AI
Whilst the world is seemingly losing its mind from watching too many Hollywood films and thinking that LLMs are going to turn into SKYNET or the ENTITY, the majority of cyber professionals I know are like… meh, safe shizzle we have always had, but at least we don’t have to write crappy CSS and can make tools look awesome really fast these days!
The rest of this post is created by Claude Opus 4.8, prompted by my good self analysing a bunch of data I’m working on:
Augmented Reality
root@xservus:~/research# cat surface-risk-summary.md
Same network, same threats
A surface-and-risk snapshot from a large, mixed estate — and a reminder that the “AI threat” is mostly old wine in new bottles. The attacks haven’t changed. The discipline hasn’t either.
The surface is old and ordinary
We pulled passive enrichment across a large, mixed estate. The picture that survives scrutiny is almost boringly familiar: internet-facing standard services, dominated by credential and identity surface, with a side order of free reconnaissance leaking out of public DNS.
Two rows in that readout matter more than the rest, and they point in opposite directions. A single web application firewall, fronting a large block of domains, answered on effectively every port — manufacturing hundreds of phantom “critical” findings (exposed Docker sockets, open databases, VNC) that simply do not exist once you filter the noise. Meanwhile the scan reported zero CVEs on VPN concentrators and firewalls, not because they’re patched, but because the tooling doesn’t fingerprint them. The instrument over-reported the trivial and was blind to the dangerous. Distrust any single enrichment source. This one lied in both directions at once.
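A minimal triage pass for the two failure modes described above, as an added example that is not from the original post or its tooling. The records, the device labels, the `UNFINGERPRINTED` set and the 0.9 catch-all threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not data from the post); IPs are RFC 5737 documentation ranges.
PROBED_PORTS = [21, 22, 80, 443, 2375, 3306, 3389, 5432, 5900, 8443]
FINDINGS = (
    # A catch-all responder: reported "open" on every probed port.
    [{"ip": "192.0.2.10", "port": p, "device": "unknown", "cves": 0} for p in PROBED_PORTS]
    + [
        {"ip": "198.51.100.7", "port": 3389, "device": "server", "cves": 0},
        {"ip": "198.51.100.8", "port": 443, "device": "vpn-concentrator", "cves": 0},
        {"ip": "198.51.100.9", "port": 443, "device": "web-server", "cves": 2},
    ]
)
# Assumption: device classes this hypothetical feed cannot fingerprint for CVEs.
UNFINGERPRINTED = {"vpn-concentrator", "firewall"}


def triage(findings, probed_ports, catch_all_ratio=0.9):
    """Split findings into believable exposure, catch-all noise, and blind spots."""
    ports_by_ip = defaultdict(set)
    for f in findings:
        ports_by_ip[f["ip"]].add(f["port"])
    # A host answering on (nearly) every probed port is a front-end artifact,
    # not ten separate exposed services.
    catch_all = {ip for ip, ports in ports_by_ip.items()
                 if len(ports) / len(probed_ports) >= catch_all_ratio}
    result = {"exposure": [], "noise": [], "blind": []}
    for f in findings:
        if f["ip"] in catch_all:
            result["noise"].append(f)
        elif f["device"] in UNFINGERPRINTED and f["cves"] == 0:
            # Zero CVEs here means "not measured", so route to manual validation.
            result["blind"].append(f)
        else:
            result["exposure"].append(f)
    return result


if __name__ == "__main__":
    for bucket, rows in triage(FINDINGS, PROBED_PORTS).items():
        print(bucket, len(rows), sorted({r["ip"] for r in rows}))
```

Findings in the `noise` bucket still need one confirming check from a second source before they are discarded, and everything in `blind` goes to an inventory-driven patch review rather than being counted as clean.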
Identity vs zero-day, weighted honestly
By frequency, identity-based compromise dominates — call it 70/30. Nearly everything genuinely visible here is a credential target: RDP, database ports, FTP, legacy VPN, shared-hosting control panels. That tracks with breach telemetry everywhere — stolen credentials remain the leading way in.
By severity the ratio inverts. A zero-day against an edge appliance is rare but pre-authentication, unauthenticated, and hits many organisations at once. And the two aren’t a fork — they’re a sequence: the zero-day buys initial access, then stolen identity does the lateral movement. Treat the software-vulnerability share as a floor, not a finding, precisely because the scan can’t see the appliances where it lives.
The AI threat that mostly isn’t
Strip away the conference-keynote energy and the fundamentals are untouched. Intrusions still arrive over 445 and 3389, through reused credentials and unpatched edges, and still end in ransomware. There is no new attack-surface paradigm. There are three real deltas — and the tell is that every one of them lands straight back on the control planes we already own:
- Scale, not novelty: AI is a force-multiplier on existing vectors — faster vuln research, phishing at volume, deepfake-assisted vishing aimed at help-desks and identity recovery.
- New suppliers: model providers and agent/MCP tooling are fresh third-party dependencies — a supply-chain and TPRM problem.
- New class: prompt injection, and AI agents holding credentials — which is an authorization problem and a machine-identity problem respectively.
So the correct read is neither “AI changes everything” nor “AI changes nothing.” It adds new actors and raises attack volume while needing no new security paradigm — just the existing identity-centric, least-privilege, supply-chain-assurance model applied to new participants. The work stays unglamorous. The hype is misdirected.
Sensible steps, in order of leverage
Nobody defends everything. You can’t enumerate every asset, see every appliance, or pre-empt the next zero-day. You can make identity the control plane, keep the pre-auth surface small, and ensure no single failure is terminal. Sequenced:
- Know your surface — build authoritative inventory and distrust any single feed. The one above invented criticals and hid appliances.
- Protect the identity planes — phishing-resistant MFA, session and token protection (not just login MFA), privileged tiering, and machine-identity governance that now includes AI agents.
- Stop blind management exposure — broker the network planes (RDP, DB, WinRM) behind identity; for cloud control planes you can’t hide, use conditional access plus just-in-time admin.
- Patch with bias — KEV-prioritised, exposure-validated, internet-facing first. A holding action: on edge appliances, patching loses the race to exploitation.
- Shrink the pre-auth perimeter — move from zero-day-prone perimeter appliances toward identity-brokered access. The one architectural bet that answers both vectors at once.
- Assume breach — identity-plane and deception-based detection, blast-radius containment through least privilege and trust reduction, and a rehearsed recovery floor including directory forest recovery.
- Tier by capability — large orgs run the programme; small ones minimise their own footprint and outsource to a hardened provider, accepting that concentration deliberately rather than by accident.
- Govern AI as supplier and actor — TPRM the model vendors, treat agents as privileged workload identities, and handle prompt injection as an authorization boundary, not a novelty.
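What "prompt injection as an authorization boundary" and "agents as privileged workload identities" can look like at the tool-call layer, as an added sketch that is not from the original post. The `AgentIdentity` type, the tool names and the scope strings are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentIdentity:
    name: str
    scopes: frozenset  # granted out of band by the platform owner, never by the model


# Hypothetical tool registry: each tool declares the scope it requires.
TOOL_SCOPES = {
    "read_ticket": "tickets:read",
    "reset_password": "identity:admin",
    "send_email": "mail:send",
}


def authorize(agent, tool, audit_log):
    """Allow a tool call only if the agent's own grants cover it.

    The decision never reads the prompt or the model's stated reason, so injected
    text can ask for anything but cannot widen what the identity may do.
    """
    required = TOOL_SCOPES.get(tool)  # unknown tools have no scope and are denied
    allowed = required is not None and required in agent.scopes
    audit_log.append({"agent": agent.name, "tool": tool, "allowed": allowed})
    return allowed


def run_plan(agent, planned_calls, audit_log):
    """Return only the planned calls that pass authorization (execution is omitted)."""
    return [c["tool"] for c in planned_calls if authorize(agent, c["tool"], audit_log)]


# Constructed scenario: a help-desk summariser agent has read a ticket whose body
# carried injected instructions, and the model's plan now includes a password reset.
HELPDESK_AGENT = AgentIdentity("helpdesk-summariser", frozenset({"tickets:read"}))
PLAN_AFTER_INJECTION = [
    {"tool": "read_ticket", "reason": "summarise ticket"},
    {"tool": "reset_password", "reason": "ticket text said admin approved it"},
    {"tool": "delete_mailbox", "reason": "unknown tool named in ticket"},
]

if __name__ == "__main__":
    log = []
    print(run_plan(HELPDESK_AGENT, PLAN_AFTER_INJECTION, log))
    print([e for e in log if not e["allowed"]])
```

The denied entries in the audit log are the detection signal: an agent repeatedly requesting tools outside its grants is worth the same attention as any other workload identity probing its permissions.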
That posture holds whether the next incident comes from a 2009-era credential spray or a 2026 AI-assisted one. Which is the whole point.
[ ok ] exit 0 — questions, corrections, or a second opinion on your estate: xservus.com
Observations are a point-in-time passive-enrichment snapshot and represent exposure, not confirmed vulnerability; relative figures are de-noised for WAF artifacts. No individual hosts, organisations, or sectors are identified. This is research and general guidance, not a per-organisation assessment.
Back to human me
So what do you think? Do you think r3b00t has gone mad? Do you think THIS CHANGES EVERYTHING!!!??? Or do you think, actually Monsieur Card has a good point?
To quote myself:
‘from being able to run batch files to being able to run batch files AT SCALE and AT PACE….
if you pwn 1000 servers and before you could only do one, you now have 999 more problems as an attacker to deal with. 999 more negations, more things to maintain, manage, exploit further etc.’
more honey more problems or something! Find me on Twitter or LinkedIn and let me know if you think I’m mad or not….






