Maintaining an accurate understanding of the IT assets that exist across an organisation’s environment remains one of the most fundamental challenges in cybersecurity.

This may sound like a basic security problem, but it continues to undermine security programs of all sizes.

In fact, one of the most surprising findings from Arctic Wolf’s latest State of the Cybersecurity Attack Surface report wasn’t a new attack technique or emerging threat. It was proof that organisations are still struggling with the same visibility challenges security teams have been trying to solve for more than a decade.

The report found that 33% of IT assets is missing at least one critical security control, meaning the assets exist in a blind spot outside processes and best practices widely treated as baseline security hygiene.

Foundational controls are still falling short

IT asset visibility has long been recognised as a foundational security control because organisations cannot secure assets they do not know exist.

As organisations embrace cloud, AI and increasingly complex technology environments, maintaining a complete picture of what exists across the business has become more challenging.

Security teams often have visibility into most of their environment, but it is the “known unknowns” or the assets and systems that fall outside established processes but are still within an organisation’s ability to identify and manage that can create significant risk.

The report found that 18% of IT assets are not covered by enterprise patch or configuration management, while more than 17% are not visible to traditional vulnerability management solutions and are therefore never scanned for known vulnerabilities. Most concerning, 10% of assets lack endpoint protection altogether.

These findings highlight an enterprise attack surface where foundational controls are not where they need to be. Assets operating outside those controls create opportunities for attackers and increase the likelihood that vulnerabilities go undetected or unaddressed.

For organisations working towards frameworks such as the Essential Eight, this presents a difficult reality. Implementing security controls is one challenge; ensuring they are consistently deployed across every asset is another.

This challenge is particularly relevant for Australian mid-market and larger organisations, where security teams are often responsible for managing increasingly complex environments with limited resources.

As cloud services, AI tools and digital transformation initiatives continue to expand the attack surface, maintaining visibility across every asset becomes increasingly difficult.

Visibility gaps create real-world risk

The report also found that 19% of IT assets have reached end-of-life and nearly one in five are running hardware or software that no longer receive vendor security updates.

This was one of the more surprising findings because it highlights how difficult vulnerability management has become for many organisations. Security teams are dealing with a continuous stream of new vulnerabilities and compressed timelines for patching.

At the same time, AI is fundamentally changing the pace of vulnerability discovery. Tools such as Anthropic’s Claude Mythos and Google’s Big Sleep demonstrate how AI can identify vulnerabilities faster than traditional methods, accelerating discovery for both defenders and adversaries alike.

While this has the potential to improve security outcomes, it also places additional pressure on organisations. Vulnerabilities that once took weeks or months to identify can now be discovered far more quickly, reducing the time security teams have to assess, prioritise and remediate risk.

The cybersecurity industry has become remarkably proficient at identifying vulnerabilities. However, identifying risk and remediating it are two very different things.

As attack surfaces continue to expand, the challenge for many organisations is no longer finding exposures, but ensuring they have the visibility and resources required to address them before attackers do.

Attackers are exploiting the basics

It is easy to assume that organisations are most at risk from newly discovered vulnerabilities and emerging attack techniques.

Arctic Wolf’s 2026 Threat Report found that 65% of non-business email compromise (BEC) incident response cases involved abuse of external remote access services such as RDP, VPN, and RMM tools. It also found that the top 10 most frequently exploited vulnerabilities all had patches at the time of exploitation.

What this tells us is that many successful attacks are not driven by a lack of security technologies or the absence of available fixes. Instead, attackers continue to take advantage of weaknesses that organisations already know about but have not yet remediated.

Despite decades of investment in cybersecurity technologies, one-third of IT assets are still operating with missing controls or misconfigurations.

That should serve as a reminder that many organisations are still struggling with the same foundational security challenges they faced more than a decade ago.

The organisations that will be most successful at reducing risk are not necessarily those identifying the most vulnerabilities, but those that can accurately identify their IT assets, understand where controls are missing and consistently remediate the exposures that matter most.

Before organisations can patch vulnerabilities, deploy controls or prioritise risk, they must first understand what exists within their environment.