01 Key takeaways

  1. Exposure time is the total number of hours a system stays reachable from a network that could host an attacker. It is one of the few cyber-risk variables you can actually measure and control.

  2. Plenty of “always on” assets don’t need to be. Backup repositories, ILO and iDRAC interfaces, IP cameras, vendor maintenance VPNs: all have legitimate use windows much shorter than 24/7.

  3. Cutting exposure time cuts the volume of opportunistic, scanning-driven attack activity an asset absorbs in roughly the same proportion, and that kind of activity is behind a large share of breaches.

  4. Hardware-enforced disconnection works whether or not your detection stack is configured perfectly.

02 Why “always online” became the default

Enterprise IT has spent two decades treating constant connectivity as a default. Servers, storage arrays, cameras, badge readers, backup repositories. Everything ends up on the network, all day, every day. The trade-off between connectivity and exposure rarely makes it into the conversation.

The math doesn’t favour that approach. Every extra hour a system stays reachable from a network that might host an attacker is another hour of exposure. And since most attacks today are automated, those hours add up in a way you can measure.

Exposure time describes the conditions that let a breach happen, not what happens afterwards.

03 What exposure time actually means

Exposure time is the total time a system, service, port or management interface stays reachable from a network where an attacker might live. You measure it per asset, usually in hours per week or as a percentage of uptime.

Three things it isn’t:

Window of exposure: the gap between a vulnerability going public and a patch going in. A patching metric.
Dwell time: how long an attacker stays inside before you notice.
MTTD and MTTR: response metrics. They describe what happens after something has gone wrong.

The first measures how quickly you close a known hole; the other two measure how you cope once someone is already in. None of them measures how long the asset was reachable in the first place. Exposure time describes that precondition: the breach could only happen because the asset was there to be reached.

04 How exposure time multiplies risk

Boil cyber risk down to its variables and you get something like this:

RISK ∝ ATTACK SURFACE × VULNERABILITY × EXPOSURE TIME

Attack surface and vulnerability get most of the attention. Closing ports, retiring services, patching: these are mature disciplines, with frameworks and vendor stacks behind them. Time gets very little attention, even though it is the variable that is easiest to change.

Most attacks against externally reachable systems aren’t targeted at you specifically. They come out of scanning infrastructure that sweeps the entire IPv4 space, round the clock. SANS Internet Storm Center honeypots see first brute-force attempts against exposed SSH or RDP within five to ten minutes of going online.

For this kind of opportunistic activity, the probability of being scanned in any given hour is roughly flat, so the number of hostile contacts you can expect scales with hours online. A system online 168 hours a week absorbs 168 hours of scanning. The same system online 8 hours a week, only during a backup job, absorbs 8 hours. The reduction in expected contacts is linear. Be precise about what that buys: a scanner that sweeps every few hours will still find an 8-hour window eventually, so against mass exploitation the gain is a much shorter overlap between the asset’s online hours and the disclosure-to-patch window, plus far fewer attempts to log and triage, not invisibility.

05 Three ways attackers benefit from your uptime

01 Opportunistic scanning & mass exploitation

When a serious vulnerability drops in a widely deployed product, the scanning crowd retools within hours. Log4Shell went from disclosure to mass exploitation the same day. MOVEit Transfer breached hundreds of organisations within days. Fortinet, Ivanti and Citrix appliance CVEs have, more than once, seen wide exploitation before defenders could finish patching. What separated victims from everyone else was usually one thing: whether the vulnerable box was reachable from the internet during the 24- to 72-hour window between disclosure and patch.

02 Lateral movement after the initial foothold

Once an attacker has a foothold, lateral movement depends on that foothold being able to reach the target. Backup repositories, domain controllers and management interfaces are favourite second-stop targets — almost always reachable from compromised workstations. A backup repository reachable 24 hours a day gives the attacker 24 hours a day to wreck it. A repository reachable only during a 4-hour nightly window forces them to either time the operation precisely, or wait.

03 Persistent command and control

Most post-exploitation tooling needs an outbound channel back to the attacker. C2 beacons run on a periodic schedule, with minutes or hours between callbacks, and expect continuous outbound connectivity. Scheduled outbound disconnection breaks those sessions — even when the windows are short — and re-establishment tends to look more anomalous than steady-state beaconing. The attacker has to spend more effort keeping persistence alive.

06 Why traditional defences don’t cut exposure time

Most security controls reduce attack surface or improve detection. Few of them touch exposure time itself.

Firewalls: filter traffic. They don’t disconnect anything.
WAFs: protect specific applications. They have nothing to say about the management plane.
EDR / XDR: are detection tools. They need the attack to start before they can do their job.
Zero trust: improves identity-based access decisions. The asset, or the broker fronting it, stays reachable at the network layer for every hour it is up, so a valid credential is still enough to get to it.
Segmentation: limits how far an attacker moves once inside. Segmented assets stay reachable from their own permitted networks, around the clock.

All of these are useful. Many are necessary. None of them touch the time variable.

07 The case for hardware-enforced, time-based isolation

Physically disconnecting an asset when nobody’s using it sits in a different category. You’re not mitigating reachability. You’re eliminating it for the duration of the disconnect.

Three things make hardware-enforced disconnection different:

No misconfiguration surface: a physical break can’t be bypassed by a bad firewall rule or a routing mistake.
Nothing on the network to exploit: if the switching mechanism is controlled out-of-band, over a separate cellular channel, there is no in-band path an attacker can use to influence the disconnect state. The control channel then becomes the thing to protect: commands over it need to be authenticated, and its event log needs to be reviewed.
Auditable in physical terms: every connect and disconnect is a discrete event you can log, timestamp and review, and compare against the schedule the asset was supposed to follow.

That’s the operating principle behind AirgapNet’s AGN1 and AGN2 devices: a patented network switch driven by an independent GSM channel, with support for manual, scheduled and event-triggered disconnection.

The cable is open or closed. There is nothing to misconfigure.

08 Where exposure-time reduction pays off


Public-facing systems are intentionally out of scope.

Asset class                  Time actually needed online      Typical exposure today   Possible reduction
Backup repository            2–6 h/day (backup window)        24 h/day                 88%
ILO / iDRAC / BMC            < 2 h/month (maintenance)        24/7                     99%
Vendor remote maintenance    Scheduled service appointments   Always-on VPN            99%
IP cameras (workplace)       Business hours only              24/7                     65%
Building automation / IoT    Business hours only              24/7                     65%
Dev & test environments      Business hours only              24/7                     65%

09 Putting “online when needed” into practice

A practical exposure-time reduction programme has three steps, and they are not complicated.

  1. Inventory and classify.

    List every asset and ask what its actual operational need for connectivity is. Many things are always-on by default, not by design. The default rarely gets re-examined.

  2. Pick an operating mode.

    For each candidate, decide whether disconnection should be manual (an admin triggers it), scheduled (cron-style time windows), or event-triggered (for example, disconnect after the backup job reports done).

  3. Run the control out of band.

    The channel that drives the switch should not share fate with the asset’s data plane. A cellular control channel means a compromise of the data network does not give the attacker any say in the disconnect state.

AirgapNet hardware supports all three modes out of the box. Connect and disconnect events are logged, which gives you the audit trail that NIS2, DORA and ISO 27001:2022 assessments increasingly ask for.
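To make the arithmetic of section 04 and the three operating modes of section 09 concrete, here is an added example, not AirgapNet’s code or firmware. It models a weekly connectivity schedule, computes the exposure hours and the percentage reduction the table above lists, contrasts expected scan contacts (linear in exposure time) with the probability of at least one contact (which saturates), and drives a simulated switch in scheduled and event-triggered mode while writing the connect/disconnect audit trail an auditor would recompute exposure from. The Window and Asset classes, the 01:00–05:00 backup window, the six-contacts-per-hour scan rate and the “backup_complete” event are assumptions constructed for illustration.

```python
# Added example, not AirgapNet's code or firmware: a model of exposure time under a
# scheduled, event-triggered disconnect, and the audit trail it leaves. The Window and
# Asset classes, the 01:00-05:00 backup window, the scan rate and the "backup_complete"
# event are assumptions constructed for illustration.
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

HOURS_PER_WEEK = 168

@dataclass(frozen=True)
class Window:
    """Weekly connectivity window: weekday 0=Mon..6=Sun, hours [start_hour, end_hour)."""
    weekday: int
    start_hour: int
    end_hour: int

    def contains(self, t: datetime) -> bool:
        return t.weekday() == self.weekday and self.start_hour <= t.hour < self.end_hour

def nightly(start=1, end=5):
    """Seven identical night windows, e.g. a backup window (assumed 01:00-05:00)."""
    return [Window(d, start, end) for d in range(7)]

def exposure_hours(windows):
    """Hours per week the schedule leaves the asset reachable."""
    return sum(w.end_hour - w.start_hour for w in windows)

def reduction(windows):
    """Fraction of 24/7 exposure the schedule removes (the table's last column)."""
    return 1 - exposure_hours(windows) / HOURS_PER_WEEK

def expected_contacts(rate_per_hour, hours):
    """Expected hostile contacts from flat-rate scanning: linear in exposure time."""
    return rate_per_hour * hours

def p_at_least_one(rate_per_hour, hours):
    """P(>=1 contact) under a Poisson model, 1 - exp(-rate*T); saturates fast."""
    return 1 - math.exp(-rate_per_hour * hours)

@dataclass
class Asset:
    """An asset behind the switch: a schedule plus an event-driven early cut-off."""
    windows: list
    connected: bool = False
    hold_until: Optional[datetime] = None       # set by an event-triggered disconnect
    events: list = field(default_factory=list)  # audit trail: (timestamp, action, reason)

    def _set(self, now, state, reason):
        if state != self.connected:              # only transitions are logged
            self.connected = state
            self.events.append((now, "connect" if state else "disconnect", reason))

    def tick(self, now):
        """Scheduled mode: follow the windows unless an event already closed this one."""
        held = self.hold_until is not None and now < self.hold_until
        self._set(now, any(w.contains(now) for w in self.windows) and not held, "schedule")

    def on_event(self, now, event):
        """Event-triggered mode: job done, cut the link and stay dark until the window ends."""
        if event == "backup_complete" and self.connected:
            w = next(w for w in self.windows if w.contains(now))
            midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
            self.hold_until = midnight + timedelta(hours=w.end_hour)
            self._set(now, False, event)

def audited_hours(events, until):
    """Recompute actual exposure from the connect/disconnect log, as an auditor would."""
    total, open_since = timedelta(), None
    for ts, action, _ in events:
        if action == "connect":
            open_since = ts
        elif open_since is not None:
            total, open_since = total + (ts - open_since), None
    if open_since is not None:                   # still connected at end of period
        total += until - open_since
    return total.total_seconds() / 3600

def simulate_week(asset, start, triggered):
    """Hourly ticks over one week; `triggered` maps a datetime to an event name."""
    now = start
    for _ in range(HOURS_PER_WEEK):
        asset.tick(now)
        if now in triggered:
            asset.on_event(now, triggered[now])
        now += timedelta(hours=1)
    return audited_hours(asset.events, now)

def demo():
    """Backup repository on the nightly window; Tuesday's job finishes two hours early."""
    monday = datetime(2024, 1, 1)                # a Monday, 00:00
    repo = Asset(nightly())
    early = {monday + timedelta(days=1, hours=3): "backup_complete"}
    hours = simulate_week(repo, monday, early)
    return {
        "scheduled_hours": exposure_hours(repo.windows),   # 28 h/week instead of 168
        "audited_hours": hours,                            # 26: one window cut short
        "reduction": round(reduction(repo.windows), 3),    # 0.833
        "events": len(repo.events),                        # 14 logged transitions
        "early_cuts": [r for _, a, r in repo.events if a == "disconnect" and r != "schedule"],
    }

if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The `hold_until` marker is what stops the scheduler from reconnecting an asset at the next tick after an event-triggered disconnect; without it the two modes fight each other. And `audited_hours` deliberately works only from the event log, not from the schedule, because the control you want to verify is the one that actually happened: a log that shows more connected hours than the schedule allows is the finding.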

10 Three common objections

“We need 24/7 monitoring on everything.”

For production-facing systems, yes. For backup repositories and management interfaces, no. A backup repository doesn’t need monitoring while it’s offline; it’s offline by design. Most of the monitoring value comes from active hours anyway, which are exactly the hours when the asset is connected. What does need watching is the disconnect state itself: an asset that answers on the network during hours its schedule says it should be dark is a finding, and the switch’s event log is where you catch it.

“Automation will break.”

Most modern backup, monitoring and management platforms can be configured around a fixed connectivity window. Veeam, Acronis, Veritas, Synology and the rest already run jobs against scheduled backup windows, and IPMI and BMC tooling has always assumed intermittent reachability. The practical check is that the window covers the job’s run time plus its retries, and that ad-hoc work outside the window (an unscheduled restore, an emergency firmware update) has a manual connect path with its own log entry.

“This isn’t a real air gap if it reconnects.”

Correct. It’s not a traditional air gap. It’s a controlled exposure window — a different security primitive, addressing the threats that actually drive most breaches: opportunistic scanning, ransomware backup targeting, vendor supply chain compromise. At a fraction of the cost of permanent isolation.

11 Closing thought

Cyber risk reduces to three measurable variables: attack surface, vulnerability and time. The industry has built mature disciplines around the first two. The third gets very little attention, which is strange, because it’s the one you can change most easily.

Hardware-enforced, time-based disconnection cuts the exposure time for assets that don’t need to be reachable round the clock. AGN1 and AGN2 work alongside your existing security stack, not in place of it. They work without needing perfect configuration or perfect detection.

Ready to cut your exposure time?

AGN1 — deploy it in an afternoon, audit it in physical terms.

Patented, GSM-controlled network switch. Physically disconnect any Ethernet asset on a schedule or on demand. Works alongside your firewall and backup stack.

Related articles

The companion article in this issue. Air Gap, Reinvented: From Permanent Isolation to Time-Based Disconnection