New Cloud Vulnerability Data Shows Google Cloud Leads in Risk

New research shows Google Cloud and smaller providers have the highest cloud vulnerability rates as compared to AWS and Azure.

A new report by CyCognito reveals wide differences in security across cloud providers, with Google Cloud and several smaller players showing significantly higher rates of vulnerable assets than Amazon Web Services (AWS) or Microsoft Azure.

The research, based on nearly five million internet-exposed assets, comes at a time when cloud security is top of mind for many organizations. Palo Alto Networks recently reported a 388% year-over-year spike in cloud security alerts, driven by the growing complexity of multi-cloud environments and the rising number of exposed online assets.

CyCognito, known for its attack surface management platform, analyzed assets hosted by the three largest cloud platforms including AWS, Azure, and Google Cloud, along with a group of smaller cloud providers and major hosting companies. The goal was to assess which environments are exposing customers to more risk through vulnerabilities and misconfigurations.

The study found that 38% of Google Cloud-hosted assets had at least one security issue, compared to just 15% for AWS and 27% for Azure. That puts Google Cloud more than twice as risky as AWS by this measure.

The same 38% figure also applied to smaller cloud providers like Oracle Cloud, DigitalOcean, and Linode. Meanwhile, major hosting companies like GoDaddy, Hetzner, and DreamHost came in at 33%.

When looking specifically at critical issues, defined by a CVSS score of 9.0 or higher, Azure showed the highest rate among the big three, at 0.07%. AWS and Google Cloud both registered 0.04%.

Though these numbers may seem small, they represent significant exposure at scale. Across millions of assets, even a fraction of a percent can translate to hundreds of weak points.

Smaller cloud platforms were more concerning in this category. Nearly 0.5% of assets hosted by non-major clouds had critical vulnerabilities, a rate more than ten times higher than that of AWS or Google Cloud. Hosting providers weren’t far behind, with 0.32% of their assets falling into this category.

CyCognito also looked at how exploitable these vulnerabilities are, not just how severe they look on paper. The company factored in threat intelligence and attacker behaviour to assess which issues would be easiest for attackers to exploit.

Here again, smaller providers fared poorly. More than 13% of assets on smaller clouds had easily exploitable flaws. For hosting providers, the number was close to 10%.

Among the big three, Google Cloud again led with 5.35% of assets having issues classified as easy to exploit. That’s more than twice the rate of AWS (1.98%) or Azure (2.37%).

While each of these risk types matters on its own, CyCognito also measured where they overlap assets with issues that are both critical and easy to exploit. Less than 0.1% of AWS, Azure, and Google Cloud assets fell into this high-risk category.

But outside the big players, things were more concerning. Around 0.3% of assets hosted on smaller clouds and 0.25% of those on hosting providers were affected by both critical and easily exploitable vulnerabilities. That’s roughly ten times the rate seen on AWS.

With more organizations spreading their infrastructure across multiple cloud environments, visibility has become a major concern. Assets get forgotten, misconfigured, or left out of internal inventories, creating shadow IT that attackers can find and exploit.

CyCognito recommends organizations go further than traditional inventory tools and adopt “seedless” discovery techniques that don’t rely on internal documentation. It also urges the use of dynamic security testing after applications are deployed, not just during development.