Your Attack Surface Is Bigger Than You Think: Insights from the Arctic Wolf 2026 State of the Cybersecurity Attack Surface Report - Arctic Wolf
Arctic Wolf · 2026-06-16 · via Arctic Wolf

Most security teams aren’t naive to the growing risk in their environment, but because of high event volume and asset visibility gaps, emerging risk dynamics have become increasingly challenging to act on.

Arctic Wolf’s latest State of the Cybersecurity Attack Surface report puts real data behind the challenge. Drawing on aggregated, anonymized data from Aurora® Exposure Management across more than 800,000 IT assets, the findings reveal an enterprise attack surface where foundational controls and basic security hygiene best practices are missing at scale.

One in Three Assets Is Missing a Critical Control

33% of IT assets are missing at least one critical control. That includes assets not covered by enterprise patch or configuration management (18%), assets without endpoint security (10%), and assets that are invisible to legacy vulnerability management tooling entirely (17%).

These aren’t isolated outliers in otherwise well-managed environments. They represent a pervasive structural condition within organizations across geographies, industries, and company size.

Why does the trend exist? Team structures vary significantly from enterprise to enterprise, but tool sprawl and hand-off breakdowns between the teams responsible for maintaining assets (IT operations) and the teams accountable for securing them (security) contribute to the visibility gap. The two teams often operate from different, incomplete inventories that are never fully reconciled.

The result? Devices outside patch management may have known CVEs, but they aren’t getting fixed. Assets that aren’t in vulnerability management are never scanned. Assets without endpoint security give attackers a direct path in — and with modern threat campaigns increasingly relying on living-off-the-land techniques, an unprotected endpoint is an exceptionally valuable and subtle foothold for lateral movement, credential theft, and ransomware deployment.

We know we can’t effectively measure risk in silos, but modern security stacks promote this structure anyway. Most enterprises run separate systems for endpoint security, patch management, vulnerability scanning, identity, and cloud workloads, each generating its own findings, scored against its own criteria, with no common denominator to reconcile them. The result is a prioritization process that isn’t grounded in any single version of reality. A critical finding in a vulnerability management tool may affect an asset your endpoint tool has never seen. A misconfiguration flagged in your cloud posture management platform may involve an identity but lack the business context needed to prioritize it appropriately.

Without a unified risk view that correlates signals across sources, security teams are forced to triage in parallel realities — and the gaps between those realities are exactly where risk accumulates undetected.
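The reconciliation described above can be sketched in a few lines. This is an added example, not Arctic Wolf's code or the Aurora product's logic: the hostnames, source names and the short-hostname matching rule are assumptions, and real inventories usually need stronger join keys (serial number, MAC address, cloud instance ID).

```python
from collections import Counter

# Constructed sample exports; hostnames and source names are hypothetical.
CMDB = ["WEB-01.corp.example", "db-02", "hv-03", "kiosk-04", "lap-05"]
CONTROLS = {
    "patch_mgmt": ["web-01", "db-02", "lap-05"],
    "endpoint_security": ["web-01", "DB-02.corp.example", "hv-03", "lap-05"],
    "vuln_mgmt": ["web-01", "db-02", "kiosk-04", "lap-05", "nas-06"],
}

def normalize(name):
    """Collapse case and DNS suffix so one host matches across tools."""
    return name.strip().lower().split(".")[0]

def reconcile(cmdb, controls):
    """Return (gaps, universe); gaps maps asset -> controls that never saw it."""
    seen = {c: {normalize(n) for n in names} for c, names in controls.items()}
    # The unified inventory is the union of every source, not only the CMDB.
    universe = {normalize(n) for n in cmdb}.union(*seen.values())
    gaps = {}
    for asset in sorted(universe):
        missing = sorted(c for c, hosts in seen.items() if asset not in hosts)
        if missing:
            gaps[asset] = missing
    return gaps, universe

def coverage_report(cmdb, controls):
    """Summarize coverage gaps as percentages of the unified inventory."""
    gaps, universe = reconcile(cmdb, controls)
    total = len(universe)
    per_control = Counter(c for missing in gaps.values() for c in missing)
    return {
        "total_assets": total,
        "missing_any_pct": round(100 * len(gaps) / total),
        "missing_by_control_pct": {c: round(100 * per_control[c] / total) for c in controls},
        "unknown_to_cmdb": sorted(universe - {normalize(n) for n in cmdb}),
        "gaps": gaps,
    }

if __name__ == "__main__":
    for key, value in coverage_report(CMDB, CONTROLS).items():
        print(key, value)
```

The `unknown_to_cmdb` entry is the case the paragraph warns about: a device one tool has seen that the inventory of record has not.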

End-of-Life Is Not an Edge Case

Nearly one in five IT assets (19%) has reached end-of-life, running hardware or software that will never receive another vendor security update.

Aurora Attack Surface Management data shows end-of-life assets are showing up in the systems organizations rely on most: legacy servers, virtualized infrastructure, and shared end-user devices. Regardless of industry — manufacturing, healthcare, banking — systems are kept in place because a critical application depends on them, or because a migration was assumed complete when it wasn’t.

In one organization that underwent a large-scale migration to retire end-of-life systems, individual business units confirmed completion. A subsequent Aurora Attack Surface Management scan revealed a 41% improvement, but 8% of assets remained end-of-life despite those confirmations. Without independent verification, the migration was considered done. It wasn’t.

Security teams advancing mature cyber risk management programs know continuous, verified remediation and mitigation of risk is the only way to know the work has been carried out.

Attackers Are Adapting

The share of incident response cases driven by external exploits dropped from 29% to 11%. Over the same period, abuse of remote access services more than doubled, now accounting for 65% of non-BEC IR cases — a steady climb from 24% just three years ago. Trusted-relationship abuse and misconfigurations surged more than 8x.

Attackers follow the path of least resistance. When perimeter defenses improve, they move to the legacy VPNs, the RMM agent still running on a retired endpoint, or the remote access service with stale or missing endpoint protection.

Every one of the top 10 most frequently exploited CVEs in Arctic Wolf’s 2025 incident response cases dated from 2024 or earlier. All had patches available. The most common — CVE-2024-40766, a SonicWall SonicOS access control vulnerability — had a fix available well before it was exploited at scale. Exploitation of zero-days isn’t necessary when so much of the environment isn’t accounted for.

Context Is What Turns Findings into Action

Data without context is noise. A CVSS score tells you how severe a vulnerability is in the abstract, but it doesn’t tell you whether the affected asset is internet-facing, who the asset is associated with, whether endpoint protection is present, or whether the system is running end-of-life software that can’t be patched at all.

A medium-severity authentication bypass on a perimeter appliance can represent far greater real-world risk than a critical-rated vulnerability on an isolated internal server. Programs driven by severity scores alone routinely invert the priority.

Effective exposure management requires layering threat intelligence, asset criticality, exploitability context, and business context to surface the exposures that matter most and then making it operationally straightforward to act on them.
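To make the inversion concrete, the following added example (not from the report or the Aurora product) ranks three constructed findings by CVSS alone and then by a context-adjusted score. The multipliers are hypothetical values chosen only to illustrate layering the context signals named above; they are not a published scoring model.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    name: str
    cvss: float
    internet_facing: bool
    known_exploited: bool
    endpoint_protection: bool
    end_of_life: bool
    business_critical: bool

# Constructed findings; none refers to a real asset or CVE.
FINDINGS = [
    Finding("rce-isolated-internal-server", 9.8, False, False, True, False, False),
    Finding("privesc-eol-file-server", 7.8, False, True, False, True, True),
    Finding("auth-bypass-perimeter-appliance", 6.5, True, True, False, False, True),
]

def contextual_score(f):
    """Scale base severity by exposure and asset context (hypothetical weights)."""
    score = f.cvss
    score *= 2.0 if f.internet_facing else 0.5      # reachable from the internet
    score *= 1.5 if f.known_exploited else 1.0      # exploitation seen in the wild
    score *= 1.0 if f.endpoint_protection else 1.3  # no compensating endpoint control
    score *= 1.4 if f.end_of_life else 1.0          # no vendor patch will arrive
    score *= 1.3 if f.business_critical else 1.0    # asset criticality
    return score

def rank_by_cvss(findings):
    """Order findings by base severity only."""
    return [f.name for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_context(findings):
    """Order findings by the context-adjusted score."""
    return [f.name for f in sorted(findings, key=contextual_score, reverse=True)]

if __name__ == "__main__":
    print("CVSS only:", rank_by_cvss(FINDINGS))
    print("With context:", rank_by_context(FINDINGS))
```

With these inputs the medium-severity perimeter finding moves from last place to first, and the critical-rated finding on the isolated server drops to last.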

The maturity data in the report reflects this directly. Organizations with established Aurora Attack Surface Management (part of the Aurora Exposure Management portfolio) deployments showed materially better outcomes across every exposure category measured:

  • Missing configuration management and endpoint security fell by 43%
  • Vulnerability management coverage gaps dropped by more than 40%
  • End-of-life exposure declined by nearly 45%

Exposure doesn’t have to be a fixed condition. It improves considerably as visibility deepens, remediation workflows mature, and security teams develop the ability to continuously verify that the actions they’ve mandated have been completed.

For security teams evaluating exposure management strategies and tools, integration and interoperability become foundational buying criteria. A rigid CTEM or exposure management structure that requires ripping out existing tools, or only ingests data from its own stack, cannot capture the full range of risk signals across a real enterprise environment. The attack surface doesn’t respect product categories. Exposure management must be modular to be effective.

The security teams meaningfully reducing breach potential in their environment will be able to pull context from the security and IT tools already in place, correlate that data into a unified asset view, and surface prioritized findings without requiring a wholesale platform replacement. The flexibility to meet teams where they are, rather than forcing a standardized structure onto a non-standard environment, is what separates programs that make an impact from those that stall.

The Foundation Every Security Investment Depends On

Visibility has a compounding effect. When asset inventories are incomplete, every downstream security investment — vulnerability management, endpoint protection, patch management, incident response — operates on a flawed foundation.

Aurora Exposure Management was built to close that gap. By continuously discovering assets across internal, external, and end-user environments, correlating data across the security and IT tools teams already use, and delivering prioritized, contextualized findings with built-in remediation workflows, it helps give security teams the accurate picture they need to manage exposure and to validate to internal stakeholders, their customers, and the board that their environment is protected.


This blog may include forward-looking statements. These reflect our current views and are subject to change. They are not guarantees, and actual results may vary.

This blog is provided for informational purposes only. It reflects general industry perspectives and practices and is not intended to represent a guarantee, assurance, or measure of performance. Actual results, outcomes, and capabilities vary by organization, environment, and implementation.