Press Release

Palo Alto Networks Releases 2021 Cortex Xpanse Attack Surface Threat Report

Lessons in Attack Surface Management from Leading Global Enterprises


Palo Alto Networks (NYSE: PANW) today released the 2021 Cortex Xpanse Attack Surface Threat Report, which highlights lessons in attack surface management from leading global enterprises.

The Palo Alto Networks Cortex® Xpanse™ research team studied the public-facing internet attack surface of some of the world’s largest businesses to help enterprises. From January to March, they monitored scans of 50 million IP addresses associated with 50 global enterprises to understand how quickly adversaries can identify vulnerable systems for fast exploitation.

Key Reveals:

  • Adversaries are constantly scanning for weaknesses in the public-facing internet attack surface of enterprises, in the cloud and traditional data centers. Attackers scan for vulnerable systems once an hour on a typical day, but this activity picks up dramatically when new vulnerabilities are disclosed.
    • Scans started within 5 minutes after disclosure of the high-profile zero-day vulnerabilities in Microsoft’s widely used Exchange Server.
    • Scans started within 15 minutes after most vulnerabilities were announced.
    • Global enterprises are far behind the attackers. It takes weeks for such scans to begin.
  • Vulnerabilities in the public-facing internet of global enterprises are widespread. One serious vulnerability turned up twice a day, or every 12 hours, in the global enterprises we studied.
  • As global enterprises transformed their operations to support remote work, that created security gaps: 
    • 79% of observed exposures were in the cloud, compared to 21% for on-premises data centers.
    • Nearly one in three vulnerabilities uncovered were due to issues with Remote Desktop Protocol (RDP), whose usage has soared to enable remote work. It can provide direct admin access to a server, which makes it one of the most common gateways for ransomware.

Concerns about digital transformation introducing security gaps not only proved grounded but also understated the impact.

In reality, digital transformation has realigned the risk equilibrium in the attacker’s favor. Most tools in IT and security’s arsenal—namely asset and vulnerability management—focus on evaluation but not discovery. In other words, these tools manage known assets while remaining blind to unknown ones. Worse yet, the common methods of discovering unknown assets—such as pen-testing—take place on a quarterly basis (see figure 1).

Figure 1: IT security toolset for attack surface evaluation

These programs should start with the basics:

  • Global internet visibility: Implement a system of record to track every asset, system, and service you own that is on the public internet, including across all major CSPs and dynamically leased (commercial and residential) ISP space using comprehensive indexing, spanning common and often misconfigured port/protocols (i.e., not limited to the old perspective of only tracking HTTP and HTTPS websites).
  • In-depth attribution: Detect systems and services belonging to your organization using a full protocol handshake to verify details about a specific service running at a given IP address. By fusing this information with a number of public and proprietary datasets, match the full and correct set of internet-facing systems and services back to a specific  organization.


Using the externally available attack surface from global enterprises, Cortex Xpanse researchers examined and interpreted data to help defenders understand the attack surface in order to:

  • Quantify and remediate externally facing vulnerabilities.
  • Provide security teams with attack surface benchmark metrics.
  • Optimize threat modeling.
  • Convey the threat landscape to technical and nontechnical audiences.
  • Deploy proactive security measures.

Cortex Xpanse operates a proprietary platform that continuously collects more than one petabyte per day of information related to all systems on the public internet to ascertain how attackers view potential targets. We fuse this information to discover cybersecurity risks present on the networks of the world’s largest and most complex organizations, which no one else can find. Our technology helps our customers see the world through the eyes of highly sophisticated attackers.

For this report, they looked at the attack surface and threat data coming from 50 global enterprises, including a subset of the Fortune 500, covering around 50 million IP addresses from Q1 2021 (January 2021 – March 2021) and representing 1% of total, global IPv4 space.

Full report attached for reference.

About Cortex Xpanse

Cortex® Xpanse™, a global internet collection and attribution platform, empowers CISOs to continuously discover, evaluate, and mitigate their external attack surface. Today, Xpanse customers collectively represent 12% of the overall IPv4 internet and include leading Fortune 500 companies as well as both US government organizations and military branches.

About Palo Alto Networks 

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world’s greatest security challenges with continuous innovation that seizes the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. Our vision is a world where each day is safer and more secure than the one before. For more information, visit

Leave a Response