SYDNEY, Australia – June 17, 2026 – Arctic Wolf®, the cybersecurity and AI company, today released findings from its State of the Cybersecurity Attack Surface report, revealing that 33% of IT assets are either missing at least one critical security control or are misconfigured, placing them outside baseline security practices and creating exploitable blind spots for attackers.
Based on analysis of more than 800,000 IT assets observed through Arctic Wolf Aurora Attack Surface Management, the report found widespread gaps in foundational security controls across enterprise environments, creating opportunities for attackers to exploit unmanaged and under-protected assets.
Other key findings include:
- 18% of IT assets are not covered by enterprise patch or configuration management, creating environments where known weaknesses cannot be reliably remediated.
- 17% of IT assets are not visible to traditional vulnerability management solutions, meaning they are never scanned for vulnerabilities that threat actors are actively exploiting.
- 10% of IT assets are missing endpoint security, giving attackers a one-in-ten chance of entering enterprise networks unnoticed.
- 19% of IT assets have reached end-of-life, running hardware or software that no longer receives vendor security updates.
The report also found that end-of-life assets have become a structural risk rather than an exception. Aurora Attack Surface Management data shows unsupported assets are concentrated in systems organisations continue to rely on most, including legacy servers, virtualised infrastructure and shared end-user devices.
“Many organisations are investing heavily in vulnerability discovery and advanced security technologies, but our findings show that real-world exposure is often driven by a more fundamental issue: unmanaged assets, incomplete control coverage, legacy systems and blind spots across the environment,” said Dan Schiappa, President, Technology and Services, Arctic Wolf. “Organisations cannot protect, patch or prioritise what they cannot see, and attackers continue to take advantage of those gaps.”
The findings also challenge the perception that attackers primarily rely on sophisticated new attack techniques. According to Arctic Wolf’s 2026 Threat Report, 65% of non-business email compromise (BEC) incident response cases involved abuse of internet-facing remote access services such as RDP, VPN and remote management tools. Every one of the ten most frequently exploited vulnerabilities had a patch available at the time of exploitation.
As patching of internet-facing systems has improved, trusted-relationship and misconfiguration abuse surged from under 1% to 8% of non-BEC incident response cases, reinforcing a broader trend of attackers pivoting towards areas where environmental visibility is weakest.
The findings reinforce that many successful attacks are not driven by unknown vulnerabilities or a lack of available fixes. Instead, attackers continue to exploit known weaknesses, misconfigurations and assets operating outside established security controls.
Steve Hunter, Director of Engineering, APAC, Arctic Wolf added: “One of the most surprising aspects of this report is that we’re still seeing many of the same challenges security teams have been trying to solve for more than a decade.”
“Maintaining an accurate understanding of what exists across an environment sounds like a basic security requirement, but it remains incredibly difficult in modern organisations. At a time when AI is accelerating vulnerability discovery and organisations are managing increasingly complex environments, ensuring security controls are consistently applied across every asset is becoming even more critical.”
The full State of the Cybersecurity Attack Surface report is available here.
