Zombie Projects Rise Again to Undermine Security
Recorded: Oct. 31, 2025, 1 p.m.
Original
Zombie Projects Rise Again to Undermine Security

Companies left them for dead, but the remnants of old infrastructure and failed projects continue to haunt businesses' security teams.

Robert Lemos, Contributing Writer
October 30, 2025
7 Min Read

A variety of old, abandoned projects, long considered dead, continue to rise up and undermine the cybersecurity posture of the companies that created them.

From code to infrastructure to APIs, these so-called "zombie" assets continue to cause security headaches for companies and sometimes lead to breaches. Oracle's "obsolete" servers, abandoned Amazon S3 buckets used by attackers to distribute malware, and the unmonitored API connecting Optus' customer-identity database to the Internet are all variations of the zombies plaguing enterprises.

The lack of attention to forgotten — dare we say, "undead" — services causes cybersecurity headaches in two ways, says Andrew Scott, director of product at cybersecurity firm Palo Alto Networks.

"If you've got a device that has been forgotten, you're probably not looking after it, so if it were compromised, it may be hard for you to know," he says. "And two: The longer that those things stay out there, stay unmanaged or not getting the TLC and patch cycles ... the more likely that they are vulnerable to risks over time."

Still-operating yet unmanaged devices, services, and APIs continue to be a massive cybersecurity problem for companies, expanding their attack surfaces and requiring intense efforts to discover and remediate.
A third of attackers look for exposed assets, including web-facing services (18%), external remote services (12%), and supply chains (3%), according to Microsoft's Digital Defense Report 2025, published this month. The vast majority of organizations (84%) have seen their external attack surfaces grow — and 90% have seen a corresponding increase in impactful incidents — over the past year, according to Cybersecurity Insiders' 2024 Attack Surface Threat Intelligence Report.

Zombie devices and software are also a form of security debt, with more than half of organizations (58%) seriously or moderately concerned over technology known to be vulnerable but which remains unpatched or lacks updates, according to Ivanti's "State of Cybersecurity Exposure Management" report. Despite this, organizations continue to produce unmanaged technology, with more than half of organizations (51%), for example, running software beyond its end-of-life date.

Zombie Code, Undead Hardware

Zombie software and devices are both problems for companies.

Nine in 10 codebases scanned by application security firm Black Duck have open-source components that were more than ten versions behind the current release, while 91% of codebases had packages that showed no development activity for the past two years. All of this while the number of open-source files in the average application has quadrupled, according to the firm.

Figure: Most codebases have at least one package more than 4 years out of date that developers are likely unaware of. Source: Black Duck

With the vast majority of these zombie codebases (81%) containing at least one critical vulnerability, the software is a high-risk liability, says Mike McGuire, senior security solutions manager at Black Duck.

"That's a huge, unmanaged population of old code," he says. "More components mean a larger attack surface and more places for zombie code to hide."

Unmanaged hardware is another major risk, usually because the software for an unmanaged device is no longer updated, but also because the security controls managing access to the services it provides are no longer updated. The average organization has more than 300 new services publicly accessible each month, accounting for a third of high and critical exposures, according to research published by Palo Alto Networks.

These devices are often hard to find, says Palo Alto Networks' Scott.

"You will find hardware where the last guy who knew about that thing has left the company and no one really knows what it is or where it is," he says. If a serious vulnerability or authentication issue is uncovered, it will push the device higher on the priority list for patching, says Scott. But, he adds, "We do see plenty of things that are old and the company just decided, 'Hey, it's going to be a lot of manpower to go and track those things down. I'm not that worried about it.'"

Undead Cloud Infrastructure

Cloud infrastructure has made managing attack surfaces even more complicated.

Every night at midnight UTC, the free digital certificate service Let's Encrypt runs into its own zombie problem. Hardware belonging to organizations that have allowed domain names to lapse, home users with dynamic-DNS domains, and administrators who have failed to deprovision old web services wakes up and sends renewal requests to its servers.
Because the requests are invalid, they do not result in a certificate being generated and sent. However, because the service covers 670 million active certificates, even a small percentage of zombie clients uses a significant amount of resources, wrote Samantha Frank, a senior software engineer at Let's Encrypt.

"Unlike a human being, software doesn't give up in frustration, or try to modify its approach, when it repeatedly fails at the same task," she wrote. Automation "is great when those renewals succeed, but it also means that forgotten clients and devices can continue requesting renewals unsuccessfully for months, or even years."

To solve the problem, the organization has adopted rate limiting and will pause account-hostname pairs, immediately rejecting any further renewal requests for them.

Other zombie infrastructure includes application programming interfaces (APIs). Overall, attacks on APIs grew by 41% in 2024, with attacks on shadow and zombie APIs — defined as "undocumented" and "forgotten" endpoints, respectively — allowing attacks on business logic flaws and sensitive data to be conducted without detection, according to cloud-security firm Radware's 2025 Cyber Threat Report.

Companies often deploy a new version of an API while leaving the old version in place for backwards compatibility, but subsequently forget to decommission the legacy code, says Pascal Geenens, vice president of cyberthreat intelligence for Radware.

"Typically, those zombie APIs were written many years ago and they weren't written with the same controls and the same secure code — and maybe the company switched to a more secure programming language, like Rust instead of C++ that they used before," he says.

Fast Deployment of AI Leaves Zombies

The rapid development of pilot artificial intelligence projects has left some companies with significant security debt — zombie services connected to real company data that remain accessible.
One customer of exposure-management firm Tenable, for example, transitioned away from Microsoft Copilot, but when the company scanned its network, it found "tens of endpoints" still accessible and open to the Internet, says Tomer Avni, vice president of product for the company.

Figure: A variety of flaws and misconfigurations can affect forgotten AI services. Source: Tenable

"Basically anyone on the Internet could communicate with those agents and query sensitive data," he says. And because the company had moved on from Microsoft Copilot Enterprise, it didn't have the permissions to fix the issue, he explains.

The vast majority of organizations today are either running (55%) or piloting (34%) AI workloads, and a third have already experienced an AI-related breach, according to Tenable's "State of Cloud and AI Security 2025" report.

Automation is key to tackling the issue of zombie services, devices, and code. Scanning the package manifests in software, for example, is not enough, because nearly two-thirds of vulnerabilities are transitive — they occur in a software package imported by another software package. Scanning manifests only catches about 77% of dependencies, says Black Duck's McGuire.

"Focus on components that are both outdated and contain high [or] critical-risk vulnerabilities — de-prioritize everything else," he says. "Institute a strict and regular update cadence for open source components — you need to treat the maintenance of a third-party library with the same rigor you treat your own code."

AI poses an even more complex set of problems, says Tenable's Avni. For one, AI services span a variety of endpoints. Some are software-as-a-service (SaaS), some are integrated into applications, and others are AI agents running on endpoints. In addition, AI agents routinely connect to third-party services, which could result in exposing sensitive data to untrusted environments.
A developer using Cursor and connecting it to the DeepSeek foundational AI model may be violating policy.

The security team needs to hunt for shadow AI and zombie endpoints across the entire company, as well as the services used by employees. Looking at network traffic alone will not do this, says Avni, so spreading sensors throughout the infrastructure is important.

"This is a much bigger challenge than what we used to experience, because the solution spans across different people and groups," Avni says. "Sometimes the security team is siloed — there are endpoint people, cloud people — and this problem actually requires all of them to sit together and to look at it together."

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R.
Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
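The renewal-pausing mechanism described above for Let's Encrypt, as an added Python illustration that is not Let's Encrypt's code: it counts consecutive failed renewals per account-hostname pair and, once a threshold is hit, rejects further requests without spending any validation work on them. The threshold of 3, the client names and the 30-night replay are constructed assumptions.

```python
"""Pause zombie renewal clients per (account, hostname).

Constructed example modelled on the mechanism described for Let's Encrypt;
the threshold and the client list are assumptions, not real limits or data.
"""
from collections import defaultdict

PAUSE_AFTER = 3  # consecutive failures before a pair is paused (assumed value)


class RenewalGate:
    def __init__(self, pause_after=PAUSE_AFTER):
        self.pause_after = pause_after
        self.failures = defaultdict(int)  # (account, hostname) -> consecutive failures
        self.paused = set()               # pairs rejected before any validation
        self.validations = 0              # expensive validation attempts actually run

    def request(self, account, hostname, domain_resolves):
        """Handle one renewal request; returns 'paused', 'issued' or 'failed'."""
        key = (account, hostname)
        if key in self.paused:
            return "paused"  # rejected immediately, no validation work spent
        self.validations += 1
        if domain_resolves:
            self.failures[key] = 0  # a success resets the streak
            return "issued"
        self.failures[key] += 1
        if self.failures[key] >= self.pause_after:
            self.paused.add(key)
        return "failed"


def run_nightly(gate, nights, clients):
    """Replay `nights` midnight runs; every client retries every night.

    clients: dict (account, hostname) -> bool, True if the domain still validates.
    Returns a count of outcomes across all nights.
    """
    outcomes = defaultdict(int)
    for _ in range(nights):
        for (account, hostname), ok in clients.items():
            outcomes[gate.request(account, hostname, ok)] += 1
    return dict(outcomes)


# Constructed clients: one healthy, one lapsed domain, one forgotten device
CLIENTS = {
    ("acct-1", "www.example.com"): True,
    ("acct-2", "old-shop.example.net"): False,  # domain allowed to lapse
    ("acct-3", "nas.dyndns.example"): False,    # dynamic-DNS box nobody decommissioned
}

if __name__ == "__main__":
    gate = RenewalGate()
    print(run_nightly(gate, 30, CLIENTS))          # {'issued': 30, 'failed': 6, 'paused': 54}
    print("validations run:", gate.validations)    # 36 instead of 90 without pausing
```

Without pausing, the two zombie clients would force 60 validation attempts over the month; with it, they cost 6.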
Summarized

The resurgence of "zombie projects" (neglected and abandoned systems, code, and infrastructure) represents a significant and growing cybersecurity risk for organizations worldwide. As detailed by Dark Reading contributing writer Robert Lemos, the phenomenon is driven by a combination of factors, including rapid technological shifts, changing priorities, and a lack of consistent oversight. These remnants of past endeavors, often left untouched, become havens for vulnerabilities and potential attack vectors.

The core issue is the extended lifespan of these dormant assets. Organizations, in their efforts to move forward, frequently fail to adequately decommission or manage legacy systems. This neglect leaves critical infrastructure, such as obsolete servers, forgotten Amazon S3 buckets, and unmonitored APIs, accessible and vulnerable. According to Palo Alto Networks' Andrew Scott, the lack of attention to these systems stems from a perceived low priority: the thinking is that tracking down an old, neglected asset costs more effort than the risk warrants. However, this complacency increases the attack surface. Microsoft's Digital Defense Report 2025 underscores this trend, finding that a third of attackers look for exposed assets, including web-facing services, external remote services, and supply chains.

The risk is not confined to simple obsolescence. Black Duck's data show that many codebases contain outdated open-source components, often many versions behind the current release, because dependencies are not maintained. This is magnified by the growth in open-source code: the number of open-source files in the average application has quadrupled. Furthermore, the sheer quantity of new services becoming publicly accessible, upwards of 300 per month, exacerbates the problem, as Palo Alto Networks research shows.

Beyond traditional software vulnerabilities, cloud infrastructure has introduced new layers of complexity. Let's Encrypt, a free digital certificate service, struggles with "zombie clients": forgotten systems that keep requesting certificate renewals that can no longer succeed because the domains have lapsed or the services were never deprovisioned. These lingering requests consume resources at scale, and Let's Encrypt has responded with rate limiting and by pausing the offending account-hostname pairs. Similarly, forgotten APIs, often kept for backward compatibility but left undocumented and unmanaged, create further attack vectors. Radware's 2025 Cyber Threat Report indicates a 41% growth in API attacks, with a particular focus on "shadow and zombie APIs," that is, undocumented and forgotten endpoints.

The acceleration of AI development has further complicated the landscape. Rapidly deployed AI projects, particularly pilot programs, tend to leave behind "zombie" services connected to real company data. Tenable reports that one customer which had moved off Microsoft Copilot discovered tens of endpoints still accessible from the Internet and no longer had the permissions to fix them. Tenable's Tomer Avni also notes the policy risk of developers connecting tools such as Cursor to external models such as DeepSeek. AI agents spanning SaaS, applications, and endpoints introduce a much larger attack surface, requiring vigilance across endpoint, cloud, and SaaS environments. According to Tenable, 55% of organizations are running and 34% are piloting AI workloads, and a third have already experienced an AI-related breach.

Addressing this "zombie" problem requires a holistic approach, incorporating robust vulnerability management, continuous monitoring, and disciplined lifecycle management. Scanning beyond code manifests to transitive dependencies, instituting a regular dependency-update cadence, and regularly reviewing IT inventories are all critical components. Furthermore, organizations must proactively hunt for these forgotten systems. Ultimately, as Palo Alto Networks' Scott suggests, the core challenge lies not just in identifying dormant assets, but in maintaining the consistent oversight needed to protect them, preventing them from becoming conduits for disruptive attacks.
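McGuire's two remediation points above (manifest-only scanning misses transitive dependencies; fix first the components that are both outdated and carry high or critical vulnerabilities), as an added Python example that is not Black Duck's tooling. The dependency graph, package names, version gaps and severities are all constructed for the illustration.

```python
"""Manifest-only vs. transitive dependency scanning, plus McGuire-style triage.

Constructed example: the graph, package names, version gaps and severities
below are invented for illustration, not real packages or advisories.
"""
from collections import deque

# Constructed resolved dependency graph: package -> packages it pulls in.
# Only the "webapp" entry is what a manifest file would list directly.
GRAPH = {
    "webapp":      ["http-kit", "tmpl-engine"],
    "http-kit":    ["url-parse", "tls-shim"],
    "tmpl-engine": ["escape-util"],
    "url-parse":   [],
    "tls-shim":    ["asn1-old"],
    "escape-util": [],
    "asn1-old":    [],
}

# Constructed component metadata: releases behind current, worst open severity (or None).
COMPONENTS = {
    "http-kit":    {"versions_behind": 2,  "severity": None},
    "tmpl-engine": {"versions_behind": 12, "severity": "medium"},
    "url-parse":   {"versions_behind": 0,  "severity": "high"},
    "tls-shim":    {"versions_behind": 15, "severity": "critical"},
    "escape-util": {"versions_behind": 11, "severity": None},
    "asn1-old":    {"versions_behind": 30, "severity": "high"},
}


def manifest_scan(root):
    """What a manifest-only scan sees: just the direct dependencies."""
    return set(GRAPH[root])


def transitive_scan(root):
    """Breadth-first walk of the resolved graph: every component actually shipped."""
    seen, queue = set(), deque(GRAPH[root])
    while queue:
        pkg = queue.popleft()
        if pkg not in seen:
            seen.add(pkg)
            queue.extend(GRAPH.get(pkg, []))
    return seen


def vulnerable(pkgs):
    """Components in `pkgs` with any open vulnerability."""
    return {p for p in pkgs if COMPONENTS[p]["severity"] is not None}


def triage(pkgs, stale_after=10):
    """Fix-first list: outdated (> stale_after releases behind) AND high/critical."""
    return sorted(p for p in pkgs
                  if COMPONENTS[p]["versions_behind"] > stale_after
                  and COMPONENTS[p]["severity"] in ("high", "critical"))


if __name__ == "__main__":
    direct, full = manifest_scan("webapp"), transitive_scan("webapp")
    print("manifest-only finds vulns in:", vulnerable(direct))   # {'tmpl-engine'}
    print("transitive scan finds vulns in:", vulnerable(full))   # 4 components
    print("fix first:", triage(full))                            # ['asn1-old', 'tls-shim']
```

The manifest-only pass sees one medium-severity issue; the full walk surfaces the critical TLS shim and the ancient ASN.1 parser two hops down, and the triage rule puts exactly those two at the top while leaving the current-but-vulnerable url-parse for the normal update cadence.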