Most cyber incidents are not caused by innovative attacks, but by overdue maintenance

Hunt & Hackett Trend Report 2026 reveals the impact of cyber hygiene shortcomings based on 54,000 incident analyses in 2025. Of all incident response cases, 71 percent were financially motivated. Ransomware was most common (43%), followed by email fraud (29%). In 86 percent of incident response cases, incomplete logging and monitoring hindered detection.

The Hague, [24 February 2026] – Cyberattacks rarely succeed because criminals use innovative techniques; instead, they succeed because organizations fail to maintain fundamental cyber hygiene. Outdated IT systems, weak identity security, and insufficient monitoring are among the real underlying causes. These findings come from the 2026 Hunt & Hackett Trend Report, based on 54,400 SOC and IR incident analyses conducted in 2025.

Jurjen Harskamp, CEO of Hunt & Hackett, expresses concern: “Our trend report shows that organizations already struggle to defend against well-known attack techniques, even as threats grow rapidly. Attacks are becoming more advanced and harder to detect. This means many organizations are structurally lagging behind reality. New regulations help, but they do little to close that fundamental gap. Without a serious effort to improve resilience, we are likely to see more incidents in the coming years, not fewer.”

Familiar techniques, predictable weaknesses

The data shows that attackers mainly exploit weaknesses in identity security, such as stolen login credentials, together with unpatched vulnerabilities in internet-facing systems and long-standing issues caused by neglected IT maintenance.

In most cases, the techniques used were already well-known, extensively documented, and detectable with the right controls. Yet in complex IT environments, organizations often struggle to implement and maintain these controls consistently and at scale.

As Harskamp explains: “In large organizations with complex IT and OT environments, keeping everything secure is anything but easy. Over time, vulnerabilities accumulate due to legacy systems, embedded components, and complex dependencies that are often only partially understood. Because systems are layered and interconnected, resolving one vulnerability can have consequences elsewhere. Attackers exploit these gaps and delays.”

Beyond these familiar techniques, the attacker’s toolkit is expanding. In addition to exploiting a growing attack surface and outdated systems, attackers increasingly focus on identity-based attacks and the use of generative AI. This makes it even more difficult for organizations to prevent or detect attacks.

Financial motive is the largest concern

Of all incident response cases handled by Hunt & Hackett in 2025, 71 percent had a financial motive. Ransomware was the most common type of attack (43%), followed by email fraud (29%). Attackers often gained access through vulnerable remote services, edge devices, or the use of stolen login credentials.

In 86 percent of incident response cases, detection was hindered by incomplete logging and monitoring. Missing audit logs, limited log retention, or systems outside the security scope left room for attackers to operate unnoticed. Cloud environments, internet-facing devices, and supplier dependencies all expand the attack surface. Successful attacks are primarily made possible by a lack of prevention, visibility, and control—while truly innovative attack techniques play a smaller role (for now).

A structural problem, not a lack of knowledge

In the majority of incidents, essential prerequisites for prevention, detection, and investigation were missing. These include adequate log retention, consistent monitoring, and tested response plans.

Ronald Prins, co-founder of Hunt & Hackett, explains: “We’ve been talking for years about eliminating the ‘low-hanging fruit.’ The problem isn’t a lack of awareness, but a lack of execution power. Many organizations implement security tools and assume they will catch everything, but effective protection requires visibility across the entire attack path—not just more standalone tools.”

Organizations invest heavily in tools, but underestimate how critical governance, maintenance, and continuous validation are to making these tools effective.

Digital sovereignty starts with control

The report places its findings in the broader context of growing dependence on cloud platforms and external suppliers. According to Hunt & Hackett, digital sovereignty is fundamentally not about the physical location of data, but about control and insight. Without reliable visibility into what is happening within systems and networks, effective detection and response remain limited. The first step is therefore gaining visibility into security data independent of the cloud platform, ensuring alerts and insights can be verified.
