Sysdig scores security – Machines 40,000 : Humans 1

Real-time cloud security company Sysdig has issued a 2025 market study which estimates that machine identities vastly outnumber human ones. The company says that we currently have 40,000 times more machine identities than human identities. If this figure is even 20% true, it clearly represents a dramatically expanded attack surface if we follow Sysdig’s assessment that machine identities are 7.5 times more risky.

The company says this (x7.5) amplification of risk from machine identities stems from the fact that (according to Verizon) nearly 40% of breaches start with credential exploitation. Because machine-based systems oversee credentials for user sign-ins, log-ins and authentication at a variety of levels, this vector has been called out as a significant liability.

Sysdig’s 2025 Cloud-Native Security & Usage Report suggests that organizations of every size and industry across North America; Europe, the Middle East and Africa; and the Asia-Pacific and Japan are making strides in identity and vulnerability management, artificial intelligence (AI) security, and threat detection and response.

Container image bloat

However, as businesses scale their AI adoption and their cloud footprints, risks also scale. The growing risk and complexity of machine identities sits close to system weaknesses such as container image bloat and attacker automation, which introduces new hurdles for enterprise security. 

“It has been fascinating to watch cloud security evolve since we started reporting on usage eight years ago. When we first looked at container life spans in 2019, half lasted at least five minutes – today, 60% live for one minute or less,” said Loris Degioanni, Sysdig founder and CTO. “Given the short life span paired with how quickly attackers can move across cloud environments, I am encouraged to see defenders actively detecting and responding to threats in less than 10 minutes.” 

Other areas to be aware of here include the fact that workloads using AI and machine learning packages grew by 500% over the last year, with the percentage of generative AI packages in use more than doubling. Despite this rapid adoption, public exposure decreased by 38%, which may in fact signal a strong commitment to secure AI implementations. 

10-minute cloud attack window

According to Degioanni and team, mature security teams are detecting threats in under 5 seconds and initiating response actions within 3.5 minutes on average. This outpaces the 10-minute cloud attack window that has historically given adversaries the upper hand. 

We can also see that organizations are prioritising real risk by reducing in-use vulnerabilities, which have declined to less than 6%, reflecting a 64% improvement in vulnerability management over the past two years. This shift may show that organizations are refining their approach to fixing what matters most – vulnerabilities actively running in production workloads – and more effectively strengthening their overall security posture.

“Cybersecurity has long been an arms race between threat actors and defenders, but the battlefield is evolving,” said Crystal Morin, Sysdig cybersecurity strategist. “Organisations have made tremendous progress, and the fact that mature security teams can now respond to threats within minutes is a game-changer. But with machine identities multiplying and cloud environments evolving in real-time, automation and rapid response have never been more mission-critical.” 

Open source, of course 

Sysdig also points to the fact that organizations across the globe are using open source tools, such as Kubernetes, Prometheus and Falco, to defend their cloud infrastructure, which is evidence of quickly growing trust in open source security standards. While open source security tools have become foundational for organisations of all sizes, cybercriminals continue to rely on open source malware and weaponize open source software, a trend first documented in Sysdig’s “2024 Global Threat Year-in-Review.”

The size of container images has quintupled, introducing unnecessary security risks and operational inefficiencies. Larger images increase the attack surface and make deployments more expensive, emphasising the need for more efficient containers. 

The harsh truth to take away here is that the majority of containers live for one minute or less, but attackers don’t need that long. While 60% of containers now live for 60 seconds or less and ephemeral workloads enhance application agility, cloud adversaries are now said to “automate their reconnaissance” to instantly identify and exploit weaknesses.

Real-time, really really

Although it’s the kind of term that every tech vendor will slap on its platform to convey some form of immediacy, Sysdig directly calls itself a real-time cloud security company… and it’s easy to see why real-time detection and response is more essential than ever. 
