Orca Security Report Reveals Majority of Organizations Introducing Vulnerable AI Packages into Cloud Environments

Study Reveals Accelerating AI Usage in Cloud, Leading to Influx of New Attack Paths

Orca Security, a pioneer of agentless cloud security, today released the 2025 State of Cloud Security Report, providing critical insight into cloud security risks identified by the Orca Cloud Security Platform. Among the key findings, 84% of organizations now use AI in the cloud, and 62% of organizations have at least one vulnerable AI package.

Compiled by the Orca Research Pod, the State of Cloud Security Report identifies consistent sources of risk from billions of cloud assets in AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud and hundreds of thousands of code repositories scanned by the Orca Cloud Security Platform. Leveraging unique insights into current and emerging cloud risks, the report reveals the most common yet dangerous risk hotspots and how to mitigate them.

“As the cloud increasingly functions as an accelerator for innovation and growth, cloud security is entering a pivotal moment,” said Gil Geron, CEO and Co-Founder, Orca Security. “While multi-cloud architectures offer outstanding flexibility and growth, they also make it harder to maintain consistent visibility and coverage across environments. Add AI adoption to the mix, with organizations rushing to run vulnerable packages in the cloud, and you have a uniquely difficult environment for security professionals.”

Report Key Findings

The Orca Security 2025 State of Cloud Security Report finds that:

  • More cloud innovation brings greater cloud risk: As cloud adoption and cloud-native technologies expand, so too does the volume and severity of cloud risks. Nearly a third of cloud assets are neglected today, and each asset contains on average 115 vulnerabilities. These are two data points among many illustrating this troubling trend.
  • Attack surfaces are expanding—and risks are increasingly interconnected: 76% of organizations have at least one public-facing asset that enables lateral movement, turning a single risk into an opportunity for broader compromise. Security teams need to defend not only a growing attack surface but also increasingly interconnected risks. To illustrate, 36% of organizations have at least one cloud asset supporting more than 100 attack paths—giving attackers a direct route to endanger high-value assets.
  • Risks span the entire application pipeline: Cloud security risks aren't confined to runtime environments—they often originate earlier in the application development lifecycle. 85% of organizations have plaintext secrets embedded in their source code repositories. If a repository is exposed, attackers can extract the secrets to access systems, exfiltrate data, and more.
  • Innovation is expanding attack surfaces—and the scale of cloud risks: 84% of organizations are now using AI in the cloud, introducing new risks, including AI-related CVEs that enable remote code execution. Kubernetes adoption adds further complexity—93% of organizations have at least one privileged service account, increasing the potential of a breach. Combined with growing multi-cloud adoption, these trends are reshaping the nature and scale of cloud security challenges.

“The 2025 State of Cloud Security Report shows how the increased software development productivity that comes with using cloud services creates challenges of scale for security teams. Traditional exposures, like neglected cloud assets and exposed sensitive data, continue to grow. At the same time, new challenges are emerging—from the rapid rise of non-human identities to a growing number of AI-related vulnerabilities. The report sheds light on how security teams need to address the expanding attack surfaces for effective cloud security,” said Melinda Marks, Practice Director, Cybersecurity, Enterprise Strategy Group.

About Orca Security

Orca enables organizations to make cloud security a strategic advantage. With the most comprehensive coverage and visibility across multi-cloud environments, the agentless-first Orca Platform unites teams to eliminate complexities, vulnerabilities and risks. Backed by Temasek, CapitalG, ICONIQ Capital, Redpoint Ventures and others, Orca is trusted by hundreds of organizations, including SAP, Gannett, Autodesk, Unity, Lemonade and Digital Turbine. Connect your first account in minutes: https://orca.security or book a personalized demo.
