The threat landscape for cloud infrastructure took a dramatic turn in 2024, with a staggering spike in severe security breaches. According to data tracked by Palo Alto Networks, high-severity cloud incidents affecting customers surged by 235% compared to the start of the year. Overall, the total number of cloud security alerts grew by an eye-opening 388%.
This sharp rise highlights a concerning trend: cloud attacks aren’t just more frequent—they’re also becoming more sophisticated. Malicious actors are now executing more impactful breaches that bypass traditional defenses, especially in runtime environments.
While low-severity threats rose by only 10% and medium-level alerts climbed 21%, it was the critical-level incidents that truly redefined the cloud security risk profile for organizations in 2024.
The Cloud’s Biggest Trouble Spots: What’s Triggering the Alarms
Throughout the year, enterprises monitored by Palo Alto Networks experienced an average of more than 20 serious security alerts per day—each signaling suspicious or dangerous behavior in real time. The most frequent alerts involved:
- Remote command line usage with serverless tokens, clocking in at an average of 24.68 times daily
- Suspicious downloads of multiple cloud storage files by a single identity (21.09 daily)
- Disabled delete protection in cloud storage environments (20.19 daily)
These actions don’t just represent isolated risks—they often serve as early steps in a larger, coordinated attack. For instance, ransomware groups have been known to start by exploiting serverless functions to gain unauthorized access, move laterally within cloud systems, disable data protection, and ultimately siphon off sensitive data in massive downloads.
Medium-severity threats also posed major headaches. The most common? Unauthorized attempts to perform multiple restricted actions—whether by hackers testing the system or everyday users misclicking their way into trouble. These alerts occurred roughly 80 times per day across organizations.
Palo Alto also flagged several fast-growing risks:
- A 305% surge in unusually large downloads
- A 116% increase in “impossible travel events,” such as users logging in from geographically distant locations within minutes
- A 60% rise in suspicious IAM API activity targeting virtual machines from outside expected regions
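To make the alert types above concrete, here is an added example (not code from Palo Alto Networks or Upwind) that runs three simple detections over a constructed batch of CloudTrail-style events: a single identity pulling many storage objects in a short window, delete protection being switched off on a bucket, and an "impossible travel" pair of console logins. The event shape, the assumed Lambda execution role ARN, the bucket names and the thresholds (5 downloads in 10 minutes, 900 km/h) are all assumptions chosen for illustration; the sample events are constructed, not real logs. Treating a suspended S3 versioning configuration as "disabled delete protection" is likewise an assumed mapping.

```python
"""Three cloud runtime detections run over constructed CloudTrail-style events.
Added example, not from the report discussed above. Field names, thresholds and
identities are assumptions; SAMPLE_EVENTS is constructed sample data."""
from __future__ import annotations

import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
# Assumed serverless identity (a Lambda execution role), as in the attack chain described above.
FN_ROLE = "arn:aws:sts::123456789012:assumed-role/lambda-exec/backup-fn"


def ev(name: str, identity: str, minutes: int, **extra) -> dict:
    """Build one constructed event `minutes` after T0."""
    return {"eventName": name, "identity": identity, "time": T0 + timedelta(minutes=minutes), **extra}


# Constructed sample events (not real logs). `geo` is (lat, lon) of the source IP.
SAMPLE_EVENTS = [
    ev("ConsoleLogin", "alice", 0, geo=(40.7128, -74.0060)),     # New York
    ev("ConsoleLogin", "alice", 30, geo=(51.5074, -0.1278)),     # London, 30 min later
    ev("ConsoleLogin", "bob", 0, geo=(37.7749, -122.4194)),      # San Francisco
    ev("ConsoleLogin", "bob", 480, geo=(40.7128, -74.0060)),     # New York, 8 h later (plausible)
    ev("PutBucketVersioning", FN_ROLE, 60,
       requestParameters={"bucketName": "finance-backups",
                          "VersioningConfiguration": {"Status": "Suspended"}}),
    *[ev("GetObject", FN_ROLE, 61 + i,
         requestParameters={"bucketName": "finance-backups", "key": f"ledger-{i}.csv"})
      for i in range(7)],                                        # 7 downloads in 7 minutes
    ev("GetObject", "bob", 90, requestParameters={"bucketName": "finance-backups", "key": "readme.txt"}),
    ev("GetObject", "bob", 300, requestParameters={"bucketName": "finance-backups", "key": "readme.txt"}),
    ev("PutBucketVersioning", "carol", 120,
       requestParameters={"bucketName": "media", "VersioningConfiguration": {"Status": "Enabled"}}),
]


def mass_downloads(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Identities whose GetObject count inside any sliding window reaches `threshold`."""
    per_identity: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e["eventName"] == "GetObject":
            per_identity[e["identity"]].append(e["time"])
    alerts = {}
    for ident, times in per_identity.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):            # two-pointer sliding window
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            alerts[ident] = best
    return alerts


def delete_protection_disabled(events) -> list:
    """(identity, bucket) pairs where versioning or MFA delete was turned off (assumed mapping)."""
    alerts = []
    for e in events:
        if e["eventName"] != "PutBucketVersioning":
            continue
        params = e.get("requestParameters", {})
        cfg = params.get("VersioningConfiguration", {})
        if cfg.get("Status") == "Suspended" or cfg.get("MfaDelete") == "Disabled":
            alerts.append((e["identity"], params["bucketName"]))
    return alerts


def haversine_km(a, b) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events, max_kmh: float = 900.0) -> list:
    """Consecutive logins by one identity whose implied speed exceeds `max_kmh`."""
    logins: dict[str, list] = defaultdict(list)
    for e in events:
        if e["eventName"] == "ConsoleLogin":
            logins[e["identity"]].append((e["time"], e["geo"]))
    alerts = []
    for ident, seq in logins.items():
        seq.sort(key=lambda x: x[0])
        for (t1, g1), (t2, g2) in zip(seq, seq[1:]):
            km = haversine_km(g1, g2)
            hours = (t2 - t1).total_seconds() / 3600
            kmh = math.inf if hours == 0 else km / hours   # same-second logins from two places
            if kmh > max_kmh:
                alerts.append({"identity": ident, "km": round(km), "kmh": round(kmh), "from": g1, "to": g2})
    return alerts


def run_detections(events) -> dict:
    return {"mass_download": mass_downloads(events),
            "delete_protection_disabled": delete_protection_disabled(events),
            "impossible_travel": impossible_travel(events)}


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(name, hits)
```

On the constructed data the serverless role trips both the mass-download and the delete-protection detections within the same hour, which is exactly the kind of correlation the attack chain above calls for; bob's cross-country logins eight hours apart stay below the speed threshold, while alice's New York to London pair in thirty minutes does not. In production the thresholds should be tuned per identity type (a backup role legitimately reads thousands of objects) and the geo lookup replaced with a real IP-to-location source.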
What’s particularly telling about today’s alert landscape is the shift away from traditional cloud security posture management (CSPM). Once the foundation of cloud security, CSPM focused heavily on configurations—flagging misaligned settings and internet-facing exposures. That approach made sense during the early cloud adoption years.
But now, as runtime threats take center stage, the landscape has evolved. Nearly all of the top high- and medium-severity cloud alerts in 2024 happened during runtime—not from misconfigurations.
Upwind founder and CEO Amiram Shachar explained this shift by reflecting on the three waves of cloud security. The first wave, he noted, emerged when Palo Alto began acquiring startups to build CSPM tools—designed to analyze static configurations and spot vulnerabilities.
The second wave, spearheaded by startups like Wiz, introduced visually rich dashboards and added deeper vulnerability context. These tools helped prioritize real risks over noise—flagging only those configuration issues that actually posed a threat, such as those exposed to the internet or tied to high-privilege roles.
Now, we’ve entered a third wave. According to Shachar, “What people want today is real-time visibility—understanding how APIs talk to each other, how apps behave during execution. That’s where the real risk lives.”
He emphasized that runtime security has become the new frontier, where attacks can unfold dynamically and elude detection by traditional CSPM tools. Shachar himself had just been reading on his phone about a newly disclosed runtime vulnerability in the Kubernetes ingress-nginx controller, “IngressNightmare,” minutes before speaking at Cybertech Global 2025.
In a world where cloud systems are always on and ever-evolving, static snapshots of risk just don’t cut it anymore. Organizations are now racing to keep pace with threats that unfold live, not later—because in the cloud, the danger is happening now.