Eye Security analysed 630 anonymised cybersecurity incidents across Europe between January 2023 and November 2025, drawing insights into detection, dwell time, root causes, and operational outcomes. From ransomware to business email compromise, the incident data shows how threat actors exploit trust, time, and technology, and how Managed Detection and Response (MDR) changes the outcome.
At a glance: the numbers behind breaches
-
Manufacturing and Industry (18.6%), Real Estate and Construction (12.1%), and Transportation and Logistics (10.3%) make up over 40% of all incidents.
-
Business email compromise (BEC) accounted for 70% of all incidents.
-
Phishing, spearphishing, and social engineering combined account for 33% of all incidents.
-
In MDR-enabled environments, incidents are resolved up to 90% faster, with BEC dwell time dropping from 24 days (about 3 and a half weeks) to under 24 minutes.
-
Ransomware negotiation was conducted in 70% of cases, with only 27% leading to payments. Average ransom demand was $613k.
Manufacturing, construction, and logistics remain the region’s cyber pressure points
Across the 2023–2025 period, the three sectors collectively represented over 40% of all recorded incidents. The manufacturing sector on its own accounted for 18.6%, approximately one in five cases. This concentration highlights its role as a critical economic function and its heightened susceptibility to targeted phishing and other initial-access vectors.
Real estate and construction (12.1%) emerged as an unexpected hotspot, presumably driven by rapid digitalisation, remote project management, and fragmented subcontractor ecosystems that expand attack surfaces. Business email compromise (BEC) represented the primary initial access vector in this case. Transportation and logistics (10.3%) followed closely, with threat actors exploiting the sector’s role in supply chains. Here, again, we see phishing/spearphishing as the predominant entry points.
At the same time, retail, finance, and healthcare continue to attract financially motivated threat actors. Retail and consumer goods (8.9%), financial services (8.1%), and healthcare (7.0%) all saw a surge in business email compromise.
How much time incidents require: hours invested in incident handling
Between January 2023 and November 2025, Eye Security handled 630 cybersecurity incidents, requiring a combined 4,647 hours (about 6 and a half months) of investigation, containment, and recovery work. In 2025 alone, the team managed 306 incidents, compared to 225 in 2024 and 99 in 2023, reflecting both a growing customer base and an expanding operational footprint.
The largest number of hours per incident over the reporting period was spent on ransomware, with MDR customers primarily facing ransomware attacks due to Shadow AI or unmonitored infrastructure. Whereas clients operating in MDR-enabled environments spent an average of 39 hours (about 3 days) handling an end-to-end ransomware incident, non-MDR external clients had to factor in an average 71 hours (about 6 days) per incident.
Business Email Compromise, the second most common case type over the reporting period, required an average of 19 hours per incident for non-MDR customers. In contrast, MDR clients affected by BEC only spent an average of two hours per case. This represents a reduction of nearly 90% in time to resolution and is a direct reflection of the efficiency gains made possible through 24/7 monitoring, automated escalation, and immediate response.
Time threat actors remained undetected in company networks
Image 1. The numbers show significant reduction in time-to-resolution and dwell time with MDR in place
During the period January 2023 – November 2025, Business Email Compromise (BEC) and ransomware incidents showed the longest periods in which attackers remained undetected inside company networks. The data also showed significant differences between organisations with MDR coverage and those without.
Business email compromise
Among customers without an MDR service in place, the median dwell time for a BEC incident, measured from initial compromise to detection, was 24 days (about 3 and a half weeks) and 12 hours (35,280 minutes) whereas those operating in MDR-enabled environments only saw median dwell times of 23.8 minutes.
The extended dwell times in non-MDR Business Email Compromise cases can be attributed to their reliance on human discovery mechanisms, such as the manual identification of anomalous payment requests.
This gap shows the massive impact of continuous monitoring, automated detection, and 24/7 human analysis for threats such as BEC, which often go unnoticed for weeks without MDR support.
Compromise assessment
In 38 compromise assessment incidents, the median dwell time for MDR clients was 39 minutes. This reflects the capability of the MDR service to rapidly flag anomalies before they evolve into full-scale breaches. Non-MDR customers, in contrast, recorded a median dwell time of 390 minutes (about 13 hours) across 24 incidents. While shorter than other categories such as BEC, this still highlights the lag inherent in manual detection and reactive response models.
Incident root causes: shifting to the trust perimeter
Image 2. Root cause investigations reveal a clear shift toward identity and trust-based attack vectors
Analysis of 630 incidents reveals that the majority of known compromises originated from human or relationship-driven vectors. The single largest root cause category was phishing. These findings reflect an evolution in attacker strategy. Rather than breaking in, threat actors are increasingly using legitimate credentials or pre-existing trust paths.
Since January 2025, Multi-Factor Authentication (MFA) has been bypassed in 62% of the cases, highlighting how easily attackers can exploit weak implementations, misconfigurations, or trusted sessions to gain access despite additional authentication layers.
Social engineering techniques included classic phishing, phishing via links, spearphising via attachment, and spearphishing via services. This demonstrates the scale at which attackers continue to exploit human behaviour and process gaps. Even as detection tools improve, many organisations lack the operational discipline to follow up effectively, that is, by monitoring, investigating, and responding to deviations after an initial alert. Without this continuous oversight, attacks can progress unnoticed, highlighting that resilience depends on disciplined, human-led processes alongside automated controls.
By contrast, vulnerability exploitation and public-facing application abuse were responsible for only about 5.5% of cases, with the majority originating from non-MDR clients. Whereas vulnerability exploitation is widely observed in external cases, the relatively low number at Eye Security’s customer base can be attributed to proactive attack surface scans, recommendations, and threat hunts regarding critical vulnerabilities.
As threat actors continue to weaponise relationships and workflows, resilience in 2026 depends on 24/7 monitoring, zero-trust access models, and proactive supply-chain validation.
The MDR advantage: speed as the ultimate defence
Since June 2025, Eye Security has systematically tracked detection categories across all managed incidents. During this period, the MDR service handled 127 incidents, with the overwhelming majority detected by SOC systems, raised and escalated through the standard workflow. Only a handful of incidents required human review or were affected by minor detection gaps. Four incidents did not match any existing detection rules at that time, leading to the threat being discovered by other means.
These numbers demonstrate that detection workflows are highly effective, automated, and reliable, with minimal operational risk. The data additionally highlights that the MDR approach consistently identifies threats early, ensuring rapid containment and minimal business impact.
Conclusion and outlook: shifting from reactive strategies to speed at scale
In 2026, cyber resilience means detecting threats at machine speed and containing impact at human scale.
“Identities must be hardened, anomalous activity must trigger immediate investigation, and alerts must be met with both automation and human expertise. Threat intelligence and 24/7 SOC operations remain strategic levers of resilience. AI, used wisely, becomes an amplifier. It gives defenders the same scale, speed, and adaptability that threat actors now wield, turning familiar points of entry into opportunities for early detection.”
—Lodi Hensen, VP of Security Operations
