IT Brief India - Technology news for CIOs & IT decision-makers
Arctic Wolf says one in three IT assets lack controls

Wed, 17th Jun 2026
Sean Mitchell, Publisher

Arctic Wolf has released research showing that one in three IT assets are missing critical security controls or are misconfigured, based on analysis of more than 800,000 assets.

The report found that 33% of assets fall outside baseline security practices, creating gaps attackers can exploit. It also found that 18% are not covered by enterprise patch or configuration management, while 17% are not visible to traditional vulnerability management tools.

Another 10% of assets were missing endpoint security. A further 19% had reached end-of-life status and were running hardware or software that no longer receives vendor security updates.

The study points to a broad exposure problem across corporate technology estates, rather than a narrow issue affecting a small set of overlooked systems. Unsupported systems were concentrated in legacy servers, virtualised infrastructure, and shared end-user devices that organisations still rely on.

Control gaps

The data suggests many businesses still struggle with basic asset visibility and control coverage, even as they invest in newer security tools. In practice, that means some devices and systems are not patched, scanned, or monitored consistently across the environment.

Dan Schiappa, President, Technology and Services, Arctic Wolf, said the findings reflect a more fundamental security problem. "Many organisations are investing heavily in vulnerability discovery and advanced security technologies, but our findings show that real-world exposure is often driven by a more fundamental issue: unmanaged assets, incomplete control coverage, legacy systems and blind spots across the environment," he said.

"Organisations cannot protect, patch or prioritise what they cannot see, and attackers continue to take advantage of those gaps," Schiappa said.

Arctic Wolf also linked the findings to incident response trends identified in separate threat research. It said 65% of non-business email compromise incident response cases involved abuse of internet-facing remote access services such as RDP, VPN, and remote management tools.

Each of the ten most frequently exploited vulnerabilities had a patch available at the time of exploitation. That adds to longstanding industry concern that many successful intrusions stem from delays in applying available fixes or from systems outside standard management processes.

Attack patterns

Arctic Wolf said attacker behaviour is shifting as some organisations improve patching on internet-facing systems. Abuse of trusted relationships and misconfigurations rose from under 1% to 8% of non-business email compromise incident response cases, according to the report.

That suggests attackers may be turning to weaker points inside environments where visibility is incomplete or controls are applied inconsistently. The report argues that known weaknesses and configuration errors remain a common route into enterprise networks.

For technology and security teams, the figures underline the operational challenge of maintaining a current inventory of devices, software, and services across on-premise systems, cloud infrastructure, and user endpoints. Assets that are not properly recorded or enrolled in management tools can fall outside patching cycles and routine checks.

Steve Hunter, Director of Engineering, APAC, Arctic Wolf, said the issue has persisted despite years of industry attention. "One of the most surprising aspects of this report is that we're still seeing many of the same challenges security teams have been trying to solve for more than a decade," he said.

"Maintaining an accurate understanding of what exists across an environment sounds like a basic security requirement, but it remains incredibly difficult in modern organisations. At a time when AI is accelerating vulnerability discovery and organisations are managing increasingly complex environments, ensuring security controls are consistently applied across every asset is becoming even more critical," Hunter said.