Sysdig Global Cloud Threat Report Reveals 10 Minutes from Recon to Attack

AUGUST 2, 2023


Read the 2023 Global Cloud Threat Report from Sysdig

The 2023 Global Cloud Threat Report breaks down what is lurking in some software supply chains and how automation has been weaponized in the cloud

SAN FRANCISCO – (Aug. 2, 2023) – According to the latest report from Sysdig, the leader in cloud security powered by runtime insights, the average time from recon to attack completion is now only 10 minutes. Using worldwide honeynets for the 2023 Global Cloud Threat Report, the Sysdig Threat Research Team sheds light on an alarming truth: Attacks in the cloud are lightning fast, with minutes determining the line between detection and severe damage. It’s clear that cloud attackers are taking advantage of the same things that lure companies to the cloud. While defenders need to protect their entire software life cycle, attackers only have to be right one time, and automation is making it even easier for them.

Read the blog post: 2023 Global Cloud Threat Report: Cloud Attacks are Lightning Fast.

Key Findings

Cloud automation weaponized. Cloud attacks happen fast. Recon and discovery are even faster. Automating these techniques allows an attacker to act immediately upon finding a gap in the target system. A recon alert is the first indication that something is awry; a discovery alert means that the blue team is too late.

10 minutes to pain. Cloud attackers are quick and opportunistic, spending only 10 minutes to initiate an attack. According to Mandiant, the median dwell time on premises is 16 days, underlining the speed of the cloud.

A 90% safe supply chain isn’t safe enough. 10% of advanced supply chain threats are invisible to standard tools. Evasive techniques enable attackers to hide malicious code until the image is deployed. Identifying this type of malware requires runtime analysis.

65% of cloud attacks target telcos and fintech. Telecommunication and finance companies are ripe with valuable information and offer an opportunity to make quick money. Both industries are attractive targets for fraud schemes.

What People are Saying

“The reality is, attackers are good at exploiting the cloud. It’s not just that they can script recon and autodeploy cryptominers and other malware, but they take the tools that unleash the power of the cloud for good and turn them into weapons. Abusing infrastructure-as-code to bypass protective policies is one example,” said Michael Clark, Director of Threat Research at Sysdig.

“Cloud-native attackers are ‘everything-as-code’ experts and automation fans, significantly reducing their time to impact on the target systems and increasing the potential blast radius. Open source detection-as-code approaches like Falco are how blue teams can stay ahead in the cloud,” said Alessandro Brucato, a Threat Research Engineer at Sysdig.


The 2023 Global Cloud Threat Report is based on data found via open source intelligence (OSINT) and Sysdig’s global data collection – including honeypot networks – along with other publicly available information from the Falco open source community. Sysdig conducted research in Asia, Australia, the European Union, Japan, North and South America, and the United Kingdom from October 2022 through June 2023.


Media Contact

Sysdig Press
[email protected]

Sysdig Logo

In the cloud, every second counts. Attacks move at warp speed, and security teams must protect the business without slowing it down. Sysdig stops cloud attacks in real time, instantly detecting changes in risk with runtime insights and open source Falco. Sysdig, rated #1 for CSPM in the Gartner Peer Insights “Voice of a Customer” report, correlates signals across cloud workloads, identities, and services to uncover hidden attack paths and prioritize real risk. From prevention to defense, Sysdig helps enterprises focus on what matters: innovation.

Sysdig. Secure Every Second.