
Cloud on fire: What the data from 4,549 players says about your weakest defenses

Cloud is the battleground attackers love most. New data from 796 teams shows most organizations aren’t quite ready. How do your defenses measure up?

diskordia, Jul 21, 2025

When a breach hits the headlines, it’s tempting to look for sophisticated malware or some zero-day exploit. But more often than not, attackers just log in. And increasingly, they’re logging into your cloud.

Groups like Scattered Spider, UNC3886, and TeamTNT have shown us that attackers don’t actually need new exploits when they can abuse credentials, escalate privileges, or find open doors in misconfigured cloud environments. From social engineering to scanning for insecure APIs, the path in is rarely complex. It’s just overlooked.

A joint advisory from CISA, the FBI, and the NSA details how attackers "evaded detection by using living off the land techniques and leveraging legitimate credentials to access and persist in targeted environments, especially cloud environments."

The bottom line: attackers don’t need to break in if we leave the door open. Let’s dig into the data.

Cloud is the weakest link

The Global Cyber Skills Benchmark 2025 tested 796 teams from organizations across every major industry. The global average score for cloud security challenges? Just 21.3%. And it only gets worse in high-risk sectors:

  • Government: 8%

  • Healthcare: 18.8%

  • Education: 1.3%

These aren’t obscure vulnerabilities; they’re the same types of cloud misconfigurations and IAM flaws seen in real breaches. And they’re slipping through the net in live, hands-on scenarios by even the most experienced teams.


We’ve seen what this looks like in the wild. For example, UNC3886, a Chinese APT group, targeted VMware ESXi hosts and vCenter servers by abusing default credentials and poorly configured cloud-based management interfaces.

In one campaign, they used SSH keys collected from mismanaged systems to move laterally and maintain persistence. No malware was necessary; skill gaps alone gave the attackers room to slip through.

Now picture two organizations: one whose cloud team has drilled hardening IAM roles and responding to lateral movement in platforms like HTB’s BlackSky Labs, and one that hasn’t. The first detects abnormal SSH access and shuts it down fast. The second never knows they were compromised.
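As an added illustration of what "detecting abnormal SSH access" can mean in practice (this is not code from the report or the original post), the script below parses constructed sshd log lines and flags a single key fingerprint accepted on several distinct hosts within a short window, the fan-out pattern that harvested keys produce during lateral movement. The host names, fingerprints, source addresses and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not real data.
SAMPLE_LOG = """\
Jul 21 09:00:01 web-01 sshd[1201]: Accepted publickey for deploy from 10.0.5.20 port 51000 ssh2: ED25519 SHA256:AAAAkey1
Jul 21 09:00:40 db-01 sshd[2210]: Accepted publickey for deploy from 10.0.5.20 port 51004 ssh2: ED25519 SHA256:AAAAkey1
Jul 21 09:01:15 vcenter-mgmt sshd[3320]: Accepted publickey for root from 10.0.5.20 port 51009 ssh2: ED25519 SHA256:AAAAkey1
Jul 21 09:02:00 esxi-03 sshd[4410]: Accepted publickey for root from 10.0.5.20 port 51011 ssh2: ED25519 SHA256:AAAAkey1
Jul 21 09:30:00 web-02 sshd[1290]: Accepted publickey for alice from 10.0.9.7 port 40001 ssh2: ED25519 SHA256:BBBBkey2
Jul 21 14:30:00 web-02 sshd[1300]: Accepted publickey for alice from 10.0.9.7 port 40002 ssh2: ED25519 SHA256:BBBBkey2
"""

# Matches the "Accepted publickey" line sshd writes on a successful key login.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"\S+ (?P<fp>SHA256:\S+)$"
)

def parse(log, year=2025):
    """Return (timestamp, host, user, src, fingerprint) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not successful key logins
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"], m["src"], m["fp"]))
    return sorted(events)

def detect_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Alert when one key fingerprint is accepted on >= min_hosts distinct hosts within window."""
    by_key = defaultdict(list)
    for ts, host, _user, src, fp in events:
        by_key[fp].append((ts, host, src))
    alerts = []
    for fp, evs in by_key.items():
        for i, (t0, _, src) in enumerate(evs):
            hosts = {h for t, h, _ in evs[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"fingerprint": fp, "src": src, "start": t0, "hosts": sorted(hosts)})
                break  # one alert per key is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in detect_fanout(parse(SAMPLE_LOG)):
        print(alert)
```

The second key (alice, one host, two logins hours apart) stays quiet; tune `min_hosts` and `window` against your own baseline of legitimate automation before using the rule for alerting.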

In both cases, the tools may be the same. The difference is the people behind them.

All visibility, no action?

One of the most telling insights from this year’s report is that teams often score high in visibility-focused categories (like OSINT) while lagging behind in critical defense domains like Secure Coding and Cloud. Retail teams, for example, had the highest OSINT solves (79.7%) but just 22.5% in cloud, making the sector an irresistible target for cloud-focused attacks.

This is a dangerous pattern. High detection capability paired with low response capability creates a false sense of security (and attackers know how to take advantage of it).

Cloud security can’t be outsourced or automated away

There’s a growing misconception that cloud security is a tooling problem. It’s not. It’s a skills problem.

Even high-performing teams struggled with identity access management, role escalation, and lateral movement in cloud environments. These are complex systems that require deliberate, real-world training.

That’s where platforms like BlackSky and HTB Cloud Machines come in. They give teams hands-on experience with the same tactics used by attackers, from privilege escalation to persistence across cloud services.

The findings of the report give us some clarity: teams relying on static policies, vendor defaults, or certifications alone are not prepared for real threats.

CTEM turns cloud gaps into real resilience

So what to do about it? The report outlines a framework that’s gaining traction among elite teams: CTEM (Continuous Threat Exposure Management). It’s a strategy for taking benchmark data—like low cloud scores—and using it to simulate the real-world cost of those gaps.

If your team struggles with cloud in a controlled CTF environment, what would happen in a real breach? CTEM helps you find out, safely. You emulate attacker behavior, quantify the exposure, and close the loop with targeted remediation. Then you test again.

It’s about getting battle-ready.

What security leaders can do next

The main takeaway is pretty straightforward: attackers are already exploiting cloud misconfigurations at scale. If your own CTF data says that’s one of your weakest areas, then there’s a decision to be made. You can kick things off by:

  • Reviewing your team’s cloud skill performance

  • Using benchmarks to identify high-risk gaps

  • Running threat simulations tied to known APT tactics

  • Prioritizing real-world, hands-on training with Cloud Sherlocks or BlackSky Labs

The Global Cyber Skills Benchmark 2025 is your starting point. It not only uncovers your industry’s most pressing weaknesses—it showcases how the top-performing teams are overcoming them.

If you’re focused on defending your organization, check out the full report and find out where you stand. Because attackers already know.
