{"id":428,"date":"2019-11-19T17:55:00","date_gmt":"2019-11-19T17:55:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=428"},"modified":"2025-07-11T13:50:50","modified_gmt":"2025-07-11T20:50:50","slug":"cybersecurity-research-report-organizations-are-blind-to-attacker-exposed-assets","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/cybersecurity-research-report-organizations-are-blind-to-attacker-exposed-assets\/","title":{"rendered":"Cybersecurity Research: Latest Security Risk Trends and Data"},"content":{"rendered":"\n<p>CyCognito research staff analyzed data aggregated from hundreds of organizations to identify the top-level shadow risk trends that businesses with modern IT ecosystems face. The results reveal that organizations have a significant number of security blind spots, and those are often a by-product of interconnectivity with partners, cloud service providers and an organization\u2019s own subsidiaries, as well as the fact that legacy security assessment solutions do not identify these blind spots.<br><br>The&nbsp;<a href=\"\/platform\/\">CyCognito platform<\/a>&nbsp;marries sophisticated attacker reconnaissance techniques with large-scale data analysis. When applied to an individual organization, the results have proven indispensable for platform subscribers to better defend themselves. When the data collected by the platform is viewed in aggregate, it reveals a number of trends that cut across industries and organization sizes. 
In this blog, we reflect on: key trends identified, trend implications and how we gathered this data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Trends Identified<\/h2>\n\n\n\n<p>The CyCognito research shows that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Organizations are unaware of as many as 75% of their IT assets.<\/li>\n\n\n\n<li>82% of these hidden assets impact the organization\u2019s cybersecurity posture and are managed by their cloud providers, partners or subsidiaries.<\/li>\n\n\n\n<li>95% of these \u201cunknown\u201d and \u201cunmanaged\u201d assets were found to be blind spots that are not discovered by vulnerability scanners or even highly-trained penetration testing experts.<\/li>\n\n\n\n<li>87% of organizations have critical exposures that are visible to attackers at a given point in time.<\/li>\n\n\n\n<li>80% of organizations have critical network architecture flaws or gateway misconfigurations. Common examples include remote access servers (e.g., Citrix NetScalers, Juniper Unified Access Control, and Cisco Adaptive Security Appliances) that are misconfigured or have unpatched software.<\/li>\n\n\n\n<li>30% of organizations have exposed software development environments (e.g., Git, Jenkins or Jfrog servers) that are accessible to attackers, primarily due to misconfigurations.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Trend Implications<\/h2>\n\n\n\n<p>What do these facts and trends mean for the average organization? 
The serious implications of these data points may be readily obvious to security professionals, but let\u2019s briefly review:<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Enterprises must find a way to identify and assess the 75% of their attacker-exposed assets they don\u2019t know about already.&nbsp;<\/h5>\n\n\n\n<p>While it\u2019s stunning that even organizations with well-funded cybersecurity teams are blind to as many as 75% of their attacker-exposed assets, it\u2019s not entirely surprising given the explosion in the enterprise IT ecosystem. Today, business viability means agility and interconnectivity with new environments spun up at a moment\u2019s notice, partners integrated into the supply chain and acquired companies. That often comes at the expense of security visibility or controls. To compound the problem, most security solutions are designed for a 20th century network, not the distributed IT ecosystem of the 21st century, and do not help organizations discover the full extent of their&nbsp;<a href=\"\/learn\/attack-surface-discovery.php\">attack surface<\/a>&nbsp;assets.&nbsp;<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">The enterprise attack surface extends well beyond the assets managed by central security and IT teams, with 82% of unknown and unmanaged assets managed by cloud providers, partners or subsidiaries.<\/h5>\n\n\n\n<p>In the average organization\u2019s IT ecosystem, there are connections to over 115 networks, most of which are not managed by the organization. 
Enterprises are awakening to exposures from third-party vendors and the risk associated with the shared security model of cloud environments, but legacy tools don\u2019t provide visibility into the assets that expose them outside their IT management sphere.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Virtually all (95%) of the assets unknown to an organization are not discovered by legacy tools and scanners \u2014 or even highly-trained\u00a0<a href=\"\/solutions\/autopt.php\" target=\"_blank\" rel=\"noreferrer noopener\">penetration testing experts<\/a>.<\/h5>\n\n\n\n<p>This lack of discovery is because legacy security assessment approaches are designed to help you test the asset environments you already know about: with&nbsp;<a href=\"\/blog\/vulnerability-scanners-are-no-match-for-modern-threats\/\">legacy vulnerability scanners<\/a>&nbsp;you select the IP ranges to scan. Thus you are working within your known IT universe, and the process by its nature is not going to discover the true unknowns. A bias toward known environments is there for penetration tests as well, though pen testers can be told to look broadly for assets. Nonetheless, with penetration testing, a lack of full visibility is further compounded by the fact that the testing is done on a very narrow slice of the enterprise IT ecosystem, typically just 1% or 2%.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">87% of organizations have critical exposures that are visible to attackers at a given point in time.<\/h5>\n\n\n\n<p>Attacker reconnaissance has grown increasingly sophisticated. Offensive scanning and exploitation tools have become cheaper, more automated, and widely available to threat actors, which gives them unprecedented visibility into unattended points of entry into their target organizations. An organization\u2019s best response is to view their attacker-exposed assets in the same way that an attacker does, but on an even bigger and faster scale. 
Organizations have to eliminate all points of entry, while an attacker needs only one path in. But if organizations focus on attack vector discoverability, attractiveness and exploitability, it becomes clear which issues should be remediated first.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">80% of organizations have network architecture or gateway misconfigurations that are not identified during regular cybersecurity hygiene.<\/h5>\n\n\n\n<p>Many of these misconfigurations occur in networking gear located in third-party networks that are outside the control or visibility of the organization, but they must be assessed by the organization as if they were their own. The implications are significant because these devices are meant to be network and security gatekeepers and have the capability of granting broad access to attackers and others who should not have access. These assets are typically located at the intersection of the organization\u2019s network and third-party networks, and are overlooked by legacy security assessment solutions.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Misconfigurations of software development environments present a significant source of risk to 30% of organizations.<\/h5>\n\n\n\n<p>Software development organizations include technically savvy staff who are capable of setting up complex agile development environments and automated DevOps pipelines. Still, these developers and DevOps pros are seldom security experts, and modern SaaS development platforms operate on a shared responsibility model where users are expected to configure security. 
When misconfigurations and\/or network architecture flaws are introduced, these types of assets are exposed, intellectual property theft can occur, and sophisticated attackers can look for software vulnerabilities they can later exploit or even introduce their own to be used as back-door channels.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How We Gathered the Data<\/h2>\n\n\n\n<p>The CyCognito platform gathers data using a&nbsp;<a href=\"\/platform\/\">nation-state-scale botnet<\/a>&nbsp;that continuously analyzes every internet-exposed IT asset \u2013 approximately 3.5 billion in total \u2013 and fingerprints them by looking at things as diverse as their visual elements (e.g., logos and icons), keywords and code fragments, and what software is deployed on the assets, among other identifiers. The platform uses a graph data model to represent the relationships between assets and classify the business purpose of assets.<br><br>The data and trends reflected in this blog post are based on the analysis of CyCognito platform data aggregated across hundreds of organizations with IT assets around the globe.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity analytics data show that security teams are blind to 75% of their attacker-exposed assets \u2013 entry points not found by vulnerability scanners.<\/p>\n","protected":false},"author":14,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9],"class_list":["post-428","post","type-post","status-publish","format-standard","hentry","category-research","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cybersecurity Research: Latest Security Risk Trends and Data | CyCognito Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, 
max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/cybersecurity-research-report-organizations-are-blind-to-attacker-exposed-assets\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cybersecurity Research: Latest Security Risk Trends and Data | CyCognito Blog\" \/>\n<meta property=\"og:description\" content=\"Cybersecurity analytics data show that security teams are blind to 75% of their attacker-exposed assets \u2013 entry points not found by vulnerability scanners.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cycognito.com\/blog\/cybersecurity-research-report-organizations-are-blind-to-attacker-exposed-assets\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" content=\"2019-11-19T17:55:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-11T20:50:50+00:00\" \/>\n<meta name=\"author\" content=\"Alex Zaslavsky\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alex Zaslavsky\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/cybersecurity-research-report-organizations-are-blind-to-attacker-exposed-assets\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/cybersecurity-research-report-organizations-are-blind-to-attacker-exposed-assets\/\"},\"author\":{\"name\":\"Alex Zaslavsky\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/a66518132b1efe6e5d21fd429128a953\"},\"headline\":\"Cybersecurity Research: Latest Security Risk Trends and Data\",\"datePublished\":\"2019-11-19T17:55:00+00:00\",\"dateModified\":\"2025-07-11T20:50:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/cybersecurity-research-report-organizations-are-blind-to-attacker-exposed-assets\/\"},\"wordCount\":1120,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Research\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/cybersecurity-research-report-organizations-are-blind-to-attacker-exposed-assets\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/cybersecurity-research-report-organizations-are-blind-to-attacker-exposed-assets\/\",\"name\":\"Cybersecurity Research: Latest Security Risk Trends and Data | CyCognito 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"datePublished\":\"2019-11-19T17:55:00+00:00\",\"dateModified\":\"2025-07-11T20:50:50+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/cybersecurity-research-report-organizations-are-blind-to-attacker-exposed-assets\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/cybersecurity-research-report-organizations-are-blind-to-attacker-exposed-assets\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/cybersecurity-research-report-organizations-are-blind-to-attacker-exposed-assets\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Research: Latest Security Risk Trends and Data\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito Blog\",\"description\":\"Research, Product News and Latest 
Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/a66518132b1efe6e5d21fd429128a953\",\"name\":\"Alex Zaslavsky\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d14b8d99179745962f3db9e46d2ce6c4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d14b8d99179745962f3db9e46d2ce6c4?s=96&d=mm&r=g\",\"caption\":\"Alex Zaslavsky\"},\"description\":\"Was Sr. Product Manager at CyCognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/alex-zaslavsky\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/428","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/comments?post=428"}],"version-history":[{"count":5,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/428\/revisions"}],"predecessor-version":[{"id":1615,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/428\/revisions\/1615"}],"wp:attachment":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/media?parent=428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/categories?post=428"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/tags?post=428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}