From covert state-backed espionage to financially motivated cybercrime, from politically charged hacktivism to digital sabotage—threat actors targeting the Netherlands come in many forms, and their tactics are constantly evolving.

In this talk, the Cyber Threat Intelligence (CTI) team of the Dutch National Cyber Security Centre (NCSC) offers a rare behind-the-scenes look at how they investigate and analyze these threats in support of the Dutch government and critical infrastructure sectors.

Through real-world case studies, we’ll demonstrate how our team monitors, classifies, and contextualizes activity from a wide range of threat actors—including nation-states, cybercriminal groups, hacktivists, and actors with sabotage-related intents. You’ll see how this intelligence fuels key NCSC products like the CTI-Report and the quarterly Threat Landscape Analysis, which provide essential context and action-oriented insights to our partners.

We’ll also present Pharos for the first time: a powerful, in-house developed tool that continuously scans the internet for signs of malicious infrastructure. By leveraging sources like Censys, Shodan, and VirusTotal through custom queries, Pharos helps us identify suspicious IPs, domains, certificates, and more—before they’re used in active campaigns. We will explain how we leverage this type of intelligence, not only for ourselves but within a broader cybersecurity ecosystem.

Join us for a deep dive into the operational world of national CTI: where strategic intelligence meets technical investigation, and where safeguarding the digital security of the Netherlands is a daily mission.