Organizations adopting multi-cloud strategies face mounting security challenges, as our team’s recent research reveals that one in three easily exploitable vulnerabilities are found on cloud-hosted assets. 

The findings come from our analysis of nearly five million internet-exposed assets, including web applications, servers, and domains. We focused on assets hosted on cloud platforms rather than the cloud platforms themselves, examining how vulnerabilities behave “in the wild” rather than in controlled testing environments. 

The timing couldn’t be more critical. Organizations experienced a 38 % increase in cloud security alerts by the end of 2024 compared to 2023, coinciding with Gartner’s prediction of double-digit growth across all cloud segments in 2025. As companies accelerate their cloud adoption, these security gaps represent real footholds that attackers are actively exploiting. 

Significant Variations Between Cloud Providers 

The research revealed substantial differences in vulnerability rates across major cloud platforms—disparities that frankly surprised our team. Assets hosted on Google Cloud showed the highest rate of security issues, with 38% vulnerable to at least one security issue or misconfiguration. 

This compares to 15% of assets hosted on AWS and 27% of assets hosted on Azure, showing vulnerabilities—over a 2.5x difference between the highest and lowest rates. 

The data suggests organizations may face varying levels of complexity when securing deployments across different cloud platforms. While further research is needed to understand the specific causes, these disparities highlight that security teams cannot apply one-size-fits-all approaches across their multi-cloud environments. 

Critical Vulnerabilities Present Across All Platforms 

Critical vulnerabilities scoring 9.0 or higher on the CVSS scale were detected on assets hosted by all major cloud providers, though rates remained relatively low overall. 

Assets hosted on Azure showed slightly higher rates of critical vulnerabilities at 0.07% , compared to 0.04% for both AWS and Google Cloud-hosted assets. While these percentages appear small, they represent thousands of vulnerable assets when considered across the global cloud ecosystem. Assets hosted on alternative cloud providers showed approximately ten times higher rates of critical vulnerabilities, highlighting the security maturity gap between major and secondary platforms. 

Easily Exploitable Vulnerabilities More Common on Alternative Platforms 

Our research distinguished between high-severity vulnerabilities and those that are easily exploitable—a critical difference that changes how security teams should prioritize threats. 

Over 13% of assets hosted on other clouds and 10% on alternative hosting providers had easily exploitable vulnerabilities. This compares to 5% of assets hosted on Google Cloud and 2% each for AWS and Azure. 

This data suggests that while Google Cloud shows higher overall vulnerability counts, many may be less immediately threatening than those found on smaller platforms. Assets with both critical severity ratings and easy exploitability were found across all providers, with AWS showing the lowest combined rate at 0.02% while alternative cloud and hosting providers showed rates ten times higher. 

Post-Deployment Security Testing Highlighted 

The findings emphasize what we’ve long advocated—the importance of security testing beyond development environments. Too many organizations treat security as a development checkbox rather than an ongoing operational requirement. 

While cloud computing offers tremendous benefits, our research reveals an alarming increase in serious security issues affecting cloud assets. Organizations must understand the crucial difference between high-severity vulnerabilities and those that are easily exploitable—both present distinct risks that require targeted security approaches. 

Dynamic application security testing of live systems proves crucial for uncovering vulnerabilities and misconfigurations that static analysis tools consistently miss. Security teams must focus on testing applications after deployment, not just during development, as many of the vulnerabilities that attackers actually exploit only surface in production environments. 

Recommendations for Organizations 

Based on our findings, organizations should implement several protective measures that we’ve seen work in practice: 

• Prioritize continuous monitoring of external systems, particularly e-commerce platforms and customer-facing applications that represent prime targets 

• Implement comprehensive asset discovery across all business units and cloud deployments, security teams can’t protect what they don’t know exists 

• Conduct ongoing security testing rather than periodic assessments, as the traditional annual approach proves insufficient against modern threats 

• Evaluate threats based on potential business impact and exploitability rather than technical severity alone 

• Integrate security findings into existing business processes through automation and clear communication channels 

The research comes as organizations increasingly adopt multi-cloud strategies, highlighting the need for comprehensive security approaches that account for varying risk profiles across different cloud platforms. As our data demonstrates, the question isn’t whether cloud assets face security challenges—it’s whether organizations will take the necessary steps to identify and remediate them before attackers do.