Within three minutes of a new digital asset going live, automated scanners detect it. By minute six, attackers are probing for known vulnerabilities. In under 24 hours, if defenses aren’t already locked down, the system is often compromised. That’s not speculation. That’s the timeline Sprocket Security documented across 72 real-world deployments, all monitored between January and April 2026.
Key Takeaways
- Automated scanning begins within minutes of an asset’s public deployment
- Attackers exploit default configurations and known CVEs before teams finish setup
- Over 89% of exposed systems were hit with brute-force attempts in the first hour
- Initial access achieved in under 24 hours across 61% of observed assets
- Most breaches started through unsecured management interfaces, not custom code flaws
The Clock Starts Before You’re Ready
Most engineering teams assume they have a grace period. A window. Time to finalize configurations, rotate test credentials, and patch before exposure becomes risk. That window doesn’t exist.
Sprocket Security’s report, detailed in a original report published May 01, 2026, shows that the average time to first scan is 2.8 minutes after IP registration. That’s faster than most deployment pipelines send confirmation alerts.
These aren’t targeted attacks. They’re not nation-state actors with zero-days. They’re commodity bots—scripts cycling through fresh IP ranges, checking for open ports, default passwords, and public admin panels. But their speed and consistency make them dangerous. And they’re always online.
We’re not talking about edge cases. Sprocket monitored virtual machines, Kubernetes ingress endpoints, and cloud storage buckets—all configured with default vendor settings during initial deployment. All became targets immediately.
Default Settings Are a Death Sentence
The most exploited entry points weren’t zero-day bugs or advanced phishing. They were default credentials on management consoles, open RDP ports, and exposed Docker APIs—all left active post-deployment.
In 19 of the 72 cases, attackers used factory-set usernames and passwords to gain admin access. In 11, they exploited unauthenticated API endpoints that shipped enabled in the base image. These weren’t oversights buried in documentation. They were the out-of-the-box state.
It’s Not Your Code—It’s the Stack
The irony? Most compromised assets ran clean, internally developed applications. The breach vectors sat beneath them—in infrastructure layers, container orchestrators, logging agents, and monitoring tools.
One team deployed a hardened Go-based API. Within 47 minutes, attackers had accessed the node—not through the API, but via an exposed Prometheus metrics endpoint that allowed command injection due to a misconfigured exporter. The API itself had zero vulnerabilities.
This pattern repeated. The application layer was secure. The delivery mechanism wasn’t.
Scanners Map, Then Exploit, in Under 20 Minutes
Sprocket’s telemetry shows a consistent attack sequence:
- 0–3 min: IP detected via BGP monitoring or cloud metadata scrapers
- 3–7 min: Port scan (TCP SYN) identifies open services (SSH, RDP, HTTP, Docker)
- 7–12 min: Service fingerprinting (banner grabs, path enumeration)
- 12–18 min: Exploit attempts (CVE lookups, default credential brute-forcing)
- 18–24 min: Reverse shell established, beaconing begins
By the time a typical DevOps engineer logs in to disable the test dashboard, the system has already been added to a botnet.
Cloud Providers Aren’t Helping
The data raises an uncomfortable question: are cloud vendors complicit in this cycle?
Default VM images from two major providers included SSH enabled on port 22 and a root account with password login active. One shipped with a web-accessible database admin panel exposed to 0.0.0.0/0. These aren’t bugs. They’re design choices—convenience prioritized over security.
Yes, the documentation says to change these settings. But when the clock starts at minute zero, documentation doesn’t matter. Muscle memory does. And under deployment pressure, engineers skip steps.
One engineer admitted in a post-incident review—cited by Sprocket—that they “assumed the cloud provider wouldn’t ship something that broken.” They were wrong.
The Myth of Zero Trust When the Box Ships Open
Zero Trust is everywhere in enterprise roadmaps. “Never trust, always verify.” But that philosophy collapses the second a system goes live with trust baked in by default.
True Zero Trust means no service listens publicly until explicitly allowed. But most infrastructure tools don’t work that way. Kubernetes dashboard? Enabled. Cloud-init debug endpoint? Active. Docker daemon? Bound to port 2375 and wide open.
You can’t “verify” your way out of a default configuration that says “trust everyone until told otherwise.”
And because these services often run with elevated privileges, initial access leads to full compromise fast. Sprocket saw lateral movement within an average of 37 minutes post-intrusion. That’s not a breach. It’s a takeover.
Technical Implications and Mitigations
From a technical standpoint, the issue is clear: default configurations are a ticking time bomb. But what can be done to mitigate this risk? For starters, cloud providers need to rethink their default settings. Instead of prioritizing convenience, they should prioritize security. This means disabling SSH, RDP, and other services by default, and requiring explicit configuration to enable them.
engineering teams need to take a hard look at their deployment processes. This includes implementing automated security validation in CI/CD pipelines, and treating every new IP as if it’s already compromised. It also means building images with all nonessential services disabled, removing default accounts, and blocking inbound traffic by default.
the use of infrastructure-as-code tools like Terraform or CloudFormation can help to ensure consistent and secure deployment of infrastructure. These tools allow teams to define their infrastructure configurations in code, which can then be reviewed and validated before deployment.
Industry Context and Competitor Analysis
The issue of default configurations and automated scanning is not unique to any one company or industry. It’s a widespread problem that affects organizations of all sizes. However, some companies are taking steps to address this issue. For example, Google Cloud Platform provides a range of security features and tools to help customers secure their deployments, including automated security scanning and compliance monitoring.
Other companies, like Amazon Web Services, are also taking steps to improve security. AWS provides a range of security features and tools, including IAM roles and policies, which can be used to restrict access to resources and services. However, more needs to be done to address the issue of default configurations and automated scanning.
Competing security companies, like Palo Alto Networks and Check Point, are also working to address this issue. They offer a range of security solutions and tools, including new firewalls and intrusion prevention systems, which can be used to detect and prevent automated scanning and exploitation.
The Bigger Picture
The issue of default configurations and automated scanning is just one part of a larger problem. It’s a symptom of a broader cultural and technological issue, where security is often an afterthought. This needs to change. Security needs to be a priority, not just for cloud providers and security companies, but for every organization that deploys public-facing assets.
This means taking a comprehensive approach to security, one that includes not just technology, but also people and processes. It means educating engineers and developers about the importance of security, and providing them with the tools and resources they need to deploy secure systems. It also means implementing security policies and procedures, and ensuring that they are followed consistently.
Ultimately, the issue of default configurations and automated scanning is a wake-up call for all of us. It’s a reminder that security is not just a technical issue, but a cultural and societal one. We need to work together to create a culture of security, one that prioritizes security and protects our systems and data from the threats that are out there.
What This Means For You
If you’re deploying public-facing assets, assume they will be attacked within minutes. Not tomorrow. Not during business hours. Immediately. That means pre-hardening is non-negotiable. No exceptions. Build images with all nonessential services disabled. Remove default accounts. Block inbound traffic by default, even during deployment.
Automate security validation in CI/CD. Scan for open ports, default credentials, and exposed APIs before the asset ever hits production. Treat every new IP like it’s already compromised. Because if you don’t, someone else already does.
Security isn’t something you bolt on after launch. It’s the state you deploy in. Everything else is just damage control.
So here’s the real question: when your next system goes live on May 01, 2026, who will access it first—the monitoring team or the botnet?
Sources: BleepingComputer, Sprocket Security
