Cloud security has rapidly ascended to the top of every IT agenda, propelled by accelerating digital transformation, complex multi-cloud strategies, and a wave of high-profile cyber incidents. Recent findings from CyCognito, a security firm recognized for its attack surface management platform, provide a stark reminder that the move to the cloud brings as many risks as it does rewards. A detailed analysis of nearly five million internet-exposed assets reveals profound disparities in the security posture of the leading cloud platforms and their smaller competitors. In an environment where just one overlooked asset can provide a gateway for malicious actors, the numbers command attention—and demand informed scrutiny.
The CyCognito report, widely cited in security news and confirmed by reputable technology outlets, sets out to answer a vital question: Which cloud providers expose their customers to the most risk through vulnerabilities and misconfigurations? The study spans the three industry giants—Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)—pulling in secondary players including Oracle Cloud, DigitalOcean, Linode, and major hosting names such as GoDaddy, Hetzner, and DreamHost.
The survey’s scope, covering millions of cloud assets, ensures findings are statistically significant and relevant for organizations of every size. Assets considered in the analysis are those directly accessible to the internet, illuminating how real-world attack surfaces compare in terms of risk and resilience.
Smaller cloud providers—the likes of Oracle Cloud, DigitalOcean, and Linode—fared just as poorly, also averaging a 38% exposure rate. Major hosting companies followed close behind at 33%. These figures raise serious questions about the underlying controls, default configurations, or customer guidance provided by these platforms.
Nonetheless, it is worth noting that some security experts caution against reading too much into raw exposure rates, arguing that customer behavior, asset types, and the complexity of GCP workloads may differ from those on AWS or Azure. Still, CyCognito’s methodology—tracking “internet-exposed” assets regardless of workload—provides a meaningful apples-to-apples comparison.
At first glance, these percentages might seem negligible. But scale changes everything. Applying a 0.07% rate across millions of assets means hundreds of critical weaknesses are left potentially open for exploitation—an unacceptable situation for organizations mandated to meet strict compliance or data protection standards.
Critically, the risk is far more pronounced among smaller cloud providers, where nearly 0.5% of internet-exposed assets carry critical flaws. Hosting companies exhibited 0.32%, again underscoring that economies of scale and mature security processes favor the largest providers.
Security advisories from Microsoft and AWS frequently discuss patch cycles and incident reports involving these severe flaws. Yet, as multiple industry analysts point out, even the best-run cloud environments cannot patch what they are unaware of or what lies outside their asset inventories—the very gaps CyCognito’s research aims to highlight.
Here again, smaller cloud providers see worrisome levels of risk: more than 13% of their assets contain vulnerabilities categorized as “easy to exploit.” Major hosting providers reach nearly 10%. Within the big three, Google Cloud suffers the highest rate at 5.35%, more than double AWS (1.98%) and well ahead of Azure (2.37%).
Security analysts debate the precise frequency of such “shadow IT,” but a wide body of research confirms it as a leading source of cloud breaches. According to Palo Alto Networks’ 2024 Cloud Threat Report, there was a massive 388% year-over-year spike in cloud security alerts—a surge attributed directly to the complexity of modern, multi-cloud environments and the continuous emergence of unknown or untracked components.
Its use of exploitability data, informed by live intelligence about attacker techniques and automated exploit campaigns, adds much-needed nuance to risk assessment. Distinguishing merely “vulnerable” from “actively exploitable” assets allows for actionable prioritization—a capability missing from many legacy exposure management programs.
Furthermore, the inclusion of major hosting companies and smaller cloud vendors highlights the risk that organizations may inadvertently take on by diversifying cloud portfolios or selecting providers without strong security track records.
Others warn against using exposure rates as a sole criterion for provider selection, emphasizing the importance of holistic security programs, customer support, and the specific needs of the enterprise. Leading cloud providers, for their part, routinely publish their own security assessments and advice for reducing risks, including the Shared Responsibility Model. Official documentation from AWS, Microsoft, and Google emphasizes the joint role of customer configuration and provider-managed security.
For organizations navigating the complex terrain of multi-cloud operations, the report’s findings—and the wider consensus among independent experts—point to several clear imperatives. Understand and continuously map your full attack surface. Prioritize vulnerabilities based both on severity and real-world exploitability. Consider your providers’ track records and transparency. And above all, nurture a culture where security is never the responsibility of a single team or tool, but a continuous, shared, and adaptive process.
Cloud is the future, but vigilance—and robust, data-driven security—must be its foundation.
A Closer Look at Cloud Security Gaps
The CyCognito report, widely cited in security news and confirmed by reputable technology outlets, sets out to answer a vital question: Which cloud providers expose their customers to the most risk through vulnerabilities and misconfigurations? The study spans the three industry giants—Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)—pulling in secondary players including Oracle Cloud, DigitalOcean, Linode, and major hosting names such as GoDaddy, Hetzner, and DreamHost.The survey’s scope, covering millions of cloud assets, ensures findings are statistically significant and relevant for organizations of every size. Assets considered in the analysis are those directly accessible to the internet, illuminating how real-world attack surfaces compare in terms of risk and resilience.
Google Cloud Tops the Charts for Overall Exposure
The most headline-grabbing revelation centers on Google Cloud’s share of risky assets. According to CyCognito’s data, 38% of Google Cloud-hosted assets exhibited at least one security issue. That’s more than double the rate found on AWS (15%) and notably higher than Azure (27%). In effect, nearly two out of every five GCP assets present some form of vulnerability.Smaller cloud providers—the likes of Oracle Cloud, DigitalOcean, and Linode—fared just as poorly, also averaging a 38% exposure rate. Major hosting companies followed close behind at 33%. These figures raise serious questions about the underlying controls, default configurations, or customer guidance provided by these platforms.
Verifying the Numbers: What Other Sources Say
Multiple independent security reports, including Palo Alto Networks’ annual threat review, corroborate the broader context: cloud vulnerabilities are rising as organizations adopt hybrid and multi-cloud setups. While specific percentages fluctuate between studies, consensus holds that Google Cloud and smaller vendors tend to present higher external exposure than AWS, which has long positioned itself as a leader in operational security.Nonetheless, it is worth noting that some security experts caution against reading too much into raw exposure rates, arguing that customer behavior, asset types, and the complexity of GCP workloads may differ from those on AWS or Azure. Still, CyCognito’s methodology—tracking “internet-exposed” assets regardless of workload—provides a meaningful apples-to-apples comparison.
Azure Carries the Most Critical Vulnerabilities
While Google Cloud led in overall exposure, the rate of critical vulnerabilities—defined as those with a CVSS score of 9.0 or higher—tells a slightly different story. Here, Azure comes out worst among the cloud majors, with 0.07% of assets affected by high-severity bugs. AWS and Google Cloud follow at 0.04% each.At first glance, these percentages might seem negligible. But scale changes everything. Applying a 0.07% rate across millions of assets means hundreds of critical weaknesses are left potentially open for exploitation—an unacceptable situation for organizations mandated to meet strict compliance or data protection standards.
Critically, the risk is far more pronounced among smaller cloud providers, where nearly 0.5% of internet-exposed assets carry critical flaws. Hosting companies exhibited 0.32%, again underscoring that economies of scale and mature security processes favor the largest providers.
Digging Deeper: The Real-World Impact of Critical Vulnerabilities
Critical vulnerabilities on cloud assets are not theoretical risks; they are among the most prized entry points for ransomware groups, state-sponsored actors, and skilled penetration testers. The exponential growth in cloud incident response engagements over the past year, as reported by global consultancies, is attributed in part to such low-frequency but high-impact weaknesses.Security advisories from Microsoft and AWS frequently discuss patch cycles and incident reports involving these severe flaws. Yet, as multiple industry analysts point out, even the best-run cloud environments cannot patch what they are unaware of or what lies outside their asset inventories—the very gaps CyCognito’s research aims to highlight.
The “Easy Targets”: Exploitability and Attacker Behavior
Not all vulnerabilities are created equal. What matters most to attackers—particularly those using automated scanning and exploitation tools—is not just what’s vulnerable, but what’s actually exploitable. CyCognito’s report advances industry discourse by measuring how many assets have flaws that are simple for attackers to exploit, based on current threat intelligence and observed attacker trends.Here again, smaller cloud providers see worrisome levels of risk: more than 13% of their assets contain vulnerabilities categorized as “easy to exploit.” Major hosting providers reach nearly 10%. Within the big three, Google Cloud suffers the highest rate at 5.35%, more than double AWS (1.98%) and well ahead of Azure (2.37%).
Contextualizing the Exploitability Gap
The “exploitability” criterion is critical because not every theoretical weakness is practical for attackers. Factors such as public proof-of-concept code, known malware leveraging flaws, and historical exploit chains all feed into whether a given vulnerability moves from the realm of caution to emergency. Multiple red team engagements and high-profile breaches show that attackers overwhelmingly favor low-effort, high-reward compromise paths, such as common misconfigurations and unpatched services—issues the research identifies in abundance on less mature platforms.Combined Risks: Where Criticality Meets Exploitability
The scenario every security team dreads is an asset that simultaneously carries a critical score and is easy to exploit. Fortunately, these nightmare situations are rare among the largest providers, with less than 0.1% of AWS, Azure, and Google Cloud assets falling into this high-risk overlap. Outside the big three, however, risk rises: about 0.3% of assets on smaller clouds and 0.25% on hosting providers cross this critical threshold—roughly ten times the rate for AWS.Statistical Significance and the Scale of the Cloud
Despite seemingly small figures, the reality of hyperscale cloud means even a tenth of a percent can represent hundreds or thousands of assets. Every one of these is a potential breach crater, especially for organizations unable to enforce rigorous asset management and automated remediation across sprawling, multi-cloud estates.The Roots of the Problem: Shadow IT and Asset Visibility
One of the root causes of these risks is the challenge of asset visibility. In practice, IT teams often lose track of resources in highly dynamic environments. Assets may be spun up for short-term projects and forgotten, left unpatched, or misconfigured in ways that are invisible to traditional scanning or inventory mechanisms.Security analysts debate the precise frequency of such “shadow IT,” but a wide body of research confirms it as a leading source of cloud breaches. According to Palo Alto Networks’ 2024 Cloud Threat Report, there was a massive 388% year-over-year spike in cloud security alerts—a surge attributed directly to the complexity of modern, multi-cloud environments and the continuous emergence of unknown or untracked components.
Advice for Security Teams: From Reactive to Proactive
So, what should organizations do in the face of these sobering findings? CyCognito and many security thought leaders recommend going beyond conventional cloud inventory and vulnerability management tools. Key recommendations include:- Adopt “seedless” discovery methods: Rather than relying solely on manually maintained asset lists (which invariably lag behind reality), organizations should use intelligence-driven approaches that continuously map every exposed internet asset associated with a business—even those not documented in internal records.
- Embrace continuous and dynamic security testing: Regularly probe live applications and network surfaces for vulnerabilities after deployment, not just during initial development. This helps catch configuration drift and changes made outside formal processes.
- Integrate threat intelligence into vulnerability prioritization: Not every vulnerability is equally urgent. By focusing on what attackers are actively exploiting, organizations can allocate effort where it best reduces risk.
- Automate remediation where possible: Use cloud-native controls to quickly quarantine exposed assets, enforce baseline configurations, and deploy security patches at scale.
- Foster a culture of accountability: Ultimately, the move to cloud requires shared responsibility. Security awareness, clear policy enforcement, and cross-team collaboration are as vital as technical controls.
Critical Analysis: Strengths of the CyCognito Approach
The CyCognito report stands out for its scope and methodological rigor. By evaluating real-world, internet-exposed assets, rather than relying solely on customer self-reporting or vendor-supplied configuration snapshots, it provides a credible, attacker-centric view of the world’s actual cloud attack surface.Its use of exploitability data, informed by live intelligence about attacker techniques and automated exploit campaigns, adds much-needed nuance to risk assessment. Distinguishing merely “vulnerable” from “actively exploitable” assets allows for actionable prioritization—a capability missing from many legacy exposure management programs.
Furthermore, the inclusion of major hosting companies and smaller cloud vendors highlights the risk that organizations may inadvertently take on by diversifying cloud portfolios or selecting providers without strong security track records.
Cautions and Limitations: What the Data Doesn’t Show
Despite its strengths, the data should be interpreted carefully. Some potential caveats include:- Customer responsibilities and self-configuration bias: Cloud security is inherently shared between provider and customer. Higher rates of risky assets may reflect less mature customer security practices on certain platforms, rather than intrinsic flaws in the underlying infrastructure. Nevertheless, providers are responsible for offering clear defaults, strong baseline controls, and proactive guidance.
- Varied asset profiles: GCP, AWS, and Azure do not always serve the same types of customers or workloads. For example, research-focused organizations or startups may be overrepresented on certain platforms, influencing the numbers.
- No direct measurement of breach rates: High exposure does not guarantee actual incidents. However, historical breach data consistently shows a strong correlation between exposed vulnerabilities and successful attacks.
- Rapidly changing cloud landscapes: Vulnerability profiles can shift quickly as platform configurations evolve, patch cycles run, and new guidance is rolled out. The time window of collected data is important to contextualize results.
- Possible detection bias: It is not always clear if all asset classes, ephemeral resources, and non-standard deployments are captured equally across providers. CyCognito’s methodology strives for coverage but readers should be wary of possible blind spots.
Competing Perspectives: Reaction from the Industry
Reaction to the findings within the security community is divided, though there is broad consensus about the gravity of cloud exposure. Some industry analysts praise the CyCognito study for highlighting real differences in provider approaches and urging organizations to scrutinize their choices more closely.Others warn against using exposure rates as a sole criterion for provider selection, emphasizing the importance of holistic security programs, customer support, and the specific needs of the enterprise. Leading cloud providers, for their part, routinely publish their own security assessments and advice for reducing risks, including the Shared Responsibility Model. Official documentation from AWS, Microsoft, and Google emphasizes the joint role of customer configuration and provider-managed security.
Looking Ahead: The Evolving Cloud Security Landscape
Cloud security is a moving target. As digital transformation accelerates and cloud adoption deepens, both attackers and defenders engage in a perpetual arms race. Automated scanners, new vulnerability discovery techniques, and increasingly complex infrastructure all contribute to an ever-expanding attack surface.- Regulatory pressures will intensify scrutiny on cloud asset security as governments and industry groups set clearer rules around data exposure and incident management.
- Technological advances, such as secure-by-design cloud services, automated remediation, and attacker-behavior-informed prioritization, offer hope of narrowing the exposure gap.
- Market consolidation is likely, as smaller providers unable to invest in top-tier security controls may lose business to the largest players, or be compelled to adopt stronger defaults.
Conclusion: Practical Takeaways for Cloud Security Leaders
The CyCognito research, bold in its scope and relevance, underscores a harsh reality: not all clouds are equally secure, and complacency is costly. Google Cloud’s high exposure rates demand attention from customers and highlight the need for better controls and configuration guidance at every stage of the cloud lifecycle. Azure’s concentration of critical flaws reiterates the danger of equating size with immunity. For those relying on smaller cloud or hosting providers, the message is clear: risk multiplies as you depart from the industry giants, and security investments must scale accordingly.For organizations navigating the complex terrain of multi-cloud operations, the report’s findings—and the wider consensus among independent experts—point to several clear imperatives. Understand and continuously map your full attack surface. Prioritize vulnerabilities based both on severity and real-world exploitability. Consider your providers’ track records and transparency. And above all, nurture a culture where security is never the responsibility of a single team or tool, but a continuous, shared, and adaptive process.
Cloud is the future, but vigilance—and robust, data-driven security—must be its foundation.
