Sophos' 2026 Active Adversary Report reveals that 67% of all incidents investigated last year were rooted in identity-related weaknesses. The report highlights a troubling trend whereby attackers increasingly exploit compromised credentials and weak multifactor authentication (MFA), often without introducing new tools or techniques.
Key findings from the report indicate a significant shift in tactics. Brute-force attacks (15.6%) are now nearly on par with exploitation (16%) as initial access vectors, and the median attacker dwell time has fallen to three days. This reduction reflects improved response efforts from defenders, particularly in Managed Detection and Response (MDR) environments. Notably, attackers can reach an organisation's Active Directory (AD) server in just 3.4 hours once they gain initial access.
The report also highlights that ransomware activity predominantly occurs outside regular business hours, with 88% of ransomware payloads and 65% of data exfiltration actions taking place during these off-hours. Compounding the challenges, cases in which telemetry was missing because of data-retention problems have doubled over the past year, hindering defence efforts.

“The most concerning finding in the report illustrates a long-standing issue: the dominance of identity-related root causes for successful initial access,” said John Shier, field CISO and lead author of the report. “Organisations must adopt a proactive approach to identity security to mitigate these risks.”
The report notes an increase in the number of active threat groups, with Akira (GOLD SAHARA) and Qilin (GOLD FEATHER) leading as the most prevalent ransomware brands. Across the dataset, 51 unique ransomware brands were observed, highlighting a vibrant and evolving threat landscape.
While predictions of AI transforming attacker behaviour have circulated widely, the report indicates that no significant shifts driven by AI have occurred this year. Generative AI has improved the sophistication of phishing attacks but has not yet led to fundamentally new attack techniques.
“AI may add scale and noise, but it won't replace attackers just yet,” Shier remarked. “Strong identity protection, reliable telemetry, and rapid response capabilities remain critical in defending against these threats.”
Based on the findings, Sophos advises organisations to:
- Deploy phishing-resistant MFA and regularly validate configurations.
- Minimise the exposure of identity infrastructure and internet-facing services.
- Rapidly patch known vulnerabilities, particularly on edge devices.
- Ensure continuous monitoring through MDR or equivalent capabilities.
- Preserve security logs for quick detection and investigation.
