The edge has been expanding for years. What's changing now is who's paying attention to it. New sensor telemetry from GreyNoise Intelligence, drawn from 162 days of continuous observation across H2 2025, records 2.97 billion malicious sessions targeting internet-facing infrastructure. That's roughly 212 sessions per second, sustained across the full period. The distribution is not random noise. VPN appliances, firewalls, and routers absorbed systematic, concentrated targeting.
Palo Alto GlobalProtect alone received 16.7 million sessions — more than 3.5 times Cisco and Fortinet combined. That's a concentration the GreyNoise data characterizes as deliberate targeting, not an artifact of market share.
How bad has targeting the edge gotten? The Verizon 2025 DBIR documented an eight-fold increase in edge device exploitation in a year, from 3% to 22% of all breaches involving vulnerability exploitation. Mandiant M-Trends 2025 found that all four of the most frequently exploited vulnerabilities in 2024 were in edge devices. CISA responded with Binding Operational Directive 26-02, requiring federal agencies to identify and decommission end-of-support edge devices, citing what the agency described as widespread exploitation by advanced threat actors. Three independent sources, one conclusion.
Edge devices draw this attention because of where they sit in the enterprise. When an attacker breaches a VPN appliance or firewall, they gain network-level access, often before security defenses are triggered. These devices are internet-exposed by design; that is their purpose. They are also frequently managed with less rigor than their risk profile warrants, even though they sit directly in front of everything that matters.
The investment trajectory in edge computing isn't going to relieve the pressure.
The global edge computing market was valued at approximately $168.4 billion in 2025 and is projected to reach $249.06 billion by 2030, growing 8.1% annually, according to Markets and Markets. That capital commitment reflects a genuine architectural shift. It's a shift that continues placing an expanding inventory of internet-facing devices at the boundary between enterprise operations and the public internet, across manufacturing, healthcare, financial services, and critical infrastructure.
More edge investment means more edge exposure. Attackers will follow what is deployed and vulnerable.
AI Infrastructure: Exposed Before Secured
The hyperscalers are spending at rates the industry hasn't seen before. Alphabet, Amazon, Meta, and Microsoft are collectively projected to spend approximately $650 billion in capital expenditures in 2026, the majority directed at AI compute, data centers, and networking. That's up from roughly $410 billion in 2025, according to Bridgewater Associates. Enterprises are following, deploying LLM inference servers, AI-assisted security tooling, and AI-enabled operational systems. Much of it is internet-facing. A significant portion arrives misconfigured.
How exposed is the AI infrastructure layer? Research by SentinelOne and Censys, published in January 2026, identified 175,000 Ollama servers exposed across 130 countries. Just over 48% of those hosts were advertising tool-calling capabilities via API endpoints.

A compromised server isn't a stolen model — it's a pivot point into whatever the LLM was wired to reach: internal APIs, code execution environments, external services. "A successful compromise could grant function-execution privileges, not just access to model weights," the GreyNoise research team told CYBER.SEC.Media.
GreyNoise sensors recorded 91,403 attack sessions targeting Ollama servers between October 2025 and January 2026, including a single 11-day enumeration sweep that systematically probed 73 model endpoints spanning GPT-4o, Claude Sonnet, Llama, DeepSeek-R1, Gemini, and others.
The source IPs tell the story. "Those actors had been observed targeting hundreds of other vulnerability signatures, the same infrastructure targeting traditional edge devices," the GreyNoise research team explained. These weren't purpose-built AI attacks. Ollama endpoints were simply appended to toolchains already sweeping the internet for VPN appliances, routers, and exposed services. Attackers didn't build new tools for AI infrastructure. They added it to the list. Some attackers have already moved to monetization.
In Operation Bizarre Bazaar, as documented by Pillar Security in January 2026, attackers systematically scanned for exposed AI infrastructure, captured stolen credentials, and resold that access at 40–60% discounts through Discord and Telegram channels. According to a 2024 finding from Sysdig, estimated victim costs hit over $46,000 per day per compromised account. That's cryptojacking economics applied to inference compute.
At the same time, the CVE landscape for AI-serving platforms is expanding. vLLM disclosed critical and high-severity vulnerabilities in 2025–2026, including remote code execution via unsafe deserialization (CVE-2025-47277) and RCE via malicious video URLs submitted to multimodal API endpoints.
Ollama itself carries a critical CVE for missing authentication on all management operations (CVE-2025-63389). Production systems, documented exploitable vulnerabilities, actively probed by the same infrastructure targeting VPN appliances. And the threat runs in both directions. APT28 embedded Alibaba's Qwen2.5-Coder LLM directly into the LAMEHUG implant to generate commands on compromised hosts, per CERT-UA. That's the first documented case of an APT embedding LLM-based command generation directly into an implant.
Anthropic documented a Chinese state-sponsored campaign, which the company identified in September 2025, in which AI executed 80–90% of operations. The attack surface and the attack tooling move together. For CISOs with AI infrastructure on the roadmap, the GreyNoise research team frames the immediate priorities as asset management, authentication/identity security, and improved use of behavioral analysis along with deny-lists.
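To make the behavioral-analysis priority concrete, the Python below (an added example, not code from GreyNoise or this article) flags sources that request many distinct model names, most of them not served locally, inside one time window, which is the shape of the model-endpoint enumeration sweep described above. The log format, SERVED_MODELS, the thresholds and the sample lines are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the models this deployment actually serves.
SERVED_MODELS = {"llama3", "qwen2.5-coder"}

# Constructed sample of a reverse-proxy log: <UTC time> <source IP> <path> model=<name>
SAMPLE_LOG = """\
2026-01-10T12:00:01Z 203.0.113.7 /api/generate model=gpt-4o
2026-01-10T12:00:03Z 203.0.113.7 /api/generate model=claude-sonnet
2026-01-10T12:00:04Z 198.51.100.20 /api/generate model=llama3
2026-01-10T12:00:05Z 203.0.113.7 /api/generate model=llama3
2026-01-10T12:00:09Z 203.0.113.7 /api/generate model=deepseek-r1
2026-01-10T12:03:40Z 198.51.100.20 /api/generate model=qwen2.5-coder
2026-01-10T08:00:00Z 192.0.2.44 /api/generate model=gpt-4o
2026-01-10T10:00:00Z 192.0.2.44 /api/generate model=gemini
2026-01-10T12:30:00Z 192.0.2.44 /api/generate model=deepseek-r1
2026-01-10T15:00:00Z 192.0.2.44 /api/generate model=claude-sonnet
"""

def parse(line):
    """Split one log line into (timestamp, source IP, requested model)."""
    ts, ip, _path, model = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, ip, model.partition("=")[2]

def find_enumerators(log_text, window=timedelta(minutes=10), min_models=4):
    """Return {ip: models} for sources that asked for at least min_models
    distinct models, more than half of them unserved, within one window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, ip, model = parse(line)
            by_ip[ip].append((when, model))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            models = {m for _, m in events[start:end + 1]}
            unserved = models - SERVED_MODELS
            if len(models) >= min_models and len(unserved) > len(models) / 2:
                flagged[ip] = sorted(models)  # deny-list candidate
                break
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))                            # fast sweep only
    print(find_enumerators(SAMPLE_LOG, window=timedelta(days=1)))  # also the slow sweep
```

The sweep reported above ran for 11 days, so a short window alone misses slow enumeration; the second call shows the same logic catching the slower source once the window is widened.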
CVE age-discrimination is costly
Pre-2015 CVEs generated 7.3 million exploitation sessions in H2 2025 — four times more than all 2023–2024 CVEs combined (1.8 million). The leading volume contributor was CVE-1999-0526, a 26-year-old X Server information disclosure vulnerability accounting for 6.35 million sessions: 87% of the pre-2015 category. Vulnerability management programs that prioritize by CVE recency are optimizing for the wrong metric. The finding isn't that old CVEs matter more than new ones; it's that patching programs shouldn't de-prioritize legacy exposure while unpatched systems remain in production.

The data reveals that while it's easy to say, and it has been said often, that successfully mitigating risk requires basic digital hygiene such as continuous asset discovery, management, risk assessment, and mitigation, along with ensuring that mitigation efforts are in place, it is very difficult to do in practice.
It's that, or security programs are essentially misaligned with where actual risk exists in their environment.


