Trend Report: Most Cyber Incidents Not Caused by Innovative Attacks, but by Neglected Maintenance
Published by
WINMAG Pro Editorial Team
Thu, 26 February 2026, 07:05

Jurjen Harskamp, CEO of Hunt & Hackett, is concerned: "Our trend report shows that well-known and relatively simple attack techniques can already have a significant impact on organizations. This is while the complexity of threats is increasing rapidly. Attacks are becoming more sophisticated and harder to detect. This means that many organizations are structurally lagging behind reality. New laws and regulations help, but do little to change that fundamental gap. Without a serious catch-up in resilience, there is a good chance that we will see more incidents in the coming years, not fewer."

Known Techniques, Predictable Gaps

The data shows that attackers primarily exploit weaknesses in identity security (such as stolen login credentials), unpatched vulnerabilities in internet-facing systems, and long-standing vulnerabilities caused by accumulated, neglected IT maintenance.

In most cases, the techniques used were already well known, extensively documented, and detectable with the right controls. Yet, it proves difficult for organizations in complex IT environments to implement and maintain those controls structurally and at scale.

As Harskamp explains: "In large organizations with complex IT and OT environments, it is anything but simple to keep everything secure. Over time, vulnerabilities accumulate due to legacy systems, embedded components, and complex dependencies that are often only partially understood. Because systems are layered and interconnected, resolving one vulnerability can have repercussions elsewhere. Attackers take advantage of these gaps and delays."

In addition to the known techniques, the attack surface is also expanding. Beyond exploitation of the growing attack surface and of neglected maintenance, the focus is also shifting to identity-based attacks and the use of generative AI. It is becoming increasingly difficult for organizations to prevent or detect attacks.

Financial Motive Biggest Concern

Of all incident response cases that Hunt & Hackett handled in 2025, 71 percent were financially motivated. Ransomware was the most common (43%), followed by email fraud (29%). Access was often gained via vulnerable remote services, edge devices, or the use of stolen login credentials.

In 86 percent of the incident response cases, incomplete logging and monitoring hindered detection. Missing audit logs, limited log retention, or systems that fell outside the security perimeter gave attackers room to enter unnoticed.

Cloud environments, devices with direct internet access, and dependencies on suppliers increase the attack surface. Successful attacks are primarily made possible by the lack of prevention, visibility, and control; truly innovative techniques play (for now) a smaller role.

Structural Problem, Not a Lack of Knowledge

In the majority of incidents, basic conditions for prevention, effective detection, and investigation were lacking. Think of sufficient log retention, consistent monitoring, and tested response plans.

Ronald Prins, co-founder of Hunt & Hackett: "We have been talking for years about solving 'low-hanging fruit'. The problem is not a lack of awareness, but a lack of execution power. Many organizations implement security tools and assume that they will catch everything, but effective protection requires visibility over the entire attack path, not just more and more separate tools."

Organizations are investing heavily in tooling, but underestimate how essential governance, maintenance, and continuous control are to make that tooling work effectively.

Digital Sovereignty Starts with Control

The report places these findings in the broader context of increasing dependence on cloud platforms and external suppliers.

According to Hunt & Hackett, digital sovereignty is fundamentally not about the physical location of data, but about control and insight. Without reliable visibility into what is happening within systems and networks, effective detection and response remain limited. Therefore, the first step is to gain visibility into security data independent of the cloud platform so that alerts and insights are verifiable.

What Organizations Can Do Now

The report identifies four priorities that directly reduce risk:

  1. Strengthen identity security: Limit excessive access rights, protect administrator accounts, and enforce strong multi-factor authentication.
  2. Limit exposure: Patch internet-facing systems quickly and remove unnecessary services from the public internet.
  3. Increase visibility: Ensure that critical systems generate security logs, actively monitor them, and retain them long enough (preferably independent of the cloud platform) for incident investigation, proactive detection, and threat hunting.
  4. Test response: Practice incident response scenarios and ensure that forensic evidence can be secured quickly.

About the Trend Report 2026

The 2026 Hunt & Hackett Trend Report is based on operational data from the Security Operations Center and the Incident Response Team in the Netherlands, supplemented with insights from external experts. The report provides a practice-driven view of how cyber attacks actually develop and where structural vulnerabilities persist. The report further explores how geopolitical tensions, shared methods of hacktivists, states, and cybercriminals, and our digital sovereignty affect cybersecurity in the Netherlands.
