%                | 95%
Government                | 26%               | 74%
Health Care & Insurance   | 16%               | 84%
Hospitality               | 15%               | 85%
Manufacturing             | 19%               | 81%
Media                     | 21%               | 79%
Professional Services     | 28%               | 72%
Retail                    | 27%               | 73%
Technology                | 15%               | 85%
Telecommunications        | 15%               | 85%
Transport                 | 12%               | 88%
Top 5 Most Exposed Industries: Beyond the Statistics
Importantly, these numbers are more than abstract statistics: they’re signals of real-world consequences already unfolding.
Each percentage point represents a potential incident, a compromised system, or a breach waiting to happen. Behind the data are actual events – many recent, some still under investigation – that validate these findings and suggest that without urgent improvements, more headlines are inevitable.
Here is how this comes into play across the top five most vulnerable industries:
1. Education
Cloud: 17.6% | APIs: 37.7% | Web Apps: 35.3%
Rising digital adoption, limited security investment, and sprawling infrastructure make education a perfect storm for attackers. The December 2024 PowerSchool breach exposed millions of records, spotlighting sector-wide weaknesses.
2. Retail
Cloud: 23.3% | APIs: 29.8% | Web Apps: 30.9%
Retail’s complexity and third-party dependencies create persistent blind spots. The April 2025 Marks & Spencer breach exploited a supplier vulnerability, resulting in data loss and estimated losses over £300 million.
3. Government
Cloud: 18.4% | APIs: 18.5% | Web Apps: 30.4%
Public sector assets are increasingly targeted by state-sponsored actors. A 2025 Homeland Threat Assessment from DHS warned of intensified nation-state cyber campaigns targeting critical government infrastructure.
4. Professional Services
Cloud: 25% | APIs: 10.6% | Web Apps: 30.1%
Despite lower API exposure, the sector shows high vulnerability in web and cloud due to fragmented IT environments and decentralized client delivery. In 2024, Capita suffered a breach affecting internal systems tied to misconfigured internet-facing assets.
5. Media
Cloud: 13.8% | APIs: 18.8% | Web Apps: 25.7%
Media platforms prioritize delivery speed and content availability – often at the expense of hardening controls. The Vice Media breach in late 2023 exposed internal systems, highlighting risks in CMS and adtech APIs.
Notably, each of these industries carries a distinct risk signature. For education, it’s often the concentration of sensitive personal data on undermanaged and outdated systems.
For retail, it’s often the reliance on interconnected vendors and e-commerce platforms that expand the attack surface. For government systems, it is often the combination of legacy technology and publicly exposed services that create points of vulnerability.
Professional services face compounded exposure due to client-specific environments and asset sprawl. And media’s drive for publishing velocity often outpaces governance, leaving APIs and CMS platforms as recurring weak points.
While on paper two industries might show similar vulnerability percentages across one or more asset types, the damage those vulnerabilities could cause varies widely. For example, an exposed university app might leak vast amounts of personally identifiable information (PII), triggering reputational damage, regulatory violations, and public backlash.
As serious as that is, the impact might be dwarfed by a vulnerable edge device in a telecom or government network, where exploitation might serve as a pivot point for lateral movement, privilege escalation, and long-dwell attacks that quietly compromise critical infrastructure from the inside out.
Understanding the context of who owns the asset, what it does, and especially how attackers see it in the context of a broader network is where real exposure management takes place.
Shared Understanding
Security threats are diverse, and so are the ways they are measured and perceived. The above report offers one perspective, based on data observed through the CyCognito platform, serving as a piece of a larger puzzle.
Attack surfaces are dynamic, and risks are constantly evolving. No single analysis can (or should) claim to capture it all. That’s why we believe information sharing between security vendors is essential, and this is us doing our part by offering a window into what we see in our day-to-day work.
By contributing our findings, we hope to support a broader awareness, helping defenders, decision-makers, and organizations make more informed choices. We believe that shared insight leads to shared resilience. The more viewpoints we bring together, the better equipped we are to protect what matters.
Zohar Venturero is a data scientist with extensive experience in data analysis and offensive security research, bringing a unique analytical perspective to cybersecurity challenges through both defensive insights and hands-on security testing expertise.