Trend Micro keeps an eye on today’s and tomorrow’s threats

During the Trend Micro World Tour held in Rotterdam, the diversity of the security company’s offering became clear once more. However, we wanted to know how the various disciplines within Trend Micro coalesce. With up-to-date incident response and future-oriented threat research, the company covers two very distinct areas of the security landscape. What does this mean for Trend Micro and for organizations?

At Trend Micro, there’s a close cooperation between the incident response (IR) team and the forward-looking threat team. Rense Buijen, Head of Global Incident Response, Red Team & Dedicated Intelligence Research, emphasizes the importance of knowing about the kinds of cyber threats looming on the horizon. For the IR team, this provides valuable context for current threats. Conversely, the opposite flow of information enables the team led by Feike Hacquebord, Principal Threat Researcher, to conduct more targeted investigations.

Despite the overlap, there is a clear division of tasks. Buijen explains: “Feike and his team are working on tomorrow’s threats.” However, Hacquebord’s team is not only concerned with the distant future; peering five years ahead is an eternity in the security sector. The next six months, for example, are more feasible to predict. Hacquebord explains: “Sometimes, attacks are already taking place in certain sectors, but they have yet to venture out.” By discovering early on that certain attack methods or tactics are coming into vogue in specific industries or regions, Trend Micro can protect organizations elsewhere.

A forward-looking view of cyber threats

Russia habitually acts as one of these canaries in the coal mine and is known for being a cyberattack innovation hub, “if you can call it that,” as Hacquebord describes it. This also applies to the business model of cybercriminals, which is constantly evolving and learning a lot from legitimate industries. Consider the phenomena of dark web marketplaces, specializations, and Bring-Your-Own-Malware. This notion of Russian innovation, by the way, is a long-standing tradition. It was already visible in the initial emergence of ransomware years ago, according to Hacquebord.

To gain insight into future threats, Trend Micro carefully studies criminal circuits. The company applies strict boundaries, though. “Our policy is that we never pay [criminals]. We also do not hack.” Hacking in the public interest is reserved for law enforcement agencies, and doing so is only allowed in specific cases. However, Trend Micro does work with legitimate organizations that collect useful data from the digital underworld. Although they must also comply with the law, they may delve deeper into the dark web than Trend Micro does. The company also relies on leaks from criminal groups, which often provide valuable information. Fortunately, these collectives have a habit of arguing among themselves (and splintering off as a result). For example, it was discovered that the notorious Black Basta gang considers Trend Micro a formidable opponent: “That’s nice to read. But we only found out after someone leaked the chat logs.”

In addition to underground communications, Trend Micro intensively analyzes internet traffic for indicators of threats. This in-depth monitoring requires significant investment. Hacquebord notes that information gathered may only prove relevant years down the line. An illustrative example dates back to 2015, when Trend Micro warned about the large amounts of drivers’ data being collected by car manufacturers. It was only years later that Mozilla published a scorecard criticizing various brands for collecting personal data without permission. This raises the question: is Trend Micro that far ahead of the curve, or is the rest of the world simply slow to react?

Unique information position

It is strategically wise to keep an eye on Trend Micro’s researchers’ predictions about future threats. Few organizations offer comparable insights. Thanks to substantial investments and a global presence, the company has what Buijen calls a “generous information position.” This results in in-depth knowledge of state actors, cybercriminals, and new developments across the entire cyber landscape. This expertise forms the basis for Trend Micro’s products and services, as well as their overarching expertise.

Buijen notes that ransomware remains dominant in the overall landscape, but is additionally showing new developments in 2025. There is an increase in intimidation tactics to increase the pressure to pay a ransom. Attackers call employees, send threatening emails, and leak personal data (i.e. ‘doxxing’). This adds another mental dimension to an already stressful ransomware incident, which escalates it from being a business problem to a personal one as well. These new tactics cause considerable psychological pressure on victims, on top of the financial damage, which averages around 5 million euros per affected organization.

DDoS attacks also remain popular. These are considered relatively simple, a characterization Buijen believes is justified even though some affected organizations refer to “advanced DDoS” methods. Ultimately, it is simply a matter of generating as much traffic as possible to bring systems down. This type of attack is regularly used as an additional means of pressure alongside ransomware.

Payments and prevention

Many victims ultimately choose to pay the ransom. Although the legality of such payments is sometimes unclear, it may be permissible in certain cases, for example after consultation with government agencies. Trend Micro refrains from negotiating with attackers: “We do not give advice,” explains Buijen. He acknowledges that the decision to pay or not to pay varies from situation to situation, as Trend Micro does not have full insight into the financial considerations of its customers. Some organizations even go bankrupt as a result of ransomware, and they might have stayed afloat by making the one-time payment. That is assuming the attackers don’t just take the money and run, though.

Trend Micro focuses primarily on limiting damage for customers and minimizing their downtime. Forensic information about stolen data is valuable, not only from a compliance perspective, but also to determine the severity of an attack. Based on this, an organization can decide for itself whether to pay. Buijen states: “That is really a business decision. It is not something we have a particular opinion about.” At any rate, Trend Micro’s greatest successes are difficult to quantify, because in those cases attacks are completely prevented or repelled.

Preventive approach

Trend Micro focuses on the early stages of cyber threats. By analyzing the technical nature of current attacks, insights are developed to avert future dangers. Nevertheless, completely preventing compromises remains a challenge. Phishing will always catch an employee at some point—a reality that organizations must take into account. “Awareness is crucial,” emphasizes Buijen.

Trend Micro strives to provide organizations with tools and resources to minimize risks. This is done with the understanding that cybercrime is all about opportunism, with the least protected organizations serving as the first targets. With every basic defense measure, an organization becomes a less attractive target for cybercriminals.

Distinguishing

It is an understatement to say that there are many security vendors. A few years ago, there were said to be around 3,500; this number has probably not decreased, or only slightly. Trend Micro needs to be able to distinguish itself from the competition. It does this through, among other things, its thorough research, which Buijen says is seen by others as industry-leading. Incidentally, we should not see this competition as a reason for conflict. According to Trend Micro, security researchers are friendly towards each other. Ultimately, they have the same goal, unlike the cyber threats they have to face.