PDF · 58 pages · Published 2026-05-20 · Free · Email-gated

Cloud Security Benchmarks 2026.
180 estates across AWS, Azure, GCP.

AWS, Azure, and GCP misconfiguration baselines, IAM exposure rates, and finding-density across 180 cloud estates.

  • 180 cloud estates
  • 58 pages
  • 3 clouds: AWS · Azure · GCP
  • 61% of AWS estates with IMDSv1

Key findings

Five numbers from the dataset.

  • Median critical-finding density was 4.1 per 100 accounts on AWS, 5.8 on Azure, and 3.4 on GCP across the dataset.
  • 61% of AWS estates still had IMDSv1 enabled on at least one workload running in production at the time of assessment.
  • 47% of estates had at least one publicly exposed S3 / blob / GCS bucket containing data classified as sensitive by the customer's own tagging policy.
  • Estates with a documented IAM tier separation produced 2.3x fewer privileged-identity findings than those without — independent of CSPM spend.
  • Removing legacy authentication on Azure correlated with a 38% reduction in subsequent identity-related findings — the largest single-control delta in the dataset.
Table of contents

Preview of all twelve sections.

  1. Executive summary
     Top-line baselines across 180 estates: median critical-finding density per 100 accounts, IAM exposure rate, IMDSv1 prevalence, and the percentage of estates with at least one publicly exposed S3 / blob / bucket containing sensitive data.

  2. Methodology & dataset
     How the 180 estates were sampled across AWS, Azure, GCP, and hybrid. The control-mapping baseline (CIS, AWS FSBP, Azure CIS, GCP CIS) and the boundary cases we excluded from the central percentiles.

  3. AWS — top ten misconfigurations
     Per-control prevalence: IMDSv1, public S3, overly permissive IAM policies, unencrypted RDS, unrestricted security groups, missing CloudTrail, root MFA absence, public AMIs, exposed Lambda URLs, weak KMS rotation.

  4. Azure — top ten misconfigurations
     Per-control prevalence: legacy authentication enabled, no conditional access, public storage accounts, NSG ANY/ANY rules, missing Defender for Cloud coverage, unprotected key vaults, RDP/SSH on the public surface, and more.

  5. GCP — top ten misconfigurations
     Per-control prevalence: default service account in use, public GCS buckets, BigQuery dataset exposure, over-broad IAM bindings, legacy networks, unprotected metadata server, weak Cloud SQL configuration, and more.

  6. IAM exposure rates
     Percentage of estates with at least one wildcard-action IAM policy, percentage with at least one cross-account trust policy missing an ExternalId, and the median number of unused privileged identities per 100 accounts.

  7. Finding-density per 100 accounts
     Critical / high / medium finding density per 100 accounts, plotted by cloud and by company stage. Where the density curve flattens as estates mature, and where it sharpens unexpectedly at scale.

  8. Hybrid estates — the cross-cloud blind spots
     Where AWS and Azure meet — federated identity, cross-cloud egress paths, shared KMS / Key Vault patterns, and the audit-trail discontinuity that hides cross-cloud lateral movement.

  9. The controls that genuinely move the score
     Of all controls applied across the dataset, the seven that produced the largest measurable improvement in subsequent finding density — and the four that produced near-zero measurable improvement despite their operational cost.

  10. Compliance crosswalk — CIS, SOC 2 CC6, PCI DSS v4
      How the misconfiguration baseline maps to CIS benchmark sections, SOC 2 CC6 (logical access) sub-controls, and PCI DSS v4.0 requirement 7. Useful as an evidence appendix during audit.

  11. Spend vs. score curve
      Cloud security tooling spend (CSPM, CWPP, CNAPP) plotted against the finding-density curve. Where tooling spend correlates with improvement, where the correlation breaks, and the two configuration choices that matter more than the tool.

  12. Procurement & remediation guidance
      The four CSPM-vendor selection questions that correlate with the spend-vs-score winners, and the remediation-ordering heuristic that produced the steepest 90-day finding-density improvements in the dataset.

About the authors

Written by the operators who ran the assessments.

Aman Kumar

Founder & Principal Operator

Cloud security architect across AWS, Azure, and GCP environments. Lead author of the AxVeil cloud assessment methodology and the misconfiguration scoring baseline used in this study.

AxVeil Cloud Cell

Field operators

Ten named operators contributed assessment findings, control-mapping work, and remediation outcome data across the 180 estates behind this paper.

Want to benchmark your estate against the dataset?

A 30-minute scoping call with a cloud operator costs nothing. We can place your AWS, Azure, or GCP estate against the dataset percentiles and tell you, candidly, where you sit.