The battle against identity-related cyber threats in 2026

Sophos’ latest report highlights the rise of identity-related cyberattacks, emphasising the need for robust identity security measures.

Friday, 6th March 2026, posted by Sophie Milburn

The recently released 2026 Sophos Active Adversary Report highlights a significant rise in identity-related cyber threats. The analysis indicates that 67% of cyber incidents investigated by Sophos teams last year involved identity compromises. The findings suggest attackers are increasingly relying on stolen credentials and environments without effective multi-factor authentication (MFA).

Key trends identified in the report show a shift from exploitation of vulnerabilities toward the use of compromised credentials. Brute-force activity accounted for 15.6% of initial access attempts, compared with 16% attributed to exploitation. The report also notes that the median dwell time has decreased to three days, reflecting both faster attacker activity and improved detection and response capabilities.

The report states that attackers were able to reach Active Directory (AD) servers within an average of 3.4 hours after gaining initial access to an organisation. It also finds that 88% of ransomware payloads were delivered outside of normal business hours, indicating the importance of continuous monitoring and response capabilities.

Telemetry gaps are identified as an ongoing challenge. Missing logs due to data retention limitations are reported to be increasing, partly because some firewall appliances retain logs only for limited periods. These gaps can impact visibility and incident investigation.

The report emphasises the need for stronger identity security measures, including phishing-resistant MFA and proper configuration of identity infrastructure. It notes that 59% of identified cases involved environments without MFA in place, highlighting a persistent vulnerability that attackers exploit.

The threat landscape continues to expand, with the report recording the highest number of active threat groups since its inception. Ransomware families such as Akira and Qilin are reported to be prominent in specific attacks, underscoring the importance of understanding attacker tactics, techniques, and procedures (TTPs).

Regarding artificial intelligence, the report finds no clear evidence that AI has fundamentally changed attacker behaviour. While AI tools may improve the efficiency of phishing campaigns, core attack methods remain focused on identity compromise, telemetry gaps, and response speed.

Based on these findings, recommended defensive measures include:
  • Implementing and validating robust MFA configurations
  • Limiting exposure of identity infrastructure to external threats
  • Addressing known vulnerabilities promptly
  • Ensuring continuous (24/7) monitoring of security environments
  • Maintaining comprehensive security logs to support detection and incident response
