Intruder's 2026 ASM Index reveals exposed databases and admin panels as primary vectors. Time-to-exploit has collapsed to a single day, while midmarket remediation stretches to 56 days.

On June 17, 2026, Intruder published its Attack Surface Management Index, analyzing 3,000 organizations over the period March 2025 to March 2026. The data shows a top 10 list of exposures completely devoid of zero-days: MySQL exposed in 26% of organizations, HTTP admin panels accessible in 60%, and public API documentation in more than one in seven companies. The stakes center on offensive speed, with time-to-exploit compressed to a single day, against a defense that averages 56 days for the midmarket.

Key Takeaways
  • 26% of organizations have Internet-reachable MySQL databases; 60% expose at least one HTTP administration panel
  • API documentation surpasses RDP in the exposure rankings, affecting more than 1 in 7 organizations
  • Time-to-exploit has fallen to one day, while Mandiant records exploitation occurring an average of 7 days before patch release
  • Organizations with 5,000 to 10,000 employees take an average of 56 days to remediate, four times slower than small businesses

The Top 10: Basic Hygiene, Not Advanced Vulnerabilities

Intruder's analysis of 3,000 customers identifies ten recurring exposures that stem not from zero-day flaws but from misconfigurations. Topping the list is MySQL, exposed in 26% of organizations according to the original press release. PostgreSQL follows at roughly one in six companies, or 17%. The newcomer at third place is API documentation, which overtakes RDP with more than one in seven organizations affected.

RDP drops to fifth place, though it remains a historic initial vector for ransomware. 49% of organizations expose ports or services deemed risky; 42% have databases directly reachable from the Internet. 30% publish files or information not intentionally accessible. Legacy services such as SNMP, UPnP, NTP, and RPC round out the list. 60% of organizations have at least one exposed HTTP panel: admin consoles, management UIs, or login pages for internal tools.

"With time-to-exploit now down to a single day, the question isn't just how fast you can patch. It's why the service was exposed in the first place."

Chris Wallis, CEO of Intruder, links the compression of offensive timelines to the emergence of autonomous AI models like Mythos, cited in the 2026 ASM Index as accelerants of the landscape. The source does not quantify Mythos's specific impact with documented technical metrics.

The Midmarket Paradox: Enterprise Complexity, Insufficient Resources

Intruder's data shows an inverse correlation between organizational size and remediation speed, one that defies intuition. Banks close in 11 days on average, retail in 10. Automotive and pharmaceuticals climb to 43 days, insurance to roughly 50. The peak belongs to organizations with 5,000 to 10,000 employees: 56 days on average, four times slower than small businesses.

This 56-day window overlaps with a one-day time-to-exploit. The misalignment is not technological but organizational: growing companies manage attack surfaces that expand exponentially, without equivalent scaling of governance processes.

Arctic Wolf, with primary data from over 800,000 IT assets, corroborates the picture. 33% of assets lack at least one critical control: patch management, endpoint security, or vulnerability management visibility. 19% are end-of-life. These numbers point to a fundamental problem in asset visibility and governance, not just technical vulnerabilities.

Exploitation Beats the Patch: Converging Mandiant and CrowdStrike Data

Stingrai's meta-analysis, aggregating NVD, Mandiant, CrowdStrike, Google, and IBM data, confirms the trend. Mandiant M-Trends 2026, based on 450,000 hours of incident response, estimates mean time to exploit at minus 7 days: exploitation occurs on average before patch release. CrowdStrike reports that 42% of vulnerabilities are exploited before public disclosure.

The convergence across these sources makes Intruder's data point — time-to-exploit at one day — part of a broader pattern, not an anomaly. Arctic Wolf adds context: each of the top 10 most exploited CVEs in 2025 incident response cases was dated 2024 or earlier, and all had patches available. According to the source, attackers follow the path of least resistance: "When perimeter defenses improve, they move to the legacy VPNs, the RMM agent still running on a retired endpoint, or the remote access service with stale or missing endpoint protection."

Abuse of remote access services accounts for 65% of non-BEC IR cases, doubled from the past. This Arctic Wolf data positions RDP and analogous tools not as technical vulnerabilities but as systematically exploited operational vectors.

What to Do Now

The dossier does not specify detailed remediation measures from the cited vendors. Priority actions emerge from the documented data:

  • Map exposed HTTP panels: with 60% of organizations affected, identifying admin consoles, management UIs, and login pages reachable from the Internet is the first step. The brief does not detail specific detection methodologies.
  • Reduce database reachability: 42% of organizations have directly exposed databases; 26% specifically MySQL. Removing Internet access requires network reconfiguration, not patching.
  • Verify public API documentation: with more than 1 in 7 organizations affected, reviewing exposed repositories and developer portals is a priority. The brief does not specify tools for this verification.
  • Accelerate midmarket remediation: the 56-day gap for 5,000–10,000 employee organizations demands internal process review, not just technology deployment. Arctic Wolf documents a 43% reduction in exposures with a mature Aurora ASM program.
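
One way to start on the database and legacy-service items above is to audit ingress rules for public sources that reach the default ports of the services the Index names. The sketch below is an added example, not taken from Intruder or any cited vendor; the rule format and the sample rules are constructed for illustration, and rule ordering and deny precedence are not modelled. HTTP panels and API documentation cannot be identified by port alone and are out of its scope.

```python
import ipaddress

# Default ports of services named in the Index's top 10.
RISKY = {
    ("tcp", 3306): "MySQL", ("tcp", 5432): "PostgreSQL", ("tcp", 3389): "RDP",
    ("udp", 161): "SNMP", ("udp", 1900): "UPnP (SSDP)", ("udp", 123): "NTP",
    ("tcp", 111): "RPC portmapper", ("tcp", 135): "MS-RPC",
}

# Private, loopback and link-local ranges: sources inside these are not Internet sources.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_public_source(cidr):
    """True if the source range is not wholly inside a non-public range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in NON_PUBLIC)

def audit(rules):
    """Return sorted (rule, service, port, source) tuples for public allow rules
    whose port range covers a risky service port."""
    findings = []
    for r in rules:
        if r["action"] != "allow" or not is_public_source(r["source"]):
            continue
        lo, hi = r["ports"]
        for (proto, port), svc in RISKY.items():
            if r["proto"] in (proto, "any") and lo <= port <= hi:
                findings.append((r["name"], svc, port, r["source"]))
    return sorted(findings)

# Constructed sample rules (hypothetical format, not a real cloud or firewall API).
SAMPLE_RULES = [
    {"name": "web", "action": "allow", "proto": "tcp", "ports": (443, 443), "source": "0.0.0.0/0"},
    {"name": "db-legacy", "action": "allow", "proto": "tcp", "ports": (3306, 3306), "source": "0.0.0.0/0"},
    {"name": "pg-internal", "action": "allow", "proto": "tcp", "ports": (5432, 5432), "source": "10.20.0.0/16"},
    {"name": "wide-open", "action": "allow", "proto": "tcp", "ports": (3000, 6000), "source": "::/0"},
    {"name": "snmp-mon", "action": "allow", "proto": "udp", "ports": (161, 161), "source": "198.51.100.0/24"},
    {"name": "rdp-deny", "action": "deny", "proto": "tcp", "ports": (3389, 3389), "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, svc, port, src in audit(SAMPLE_RULES):
        print(f"{name}: {svc} ({port}) reachable from {src}")
```

A broad port range such as the constructed `wide-open` rule is reported once per service it covers, which makes the cost of range-based allow rules visible in the output.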

Why Hygiene Doesn't Scale Automatically

The technical core of the phenomenon is the structural discrepancy between offensive and defensive speed. When exploitation systematically precedes patching, preventive attack surface reduction becomes more efficient than reactive patching. But reduction requires visibility, and visibility requires governance.

The midmarket is particularly vulnerable because it sits in a transition: no longer a small business with a limited surface, not yet an enterprise with mature processes. The data shows this transition carries a cost in exposure days, which organizations pay as complexity scales linearly without an equivalent scaling of controls. The challenge is not technical but organizational: how to surface the priority of basic hygiene to boards that associate cybersecurity with advanced investments.

Information verified against cited sources and current as of publication.
