The Orca Research Pod has spent all year investigating cloud security. Billions of cloud assets scanned. Hundreds of thousands of code repositories analyzed. What they uncovered is significant.

Today, they’re laying out their findings. Five case files revealing the biggest security risks hidden across cloud infrastructure in 2025. Risks that repeat in nearly every organization. Risks that need to be understood before the new year begins.

Case File No. 1 of 5: The Forgotten Permissions

“I gave out too many keys,” the Cloud says quietly.

The investigation began with identity and access. What the detectives found was staggering: organizations have fundamentally lost control of who can do what in their infrastructure.

The problem starts with service accounts. These are non-human identities that run critical operations in the cloud. They’re supposed to have just enough permissions to do their job, nothing more. But 93% of organizations have at least one overprivileged service account. Somewhere along the way, someone granted them far more power than they ever needed. The Principle of Least Privilege got abandoned.

There’s a second problem that’s even worse. 78% of organizations have at least one IAM role that hasn’t been used in over 90 days. These are stale credentials. Still active. Still powerful. Sitting there like forgotten keys. Security teams don’t think about them anymore. Attackers will. And here’s the kicker: in 12% of organizations, a single permissive role is attached to more than 50 instances. One compromised credential doesn’t open one door. It opens dozens.

The detectives know what this means. Attackers don’t have to work hard to break in. The doors are already unlocked.

Case File No. 2 of 5: The Exposed Secrets

“The secrets were never supposed to leave the vault,” the Cloud admits.

The application security trail led somewhere worse: secrets scattered everywhere, still active, still usable by attackers.

Here’s how it happens. Developers write code. They need credentials to connect to databases, APIs, services. So they hardcode them. Just temporarily. Just for testing. Except those credentials never get removed. 85% of organizations have plaintext secrets embedded in their source code repositories. API keys. OAuth tokens. Database credentials. All sitting in plain text.

But it gets darker. 36% of these secrets are active and stored in the current main branch. Not buried in old commits. Active. Right now. If the repository gets breached, attackers have immediate access to live systems.

Even deleted secrets persist. 58% of plaintext secrets are saved in Git history. Attackers can unearth them with simple tools. And here’s what keeps security teams up at night: 14% of those historical secrets are still valid. Giving attackers real access weeks or months after the secret was supposedly removed.

The timeline makes it worse. Attackers can find and exploit an exposed secret on GitHub in two minutes. Organizations take 94 days to remediate. That’s 4,496 hours where attackers have access.
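The history problem described above is easy to demonstrate. The following scanner is an added example, not code from the report or from Orca: it walks `git log -p` output and flags secrets on added lines, so a key that was later "removed" from the working tree still shows up, and the constructed sample history below shows exactly that case. The regexes are illustrative, the commit hashes and key are placeholders (the AWS key is AWS's documented example key), and `scan_repo_history` assumes a `git` binary is available.

```python
import re
import subprocess

# Illustrative patterns for credential types the report names; real scanners carry many more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "hardcoded_password": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

def scan_patch(patch_text):
    """Walk `git log -p` output and flag secrets on added lines.
    Returns (commit, path, pattern_name, offending_line) tuples."""
    findings, commit, path = [], None, None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++"):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((commit, path, name, line[1:].strip()))
    return findings

def scan_repo_history(repo_dir="."):
    """Scan every commit on every branch: this is what surfaces a secret that was
    removed from the working tree but still lives in history."""
    log = subprocess.run(["git", "-C", repo_dir, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_patch(log)

# Constructed sample history (placeholder hashes): a key and password are committed, then "removed".
SAMPLE_HISTORY = """commit 2222222222222222222222222222222222222222
    move credentials to environment variables
+++ b/config.py
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+DB_PASSWORD = os.environ["DB_PASSWORD"]
commit 1111111111111111111111111111111111111111
    add db config
+++ b/config.py
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
"""
```

A scan of only the current tree (the second commit's result) reports nothing, while `scan_patch(SAMPLE_HISTORY)` still reports both secrets from the first commit; the remediation is to rotate the credential, not just delete the line.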

Case File No. 3 of 5: The Neglected Assets

“I lost track of things. A lot of things,” the Cloud says.

One third of all cloud infrastructure has simply been forgotten. Not compromised yet. Not actively attacked. Just… forgotten.

Here’s what forgotten looks like. A development team spins up a server to test something. It’s supposed to be temporary. But then they move on to the next project. The server stays running. Years pass. The operating system stops being supported by the vendor. Security patches stop coming. Nobody’s monitoring it. Nobody even remembers it exists.

32% of cloud assets on average are in a neglected state. Unsupported operating systems. No patches for over 180 days. These are the soft targets attackers actively hunt for. APT29, the Russian intelligence group, built their reputation on finding exactly these kinds of forgotten assets. And 89% of organizations have at least one neglected asset that’s internet-facing. A forgotten server. Public access by default. That’s all it takes.

What makes it worse: the vulnerabilities aren’t new. 58% of organizations are now contending with vulnerabilities older than 20 years. Log4Shell. Spring4Shell. Exploits from 2021 and 2022 that are still dangerous and still being actively exploited. And 59% of cloud assets vulnerable to Log4Shell are public-facing. Attackers can trigger them directly from the internet.

One forgotten asset. One old exploit. One foothold. That’s how it starts.

Case File No. 4 of 5: The Toxic Combinations

“I connected too many things together,” the Cloud confesses.

The detectives discovered something even more troubling than individual risks. It’s not about one vulnerability. It’s about how risks connect and amplify each other.

Think of it this way. A single overprivileged role by itself isn’t catastrophic. An exposed database by itself is bad but manageable. A forgotten server by itself is a liability. But when you connect them? When you chain them together? That’s when individual problems become a highway to disaster.

That’s an attack path. It’s the sequence of exploits that turns a single mistake into a complete compromise. And they’re everywhere.

13% of organizations have a single cloud asset responsible for creating more than 1,000 attack paths. One misconfigured resource. One thousand different routes an attacker could use to compromise high-value targets. The worst case the detectives found? 165,142 attack paths from a single asset. An attacker only needs to find one.

Where do these paths lead? 54% lead to exposed data stores. 23% lead to broad permission access. 23% lead to compromised hosts. But the real prize is almost always data.

38% of organizations with sensitive data in their databases also have those databases exposed to the public. Financial records. Customer information. Health records. Healthcare organizations face HIPAA fines up to $1.5 million per violation, but this isn’t just a healthcare problem. It’s everywhere.

This is where the math gets terrifying. Individual risks become catastrophic. One misconfiguration. One exposed credential. One neglected asset. Connected through attack paths, they become a direct route to compromise.

Case File No. 5 of 5: The Application Pipeline Collapse


“The problems weren’t in me. They were built before code ever reached me,” the Cloud observes.

Attacks don’t originate in production. They’re built in earlier, during development. They’re embedded in code long before it ever reaches the cloud.

72% of organizations have at least one package with a severe vulnerability in a code repository. CVSS 7 and above. Critical severity. And here’s what’s shocking: 97% of those vulnerable packages are fixable. Organizations have patches available. They just aren’t applying them before shipping to production. They’re knowingly deploying known vulnerabilities.

The problem spreads through infrastructure-as-code. Developers write code that defines cloud infrastructure. But that code often contains misconfigurations that propagate risk at scale:

20% of organizations have created IAM roles that allow cross-account access without MFA or external IDs. An attacker only needs to guess the correct AWS ARN to assume a privileged role across accounts.

17% have S3 buckets configured to grant public read access to anyone on the internet. Sensitive data sitting there, waiting to be discovered by automated scanners.

40% have GitHub Actions workflows configured to allow automatic pull request approvals. Code reviews bypassed. Malicious code can be injected and auto-merged into the main branch without human intervention.
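The first of those three misconfigurations can be caught before the IaC is applied. The following checker is an added example, not code from the report or from Orca: it shows the weak cross-account trust policy beside its hardened form (an ExternalId condition plus an MFA requirement) and a function that flags any AssumeRole statement granting a foreign account access without either guard. The account ids and ExternalId value are placeholders.

```python
import json

# Constructed sample trust policies (not from the report). The account ids are
# placeholders. The weak one is the pattern the report describes: a foreign
# account may assume the role with no ExternalId and no MFA requirement.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                   "Action": "sts:AssumeRole"}]})

HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                   "Action": "sts:AssumeRole",
                   "Condition": {
                       "StringEquals": {"sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID"},
                       "Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def unguarded_cross_account_principals(policy_json, own_account_id):
    """Return every principal outside own_account_id that an Allow sts:AssumeRole
    statement admits without an ExternalId or MFA condition.
    An empty list means the trust policy passes this check."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (["*"] if principal == "*"
                          else _as_list(principal.get("AWS", [])))
        # Same-account principals carry ":<own id>:" in their ARN; "*" is anyone.
        foreign = [p for p in aws_principals
                   if p == "*" or f":{own_account_id}:" not in p]
        if not foreign:
            continue
        cond = stmt.get("Condition", {})
        has_external_id = "sts:ExternalId" in cond.get("StringEquals", {})
        has_mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        if not (has_external_id or has_mfa):
            findings.extend(foreign)
    return findings
```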

The supply chain is compromised not by the cloud itself, but by the decisions made before code ever reaches the cloud. And nobody’s catching these mistakes until they’re already in production and exposed to real attackers.

The Investigation Concludes

Five case files. Billions of data points analyzed. The picture is undeniable.

The Cloud is guilty. But guilt is complicated. It’s a reflection of human choices too. Speed over security. Complexity without visibility. Innovation without protection. The same patterns repeat across every industry, every organization size, every cloud provider.

The Orca Research Pod’s investigation revealed not just the problems, but the path forward. Organizations need to prioritize attack paths over individual risks. Enforce least privilege relentlessly. Protect secrets before they leave the repository. Stop neglecting assets. Know where sensitive data lives. Unify security across the development pipeline. Build visibility across multi-cloud environments.

The investigation revealed the crimes of 2025. But the solution lies in action.

Your Investigation Awaits

The Orca Research Pod spent the year investigating the cloud ecosystem across billions of real-world assets. They found the same patterns repeating everywhere. But your environment is unique. Your risks are specific. Your attack paths are yours alone.

Want to know what’s hidden in your infrastructure? The detectives are ready to investigate. We’ll scan your entire multi-cloud environment. AWS, Azure, Google Cloud, and beyond. We’ll uncover the risks hiding in your blind spots. We’ll map your attack paths. We’ll prioritize the threats that actually matter.

Ready to see what we find in your environment? Schedule a personalized 1:1 demo and let’s start investigating.

For the complete evidence, methodology, and detailed findings behind this investigation:

2025 State of Cloud Security Report

Every statistic. Every case file. Backed by data from billions of production cloud assets across AWS, Azure, Google Cloud, Oracle Cloud, and Alibaba Cloud.