OpenClaw has reached roughly 500,000 internet-facing instances, nearly doubling from 230,000 in a single week, according to a live Censys check performed by Etay Maor, VP of Threat Intelligence at Cato Networks, during an exclusive VentureBeat interview at RSAC 2026. “The first week it came out, there were about 6,300 instances. Last week, I checked: 230,000 instances. Let’s check now… almost half a million,” Maor told VentureBeat.

The platform has no centralized kill switch, no enterprise management console, and no fleet-wide patching mechanism. When a compromise hits, individual administrators must update each instance manually. Most have not.

The BreachForums Listing

The consequences of that architecture played out on February 22. A threat actor using the handle “fluffyduck” posted a listing on BreachForums advertising root shell access to a U.K. CEO’s computer for $25,000 in Monero or Litecoin, according to Cato CTRL researcher Vitaly Simonovich, who documented the listing on February 25. The selling point was the CEO’s live OpenClaw instance, not the shell access itself.

The buyer would get every conversation the CEO had with the AI agent, the company’s full production database, Telegram bot tokens, Trading 212 API keys, and personal details the CEO had disclosed to the assistant about family and finances. The threat actor noted the CEO was actively interacting with OpenClaw in real time, making the listing a live intelligence feed rather than a static data dump.

The CEO’s OpenClaw instance stored everything in plain-text Markdown files under ~/.openclaw/workspace/ with no encryption at rest. “The CEO’s assistant can be your assistant if you buy access to this computer,” Maor told VentureBeat. “It’s an assistant for the attacker.”

The Attack Surface by the Numbers

VentureBeat compiled the current threat surface from multiple sources: Bitsight identified 30,000+ exposed instances with security risks during a scan window. SecurityScorecard found 15,200 instances exploitable via known remote code execution vulnerabilities. Three high-severity CVEs define the attack surface — CVE-2026-24763 (CVSS 8.8, command injection), CVE-2026-25157 (CVSS 7.7, OS command injection), and CVE-2026-25253 (CVSS 8.8, token exfiltration to full gateway compromise). All three have been patched, but with no centralized update mechanism, patch adoption is uneven.

CrowdStrike’s Falcon sensors now detect more than 1,800 distinct AI applications across its customer fleet, generating around 160 million unique instances on enterprise endpoints, according to the VentureBeat report.

Ghost Agents and Missing Offboarding

Maor framed the visibility failure through the OODA loop during the RSAC interview. Most organizations cannot see which AI tools are running on their networks. Employees bring in productivity tools that become shadow AI. Organizations adopt tools, run pilots, lose interest, and move on — leaving agents running with credentials intact.

“We need an HR view of agents. Onboarding, monitoring, offboarding. If there’s no business justification? Removal,” Maor told VentureBeat. “We’re not left with any ghost agents on our network, because that’s already happening.”

Cisco’s Response

Cisco launched DefenseClaw at RSAC 2026, packaging Skills Scanner, MCP Scanner, AI BoM, and CodeGuard into an open-source framework running inside NVIDIA’s OpenShell runtime. Cisco President Jeetu Patel framed agents as “teenagers” in the VentureBeat interview: “Supremely intelligent, but they have no fear of consequence. The difference between delegating and trusted delegating of tasks to an agent… one of them leads to bankruptcy. The other one leads to market dominance.”

DefenseClaw addresses instance-level scanning. It does not address fleet-level governance or the kill switch gap.

Why This Matters for Builders

For solo operators and small teams running OpenClaw, the takeaway is operational: if your instance is internet-facing, it is findable. If it stores credentials in plaintext, those credentials are one compromise away from BreachForums. The platform’s architecture assumes every operator is their own security team. At 500,000 instances, that assumption is failing at scale.