13-minute read May 14 2026

Bring out your dead: How agentic AI for cybersecurity helps you rid your cloud of forgotten, risky assets

Tenable Hexa AI eliminates “zombie” cloud infrastructure, helping you reduce risk and make a “killing” on cost reduction.

Key takeaways

  1. As AI accelerates cloud growth, zombie cloud assets multiply in your environment. You need agentic AI to prevent a cloud zombie apocalypse.
  2. Cloud assets no longer in production may seem harmless, but they expand your attack surface and can elevate your organization’s cyber risk.
  3. Every zombie asset is a line item. When cloud security reduces costs, it stops being a hard conversation and becomes a welcome budget meeting.
  4. Tenable Hexa AI acts as an agentic "zombie hunter" that finds and eliminates forgotten cloud assets, shrinking the attack surface and reducing costs and boosting cloud infrastructure security.

Picture the scene from “Monty Python and the Holy Grail”: a plague-ravaged village, a cart rolling through the mud, and a lone collector bellowing, "Bring out your dead!" Bodies piling up. Costs mounting. Nobody quite sure how it got this bad.

Your cloud environment isn't so different.

In the race to maintain engineering velocity, cloud environments have quietly become a sprawling graveyard for forgotten resources. We call them zombie assets: unused, unmanaged resources that just... sit there. Not alive. Not dead. Just lingering. Accruing cost. Expanding your attack surface. And waiting for an attacker patient enough to notice nobody's watching.

According to Tenable Research, 49% of cloud infrastructure currently sits idle and untracked, with neglected resources going unpatched for six months or longer. In addition to being budget leaks, these unused cloud assets are vulnerability goldmines for attackers. Here's the twist though: every zombie asset you kill puts money in your pocket.

So let's go hunting with Tenable Hexa AI.

The graveyard no one meant to build

Software engineering speed is the goal. It always has been. But it comes at a cost that rarely shows up in sprint reviews. Organizations are deploying ephemeral resources (containers, serverless functions, virtual machines) faster than they're retiring them. They get spun up for a sprint, a test, a proof of concept, and then quietly abandoned when the next priority arrives. This is how the zombie assets pile up: with a forgotten checkbox and a billing cycle that keeps running.

Knowing zombie assets are out there is one thing. Finding them across AWS, Azure, and Google Cloud Platform (GCP) is another. This is where Tenable Hexa AI transforms the game from periodic audits to a continuous, active bounty-hunting operation. This isn’t a chatbot! Tenable Hexa AI is an agentic AI engine built into the Tenable One platform that moves organizations from conversation to execution by automatically performing complex security tasks. It leverages the Tenable Exposure Data Fabric to interpret user intent and deliver finished results.


With one click from anywhere in the Tenable One Cloud Exposure interface, you open Tenable Hexa AI. From there, you describe what you're after in plain language, and Tenable Hexa AI does something most AI tools don't: it automatically builds the query for you inside the “Explorer”, Tenable's unified data model query tool. You can see exactly what it constructed, manipulate it, refine it, and save it as a standing policy your team can run again and again. Your query history is preserved, your investigations are traceable, and when your organization is ready, those findings can trigger automations you've approved and trust.


Think of it this way: Tenable Hexa AI is the zombie hunter. Explorer is the map that shows you where the zombies are. And the query it builds? That's your standing order to be on a continuous hunt.


Let's walk through what that looks like in practice, step by step, or watch our guided demo.

Step 1: Find the dangling keys, orphaned public IPs

The scene: You decommission a server. The team celebrates shipping the new version. But the public IP that pointed at that server? It's still out there, still associated with your DNS records and security whitelists, attached to nothing, watched by no one. We call these dangling IPs. They're the cloud equivalent of leaving your company's official stationery and a set of master keys on a park bench. Someone will find them. And they won't call you when they do.

How Tenable Hexa AI finds them: You tell Tenable Hexa AI what you're looking for in plain language, and it automagically builds an Explorer query that finds every AWS Elastic IP, Azure Public IP, or GCP External IP with no network interface, no running instance, and no attached resource to justify its existence. The logic is visible, editable, and ready to save as policy the moment you've confirmed the results. What you get back is a complete list of open doors in your environment that nobody is standing behind.

The bounty: Each unneeded Elastic IP costs roughly $3.60/month. Across a large, fast-moving environment, orphaned IPs silently drain thousands annually for infrastructure that's actively making you less secure.

Step 2: The gate with no guard, load balancers without listeners

The scene: A load balancer without a listener is a high-tech security gate with no guard and no intercom. It's physically there. It's on your bill. But it isn't directing traffic, isn't protecting anything, and isn't being monitored, which means it's muddying your security audits while quietly running up a tab. It seems safe because it isn't active. That's exactly what makes it dangerous. Assumptions of safety are how the dead multiply.

How Tenable Hexa AI finds them: Describe the scenario and Tenable Hexa AI builds an Explorer query that sweeps every load balancer across your environment for a single condition: no listener attached. A load balancer listener is the configuration that tells the balancer what to do with incoming traffic. No listener means no purpose. The query Tenable Hexa AI constructs is immediately reviewable, so your team can validate the logic, adjust thresholds if needed, and lock it in as a standing policy that flags every ghost gate going forward.


The bounty: In AWS, an application load balancer without a listener runs $15 to $20/month. Find a hundred across your accounts and you've just recovered $20,000 in annual spend, with zero security value lost in the process.

Step 3: Frozen in time, stopped compute instances

The scene: Think of an orphaned compute instance like a house that was temporarily closed up after a renovation. The utilities are still on, the locks haven't been changed, and the last occupant left in a hurry. Nobody lives there. Nobody checks on it. But the bills keep coming, and anyone who tries the door finds it easier to get into than the house next door.

Stopped virtual machines account for a large portion of unpatched workloads across typical organizations, frozen at whatever vulnerability state they were in when someone hit "stop." If an attacker breaches one, they inherit the IAM role or service account attached to it. Since nobody is logging in, nobody notices.

How Tenable Hexa AI finds them: Tell Tenable Hexa AI you want stopped instances that have been idle beyond a set threshold and still have volumes attached. It builds the Explorer query with the right filters already in place: stop time thresholds (90 days for AWS EC2, as few as seven days for Azure deallocated machines), state conditions, and volume attachment status. Your team can review the query, tune those parameters to match your environment's specific retention standards, and save it as a policy that runs continuously. The machine isn't just idle; it's sitting on data, and now you know exactly which ones.

The bounty: A stopped instance still accrues Amazon Elastic Block Store (EBS) storage charges. A fleet of abandoned instances, common in organizations scaling fast, can represent significant and immediately recoverable spend before you've even addressed the security exposure.

Step 4: Paying rent on junk, dated snapshots

The scene: A snapshot is meant to be a time capsule, a point-in-time backup you can restore from if something goes wrong. But most organizations have thousands of snapshots that are years old, attached to nothing, and serving no documented recovery purpose. It's like owning a massive storage unit filled with boxes you haven't opened in five years. You're paying rent on junk. And some of those boxes might contain hazardous materials.

In the cloud, snapshots are the hidden cost leader and one of the most overlooked sources of data exfiltration risk. Old snapshots often contain configuration files, credentials, and customer data from systems that no longer exist in their current form.

How Tenable Hexa AI finds them: Describe your retention concern and Tenable Hexa AI builds an Explorer query that surfaces every snapshot older than your specified threshold across AWS EBS, Azure, and GCP Compute simultaneously. The results come back organized and actionable.

Once your team reviews the query and confirms it aligns with your backup retention policy, save it. From that point forward, it's a standing policy: anything older than your threshold that isn't tied to a legal hold gets flagged automatically. It is no longer a useful asset but rather a liability with a storage invoice.

The bounty: Snapshot costs compound silently. Organizations running their first real cleanup pass frequently discover tens of thousands of dollars in recoverable spend, sometimes more, from snapshots alone.

Step 5: The unmonitored goldmine, unattached volumes

The scene: This is the one that should keep your security team up at night. An unattached volume is a disk full of real data that's no longer on the radar of any of your security tools. Because it isn't "live" (not attached to a running OS), your EDR and antivirus are blind to it. No monitoring. No alerts. No tripwires.

An attacker with basic storage permissions doesn't need to breach your running servers. They can snapshot the unattached volume, export it to their own account, mount it in their environment, and browse your configuration files, API keys, and customer records at their leisure. No alerts fired. No logs written on your side. No noise.

How Tenable Hexa AI finds them: Tenable Hexa AI builds an Explorer query that maps every storage volume with no running instance attached to it. In AWS that means EBS volumes with no EC2 instance. In Azure, Managed Disks with no Virtual Machine. In GCP, Compute Disks with no VM instance. Review the query, confirm the logic, and save it as policy. What you're left with is a continuously maintained inventory of every unmonitored data blob in your environment, surfaced before an attacker finds it first. The reality is stark: if a volume isn't attached to a live operating system, your EDR can't hunt there.

The bounty: Unattached EBS volumes run $0.08 to $0.10 per GB/month. A single forgotten 1TB database volume costs nearly $100/month to store. The financial case writes itself. The security case is even more urgent.

Step 6: The empty control plane, K8s clusters without nodes

The scene: A Kubernetes cluster without nodes is a management layer with nothing to manage. It's like building a fully staffed air traffic control tower for an airport with no runways. The infrastructure exists. The overhead exists. The attack surface exists. The planes do not. It seems dormant, and therefore safe. But that's precisely the assumption that lets these resources accumulate unnoticed: each one a cost center and a compliance headache waiting to be discovered by the wrong person first.

How Tenable Hexa AI finds them: Tenable Hexa AI constructs an Explorer query built around absence: every cluster with no node group and no hosted virtual machines. For AWS EKS and GCP GKE alike, the query surfaces every empty control plane in your environment. Review it, tune it to your standards, and save it as a policy. Clusters that were stood up, never fully provisioned, and never cleaned up are no longer invisible. The context makes the risk visible in a way a raw inventory list never could.

The bounty: An empty EKS control plane carries a flat cluster fee of roughly $73/month before a single workload runs on it. In environments scaling fast across multiple teams, these accumulate quietly. A handful of abandoned clusters found and removed can represent meaningful recovered spend before you’ve even counted the security benefits. 
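As an added example (not Tenable's code and not the Explorer query language), the following Python applies the six conditions from Steps 1 to 6 to a constructed, boto3-shaped AWS inventory and attaches a monthly estimate using the post's own low-end cost figures. The inventory values and resource names are made up, and the snapshot per-GB rate is an assumption the post does not state.

```python
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 14, tzinfo=timezone.utc)  # fixed clock so the sweep is reproducible
STOP_RE = re.compile(r"\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT\)")  # EC2 StateTransitionReason stamp
# Low-end monthly figures quoted in the post; the snapshot $/GB rate is an assumption, not from the post.
RATES = {"eip": 3.60, "alb": 15.0, "ebs_gb": 0.08, "eks": 73.0, "snap_gb": 0.05}
# Constructed inventory shaped like boto3 describe_* / eks list_nodegroups output. All values are made up.
INVENTORY = {
    "addresses": [{"PublicIp": "203.0.113.10", "AssociationId": "eipassoc-1"}, {"PublicIp": "203.0.113.11"}],
    "load_balancers": [{"LoadBalancerName": "web-alb", "Listeners": [{"Port": 443}]},
                       {"LoadBalancerName": "NetLoadBalancer", "Listeners": []}],
    "instances": [{"InstanceId": "i-build", "State": {"Name": "stopped"},
                   "StateTransitionReason": "User initiated (2026-01-02 09:00:00 GMT)",
                   "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-a"}}]},
                  {"InstanceId": "i-fresh", "State": {"Name": "stopped"},
                   "StateTransitionReason": "User initiated (2026-05-01 09:00:00 GMT)",
                   "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-b"}}]}],
    "snapshots": [{"SnapshotId": "snap-old", "StartTime": NOW - timedelta(days=400), "VolumeSize": 100}],
    "volumes": [{"VolumeId": "vol-db", "State": "available", "Size": 1000},  # attached to nothing
                {"VolumeId": "vol-a", "State": "in-use", "Size": 200},
                {"VolumeId": "vol-b", "State": "in-use", "Size": 50}],
    "clusters": [{"name": "ci-sandbox", "nodegroups": []}, {"name": "prod", "nodegroups": ["ng-1"]}],
}

def sweep(inv, stop_days=90, snapshot_days=365):  # -> [(category, resource id, estimated $/month)]
    size = {v["VolumeId"]: v["Size"] for v in inv["volumes"]}  # size lives on the volume, not the mapping
    found = []
    for a in inv["addresses"]:                                 # Step 1: EIP with no association
        if not a.get("AssociationId"):
            found.append(("dangling_ip", a["PublicIp"], RATES["eip"]))
    for lb in inv["load_balancers"]:                           # Step 2: no listener, no purpose
        if not lb["Listeners"]:
            found.append(("idle_lb", lb["LoadBalancerName"], RATES["alb"]))
    for i in inv["instances"]:                                 # Step 3: stopped past threshold, disks still attached
        m = STOP_RE.search(i.get("StateTransitionReason", ""))
        vols = [b["Ebs"]["VolumeId"] for b in i["BlockDeviceMappings"]]
        if i["State"]["Name"] == "stopped" and m and vols:
            stopped = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if (NOW - stopped).days >= stop_days:
                found.append(("stopped_instance", i["InstanceId"], sum(size[v] for v in vols) * RATES["ebs_gb"]))
    for s in inv["snapshots"]:                                 # Step 4: older than the retention threshold
        if (NOW - s["StartTime"]).days >= snapshot_days:
            found.append(("stale_snapshot", s["SnapshotId"], s["VolumeSize"] * RATES["snap_gb"]))
    for v in inv["volumes"]:                                   # Step 5: 'available' means no instance attached
        if v["State"] == "available":
            found.append(("unattached_volume", v["VolumeId"], v["Size"] * RATES["ebs_gb"]))
    for c in inv["clusters"]:                                  # Step 6: control plane with no node group
        if not c["nodegroups"]:
            found.append(("empty_cluster", c["name"], RATES["eks"]))
    return found

def monthly_waste(findings):
    return round(sum(cost for _, _, cost in findings), 2)
```

Against a live account the same predicates would be fed from describe_addresses, describe_listeners, describe_instances, describe_snapshots, describe_volumes and list_nodegroups; the thresholds mirror the ones the post suggests tuning per environment.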

One query. One bounty. Real numbers.

Here's where it gets good. Everything we just walked you through — five categories of zombie assets, spanning orphaned IPs, idle load balancers, stale snapshots, unattached volumes, and detached network interfaces — we ran against a real AWS environment. We didn't have to stitch together five separate searches after a week-long audit. All it took was one conversation with Tenable Hexa AI.

The cart came back very full!

In a single pass, Tenable Hexa AI surfaced 1,658 orphaned resources across the environment — an estimated monthly waste of $2,400 to more than $4,000. 

Resource Type (the zombie asset) | Count | Security Risk (the "Why") | Financial Waste (the "Bleed") | Real-World "Smoking Gun"
Unattached EBS Volumes | 476 | Unmonitored data blobs. No EDR or antivirus can see these. High risk for snapshot exfiltration. | $1,500 – $3,000+ /mo | Found across 6 regions; storage for data nobody has touched in years.
Unassociated Elastic IPs | 34 | Routable entry points. 34 unlocked doors that provide a footprint for reconnaissance. | ~$124 /mo | Billing at $3.65/mo per IP for literally nothing.
Idle Load Balancers (ALB/NLB) | 33 | Public attack surface. Publicly routable endpoints with zero backend value or monitoring. | ~$528 /mo | "NetLoadBalancer" – billing since 2020. Six years of charges for a gate with no road.
Stale EBS Snapshots | 185 | Cold storage exposure. Likely contains credentials or PII from decommissioned services. | ~$277 /mo | "debug-snapshot-deleteme" – still accruing charges despite the "deleteme" in the name.
Detached ENIs | 930 | Shadow infrastructure. Potential footholds for lateral movement and hidden IP hijacking. | ~$50 /mo | A massive subset carrying idle IPs, adding "hidden" costs to the bill.
TOTALS | 1,658 | High-probability attack path | Up to $3,979 /mo | ~$47,700 in annual waste.


Worth noting: these findings and analysis are from a Tenable demo environment. It is a controlled, relatively small footprint whose primary purpose is showing customers how Tenable works. It isn't a sprawling enterprise cloud built up over years of product launches, team reorganizations, departed engineers, and shifting infrastructure strategies.

Now imagine your environment. The resources spun up for a project that got cancelled in 2021. The test instances a team left running when they were absorbed into another org. The snapshots from a compliance audit that nobody remembered to retire. The load balancers from an architecture that was deprecated two product generations ago. Still quietly billing every month because nobody thought to look. Years of organizational memory loss, encoded in your cloud bill and your attack surface simultaneously.

The dead accumulate in real environments in ways a demo can only hint at. The cart Tenable Hexa AI fills in your environment won’t look like this one. It will almost certainly be much more bloated. 

This is more than a one-time cleanup: every query Tenable Hexa AI built is saved, reviewable, and running as a standing policy now. The next time a zombie asset tries to quietly take up residence in your environment, the next asset literally labeled "delete me" that never gets deleted, the next load balancer someone spins up for a test in 2026 and leaves billing… it doesn't get six months. It gets hunted, and marked for a proper burial.

One conversation. One cleaner, tighter, safer cloud environment. And a number you can actually take to the CFO.

Bring out your dead… and make them pay on the way out.

Part of a bigger picture

This hunt for zombie assets is part of our ongoing series where we showcase how Tenable Hexa AI handles the high-impact security tasks that traditionally break manual workflows. Identifying forgotten infrastructure is a major win for cloud security, but Tenable Hexa AI’s ability to bridge the gap between intelligence and action goes even further.

If you’re interested in seeing how Tenable Hexa AI tackles other critical challenges, check out our previous deep dives:

  • Neutralize supply chain threats: See how Tenable Hexa AI correlates third-party software components with your internal assets to stop threats, like supply chain attacks, in their tracks.
  • Orchestrate automated patching: Learn how to beat the "Mythos clock" by using custom agents to deploy patches the moment a vulnerability is validated.
  • Automate remediation assignment: Discover how to match CVEs to their specific asset owners in seconds, getting the right fix to the right person without the manual spreadsheet shuffle.

Each of these use cases demonstrates how moving from conversation to execution can fundamentally change your security posture.

Ready to clean up your cloud graveyard? Discover how Tenable Hexa AI transforms exposure intelligence into machine-speed risk reduction. Learn more here.
