@GossiTheDog 1) 3000 is not a big number on the Internet (quality matters though) 2) This is an overestimation because not all keys are useful (as the captured text also implies)

I haven't touched ASP.NET for a while, but I'd risk to say that app configuration also affects exploitability as i) not all apps rely on signed ViewState (IIRC) ii) deserialization gadgets are not universal.

These are of course solvable problems, but still need to be taken into account for risk assessment.