2026 Active Adversary Report finds 67% of attacks stem from identity weaknesses as threat groups multiply worldwide
Sophos has released its 2026 Active Adversary Report, revealing that identity-based intrusions have become the dominant entry point for attackers, accounting for 67% of all incidents handled by Sophos Incident Response (IR) and Managed Detection and Response (MDR) teams over the past year. The findings underscore how credential theft, weak or missing MFA, and poorly secured identity systems are now the primary drivers of modern cyber breaches.
The report shows brute‑force attacks (15.6%) are now nearly on par with exploited vulnerabilities (16%) as initial access methods, signalling a shift away from technical exploits toward the abuse of valid credentials, a tactic that requires no new tools and is proving harder for organizations to detect.
Sophos also found that once inside a network, attackers are moving faster than ever. They reach an organization’s Active Directory server in just 3.4 hours, narrowing the window defenders have to respond. Median dwell time dropped to three days, driven by both attacker agility and quicker responses, particularly within MDR‑protected environments.
“The dominance of identity‑related root causes has been years in the making; organizations must take a proactive approach to identity security.”
— John Shier, Field CISO, Sophos
Ransomware operators continue to favour striking when defenders are offline, with 88% of payload deployments and 65% of data‑exfiltration actions occurring during non‑business hours. Meanwhile, incidents with missing logs (especially from firewalls, where default retention is often only seven days and in some cases just 24 hours) doubled compared to last year, hampering investigations.
The threat landscape is broadening as well. Sophos observed 51 ransomware brands, including 24 new entrants, with Akira and Qilin among the most active. Only four techniques (LockBit, MedusaLocker, Phobos, and abuse of BitLocker) have remained consistent since 2020.
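As an added illustration, not code from the Sophos report, of two patterns described above, credential abuse that follows a brute‑force burst and activity during non‑business hours, the following Python flags a run of failed logons from one source that ends in a success and any success outside an assumed business‑hours window. The log lines, thresholds and hours are constructed assumptions, and the one‑line syslog format is a stand‑in for whatever telemetry an organization actually retains.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in a syslog-like format (not real telemetry).
SAMPLE_LOG = """\
2026-03-07T02:11:04 auth sshd: Failed password for alice from 203.0.113.7
2026-03-07T02:11:09 auth sshd: Failed password for alice from 203.0.113.7
2026-03-07T02:11:15 auth sshd: Failed password for alice from 203.0.113.7
2026-03-07T02:11:22 auth sshd: Failed password for alice from 203.0.113.7
2026-03-07T02:11:31 auth sshd: Failed password for alice from 203.0.113.7
2026-03-07T02:11:40 auth sshd: Accepted password for alice from 203.0.113.7
2026-03-09T10:05:00 auth sshd: Accepted password for bob from 192.0.2.44
"""

FAIL_THRESHOLD = 5             # failures before a success counts as suspicious (assumed)
WINDOW = timedelta(minutes=10)  # sliding window for counting failures (assumed)
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local, Monday to Friday (assumed)

def parse_line(line):
    """Return (timestamp, outcome, user, src) or None for lines in another format."""
    parts = line.split()
    if len(parts) < 9 or parts[3] not in ("Failed", "Accepted"):
        return None
    return datetime.fromisoformat(parts[0]), parts[3], parts[6], parts[8]

def off_hours(ts):
    """True at weekends or outside business hours (the report's off-hours window)."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def analyze(log_text):
    """Return (kind, user, src, timestamp) findings, in log order."""
    findings = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, outcome, user, src = rec
        key = (user, src)
        failures[key] = [t for t in failures[key] if ts - t <= WINDOW]
        if outcome == "Failed":
            failures[key].append(ts)
            continue
        # A success right after a burst of failures: a guessed password, not an exploit.
        if len(failures[key]) >= FAIL_THRESHOLD:
            findings.append(("brute_force_success", user, src, ts))
        if off_hours(ts):
            findings.append(("off_hours_logon", user, src, ts))
        failures[key].clear()
    return findings
```

On the sample above, alice's success at 02:11 on a Saturday triggers both findings while bob's weekday morning logon triggers none.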
Despite speculation, the report found no significant shift to AI‑driven attack techniques. Generative AI is amplifying phishing speed and quality but has not fundamentally changed attacker tradecraft.
Sophos recommends organizations deploy phishing‑resistant MFA, reduce exposure of identity systems, patch edge devices quickly, strengthen telemetry retention, and ensure 24/7 monitoring through MDR.
