2026 State of Threat Exposure Management Report
Exposure management is no longer a simple vulnerability management problem. It is a problem of continuously understanding what is operating, communicating, and creating exposed attack paths across dynamic environments.
Vectra AI analyzed customer environments to understand asset change, unmanaged devices, AI-agent presence, and attacker-relevant exposure conditions.
100%
of analyzed environments experienced newly observed hosts in just 14 days.
Modern enterprise environments are continuously changing faster than static inventories can accurately track.
Environments are continuously introducing new assets and device types, creating persistent uncertainty around ownership, role, management status, coverage, segmentation, communication behavior, and whether new assets create paths attackers could use.
>30%
of devices are unmanaged on average.
These assets can operate outside agent-based visibility.
Organizations cannot assume endpoint tools provide complete visibility. Many assets remain outside agent-based coverage, creating blind spots that leave potential attack paths unmonitored.
96:1
maximum observed AI-agent to device ratio.
In some environments, AI agents and non-human actors already outnumber traditional devices at a massive scale.
Security teams need visibility beyond users and devices. AI agents, service accounts, automation pipelines, APIs, and other non-human identities are now active operational actors that create new access paths, communication flows, and potential attack paths.
98%
of analyzed environments had at least one attacker-relevant exposure condition present.
Legacy protocols, weak cryptography, credential exposure, and risky services remain widespread across modern environments.
Most commonly observed exposure conditions · Past 30 days
These conditions can help attackers gain access, move laterally, steal credentials, weaken encryption, or expand control once inside an environment.
Attacker-relevant exposure is widespread, but not all conditions carry equal risk. Security teams need context to understand which conditions are merely present, which ones create exploitable attack paths, and which ones should be remediated first.
Where exposure management goes next
Modern environments are dynamic, interconnected, and expanding faster than traditional security models can track. Exposure management must become continuous, contextual, and operational so that teams can identify and reduce exposed attack paths before attackers use them.
Understand what is operating, how it's communicating, and what has changed.
Focus on exposure conditions that create or extend exposed attack paths.
Address issues across assets, identities, and environments with operational context.
Continuously validate that exposure has been reduced and risk is meaningfully lowered.



