Digital footprints compared: What we found across Dutch municipalities
Municipalities are the most citizen-facing part of government. They interact intensively with the public and are responsible for services that affect daily life: From civil records to housing, permits, social services, and beyond. When something breaks, it’s not just an IT issue. It impacts real people, real quick.
That makes their digital infrastructure more than just technical. It’s critical.
We’ve seen that municipal IT teams are often actively engaged with security. Still, despite good intentions and structured processes, our data shows clear blind spots – and they’re not minor.

Alright, But Why Compare Them?
In cybersecurity, raw numbers mean little in isolation. A vulnerability may sound alarming, but how common – or concerning – is it, really?
That’s where peer comparison comes in. It shows not just what exists, but how typical it is across similar organizations. It helps surface systemic weaknesses, identify outliers (good and bad), and add real-world context to security decision-making. Especially in government, where maturity levels and budgets vary widely, that context is essential.
Find Out What’s Under The (Attack) Surface
Most external scans stop at domains and open ports. We took it a step further. Our platform assessed ten critical elements of each municipality’s internet-facing infrastructure – all from the perspective of an outside attacker.
Absolutely, we looked at exposed domains, subdomains, and services. The basics, if you will. But we also mapped shadow assets: Forgotten systems that still respond online but sit outside most inventories. We included infrastructure geolocation, checked for leaked credentials, tracked phishing infrastructure, scanned for hardcoded secrets, and performed live vulnerability assessments.
In our experience, most organizations monitor only a handful of these areas, and usually only for their primary domain (e.g., gemeente-xyz.nl). Other assets (e.g., additional domains like werkbij-gemeente.nl, parkeren-gemeente.nl, or third-party integrations) go unnoticed, which leaves major parts of the attack surface unmonitored.
Going Beyond The Basics – What We’re Seeing So Far*
The full report will be released at the end of the month, but here are a few of our early findings:
- Major attack surface, for both small and big municipalities: Even small municipalities show sizeable attack surfaces: Multiple domains, dozens of subdomains, IP ranges, and exposed applications. The volume isn’t negligible, and every asset has to have some degree of security.
- Unnecessary exposure of ‘high-value targets’: Public admin portals (e.g., CMS backends, network management panels) are often online without clear business justification. These aren’t inherently wrong – but they are high-signal exposures.
- Outdated assets undeniably hurt your security: One example showed 32 high-to-critical vulnerabilities on a single exposed system – likely forgotten. This isn’t about blaming; it’s about visibility.
- Phishing infrastructure is a real thing: One municipality had 24 suspected phishing domains targeting it. Same name, slightly altered spelling. These don’t exist in your organizational reality. But they do in ours.
*note: Disclosure in accordance with our Responsible Disclosure Policy.
How Do You Stack Up?
We don’t just scan. We monitor, continuously. If you’re serious about managing exposure, automation is key. Our platform helps you see what attackers see and take action before they do.
We recently benchmarked the digital exposure of Dutch municipalities to discover what’s typical, what’s evolving, and where the smallest tweaks could have the biggest impact.
