Technical Debt Is Worth Gold to Cybercriminals

Sander Hulsman
24 June 2026

Rebecca Lumley and Tom Moester (Hunt & Hackett) at Cybersec Netherlands 2026

For years, technical debt was primarily viewed as an internal IT issue. Legacy systems that needed to survive for a few more years. Outdated software components that would not be replaced anytime soon. Cloud environments that expanded faster than the governance around them. And dependencies that nobody fully understands or even knows where they reside.

This development is exactly what will be discussed on September 9 and 10 at Cybersec Netherlands 2026, where Tom Moester and Rebecca Lumley of Hunt & Hackett will deliver the day-two keynote, “The painful cost of ‘we’ll fix it later’: how cybercriminals exploit technical debt for profit.” Their central argument is that technical debt is no longer merely an operational or governance challenge. In an increasingly digital economy, it has become an attractive business opportunity for cybercriminals who systematically target organizations where years of deferred maintenance have expanded the attack surface.

At a time when organizations are under pressure to accelerate digital transformation, technical debt is often seen as an unavoidable byproduct of innovation. However, a growing number of cybersecurity experts argue that this legacy requires a different perspective. Technical debt is no longer just an operational problem—it has become a profitable asset for cybercriminals.

From Vulnerability to Business Model

While traditional security programs often focus on individual vulnerabilities, increasing attention is being paid to the underlying factors that make systems attractive to attackers. The risk is not a single missing patch, but rather the accumulation of outdated technology, insufficient visibility into dependencies, and postponed modernization efforts.

This is visible across virtually every layer of digital infrastructure. Organizations now manage a mix of on-premises systems, multiple cloud platforms, SaaS services, OT environments, edge devices, and AI integrations. At the same time, software supply chains continue to grow in complexity. A single application may depend on hundreds of external components and open-source libraries. The result is an ever-expanding attack surface where technical debt can accumulate unnoticed for years.

The Professionalization of Cybercrime

A second trend is accelerating the problem: cybercrime is becoming increasingly professionalized. Attackers now frequently operate according to specialized business models, with different groups responsible for specific stages of an attack.

One of the most important players in this ecosystem is the so-called Initial Access Broker (IAB). These actors focus exclusively on identifying vulnerable organizations and gaining access to their systems. That access is then sold to ransomware groups or other criminal networks.

In this market, technical debt carries direct economic value. Outdated systems, poorly managed cloud environments, and forgotten digital assets provide a relatively inexpensive way to gain entry into organizations.

AI Accelerates the Hunt

The rise of artificial intelligence is also reshaping the threat landscape. Security teams increasingly rely on AI for detection and analysis, but the same technology can be leveraged by attackers.

Researchers are observing a growing trend toward the automated identification of vulnerable systems. This allows cybercriminals to select potential targets faster and at greater scale. Not every vulnerability needs to be exploited immediately. Instead, the focus is on identifying environments where multiple forms of technical debt converge, creating new attack paths and opportunities.

Gaining Insight into Digital Resilience

For executives and security leaders, this means that traditional vulnerability management programs may no longer be sufficient. After all, a high CVSS score does not necessarily indicate which systems are genuinely attractive to an attacker.

As a result, organizations increasingly require a broader approach—one that evaluates not only individual vulnerabilities, but also the underlying technical debt, dependencies, and potential attack chains. The central question is shifting from “Which threat actor poses a risk?” to “Which parts of our environment make us attractive to attackers?”

A Cyber Resilience Strategy

This shift is at the heart of the keynote “The painful cost of ‘we’ll fix it later’: how cybercriminals exploit technical debt for profit” at Cybersec Netherlands 2026. During their presentation, Tom Moester and Rebecca Lumley will demonstrate how cybercriminals increasingly view technical debt as an economically exploitable asset. They will explore the growth of specialized cybercriminal markets, the role of AI in identifying vulnerable targets, and how organizations can address technical debt as a core component of their cyber resilience strategy.

For organizations looking to strengthen their digital resilience, this discussion goes far beyond patch management alone. Because those who continue to view technical debt merely as overdue IT maintenance risk finding that cybercriminals are ultimately the ones collecting the bill.

Register for free for Cybersec Netherlands 2026

As cyber attacks continue to threaten today’s tech landscape, this event is the premier platform for seasoned cybersecurity professionals and innovative start-ups to exchange knowledge and tackle cybersecurity challenges together. Organizations across all sectors will discover strategies to boost cyber resilience and safeguard critical assets. Don’t miss this chance to strengthen your cyber defenses: register for free now!