-
26% of organizations leave MySQL databases exposed to the internet, while 1 in 7 expose sensitive API documentation
-
Midmarket organizations face the longest remediation times, averaging 56 days to remove exposures, nearly four times slower than smaller enterprises
-
The Index reveals a stark sector gap, with banks remediating exposures in just 11 days while insurance and pharmaceutical firms average over 40 days
Intruder, a leader in exposure management, released its 2026 Attack Surface Management Index. Based on anonymized data from 3,000 Intruder customers collected over the past year, the Index examines the most common exposures, how quickly they’re being fixed and how that varies by industry and organization size. According to the Index, over a quarter (26%) of cybersecurity teams have exposed MySQL databases, a known target for database ransomware and data extortion.
Also Read: CIO Influence Interview with Kyle Wickert, Field CTO at AlgoSec
“The emergence of autonomous AI models like Mythos has fundamentally shifted the cybersecurity landscape,” said Chris Wallis, CEO and founder of Intruder. “The security industry is seeing a major compression in the time between vulnerability discovery and exploitation. In this high-speed era, leaving a MySQL database or private API documentation exposed to the internet is an open invitation for automated, high-speed extortion.”
Securing the Attack Surface in the “Mythos Era”
Intruder’s findings arrive as the cybersecurity industry grapples with the release of Anthropic’s Mythos, an AI model capable of autonomously discovering zero day vulnerabilities. With vulnerabilities being found at this speed and scale, any unnecessarily exposed internet facing asset is carrying more risk than ever.
The Index confirms that while offensive AI usage is accelerating, organizations still struggle to reduce their attack surface, especially as they grow. AI is drastically compressing the time between vulnerability disclosure and exploitation. However, if a service is not reachable from the internet, the window of risk is significantly reduced.
Attack Surface Exposure by Category and Size
Attack surface exposures were categorized by HTTP panels, ports, services, databases, files and information facing the internet. While exposed databases ranked as the leading attack surface issue, more than 1 in 7 organizations had exposed API documentation, ranking ahead of Remote Desktop Service (RDP), a common entry point for ransomware attacks.
Additional details from the report include:
- Ports and Services: Nearly half (49%) of organizations exposed risky ports and services, with RDP being the most commonly exposed.
- Admin Panels: WordPress Admin (15%) and phpMyAdmin (8%) are frequently left internet-facing, despite being intended for internal use only.
- Legacy Services: Services like SNMP (9%) and UPnP (8%) continue to persist on the public internet, despite being intended for internal networks.
Organization Size and Rising Exposure Risks
The report reveals that as organizations grow, their attack surface risks and management challenges scale disproportionately. The average number of exposed assets expands significantly with size; organizations with over 5,000 employees manage more than twice as many external assets as those in the 1,000–5,000 category, and almost 35 times more than small enterprises (51–250 employees).
This rapid infrastructure growth creates a specific bottleneck for the “midmarket” (defined here as 251–5,000 employees) and those scaling into the 5,000–10,000 range. While small organizations remediate vulnerabilities fastest (averaging 14–18 days), speed drops significantly as firms scale, peaking at an average of 56 days for the 5,000–10,000 employee range, roughly four times slower than their smaller counterparts.
This aligns with Intruder’s recent 2026 Security Middle Child report, suggesting that midmarket firms manage enterprise-level complexity without the headcount, budget, or tooling maturity of larger enterprise teams.
Scaling and Vertical Challenges
Beyond organization size, the data reveals striking differences in how quickly specific sectors address their exposure. The Index identifies a clear divide between highly regulated industries and those struggling with legacy complexity:
- Banks & Retail: These sectors lead in efficiency, with banks remediating exposures in just 11 days and retail firms averaging 10 days.
- Insurance & Financial Services: Despite being part of the broader financial landscape, the insurance sector requires nearly 50 days to close the same types of gaps. Meanwhile, financial service organizations outside of banking require 24 days to remediate exposures.
- Automotive & Pharma: These sectors also show significant lag, with remediation times averaging 43 days.
“The data highlights a significant maturity gap between sectors,” continued Wallis. “Banks and retailers have streamlined their attack surface reduction processes to a matter of days, but sectors like insurance and pharmaceuticals are taking weeks longer. Many of the exposures we examined don’t even need a CVE to be exploited. For example, an exposed database or admin panel can be compromised through brute force or credential stuffing alone. As a result, remediation efforts that take 40–50 days leave this window open far too long.”
Catch more CIO Insights: The CIO as a Value Creator: Moving Beyond Cost Centers to Revenue Drivers
[To share your insights with us, please write to psen@itechseries.com ]
