Cybercriminals set sights on identities

Eye Security’s 2026 State of Incident Response Report shows that cyberattacks on companies are increasingly going undetected, and the damage occurs within minutes. According to the report, attackers are now focusing less on hacking systems and more on exploiting existing access points.

Identity-based attacks dominate the field, with passwords being involved in 97% of incidents tracked by Eye Security. Abuse of legitimate accounts is a primary cause of cloud security incidents and drives the business of initial access brokers.

However, the study’s results show that attackers’ fundamental methods remain unchanged. “Even in 2026, compromise will still begin with phishing, exploiting misconfigured or vulnerable internet-enabled systems, social engineering, or attacks via the software supply chain,” explains Lodi Hensen, VP of security operations at Eye Security.

BEC attacks are particularly common

Business email compromise (BEC) is the most common form of attack, according to the study: More than 70% of incidents fall into this category. In 40% of these cases, phishing served as the initial point of entry. Analysts say that BEC attacks can remain undetected for weeks without continuous monitoring.

Furthermore, the study highlights that ransomware remains one of the biggest threats. “The proliferation of Ransomware-as-a-Service (RaaS), BuilderLeaks, and access broker marketplaces has lowered the barriers to entry and created a professional ecosystem,” the authors explain.

The report reveals a dangerous trend: the commercialization of insider knowledge. “Groups like ShinyHunters are actively recruiting employees to buy access credentials. This blurs the line between external attacks and insider threats,” the security researchers explain. “For ransomware actors, this purchased access is often faster and more reliable than technical hacking.”

Companies in the industrial, construction, and transport and logistics sectors are particularly affected. Many ransomware attackers exploit everyday vulnerabilities: unprotected applications, insecure remote access, or phishing emails through which employees unknowingly disclose login credentials. The analysis evaluated a total of 630 security incidents in Europe from 2023 to 2025.