SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Most enterprise servers reachable after internal breach

Tue, 16th Jun 2026
Sean Mitchell, Publisher

Zero Networks has published its inaugural Lateral Movement Exposure Report, which says 80% of enterprise servers are reachable from elsewhere inside corporate networks once an attacker gains access.

Based on analysis of 54 trillion activities across 312 enterprise environments over one month, the report examines how far intruders may be able to move through internal systems after an initial breach.

Its findings focus on so-called east-west traffic: the internal communications that move between devices, servers and workloads inside an organisation. This traffic accounts for more than 70% of a company's communications, yet often remains less protected than the external perimeter.

The report's central claim is that many businesses still leave broad internal pathways open, even after years of investment in tools designed to keep attackers out. In practice, that means a compromise affecting one endpoint, user account or workload could spread more widely across a network.

Internal exposure

Among the headline findings, 87% of enterprise servers in the sample accepted inbound RDP or SSH connections from broad internal sources. Those remote administration methods are widely used by IT teams, but they are also frequently abused by attackers seeking to move laterally inside an environment.

The report also found that 78% of enterprise servers were reachable over SMB or WinRM, administrative protocols commonly associated with ransomware propagation and post-breach activity. It also found that 43% of internal authentication traffic still relied on NTLM, a legacy protocol long linked to credential replay and privilege escalation risks.

Another finding identified direct user-to-server administrative pathways in 12% of the organisations surveyed. That suggests a compromised employee device may, in some cases, provide a route to high-value systems without further segmentation or isolation.

The research also examined the rise of artificial intelligence tools inside companies, finding that roughly 80% of enterprises had already deployed internal AI agents while two-thirds lacked governance policies for them.

That gap matters because AI tools are becoming another layer inside enterprise environments, often with access to internal systems, data stores and workflows. Security specialists have increasingly warned that as companies add AI agents, they may also be creating new paths for misuse if identity controls and network restrictions are weak.

Breach Map tool

Alongside the report, Zero Networks has introduced a free tool called Breach Map, intended to show security teams the extent of their internal exposure. It maps reachable assets, open lateral movement paths, average blast radius and breach propagation risk across an environment.

The launch reflects a wider shift in cybersecurity discussions from prevention alone to resilience after intrusion. Rather than assuming every attack can be blocked at the perimeter, many security leaders now focus on containing damage once an adversary is inside.

That shift has been sharpened by AI-assisted attack techniques, which can help automate reconnaissance, credential abuse and internal movement. If an attacker can identify reachable systems and privileged protocols faster, the value of restricting movement between assets rises.

Dr Chase Cunningham, author of the report's foreword, framed the issue in blunt terms.

"Containment is not failure. Containment is the control that lets the business survive failure. The organizations that win in the AI era will not be the ones that claim they can stop every compromise. That is fantasy. The winners will be the ones that make compromise boring, limited, and survivable. One laptop should stay one laptop. One workload should stay one workload. One identity should stay one identity. One AI agent should stay one AI agent. In the AI era, containment is survival," said Dr Chase Cunningham, author of the Lateral Movement Exposure Report's foreword at Zero Networks.

Board-level concern

The report is aimed not only at security operations teams but also at senior executives and boards, which increasingly treat cyber resilience as an operational risk issue rather than only a technical one. A breach that spreads across servers, identities and applications can halt operations, interrupt customer services, and trigger regulatory and financial consequences.

Benny Lakunishok, chief executive officer and co-founder of Zero Networks, said the data is intended to give security leaders a benchmark for internal exposure across large organisations.

"For seven years, we've engineered toward a single outcome: an attacker breaches a network protected by Zero, and discovers there's nowhere left to go. In the AI era, that outcome isn't aspirational, it's essential," said Benny Lakunishok, chief executive officer and co-founder of Zero Networks.

"Boards are demanding uptime and answers, and this data helps CISOs deliver. For the first time, risk leaders can benchmark their network security against the reality of hundreds of live enterprise environments and see precisely where they stand. But you cannot contain what you cannot see. That's why we built Breach Map: to expose every open lateral movement path in your environment, so you can close it before an attacker walks through it," he said.

The report also drew comment from Dmitri Alperovitch, co-founder of CrowdStrike and president of Silverado Policy Accelerator, who argued that internal blast radius now deserves more attention at the highest levels of organisations.

"The industry spent years focused on keeping attackers out," said Dmitri Alperovitch, co-founder of CrowdStrike and president of Silverado Policy Accelerator.

"But in the AI era, the biggest question facing defenders is what happens after they get in. This report shows most enterprises still have enormous internal blast radius, and that should concern every board, CIO, and CISO. The organizations that adapt fastest will shift from perimeter-only thinking to containment: limiting lateral movement, reducing blast radius, and ensuring attacks cannot bring down a business," he said.