Identity attacks lead as threat groups rise, ETCISO
Sophos’ 2026 Active Adversary Report reveals that 67% of incidents investigated by its Incident Response (IR) and Managed Detection and Response (MDR) teams were linked to identity-related attacks. These attacks exploited compromised credentials, weak or missing multifactor authentication (MFA), and poorly protected identity systems, often without the need for new tools or techniques.
The report highlights several trends, including a shift from exploiting vulnerabilities to using compromised credentials, with brute-force activity and exploitation methods contributing almost equally to initial access. Attackers are also moving faster within organizations, reaching Active Directory servers just 3.4 hours after breaching systems. Ransomware payloads and data exfiltration actions continue to occur mostly outside of business hours.
Vulnerabilities persist, but a key issue is the lack of MFA, which was missing in 59% of cases, allowing attackers to leverage stolen credentials. Sophos also observed an increase in the number of active threat groups, with Akira and Qilin being among the most active ransomware families.
While there has been a lot of hype around AI, the report found no major AI-driven transformation in attacker behavior, with generative AI mostly improving phishing and social engineering efforts rather than creating fundamentally new attack techniques.
To address these threats, Sophos recommends organizations deploy phishing-resistant MFA, reduce exposure of identity infrastructure, promptly patch known vulnerabilities, ensure 24/7 monitoring, and retain security logs to support rapid detection and investigation.