Many organizations facing a data-security incident struggle to understand how or why their organization was targeted in an attack. Most simply believe they are too small or too obscure to be targeted by malicious cyber actors. Even larger, well-known businesses are lulled into complacency, mistaking years without a major security incident as evidence that their business is an unlikely target, or believing that a small corner of their business, perhaps the new cloud instance they’re testing, will go unnoticed. They reason that with bigger or more prominent fish in the ocean, their relative obscurity is a strong line of defense. But this reasoning misunderstands how victims of cyber attacks typically become victims, and how easy it is for attackers to find and compromise vulnerable targets across the internet. While some victims are targeted for a specific purpose, especially by nation-state actors, many are not. More often they are opportunistic victims or victims of collateral damage directed at others. Understanding how attackers target victims is critical to proper network defense and to accurately assessing an organization’s risk scenarios.