REPORT · EDITION 2026

Digital Exposure State

As external attack surface grows, what do the attackers do with it and why the gap between the two dynamics is the true risk. A data portrait of dozens of organizations.

How to read this report. The numbers are aggregated and anonymous — 68 organizations with discovery completion on the CSURFACE platform and 16 detailed attack surface analyses. The charts express representativeness (%). Reading is organized into three parts: how the surface grows, how the threat moves, and what happens when the two meet.

FULL REPORT

2026 Edition — PDF Version

A comprehensive analysis, with in-depth reading and more data, in a 7-page document. We publish an edition per year.

Baixar o relatório (PDF)
Editions: 2026

THE SCALE

The attack surface outside the inventory

0

organizations with discovery completed

0

mapped external assets

0

subsidiaries and related organizations

0

third-party digital supply chain components

01 — THE SURFACE

It grows — and it grows without governance

The attack surface is not an organized inventory. It spreads across multiple clouds, environments that rise quickly and are rarely turned off, and third-party components embedded in every application. The 16 detailed analyses show a consistent pattern of uncontrolled growth.

2,8×

more third-party components than owned assets on the surface

75%

operate assets in two or more clouds at the same time

68%

have an open vulnerability for more than 5 years

Source: 16 detailed analyses "External Attack Surface Assessment".

Cloud providers by organization · % of companies

Three or more cloud providers 50%
Two cloud providers 25%
One cloud provider 19%
No cloud assets detected 6%

Half of the organizations distribute assets across three or more clouds. Each additional provider is one more console, one more configuration standard, and one more boundary for something to be overlooked.

What accumulates — % of analyzed companies with the finding

Vulnerability exposed for more than 5 years 68%
Vulnerability with public exploit available 56%
80% or more web applications without WAF 43%
At least one critical vulnerability open 37%
Corporate credentials leaked 37%
Vulnerability under active real-world exploitation 25%

The same findings recur from company to company — and are almost always old. The surface accumulates: what enters rarely gets removed, and what fails rarely gets fixed.

The picture of Act 1 is of a surface that expands faster than any team can inventory — spread across multiple clouds and third-party dependencies — and that accumulates without shrinking. Each forgotten asset remains standing, exposed, for years.

02 — THE THREAT

The other side is not waiting

While the surface accumulates in silence, the threat on the other side moves at an industrial pace. The following data comes from CSURFACE's emerging threats platform, which monitors high-severity CVEs by active exploitation and asset criticality.

Classes of most exploited failures (CWE) · % of monitored emerging threats

Command injection · CWE-78 12%
Unsafe deserialization · CWE-502 9.5%
Path traversal · CWE-22 9%
File upload without restriction · CWE-434 8.6%
Code injection · CWE-94 8.4%
SQL injection · CWE-89 8%

Five of the six most exploited classes are web application vulnerabilities — injection, path traversal, and file upload. And in Act 1, 71% of found web applications operate without a WAF: the threat curve points exactly to the layer that most leave unprotected.

Real priority of monitored threats · SSVC categorization

19%
immediate action
Immediate action (act) 19%
Attention (attend) 36%
Close monitoring (track*) 28%
Monitor (track) 17%

Reading exploitation indicators is within any team's reach — but this shows the market priority, a general reference that still needs to be applied to your company's reality. What cannot be done alone is crossing this intelligence with continuous discovery of your surface: knowing, every week, which threats actually reach your exposed assets. This is exactly what CSURFACE's threat and exploit intelligence does, in conjunction with discovery — your priority queue built by real threat and re-ordered as it evolves.

The pace of Act 2 is industrial: a public exploit emerges on average 5 days after the failure is disclosed. The window between a vulnerability existing and being exploited measures in days.

03 — THE MEETING

Where the incident begins

The volume of threats is directly related to surface reports. Each unmanaged asset from Act 1—a forgotten cloud environment, a third-party component, an application without WAF—is a door. Act 2 states that doors are found and attacked within days.

The threat attacks

5 days

is the average time between a flaw being disclosed and there existing a functional public exploit for it.

The door stays open

5+ years

is how long the oldest vulnerability has been exposed in 68% of analyzed companies.

Side by side, both sets of data converge on a single conclusion. Defense adds assets faster than it can inventory them, and removes or corrects almost nothing—the time to exposure is measured in years. The attacker arms an exploit in days.

An incident is the predictable intersection of two curves: one surface that grows disorderly and never shrinks, and a threat that only accelerates. An incident is just the time when the two cross on the same asset—almost always an asset absent from inventory.

THE CONCLUSION

What closes the gap between the two curves

You cannot correct what you cannot see, nor can you defeat the speed of the threat with manual effort. Closing this gap requires two operational capabilities working together and non-stop: continuous discovery — which finds every door, including cloud environments, shadow IT, and assets not in inventory — and threat and exploit intelligence — which tells you which doors are being attacked now.

One without the other leaves a window open: discovering everything without prioritizing overburdens the team; prioritizing threats without seeing the entire surface protected only what was already known. It is the continuous combination of both — discovery and intelligence in the same data model — that CSURFACE delivers.

CONTINUE ACOMPANHANDO

Receive the next edition and quarterly exposure alerts

New numbers from the State of Digital Exposure and relevant signals from the attack surface, in your email. No commitment.

No spam. You can unsubscribe at any time.

See where your company stands in this picture.

Provide your corporate email and receive a preliminary analysis of your company's attack surface. No card, no meeting required.

Receive my preliminary analysis