Today we’re releasing findings from a statistical sample of over 2 million internet-exposed assets, across on-prem, cloud, APIs, and web apps, discovered and analyzed by the CyCognito platform.
The analysis focused on identifying exploitable assets across several key industries, using techniques that simulate real-world attacker behavior, including:
In a year defined by rising geopolitical tensions, stricter cyber disclosure mandates, and a series of high-profile breaches, the timing of this research is no coincidence.
As security leaders face growing pressure to demonstrate control over their digital perimeter, internet-facing assets remain the biggest unknown – often invisible until it’s too late.
By sharing these findings our goal isn’t just to highlight where vulnerabilities concentrate, but to expose why surface scans and static inventories continue to miss the risks that turn into tomorrow’s headlines.
This analysis is based on a random sample of over 2 million internet-exposed assets, drawn from a broader dataset identified and analyzed by the CyCognito platform between January 1, 2024, and June 2025. The sample is meant to provide statistically meaningful insights into vulnerability patterns across different industries, focusing on three commonplace asset types: APIs, web applications, and cloud infrastructure.
Each of the assets was attributed to its rightful business owner using CyCognito’s proprietary attribution engine, and its respective industry, aligned with the Global Industry Classification Standard (GICS).
Vulnerable assets were flagged based on a combination of known exploitable issues, exposed sensitive data, outdated software, and other misconfigurations, each validated through non-intrusive automated testing.
Zooming out, here’s how vulnerability breaks down across the three asset types:
As one would expect, APIs and web applications represent the highest concentration of risk. Their proliferation – especially via shadow IT and third-party integrations – makes them easy to introduce and hard to govern.
When viewed industry by industry, the distribution of vulnerable vs. non-vulnerable assets varies – sometimes dramatically:
| Industry | Vulnerable Assets | Non-Vulnerable Assets |
| --- | --- | --- |
| Construction | 18% | 82% |
| Education | 31% | 69% |
| Energy | 18% | 82% |
| Finance | 5% | 95% |
| Government | 26% | 74% |
| Health Care & Insurance | 16% | 84% |
| Hospitality | 15% | 85% |
| Manufacturing | 19% | 81% |
| Media | 21% | 79% |
| Professional Services | 28% | 72% |
| Retail | 27% | 73% |
| Technology | 15% | 85% |
| Telecommunications | 15% | 85% |
| Transport | 12% | 88% |
Importantly, these numbers are more than abstract statistics; they are signals of real-world consequences already unfolding.
Each percentage point represents a potential incident, a compromised system, or a breach waiting to happen. Behind the data are actual events – many recent, some still under investigation – that validate these findings and suggest that without urgent improvements, more headlines are inevitable.
Here is how this plays out across the top five most vulnerable industries:
1. Education
Rising digital adoption, limited security investment, and sprawling infrastructure make education a perfect storm for attackers. The December 2024 PowerSchool breach exposed millions of records, spotlighting sector-wide weaknesses.
2. Retail
Retail’s complexity and third-party dependencies create persistent blind spots. The April 2025 Marks & Spencer breach exploited a supplier vulnerability, resulting in data loss and estimated losses over £300 million.
3. Government
Public sector assets are increasingly targeted by state-sponsored actors. A 2025 Homeland Threat Assessment from DHS warned of intensified nation-state cyber campaigns targeting critical government infrastructure.
4. Professional Services
Despite lower API exposure, the sector shows high vulnerability in web and cloud due to fragmented IT environments and decentralized client delivery. In 2024, Capita suffered a breach affecting internal systems tied to misconfigured internet-facing assets.
5. Media
Media platforms prioritize delivery speed and content availability – often at the expense of hardening controls. The Vice Media breach in late 2023 exposed internal systems, highlighting risks in CMS and adtech APIs.
Notably, each of these industries carries a distinct risk signature. For education, it’s often the concentration of sensitive personal data on undermanaged and outdated systems.
For retail, it’s often the reliance on interconnected vendors and e-commerce platforms that expand the attack surface. For government systems, it is often the combination of legacy technology and publicly exposed services that create points of vulnerability.
Professional services face compounded exposure due to client-specific environments and asset sprawl. And media’s drive for publishing velocity often outpaces governance, leaving APIs and CMS platforms as recurring weak points.
While on paper two industries might show similar percentages of vulnerabilities, across one or more asset types, the type of damage those could cause varies widely. For example, an exposed university app might leak vast amounts of personally identifiable information (PII), triggering reputational damage, regulatory violations, and public backlash.
As serious as that is, the impact might be dwarfed by a vulnerable edge device in a telecom or government network, where exploitation might serve as a pivot point for lateral movement, privilege escalation, and long-dwell attacks that quietly compromise critical infrastructure from the inside out.
Understanding the context of who owns the asset, what it does, and especially how attackers see it in the context of a broader network is where real exposure management takes place.
Security threats are diverse, and so are the ways they are measured and perceived. The above report offers one perspective, based on data observed through the CyCognito platform, serving as a piece of a larger puzzle.
Attack surfaces are dynamic, and risks are constantly evolving. No single analysis can (or should) claim to capture it all. That’s why we believe information sharing between security vendors is essential, and this is us doing our part by offering a window into what we see in our day-to-day work.
By contributing our findings, we hope to support a broader awareness, helping defenders, decision-makers, and organizations make more informed choices. We believe that shared insight leads to shared resilience. The more viewpoints we bring together, the better equipped we are to protect what matters.
Zohar Venturero is a data scientist with extensive experience in data analysis and offensive security research, bringing a unique analytical perspective to cybersecurity challenges through both defensive insights and hands-on security testing expertise.