Most attackers do not begin by choosing a victim personally.
They begin by looking for weakness.
Outdated software, exposed admin paths, risky modules, weak configurations, leaked files, missing controls, and known vulnerable surfaces all create visible signals.
These signals make a system easier to discover, easier to scan, and easier to classify as a soft target.
Once a soft target is identified, it may not remain private. It can be added to target lists, shared across groups, reused by automated tools, and attacked repeatedly by different people.
That is why defensive security is not only about surviving a single attack.
It is about keeping visible weaknesses under control before they become easy opportunities.
The objective is not to win every battle.
The objective is to build and maintain a system that is well-managed, well-controlled, and consistently difficult to compromise.