As an authority in cloud technology and security architecture, Maryanne Baines has spent years deconstructing the invisible threads that hold our digital infrastructure together. With a background in evaluating complex tech stacks and product applications across diverse industries, she offers a pragmatic yet urgent perspective on the vulnerabilities that haunt modern enterprises. Today, we explore the alarming reality of attack surface management, delving into why foundational tools like databases and admin panels remain exposed to the public web. Our conversation traverses the dangerous persistence of legacy protocols, the staggering disparity in how quickly different sectors patch their holes, and the emergence of advanced AI models that are fundamentally shifting the speed of cyber-warfare.
One-quarter of MySQL databases are currently internet-facing, alongside significant portions of Postgres and WordPress admin panels. What specific configuration errors usually lead to these exposures, and how can teams implement a step-by-step audit to ensure internal tools stay off the public web?
The sheer volume of exposure we are seeing—with 25% of MySQL and 16% of Postgres databases left open—is a direct result of “convenience-first” configurations where developers prioritize ease of remote access over basic security hygiene. Often, a database or a phpMyAdmin panel is exposed because a firewall rule was temporarily relaxed during a migration and never reinstated, or a default cloud instance was spun up without a private VPC. To audit this effectively, teams must first map their entire external perimeter to identify every IP and port, specifically looking for that 8% of phpMyAdmin instances that often act as a secondary gateway. The next step is implementing a strict “deny-all” default policy, ensuring that administrative tools like WordPress panels, which currently sit exposed at a 15% rate, are tucked behind a VPN or a zero-trust proxy. It is chilling to realize that many of these assets don’t even require a known software vulnerability to be breached; a simple brute-force attack on a poorly configured admin panel is often all it takes for an intruder to gain total control.
RDP services and API documentation are frequently left vulnerable, serving as primary entry points for ransomware groups. Beyond just closing ports, what metrics should security teams track to measure their attack surface, and could you share an anecdote regarding a breach caused by these overlooked gateways?
While closing a port is a quick fix, security teams need to track the “mean time to discovery” for any new internet-facing asset to truly understand their risk profile. We are currently seeing one-in-seven organizations exposing private API documentation, which provides a literal roadmap for hackers to exploit backend logic. I’ve seen cases where a midmarket firm left an RDP service open for a single weekend of remote maintenance, only to find their entire server environment encrypted by Monday morning because they weren’t tracking “unauthorized service persistence.” It’s not just about the 15% of organizations that have RDP exposed; it’s about the sensory shock of seeing a ransomware note on a screen that was supposed to be protected by an internal-only gateway. Teams must monitor the ratio of internal-to-external services and treat any deviation as a high-priority incident before an automated scanner finds the gap for them.
Legacy protocols like SNMP and UPnP continue to persist on the public internet despite being intended for internal use. Why do these services remain such a hurdle for modern enterprises, and what are the practical trade-offs when attempting to decommission or firewall them in complex environments?
These legacy protocols are the “ghosts in the machine,” with 9% of organizations still running SNMP and 8% running UPnP on the public web, often because they are baked into the firmware of older networking gear or IoT devices. They remain a hurdle because decommissioning them can feel like pulling a single thread that unravels the entire enterprise sweater, potentially breaking vital monitoring or discovery functions that the business relies on. However, the trade-off of keeping them open is far more dangerous, as these protocols were never designed with the authentication rigors required for the modern internet. When you firewall these services, you might face a few days of visibility loss in your legacy dashboard, but that is a small price to pay compared to the catastrophic data loss that occurs when an attacker uses these protocols to map your internal network. The operational friction of updating these systems is real, but leaving them exposed is essentially an open invitation for a sophisticated actor to walk right through your front door.
While banks often remediate security gaps in 11 days, midmarket firms can take nearly two months to address similar exposures. What organizational roadblocks cause these significant delays, and what specific operational changes allow high-performing sectors to move four times faster?
The disparity is staggering; while a bank cleans up its act in 11 days and a retail firm in 10, midmarket organizations are languishing at an average of 56 days. This delay is usually caused by a lack of automated remediation workflows and a fragmented chain of command where the security team discovers the hole, but the IT team—which is already buried in tickets—has no mandate to prioritize the fix. High-performing sectors move four times faster because they treat vulnerability management as a real-time operational metric rather than a monthly compliance chore. They invest in automated discovery tools that instantly alert the correct stakeholder, bypassing the bureaucratic red tape that keeps a MySQL database exposed for two months. Moving the needle in the midmarket requires a cultural shift where security debt is treated with the same financial urgency as a line of credit, ensuring that “remediation windows” don’t stay open for weeks at a time.
Advanced AI models have significantly compressed the time between the discovery of a vulnerability and its exploitation by threat actors. How is this high-speed era changing daily security operations, and what automated defenses must companies deploy to counter AI-driven extortion attempts?
The arrival of powerful frontier models like Claude Mythos has fundamentally shifted the cybersecurity landscape by giving attackers the ability to automate the discovery and exploitation of gaps at a pace humans simply cannot match. This high-speed era means that the “grace period” between a patch being released and an exploit being active has effectively vanished, turning every vulnerability into a race against an algorithm. Daily operations must now center on “continuous” rather than “periodic” scanning to prevent high-speed extortion attempts that target exposed API docs or databases. Companies must deploy AI-driven defensive shields that can automatically isolate a compromised asset the millisecond an anomaly is detected, effectively fighting fire with fire. If you are still relying on a human being to manually approve a firewall change in response to a new threat, you have already lost the battle against the current generation of autonomous AI agents.
What is your forecast for database security?
I forecast that database security will move entirely away from the concept of a “perimeter” and toward a model of intrinsic, identity-based protection. As automated exploitation continues to skyrocket, we will see a massive push toward “dark databases” that are never reachable via a public IP, even for administrative purposes, relying instead on ephemeral, short-lived credentials. By 2027, I expect the 25% exposure rate for MySQL to drop significantly, not because organizations have become more diligent, but because cloud providers will begin enforcing “secure-by-default” postures that make it nearly impossible to accidentally expose a database to the public web. Ultimately, the future belongs to those who can automate their defenses to match the speed of AI-driven threats, turning what is currently a 56-day remediation slog into a sub-hour automated response.
