Full Report
From school districts to state agencies, 2025 cyber incidents were a wake-up call about asset visibility. Discover five actionable lessons SLG leaders can use to close the cyber exposure gap and move from reactive threat detection and response to proactive exposure management.Key takeawaysEffective cyber defense in 2026 requires state and local government agencies (SLGs) to move beyond scheduled scans to continuous, real-time discovery of all managed and unmanaged digital assets.Consolidating data from siloed cybersecurity tools into a unified visibility layer helps security teams proactively identify the identity, cloud, and network weaknesses attackers are likely to exploit.The 2026 SLG cybersecurity blueprint should focus on identifying and remediating specific exposures that create viable attack paths.Shifting focus from reactive threat detection and response to unified exposure management helps SLGs mitigate risks before they escalate into breaches and cause disruption.In 2025, cyberattacks against state and local governments (SLGs) reached an alarming scale. Publicly reported incidents impacted organizations in 44 U.S. states, disrupting critical services, exposing sensitive data, and straining already limited IT and security resources. From state, local, and education (SLED) to utilities and public safety agencies, the breadth of attacks made one thing clear: cyber risk is systemic.While the tactics varied, the outcomes were strikingly consistent. Attackers exploited security blind spots. They moved laterally across fragmented environments. And in many cases, SLG agencies didn’t realize the true scope of exposure until attackers had already compromised their systems.As state and local leaders look ahead to 2026, the most important question is not whether attacks will continue, but what lessons to apply now to reduce risk moving forward.The 2025 cyber snapshot for SLGsThe most significant cyber incidents of 2025 shared several common characteristics:Unknown or unmanaged assets exposed to the internetUnpatched vulnerabilities in legacy systemsMisconfigured cloud services introduced during modernization effortsDecentralized environments with limited centralized oversightDelayed detection, allowing attackers to escalate privileges and expand impactIn many cases, agencies had security tools in place, but those tools operated in silos. Vulnerability scanners, endpoint detection and response tools, cloud security platforms, and identity systems all generated isolated signals, yet no unified view existed to connect them. This left security teams reacting to alerts rather than understanding how real risk moved through their environments.The result was a widening cyber exposure gap between what agencies thought they had secured and where they actually had exposures.Learn how to apply lessons learned to your 2026 cyber roadmap. Register for the "Bridging the Cyber Gap" webinar now.Why 2025 was a turning point for SLG cybersecurityFor years, state and local government organizations prioritized reactive cybersecurity approaches. Limited budgets, staffing shortages, and aging infrastructure made it difficult to move beyond compliance checklists and point-in-time security assessments.But the 2025 attacks demonstrated that reactive security no longer matches the speed or sophistication of modern cyber threats.Attackers don’t exploit single vulnerabilities in isolation. They chain together weaknesses across identity systems, endpoints, cloud workloads, and network infrastructure. They target what defenders can’t see, including the weaknesses they don’t realize are connected.This is where many SLGs found themselves in 2025: responding to incidents without a clear understanding of how attackers gained access, where else they could move, or which exposures posed the greatest risk next.From vulnerability management to exposure managementWhile vulnerability management remains an essential foundation for cyber hygiene in any agency, the evolving threat landscape of 2026 requires building upon those basics with a comprehensive exposure management strategy. Rather than replacing vulnerability management, exposure management provides the critical visibility and context needed to scale security efforts across a diverse, modern attack surface.Traditional vulnerability management answers an important question: Which vulnerabilities exist? Exposure management answers a more critical one: Which vulnerabilities actually put the organization at risk, and how could attackers exploit them?A proactive exposure management approach focuses on:Complete asset visibility: Identifying known, unknown (shadow IT), on-prem, cloud, and remote assetsContextual risk prioritization: Understanding which exposures matter most based on exploitability and business impactAttack path analysis: Seeing how individual weaknesses connect across systemsContinuous monitoring: Adapting as environments change, not just during scheduled scansFor state and local governments, this shift is especially important. Decentralized governance models, independent local agencies, and mixed infrastructure make it nearly impossible to manage cyber risk without a unified view.Learn how to build a 2026 exposure management roadmap for SLGs. Register for the webinar now.5 cyber lessons for SLG leaders in 2026SLG leaders can use lessons learned from last year’s cyber incidents to drive action in 2026:1. You can’t protect what you can’t seeIn many of the most damaging cyber attacks, threat actors exploited assets agencies didn’t realize were exposed, including S3 buckets in the cloud and network devices on premises. Continuous asset discovery is no longer optional.2. Cyber risk lives between toolsSiloed cloud, identity, OT, AI, and network security tools leave gaps attackers are happy to exploit. Attack surface visibility must extend into AI tools, across systems, teams, and environments, whether cloud or on-prem.3. Decentralization requires central insightEven when security operations are local, leadership needs centralized visibility into risk across agencies, counties, and districts.4. Prioritization is everythingSecurity teams can’t fix everything, but they can fix what matters most using threat and business context.5. Proactive beats reactive, every timeAgencies that proactively identify and close exposures dramatically reduce their risk.Preparing SLGs for 2026: Closing the cyber exposure gapAs state and local governments move into 2026, cloud adoption will expand, AI tools will introduce new risks, regulatory scrutiny will grow, and attackers will keep targeting the public sector.The agencies best positioned to meet these challenges will be those that move beyond reactive defense and embrace exposure management as a whole-of-state cybersecurity strategy.Bridging the cyber exposure gap doesn’t start with more tools. It starts with better visibility, richer context, smarter prioritization, and a proactive understanding of how risk truly exists across the environment.The lessons of 2025 are clear. The opportunity in 2026 is to act on them.Is your agency ready to build a proactive cybersecurity strategy for 2026? Join us at 2 p.m. ET Feb. 5 for our webinar, "Bridging the cyber gap: From 2025 hits to 2026 threats," where you can dive deeper into these SLG cyber trends and get a blueprint for a proactive defense.Register now for the webinar.
Analysis Summary
# Best Practices: Transitioning from Reactive Detection to Proactive Exposure Management for SLGs
## Overview
These practices focus on helping State and Local Government (SLG) agencies bridge the growing cyber exposure gap identified in 2025 incidents. The core goal is to shift from reacting to security alerts toward a proactive, unified management of digital exposures across heterogeneous environments (on-premise, cloud, unmanaged assets).
## Key Recommendations
### Immediate Actions
1. **Mandate Continuous Asset Discovery:** Immediately cease reliance on scheduled scans alone. Implement continuous, real-time discovery mechanisms to identify *all* managed and unmanaged digital assets exposed to the internet (Lesson 1).
2. **Identify "Hidden" Exposures:** Conduct an immediate review specifically targeting commonly exploited blind spots, such as misconfigured cloud services (e.g., S3 buckets) and exposed network devices, which attackers leveraged in 2025 incidents.
3. **Centralize Initial Risk Signals:** Begin the process of ingesting data from siloed security tools (vulnerability scanners, EDR, cloud platforms, identity systems) into a unified visibility layer to establish a preliminary holistic view of risk.
### Short-term Improvements (1-3 months)
1. **Establish Unified Visibility Layer:** Consolidate data streams from existing cybersecurity tools (Vulnerability Management, Cloud Security Posture Management, Identity Access Management) to connect isolated signals and reveal attack paths across systems (Lesson 2).
2. **Implement Contextual Prioritization:** Move beyond raw vulnerability counts. Prioritize remediation efforts based on the combination of known vulnerabilities *and* the context of exploitability, active threats, and the potential business impact of the asset (Lesson 4).
3. **Document Attack Path Analysis:** Begin mapping how known weaknesses—such as an unpatched legacy system connected to a poorly configured cloud resource—could be chained together by an attacker to escalate privileges.
### Long-term Strategy (3+ months)
1. **Adopt Exposure Management Framework:** Fully integrate Exposure Management as the primary security strategy, building upon foundational vulnerability management practices by focusing on how exposures create viable attack paths (Shift Focus: Vulnerability Management to Exposure Management).
2. **Establish Centralized Risk Oversight:** For decentralized environments (multiple agencies, counties, districts), implement a centralized risk reporting and visibility mechanism so leadership maintains overarching oversight, even if operations are distributed (Lesson 3).
3. **Integrate Emerging Risk Vectors:** Ensure the unified visibility layer spans all modern system components, including nascent technologies like AI tools, to monitor for corresponding security gaps before they become exploited attack surfaces (Lesson 2).
## Implementation Guidance
### For Small Organizations
- **Focus on Critical Assets First:** Since extensive tool integration may be challenging initially, prioritize achieving continuous visibility and contextual risk scoring for the 20% of assets that support the most critical public services.
- **Leverage Free/Low-Cost Discovery Tools:** Utilize built-in cloud provider discovery features and free scanners to augment existing inventory processes rapidly, addressing the immediate need for asset visibility.
### For Medium Organizations
- **Prioritize Data Consolidation:** Focus IT resources on integrating 3-5 key data sources (e.g., on-prem scanner, cloud configuration tool, central identity catalogue) into a management platform to automate contextual risk correlation.
- **Develop Basic Attack Path Modeling:** Use consolidated data to visualize the top 5 most likely attack paths through the environment and assign clear ownership for remediation across IT silos.
### For Large Enterprises
- **Implement Whole-of-State Strategy:** If applicable, deploy a unified framework that spans multiple independent agencies/districts to ensure consistent risk posture reporting and prioritized remediation across the entire organization or jurisdiction cluster (Lesson 3).
- **Deep Integration and Automation:** Ensure connectors integrate all security tool outputs, leveraging automation for continuous monitoring and adaptive prioritization as environments change rapidly due to modernization efforts (cloud adoption, AI deployment).
## Configuration Examples
*No specific technical configuration (e.g., specific firewall rule, GPO setting) was provided in the text. The focus is on architectural and strategic configuration.*
**Strategic Configuration Goal (Unified Visibility Layer):**
- **Input Sources:** Configure connectors to pull data from (1) Vulnerability Scanners, (2) Cloud Security Posture Management (CSPM), (3) Identity Governance and Administration (IGA), and (4) Endpoint Detection and Response (EDR).
- **Processing Goal:** The platform must correlate a vulnerability on an on-prem server (Source 1) with the fact that the server is accessible via an exposed IP address (Cloud/Network context) and that the user managing it has excessive privileges (Source 3).
## Compliance Alignment
The transition aligns with the principles of modern, continuous compliance and risk management standards:
* **NIST CSF (Continuous Monitoring & Identify Functions):** Direct alignment with identifying assets (ID.AM) and continuously monitoring for vulnerabilities and exposures (ID.SC).
* **ISO 27001 (Information Security Management):** Supports the requirement to understand the context of the organization and manage risks based on likelihood and consequence.
## Common Pitfalls to Avoid
- **Tool Sprawl Continuation:** Do not purchase new tools expecting them to solve visibility gaps autonomously. The focus must be on *connecting* existing data, not layering new silos.
- **Ignoring Unmanaged Assets:** Failing to actively look for "shadow IT," especially in cloud environments (e.g., forgotten resources, unmonitored S3 buckets), which were primary targets in 2025 incidents.
- **Sticking to Point-in-Time Scans:** Relying on monthly or quarterly vulnerability scans provides a rapidly outdated snapshot that attackers can exploit in the interim period.
## Resources
* **Asset Discovery Tools:** Implement solutions capable of continuous, real-time discovery across cloud and on-premise environments.
* **Exposure Management Platforms:** Solutions that specialize in integrating disparate security signals for attack path analysis.
* **Whole-of-State Framework Documentation:** Reference internal or external guidance on coordinating cybersecurity practices across decentralized government entities.