Sophos on Tuesday released its 2026 Sophos Active Adversary Report, revealing that nearly two-thirds (67%) of cyber incidents investigated last year were rooted in identity-related attacks, underscoring how attackers increasingly exploit stolen credentials, weak authentication and poorly secured identity systems rather than novel exploits.
The findings are based on 661 incident response (IR) and managed detection and response (MDR) cases handled between November 2024 and October 2025 across 70 countries and 34 industries.
According to the report, attackers are shifting away from vulnerability exploitation toward credential abuse. Brute-force attacks accounted for 15.6% of initial access methods, nearly matching exploited vulnerabilities at 16%, highlighting the growing effectiveness of identity compromise as a low-effort entry point.
Once inside a network, attackers are moving faster than ever. The median dwell time fell to just three days, driven both by quicker attacker movement and faster detection by defenders, particularly in MDR-monitored environments. Sophos found that it takes attackers only 3.4 hours on average to reach Active Directory, a critical milestone that often enables broader compromise.
Ransomware activity continues to favour off-hours operations. The report shows that 88% of ransomware payloads and 79% of data exfiltration events occurred outside normal business hours, reinforcing the importance of round-the-clock monitoring.
Identity weaknesses remain widespread. Sophos found that multifactor authentication (MFA) was missing in 59% of incidents, significantly easing the abuse of stolen or brute-forced credentials. At the same time, missing or insufficient security logs doubled year-on-year, often due to short data retention defaults on firewall appliances—sometimes as low as 24 hours—undermining detection and investigation efforts.
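The report's three identity findings above (brute-forced credentials as an entry point, off-hours activity, and logins without MFA) translate directly into detection logic. The following is an added example, not code from Sophos or the report: a small detector that runs over a constructed set of authentication events and flags a successful login preceded by a burst of failures from the same source, noting whether it happened outside business hours and whether MFA was satisfied. The event format, the failure threshold, the 10-minute window and the 08:00-18:00 business-hour window are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not taken from the report or any
# real system). Fields: timestamp (UTC), source IP, user, outcome, MFA satisfied.
SAMPLE_EVENTS = [
    ("2025-03-04T02:11:05Z", "198.51.100.23", "jsmith", "fail", False),
    ("2025-03-04T02:11:09Z", "198.51.100.23", "jsmith", "fail", False),
    ("2025-03-04T02:11:14Z", "198.51.100.23", "jsmith", "fail", False),
    ("2025-03-04T02:11:20Z", "198.51.100.23", "jsmith", "fail", False),
    ("2025-03-04T02:11:27Z", "198.51.100.23", "jsmith", "fail", False),
    ("2025-03-04T02:11:33Z", "198.51.100.23", "jsmith", "success", False),
    ("2025-03-04T09:30:00Z", "203.0.113.7", "alee", "fail", False),
    ("2025-03-04T09:30:40Z", "203.0.113.7", "alee", "success", True),
    ("2025-03-04T21:05:00Z", "192.0.2.44", "svc-backup", "success", False),
]

# Assumed tuning values; a real deployment would calibrate these per environment.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
BUSINESS_START, BUSINESS_END = 8, 18  # assumed business hours, 08:00-18:00 UTC


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_off_hours(ts):
    # Weekend, or outside the assumed business-hour window.
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def detect_brute_force_logins(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per successful login that was preceded by at least
    `fail_threshold` failures from the same source IP inside `window`.
    Each alert records the failure count, whether the success fell outside
    business hours, and whether MFA was satisfied."""
    recent_fails = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for ts_str, src, user, outcome, mfa in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_str)
        q = recent_fails[src]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if outcome == "fail":
            q.append(ts)
            continue
        if len(q) >= fail_threshold:
            alerts.append({
                "source": src,
                "user": user,
                "time": ts_str,
                "preceding_failures": len(q),
                "off_hours": is_off_hours(ts),
                "mfa": mfa,
            })
        q.clear()  # a success resets the failure run for that source
    return alerts


def flag_offhours_no_mfa_logins(events):
    """Successful logins that were both off-hours and not MFA-protected,
    regardless of whether a failure burst preceded them."""
    return [
        {"source": src, "user": user, "time": ts_str}
        for ts_str, src, user, outcome, mfa in events
        if outcome == "success" and not mfa and is_off_hours(parse_ts(ts_str))
    ]


if __name__ == "__main__":
    for a in detect_brute_force_logins(SAMPLE_EVENTS):
        print("brute-force success:", a)
    for f in flag_offhours_no_mfa_logins(SAMPLE_EVENTS):
        print("off-hours login without MFA:", f)
```

On the constructed input, the detector raises one brute-force alert (jsmith, five failures then a success at 02:11 without MFA) and flags two off-hours logins that lacked MFA. Both checks depend on the authentication log actually being available for the window in question, which is the point of the report's note on short retention defaults: a detector like this cannot fire on events the appliance has already discarded.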
“The most concerning trend has been years in the making: identity has become the dominant root cause of successful attacks,” said John Shier, Field CISO at Sophos and lead author of the report. “Compromised credentials and phishing can’t be fixed with patching alone. Organizations need a proactive approach to identity security.”
The ransomware ecosystem is also becoming more fragmented. Sophos recorded the highest number of active threat groups in the report’s history, with 51 ransomware brands observed—24 of them new. Akira and Qilin were the most active groups, while only four ransomware families or techniques, including LockBit, have persisted continuously since 2020.
Despite industry concern, Sophos found no evidence of a major AI-driven transformation in attacker tactics. While AI has improved the scale and polish of phishing campaigns, it has not yet produced fundamentally new attack methods.
“AI is accelerating attacks, not reinventing them,” Shier said. “Right now, the basics still matter most—strong identity controls, reliable telemetry and rapid response.”
Based on the findings, Sophos recommends deploying phishing-resistant MFA, reducing exposure of identity infrastructure, patching edge systems promptly, ensuring 24/7 monitoring, and strengthening log retention to support faster detection and response.