November 11, 2025•243 views•By Exposradar Security Team
Why We Built Exposradar
Tags: security, databases, elasticsearch, mongodb, cybersecurity
Modern infrastructure is deployed faster than it can be secured.
Databases go live on the public internet with no authentication, no network restrictions, and no monitoring. Within hours, automated scanners discover them. Shortly after, opportunistic actors access the data, delete it, and replace it with ransom notes.
This is a repeatable failure pattern, and it operates at scale.
The Attack Model
Exposed databases follow a consistent lifecycle. A service is deployed with default or permissive settings and binds to a public interface. Authentication is missing or misconfigured. Internet-wide scanners identify the service within hours. Opportunistic actors access the instance, remove data, and leave ransom notes demanding payment.
No exploit is required. No malware is delivered. Exposure alone is sufficient.
What We Observed
We started scanning to measure real exposure, not assumptions.
The results were consistent: Elasticsearch clusters exposed without authentication, many already overwritten with ransom notes. MongoDB instances exposing customer records, session data, and internal systems, wiped and replaced with extortion messages. Databases containing credentials, PII, and regulated data, fully accessible from the internet.
These patterns repeat across cloud providers, regions, and industries. The problem is systemic.
What Exposradar Does
Exposradar is an exposure intelligence platform purpose-built for publicly accessible data services.
Most internet-wide scanning tools index everything: ports, banners, certificates, HTTP headers. They leave interpretation to the analyst. Exposradar takes a different approach. We focus exclusively on data infrastructure: databases, object stores, and data services that should never be reachable from the public internet. This narrow scope allows us to go deeper where it matters.
We continuously identify and index exposed instances across a growing range of data services, starting with Elasticsearch and MongoDB.
What we cover today is a fraction of what we are building toward.
Each instance is enriched with structured metadata: IP, port, geolocation, database and index names, and an exposure classification. The classification records whether the service lacks authentication, is misconfigured, or already contains a ransom note.
Where general-purpose scanners stop at banner extraction, Exposradar performs service-native interaction. We connect to databases using their own protocols, enumerate what is exposed at the schema level, and classify the state of the instance, not just its existence. The result is not a list of open ports. It is a structured, queryable view of what data infrastructure is exposed and in what condition.
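To make the difference between banner extraction and service-native classification concrete, here is an added example (not Exposradar's code) for the Elasticsearch case. It issues exactly two read-only requests, GET / and GET /_cat/indices, and derives the instance state from the HTTP status and the index list alone; no documents are fetched. The ransom-note index-name pattern, the state labels, and the sample index listings are assumptions constructed for this illustration.

```python
"""Exposure-state classifier for an Elasticsearch endpoint (added example)."""
import json
import re
import urllib.error
import urllib.request

# Assumed: substrings that extortion actors commonly use for the index they
# leave behind. Illustrative only, not Exposradar's detection list.
RANSOM_PATTERN = re.compile(r"(read_?me|recover|ransom|warning)", re.IGNORECASE)


def fetch(url, timeout=5.0):
    """GET url and return (status, body). HTTP errors become a status, not an exception."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def classify(root_status, indices):
    """Classify from the root status and the parsed /_cat/indices?format=json list.

    Returns (state, metadata). Metadata is only what the post lists as
    collectable: index names, document counts, and the indices that look
    like ransom notes. Hidden/system indices (leading '.') are excluded.
    """
    if root_status in (401, 403):
        return "auth-required", {}
    if root_status != 200:
        return "unreachable", {}
    user_indices = [i for i in indices if not i["index"].startswith(".")]
    names = [i["index"] for i in user_indices]
    docs = sum(int(i.get("docs.count") or 0) for i in user_indices)
    ransom = [n for n in names if RANSOM_PATTERN.search(n)]
    meta = {"indices": names, "docs": docs, "ransom_indices": ransom}
    if ransom:
        return "ransomed", meta
    return "open-no-auth", meta


def inspect_elasticsearch(host, port=9200):
    """Live check: two GETs against a host, then classify. Network use is read-only."""
    base = f"http://{host}:{port}"
    status, _ = fetch(base + "/")
    indices = []
    if status == 200:
        cat_status, body = fetch(base + "/_cat/indices?format=json")
        if cat_status in (401, 403):
            # Root may be proxied open while the cluster itself enforces auth.
            return classify(cat_status, [])
        if cat_status == 200:
            try:
                indices = json.loads(body)
            except json.JSONDecodeError:
                indices = []
    return classify(status, indices)


# Constructed sample listings in the shape /_cat/indices?format=json returns.
SAMPLE_RANSOMED = [
    {"index": "read_me_to_recover_your_data", "docs.count": "1"},
    {"index": ".kibana_1", "docs.count": "12"},
]
SAMPLE_OPEN = [
    {"index": "customers", "docs.count": "48213"},
    {"index": "sessions", "docs.count": "9002"},
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(inspect_elasticsearch(sys.argv[1]))
    else:
        print(classify(401, []))
        print(classify(200, SAMPLE_RANSOMED))
        print(classify(200, SAMPLE_OPEN))
```

The two-request budget is deliberate: the root document tells you whether authentication is enforced, and the index catalogue gives names and counts without touching a single record, which is the boundary the "Scope and Ethics" section below draws. The pattern match on index names is a heuristic; a production classifier would also look at mapping and document structure of the suspect index, and would be tuned against observed ransom campaigns rather than the assumed list here.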
Why It Matters
Exposure is not a vulnerability that gets patched. It is a configuration failure that persists until explicitly fixed. Most exposed systems we track could have been prevented by any one of three controls: authentication, network restriction, or binding the service to a private interface instead of all addresses. Applying all three is the sound default; any one of them would have kept the instance off our radar.
Yet they remain accessible, often for weeks or months, because the teams responsible do not know they are exposed. Exposradar exists to close that visibility gap. Continuously, not on-demand.
What Comes Next
Elasticsearch and MongoDB are where we started, not where we stop.
We are expanding into additional data services, orchestration layers, and storage backends that follow the same pattern: deployed fast, exposed by default, discovered before anyone on the defending side notices. The full scope of what we are building is not public yet. The direction is clear: if it holds data and it is reachable from the internet without authentication, it belongs on the radar.
Scope and Ethics
Exposradar is built for defensive security.
We do not exploit systems. We do not extract data. We do not store sensitive content. We collect only service-level metadata available from unauthenticated, publicly accessible endpoints: database names, collection names, document counts, and configuration indicators.
All scanning activity is conducted using standard, non-destructive protocol interactions. Instances are never modified. No data is read beyond what is necessary to classify exposure state.