At the Cyentia Institute, we are constantly seeking answers to the pressing questions that challenge the security of organizations today. A question we often encounter is, “Where and what are our biggest security exposures?” To address this, we recently analyzed data from hundreds of thousands of attack path assessments conducted using the XM Cyber Continuous Exposure Management (CEM) platform.

Our findings are presented in a new series of charts and analysis that offer a detailed breakdown of security exposures across various digital entities and environments.

Understanding the Attack Surface

Our study begins with an examination of the attack surface, as defined by the broad categories of digital entities discovered during attack path assessments. According to our data, Active Directory is a major component, constituting just over half of the entities identified across all environments. On-premises IT and network devices make up another 31%, with cloud environments accounting for the remaining 18%.

Focusing on Vetted Exposures

However, not all entities are equally vulnerable.


When we refine our focus to include only vetted exposures—those entities susceptible to specific attack techniques—the landscape shifts dramatically. Active Directory exposures, for instance, begin to dominate the attack surface. This shift is clearly depicted in the Exposures portion of the chart, highlighting how critical it is to consider not just the presence of entities, but their susceptibility to attacks.






Critical Asset Exposures

The true measure of exposure management effectiveness lies in its impact on critical assets. When we rescope the attack surface to concentrate on exposures that affect critical assets, we observe yet another shift in the distribution. In this scenario, cloud environments emerge as the predominant area of concern, encompassing over half of all critical asset exposures.Active Directory follows at 33%, with IT and network devices at 11%. This critical perspective is captured in the rightmost chart of our series.

These insights raise important considerations for security management. For instance, while Active Directory may dominate general and vetted exposures, the critical asset exposures in cloud environments demand significant attention and resources.

Engage with Us

Does this alignment with the exposures observed on your own attack surfaces? Which perspective or chart do you primarily use to guide your exposure management strategies?

At Cyentia Institute, we are dedicated to advancing the science of cyber risk through research and analysis. We invite you to engage with our findings and share your perspectives.

Together, we can enhance our approaches to securing critical assets and reducing exposures in increasingly complex environments.


The full report contains tons of additional insights on exposure management. Download the full study on exposure management in 2024 here.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.