The Hacker NewsJun 17, 2026Attack Surface Management

Breaches don't always start with a zero-day. An exposed admin panel can be brute-forced, or credentials from a previous attack can be reused. But when a vulnerability does drop — like MongoBleed earlier this year, which let attackers pull credentials and session tokens from server memory without authentication — anything internet-facing is immediately at risk.

With time-to-exploit now down to a single day, the question isn't just how fast you can patch. It's why the service was exposed in the first place.

The team at Intruder analyzed 3,000 attack surfaces to find out how much of a typical organization's attack surface consists of services that have no reason to be there. We grouped what we found into four categories — HTTP panels, risky ports and services, databases, and publicly accessible files and information.

The full findings, including breakdowns by company size and industry, are in our 2026 Attack Surface Management Index.