- 26% of organizations leave MySQL databases exposed to the internet, while 1 in 7 expose sensitive API documentation
- Midmarket organizations face the longest remediation times, averaging 56 days to remove exposures, nearly four times slower than smaller enterprises
- The Index reveals a stark sector gap, with banks remediating exposures in just 11 days while insurance and pharmaceutical firms average over 40 days
LONDON — Intruder, a leader in exposure management, today released its 2026 Attack Surface Management Index. Based on anonymized data from 3,000 Intruder customers collected over the past year, the Index examines the most common exposures, how quickly they’re being fixed and how that varies by industry and organization size. According to the Index, over a quarter (26%) of cybersecurity teams have exposed MySQL databases, a known target for database ransomware and data extortion.
“The emergence of autonomous AI models like Mythos has fundamentally shifted the cybersecurity landscape,” said Chris Wallis, CEO and founder of Intruder. “The security industry is seeing a major compression in the time between vulnerability discovery and exploitation. In this high-speed era, leaving a MySQL database or private API documentation exposed to the internet is an open invitation for automated, high-speed extortion.”
Securing the Attack Surface in the “Mythos Era”
Intruder’s findings arrive as the cybersecurity industry grapples with the release of Anthropic’s Mythos, an AI model capable of autonomously discovering zero day vulnerabilities. With vulnerabilities being found at this speed and scale, any unnecessarily exposed internet facing asset is carrying more risk than ever.
The Index confirms that while offensive AI usage is accelerating, organizations still struggle to reduce their attack surface, especially as they grow. AI is drastically compressing the time between vulnerability disclosure and exploitation. However, if a service is not reachable from the internet, the window of risk is significantly reduced.
Attack Surface Exposure by Category and Size
Attack surface exposures were categorized by HTTP panels, ports, services, databases, files and information facing the internet. While exposed databases ranked as the leading attack surface issue, more than 1 in 7 organizations had exposed API documentation, ranking ahead of Remote Desktop Service (RDP), a common entry point for ransomware attacks.
Additional details from the report include:
- Ports and Services: Nearly half (49%) of organizations exposed risky ports and services, with RDP being the most commonly exposed.
- Admin Panels: WordPress Admin (15%) and phpMyAdmin (8%) are frequently left internet-facing, despite being intended for internal use only.
- Legacy Services: Services like SNMP (9%) and UPnP (8%) continue to persist on the public internet, despite being intended for internal networks.
Organization Size and Rising Exposure Risks
The report reveals that as organizations grow, their attack surface risks and management challenges scale disproportionately. The average number of exposed assets expands significantly with size; organizations with over 5,000 employees manage more than twice as many external assets as those in the 1,000–5,000 category, and almost 35 times more than small enterprises (51–250 employees).
This rapid infrastructure growth creates a specific bottleneck for the “midmarket” (defined here as 251–5,000 employees) and those scaling into the 5,000–10,000 range. While small organizations remediate vulnerabilities fastest (averaging 14–18 days), speed drops significantly as firms scale, peaking at an average of 56 days for the 5,000–10,000 employee range, roughly four times slower than their smaller counterparts.
This aligns with Intruder’s recent 2026 Security Middle Child report, suggesting that midmarket firms manage enterprise-level complexity without the headcount, budget, or tooling maturity of larger enterprise teams.
Scaling and Vertical Challenges
Beyond organization size, the data reveals striking differences in how quickly specific sectors address their exposure. The Index identifies a clear divide between highly regulated industries and those struggling with legacy complexity:
- Banks & Retail: These sectors lead in efficiency, with banks remediating exposures in just 11 days and retail firms averaging 10 days.
- Insurance & Financial Services: Despite being part of the broader financial landscape, the insurance sector requires nearly 50 days to close the same types of gaps. Meanwhile, financial service organizations outside of banking require 24 days to remediate exposures.
- Automotive & Pharma: These sectors also show significant lag, with remediation times averaging 43 days.
“The data highlights a significant maturity gap between sectors,” continued Wallis. “Banks and retailers have streamlined their attack surface reduction processes to a matter of days, but sectors like insurance and pharmaceuticals are taking weeks longer. Many of the exposures we examined don’t even need a CVE to be exploited. For example, an exposed database or admin panel can be compromised through brute force or credential stuffing alone. As a result, remediation efforts that take 40–50 days leave this window open far too long.”
About the 2026 Attack Surface Management Index
To build this report, Intruder analyzed anonymous data from over 3,000 customers to find which attack surfaces are most commonly exposed and how quickly they are being fixed. The Index is based on Intruder customer data with segments across industry and organization size over the past year, beginning in March 2025 and ending in March 2026. The full report is available to access here.
About Intruder
Intruder’s exposure management platform helps lean security teams stop breaches before they start by proactively discovering attack surface weaknesses. By unifying AI penetration testing, attack surface management, cloud security and continuous vulnerability management in one intuitive platform, Intruder makes it easy to stay secure by cutting through the noise and complexity. Founded in 2015 by Chris Wallis, a former ethical hacker turned corporate blue teamer, Intruder is now protecting over 3,000 companies worldwide. Learn more at https://intruder.io.
Q&A: Intruder’s 2026 Attack Surface Management (ASM) Index
Q: What is the 2026 Attack Surface Management (ASM) Index?
The 2026 Attack Surface Management Index evaluates the reality of attack surface risk across 3,000 organizations, identifying the most common exposures and the speed at which they are remediated. The report is based on anonymized data from Intruder customers over the 12-month period ending in March 2026, with detailed breakdowns by industry and organization size.
Q: What are the key attack surface issues this Index uncovered?
Exposed databases occupy the top two spots, with over a quarter of organizations having an exposed MySQL database and one in six affected by Postgres exposures. More than 1 in 7 organizations exposed API documentation, ranking ahead of Remote Desktop, a common entry point for ransomware attacks. Legacy services intended for internal networks rather than the public internet make up the remainder of the top 10, including SNMP, UPnP, NTP, and RPC.
Q: What does this index reveal about AI usage and its impact on attack surfaces?
The Index confirms that while offensive AI usage is accelerating, organizations struggle to reduce attack surface exposure, especially as they scale. AI is drastically compressing the time between vulnerability disclosure and exploitation. However, if a service is not reachable from the internet, the window of risk is significantly reduced.
