Sophos Active Adversary Report 2026 highlights rise in identity-led attacks and faster threat activity

Identity-related vulnerabilities accounted for the majority of cyber incidents investigated last year, according to the latest Sophos Active Adversary Report 2026. The report finds that 67% of security cases analysed by Sophos’ Incident Response (IR) and Managed Detection and Response (MDR) teams originated from compromised credentials, weak authentication controls or poorly secured identity systems.

The findings indicate a continued shift in attacker strategies, with threat actors increasingly relying on valid accounts rather than exploiting technical vulnerabilities. Compromised credentials, brute-force attempts and phishing campaigns remain among the most common entry points, often allowing attackers to bypass traditional perimeter defences.

Identity attacks and faster breach timelines

According to the report, brute-force activity accounted for 15.6% of initial access cases, nearly matching exploitation-based attacks at 16%. Attackers are also moving more quickly once inside networks, reaching Active Directory servers in an average of 3.4 hours after initial compromise.

Median dwell time – the period attackers remain undetected – dropped to three days, reflecting both faster attacker movement and improved defensive responses, particularly in organisations using managed detection services.

Ransomware activity continues to occur largely outside business hours. The report states that 88% of ransomware payload deployments and 79% of data exfiltration attempts took place during nights or weekends, underscoring the need for continuous monitoring.

Persistent MFA gaps and visibility challenges

Despite the growing focus on identity security, multifactor authentication was missing in 59% of the investigated incidents. Sophos researchers noted that attackers increasingly leverage legitimate credentials to maintain persistence and avoid detection.

Another recurring issue highlighted in the report is the lack of sufficient telemetry. Missing or limited log retention doubled year-on-year, often due to default configurations on firewall appliances that store data for as little as 24 hours to seven days, reducing investigators’ visibility during incident response.

Expanding ransomware landscape

The report recorded the highest number of active threat groups since Sophos began tracking adversary activity. Ransomware operations such as Akira and Qilin were among the most frequently observed, while a total of 51 ransomware brands appeared across analysed incidents.

Although established groups like LockBit remain active, law enforcement pressure has altered the ransomware ecosystem, resulting in the emergence of multiple new actors competing for prominence.

Limited impact of AI on attacker tactics

While generative AI has influenced phishing campaigns and social engineering tactics, the report found no evidence of a significant shift in core attack techniques driven by AI. Instead, traditional security fundamentals, including strong identity controls and effective monitoring, continue to play a central role in defence strategies.

Recommendations for organisations

Based on the findings, the report advises organisations to prioritise phishing-resistant MFA, reduce exposure of internet-facing identity infrastructure, maintain timely patching practices, ensure continuous monitoring capabilities, and improve log retention policies to support faster detection and investigation.

The Sophos Active Adversary Report 2026 analysed 661 IR and MDR cases between November 2024 and October 2025, covering organisations across 70 countries and 34 industry sectors.