REPORT · EDITION 2026
Digital Exposure State
As external attack surface grows, what do the attackers do with it and why the gap between the two dynamics is the true risk. A data portrait of dozens of organizations.
FULL REPORT
2026 Edition — PDF Version
A comprehensive analysis, with in-depth reading and more data, in a 7-page document. We publish an edition per year.
THE SCALE
The attack surface outside the inventory
organizations with discovery completed
mapped external assets
subsidiaries and related organizations
third-party digital supply chain components
01 — THE SURFACE
It grows — and it grows without governance
The attack surface is not an organized inventory. It spreads across multiple clouds, environments that rise quickly and are rarely turned off, and third-party components embedded in every application. The 16 detailed analyses show a consistent pattern of uncontrolled growth.
more third-party components than owned assets on the surface
operate assets in two or more clouds at the same time
have an open vulnerability for more than 5 years
Source: 16 detailed analyses "External Attack Surface Assessment".
Cloud providers by organization · % of companies
Half of the organizations distribute assets across three or more clouds. Each additional provider is one more console, one more configuration standard, and one more boundary for something to be overlooked.
What accumulates — % of analyzed companies with the finding
The same findings recur from company to company — and are almost always old. The surface accumulates: what enters rarely gets removed, and what fails rarely gets fixed.
The picture of Act 1 is of a surface that expands faster than any team can inventory — spread across multiple clouds and third-party dependencies — and that accumulates without shrinking. Each forgotten asset remains standing, exposed, for years.
02 — THE THREAT
The other side is not waiting
While the surface accumulates in silence, the threat on the other side moves at an industrial pace. The following data comes from CSURFACE's emerging threats platform, which monitors high-severity CVEs by active exploitation and asset criticality.
Classes of most exploited failures (CWE) · % of monitored emerging threats
Five of the six most exploited classes are web application vulnerabilities — injection, path traversal, and file upload. And in Act 1, 71% of found web applications operate without a WAF: the threat curve points exactly to the layer that most leave unprotected.
Real priority of monitored threats · SSVC categorization
Reading exploitation indicators is within any team's reach — but this shows the market priority, a general reference that still needs to be applied to your company's reality. What cannot be done alone is crossing this intelligence with continuous discovery of your surface: knowing, every week, which threats actually reach your exposed assets. This is exactly what CSURFACE's threat and exploit intelligence does, in conjunction with discovery — your priority queue built by real threat and re-ordered as it evolves.
The pace of Act 2 is industrial: a public exploit emerges on average 5 days after the failure is disclosed. The window between a vulnerability existing and being exploited measures in days.
03 — THE MEETING
Where the incident begins
The volume of threats is directly related to surface reports. Each unmanaged asset from Act 1—a forgotten cloud environment, a third-party component, an application without WAF—is a door. Act 2 states that doors are found and attacked within days.
The threat attacks
is the average time between a flaw being disclosed and there existing a functional public exploit for it.
The door stays open
is how long the oldest vulnerability has been exposed in 68% of analyzed companies.
Side by side, both sets of data converge on a single conclusion. Defense adds assets faster than it can inventory them, and removes or corrects almost nothing—the time to exposure is measured in years. The attacker arms an exploit in days.
An incident is the predictable intersection of two curves: one surface that grows disorderly and never shrinks, and a threat that only accelerates. An incident is just the time when the two cross on the same asset—almost always an asset absent from inventory.
THE CONCLUSION
What closes the gap between the two curves
You cannot correct what you cannot see, nor can you defeat the speed of the threat with manual effort. Closing this gap requires two operational capabilities working together and non-stop: continuous discovery — which finds every door, including cloud environments, shadow IT, and assets not in inventory — and threat and exploit intelligence — which tells you which doors are being attacked now.
One without the other leaves a window open: discovering everything without prioritizing overburdens the team; prioritizing threats without seeing the entire surface protected only what was already known. It is the continuous combination of both — discovery and intelligence in the same data model — that CSURFACE delivers.
CONTINUE ACOMPANHANDO
Receive the next edition and quarterly exposure alerts
New numbers from the State of Digital Exposure and relevant signals from the attack surface, in your email. No commitment.
See where your company stands in this picture.
Provide your corporate email and receive a preliminary analysis of your company's attack surface. No card, no meeting required.
Receive my preliminary analysis