CyberCX Hack Report uncovers top cyber weaknesses leaving organisations exposed
Melbourne, Australia – Tuesday 12 May, 2026
- One in three CyberCX security assessments uncovered a severe finding
- Artificial Intelligence (AI) systems contain higher rates of severe vulnerabilities
- Three in four social engineering penetration tests contained a severe finding
- Government outperforms non-government in areas like data security and privacy
CyberCX, part of Accenture, has released its Hack Report for 2026, revealing that around one in three security assessments the company performs contain at least one severe finding, which means that if a threat actor identified these vulnerabilities before CyberCX did, that organisation could have been hacked.
The Hack Report lifts the lid on the state of cyber vulnerabilities across the economy, drawing on over 70,000 findings from CyberCX’s Security Testing and Assurance (STA) practice, one of the largest private sector teams of offensive security experts in the world. The Report draws on insights and data from more than 7,500 engagements for over 1,400 customers over three years, providing a globally unique vantage point from which to view and understand the state of vulnerabilities in 2026.
The key findings in the report include:
- One in three security assessments uncovered a severe finding – The number of security assessments that have at least one severe finding dropped to 29% in 2025, down from 33% in 2023. While this downward trend is encouraging, it still means that one in three assessments are making findings that could result in an organisation being hacked. It is unlikely these improvements are outpacing the rate at which threat actors are increasing their capabilities.
- AI systems contain higher rates of severe vulnerabilities – Half of all penetration tests of AI applications within an organisation contained at least one severe finding, which is almost double the rate of web application penetration tests (the most common penetration test). This likely reflects the pace at which organisations are adopting and deploying AI tools and systems without the security governance and controls present for other technologies and underscores the importance of a secure AI approach.
- Three in four social engineering penetration tests contained a severe finding – As organisations harden their technical defences, attackers will look for other ways in. Social engineering penetration tests – which focus on human interaction rather than software vulnerabilities – found a severe vulnerability 77% of the time, demonstrating that defenders need to look beyond just technical fixes.
- Industries that use operational technology (OT) and heavy machinery have higher rates of severe findings – All industries and organisations face unique challenges. Manufacturing and construction, healthcare, and logistics and transport had the highest rates of severe findings, while communications, media and technology, and financial services and insurance had the lowest rates. This likely indicates a reliance on legacy systems that are harder to secure and upgrade.
- Government outperforms non-government sector on data security and privacy – When comparing the government and non-government sectors against a base rate of severe findings, government organisations are 9.4% less likely to have severe findings related to data security and privacy, compared to non-government which is almost 2% above the base rate. This likely reflects better defined and enforced government data handling and privacy policies.
Elsewhere, adversary simulation exercises – which seek to emulate real-world threats – doubled as organisations seek to measure and improve their detection and response capabilities. Findings with a root cause in Application Security (AppSec) rose sharply, while other major categories trended downwards.
Liam O’Shannessy, Executive Director, Security Testing & Assurance, CyberCX, said: “The Hack Report paints a picture of cyber maturity that is slowly improving for defenders, but is being rapidly outpaced by the scale of threats from attackers who are creative, determined and are out-innovating defenders.
“Organisations are adopting AI systems faster than they can secure them. While AI can enhance capability and efficiency for organisations of all shapes and sizes, insecure adoption also introduces cyber risks. Half of the penetration tests we performed on AI systems and tools last year uncovered severe findings, which is about double the rate of our standard web application penetration tests.
“Added to this, the threat of cyber criminals using AI tools to find and exploit vulnerabilities looms ever larger. Social engineering penetration tests – which focus on human interaction rather than software vulnerabilities – found a severe vulnerability in 77% of tests. Through deepfakes, voice phishing and other techniques, AI in the hands of threat actors is actively turbocharging the effectiveness of social engineering attacks. This is a reminder that as organisations harden their technical defences, attackers will target other vulnerabilities.
“By sharing insights from more than 7,500 CyberCX offensive security engagements, our hope is that defenders and security teams will come away better informed on where to focus their efforts and limited security resources to protect their organisations against a growing number of threats in a fast-evolving risk landscape.”
About CyberCX
CyberCX, part of Accenture, is the leading provider of end-to-end cyber security and cloud services across New Zealand and Australia. With a workforce of 1,400 cyber security professionals, CyberCX is a trusted partner to private and public sector organisations, helping customers confidently manage cyber risk, respond to incidents, and build resilience in an increasingly complex and challenging threat environment.
