// Alias Robotics · Cybersecurity SuperIntelligence · Álava 2026-06-09

PENTESTING
ÁLAVA

What one Cybersecurity SuperIntelligence observed when it turned its attention, in a single day, on 675 organizations sharing one regional technology ecosystem. Proof, not promises.

732 organizations 10,105 findings 624 critical 1 intelligence · 1 day
Request your own assessment → contact@aliasrobotics.com
scroll to descend ↓
🔎 Is a specific domain in scope? Company names and domains are intentionally omitted from this portrait. To check whether a domain was assessed, search the companion domain directory. Open the domain directory →
The observation

A whole ecosystem, mapped before lunch.

Traditional security assumes an attacker is scarce, one target at a time, days of effort, a human in the loop. A superintelligence dissolves that assumption. In the span of hours it enumerated, fingerprinted, cross-referenced and risk-ranked an entire cohort of organizations in the Parque Tecnológico de Álava and the wider Basque region: a gym chain, a national newspaper, aerospace suppliers, a battery startup, a materials-testing multinational, a medical-implant maker, a hotel chain, an engineering R&D division, an ERP vendor, and a public-sector agency. The findings below are not 675 isolated audits. They are a single, simultaneous portrait of a region's attack surface.

How was an entire region analyzed in a single day?
We pointed hundreds of AIs at Álava's entire digital footprint. In hours they surfaced thousands of security flaws. The intelligence is built at Alias Robotics, here in the Basque Country, and specialized in cybersecurity. Instead of reviewing companies one by one, we asked it to look inside all of them at once, over 200 organizations in a single day. We did this as security research: no personal data touched, nothing published that could be used to attack. But the cybercriminals out there can do exactly the same.
0
Organizations swept
one regional cohort
0
Security findings
incl. mapped CVEs
0
Critical exposures
across 367 organizations
0
Carrying live exposure
+112 offline · 22 hardened
The severity of the reality

Mostly survivable. Repeatedly not.

Across the cohort the intelligence catalogued every issue by severity. Critical exposures clustered where the oldest software met the most sensitive data, unencrypted logins, injection, identity-grade CORS.

So how is Álava doing on cybersecurity?
The conclusion is worrying: Álava, and the Basque Country at large, are not ready for the shift AI is forcing on cybersecurity. Of the 200+ companies we looked at, almost all have some door left open; very few are protected today. And we say today deliberately, security is not a product someone sells you, it is a process you must secure and review constantly. This is not one company's problem. It is widespread.
10,105
findings
The cohort

675 windows into the same weather.

Each card is one organization as the intelligence saw it: its sector, the state it was left in, and the shape of its exposure. The colored spine marks the most severe issue found.

All 732 Critical Legacy / EOL CORS Exposed secrets Exposed portal
The proof

Exposure, in its own words.

A superintelligence does not assert, it demonstrates. Below are representative exposures the sweep surfaced, shown as sanitized evidence. Reusable secrets, tokens and personal data are redacted; these are illustrations of class, not operational artifacts.

In plain terms, what happens to a company that gets hit?
Anything, and nothing good. Customer and employee data stolen. Systems locked and held for ransom. Production halted for days. Accounts drained, identities impersonated. For a small company an attack like this can mean closure. And this is only a first study on companies, what if it hits a hospital or a public administration? What if the stakes are our medical records, or a surgical robot stops in the middle of an operation?
█ redacted: keys, tokens, serials & PII are masked. Proof of class, not a handout.
The anatomy

The same wounds, again and again.

The intelligence did not find 675 unique problems. It found a handful of recurring failure patterns, spread across the cohort like a regional weather system. Counts below are organizations exhibiting each pattern.

2,500+ vulnerabilities, what does that actually mean?
A vulnerability is a security flaw, a weak point someone with bad intentions could slip through: outdated software nobody patched, a trivial password, a door left ajar by accident. We found more than 2,500 across Álava's companies. Not all are equally serious, but over a hundred are critical, the kind that does real damage if someone exploits it.
The asymmetry

Why this changes the math.

Every defender on this map planned for a human-paced adversary. None planned for one mind that could hold all 675 of them in working memory at once.

What is this new AI-driven intrusion scenario?
Until now an attacker was a person or a group, going target by target, days or weeks per company. AI breaks that rule: a single AI can watch hundreds of companies at once, without tiring, without forgetting. What used to be slow and expensive is now fast and cheap. Security no longer depends on each company alone, but on a whole territory's ability to detect and respond in time. That is why the public sector must invest, and do it with technology built and maintained here, not by renting foreign AI and handing our data to outside governments. What protects Álava must be produced in Álava.

What the intelligence brought

∞ parallelism
  • 675 targets enumerated, fingerprinted and cross-correlated in parallel, in one day.
  • Recognized a group-wide CORS flaw across an entire media group's network from a single host.
  • Mapped 44 plugin CVEs on one site and chained three into an unauthenticated RCE path.
  • Pivoted instantly: when a target was offline, it harvested partners and co-tenants instead.
  • Surfaced injection, IDOR and data-exposure risks across the cohort, methodically, without fatigue.

What the defenders left standing

2018-era stacks
  • End-of-life everything: PHP 5.6, 7.3, 7.4; Drupal 8; jQuery from 2013; WordPress plugins years stale.
  • Identity-grade CORS reflecting any origin with credentials on login and account endpoints.
  • Front doors ajar: exposed Plesk, Laravel, CMS and FortiGate SSL-VPN portals with no rate limiting.
  • Secrets in the open: API keys in client JS and DNS TXT records; plaintext HTTP logins; PII via IDOR.
  • One organization had patched, hardened and configured headers correctly. One.

A region's cyber-resilience is being measured against an adversary that never tires, never forgets, and sees all of you at once.

Why are AI hacking risks bigger now, and is it already happening?
One reason: speed and scale. An AI-equipped attacker can scan a whole territory in hours, find each company's weak point, and strike many at once. We proved it in under a day, for research. If we can do it, so can criminals, and they already are, worldwide. By the end of this year, the time from finding a vulnerability to exploiting it is expected to be one hour; by 2028, one minute. No human team can respond in a minute. That is why we research cybersecurity superintelligence.
🛡️
The control group. One organisation ran a fully-patched Sitefinity CMS, every tested Telerik & Sitefinity RCE mitigated, admin endpoints authenticated, HSTS/CSP/X-Frame-Options in place. The superintelligence swept it and found nothing. Of 675 organizations, only a handful, mostly SaaS-hosted, reached this bar. It is proof the gap is not unbridgeable, only unaddressed.
Your turn

See your own attack surface, first.

This is what one sweep found across a single region. Alias Robotics can point the same Cybersecurity SuperIntelligence at your estate, and hand you the findings before anyone else does.

What should the Basque Country do about it?
First, accept this is no longer solved company by company: it needs a territory-wide strategy, and investment now to build our own AI defenders. But not through technology centres, nor percentage-subsidized grants funnelled to the usual players: that model does not scale, and it leaves the Basque Country behind. Companies like Alias Robotics lead internationally; with backing, we can defend from home.
Request an assessment → contact@aliasrobotics.com