EchelonGraph · Threat Intelligence

The State of Internet Exposure 2026

Inaugural Edition · What the whole internet can already see

An evidence-based field report, observed passively from public data — not a survey, not a forecast. We measured the externally-visible attack surface from the same vantage point an adversary uses, across 137 countries, over a five-week baseline window.


By the numbers — window 29 May – 28 June 2026

2,050 · AI services confirmed active & open · of 82,416 discovered
21,299 · hosts on CISA-KEV exploited vulns · of 36,416 CVE-exposed
6,607 · open, unauthenticated databases · 120 countries
2,571 · exposed .env files · ≈2,600 AWS keys
619 · secrets in public Git repos · 478 repositories
134 · hijackable subdomains · dangling CNAME
340,552 · CVEs tracked & enriched · 1,621 CISA-KEV
137 · countries observed · passive, detect-only

What's inside — 15 chapters, ~128 pages

  1. Executive Summary
  2. Methodology & How We Found This
  3. The AI Attack Surface
  4. Known-Exploited Vulnerability Exposure
  5. Exposed Data Stores
  6. Secret Sprawl
  7. Subdomain Takeover
  8. The Vulnerability Landscape
  9. Trends & Trajectory
  10. Risk Analysis
  11. Mitigation & Remediation
  12. Gaps & What We're Not Seeing
  13. The CISO Playbook
  14. Past Mistakes & Lessons
  15. The Path Forward

How we found this. Every figure is observed passively from public data: Certificate Transparency logs, public internet scan data, public source repositories, and public DNS. We never authenticate, never log in, and never read the contents of an exposed system. Findings are aggregated and host-redacted under a responsible-disclosure posture. This is an observational field report, not a penetration test, and the absence of a finding is not evidence of safety.