2024 Navigating the Paths of Risk

Partner: XM Cyber

Traditional vulnerability management often leaves defenders drowning in endless lists of CVEs without the context needed to stop an actual attack. This third annual State of Exposure Management report from XM Cyber analyzes over 40 million exposures to shift the focus from individual assets to “attack paths.” The report identifies the specific intersections where these paths converge, so that organizations can remediate a fraction of the issues and achieve maximum protection.

The data reveals that defenders are often overwhelmed by volume while missing the systemic reality of their environment. While a typical organization contends with 15,000 exploitable exposures, only 2% of those reside on “choke points”—the critical junctions an adversary must traverse to reach crown-jewel assets. This research provides a roadmap for “Continuous Threat Exposure Management” (CTEM), proving that security is not a static checkbox but a continuous process of path elimination.

Cloud environments and Active Directory (AD) emerge as the primary theaters of risk. Over half of all critical asset exposures now reside in the cloud, yet attackers can pivot from on-premises networks to cloud platforms in 70% of organizations. By focusing on identity and credential hygiene rather than just software patches, defenders can close the 20x gap in choke point density that currently separates top-performing organizations from those with the weakest security posture.

Key Findings

  • The 15,000-Exposure Baseline: Organizations typically harbor 15,000 security exposures at any given time, with low-performing organizations contending with six times that volume.
  • 2% Choke Point Ratio: Only 2% of identified exposures qualify as choke points—key intersections of converging attack paths that lead directly to critical business assets.
  • Active Directory Dominance: Active Directory misconfigurations and credential issues account for 80% of all security exposures identified across the enterprise.
  • Cloud Exposure Surge: Over half (56%) of all exposures that put critical assets at immediate risk are located within cloud platforms rather than on-premises.
  • Hybrid Pivot Ease: Attackers can successfully pivot from on-premises networks to cloud environments in 70% of organizations, often compromising critical cloud assets in just two hops.
  • The CVE-Signal Gap: Traditional CVEs account for less than 1% of total exposures and only 11% of exposures that threaten critical assets, highlighting the inadequacy of patch-centric models.

The findings are based on independent analysis by Cyentia Institute of hundreds of thousands of attack path assessments and 40 million exposures affecting 11.5 million critical entities in 2023.