0invader

Cybersecurity & Forensics Pulse · Q2 2026

April 18, 2026

Our quarterly read on the threat actors that stayed busy, the sectors taking the heaviest fire, and the unglamorous defensive habits that actually held the line through Q2.

The first half of 2026 has been less about novel exploits and more about discipline — on both sides. Attackers are industrialising what already works; defenders who invested in fundamentals are seeing the payoff. Here is what we saw across our incident-response and monitoring engagements this quarter.

Who stayed active

Ransomware-as-a-service affiliates remain the dominant commercial threat, but the model has fragmented. Smaller crews now lease tooling, split proceeds, and rotate infrastructure faster than enforcement can map them. Initial access brokers continue to feed the pipeline, and the price of a valid corporate credential pair has fallen — a direct consequence of credential phishing scaling through automation.

State-aligned activity skewed toward quiet persistence rather than disruption: living-off-the-land techniques, dormant footholds in edge devices, and patient lateral movement. The goal was access and optionality, not noise.

Sector trends

  • Manufacturing and logistics absorbed the most ransomware pressure — flat networks and operational-technology fragility make downtime expensive and recovery slow.
  • Healthcare and public bodies remained heavily targeted; legacy systems and tight budgets are a persistent mismatch against a professionalised adversary.
  • Professional services (legal, accounting, advisory) saw a rise in business-email-compromise tied to invoice and mandate fraud.

What held

The defensive measures that consistently blunted intrusions were not exotic. Phishing-resistant multi-factor authentication stopped the majority of credential-replay attempts. Tested, segmented, offline backups turned several would-be catastrophes into bounded recovery exercises. And organisations with rehearsed incident playbooks contained faster — measured in hours, not days.

The gap between organisations that drilled their response and those that improvised it was, again, the single clearest predictor of how badly an incident hurt.

Patch latency on internet-facing systems remains the recurring weak point. Most of the intrusions we investigated this quarter exploited a vulnerability that had a fix available — often for weeks. The lesson is unchanged but worth repeating: exposure management and rapid patching of perimeter assets beat almost any downstream control.

Our recommendation for Q3 is to resist the urge to buy more tooling and instead pressure-test what you already own. Run a tabletop exercise. Confirm your backups restore. Verify MFA coverage has no quiet exceptions. The threats evolving fastest are still being defeated by basics applied consistently.
