Sophos’ 2026 Active Adversary Report finds that identity-based attacks now account for 67% of major cyber incidents, driven by compromised credentials and weak MFA. The study shows attackers moving faster inside networks while defenders race to close growing visibility and identity security gaps.
MALAYSIA, 26 FEBRUARY 2026 – Sophos has released its 2026 Sophos Active Adversary Report, revealing that identity-related attacks were responsible for 67% of all cyber incidents investigated by its Incident Response (IR) and Managed Detection and Response (MDR) teams over the past year. The findings show attackers increasingly exploiting compromised credentials, weak or missing multifactor authentication (MFA), and poorly secured identity systems rather than relying on sophisticated new exploits.
The report highlights a notable shift in initial access methods, with brute-force attacks accounting for 15.6% of incidents, nearly matching exploitation of vulnerabilities at 16%. Once inside a network, attackers are moving faster than ever, taking just 3.4 hours on average to reach Active Directory servers. Median dwell time dropped to three days, driven by both accelerated attacker activity and quicker defensive responses, particularly in MDR-protected environments.
Ransomware activity continues to favor non-business hours, with 88% of ransomware payloads deployed outside standard working times and 79% of data exfiltration occurring during off-hours. Sophos also flagged a growing visibility gap: cases in which security logs were missing because of insufficient data retention doubled year-on-year, largely because firewall appliances retained logs for as little as seven days or, in some cases, just 24 hours.
Identity-based attacks such as credential theft, phishing, and brute-force attempts are accelerating, with 59% of incidents involving systems that lacked MFA. According to Sophos, attackers are leveraging valid accounts to bypass traditional perimeter defenses, underscoring the need for organizations to rethink identity security as a core pillar of cyber defense.
The report also recorded the highest number of active threat groups in its history, reflecting a more fragmented and competitive ransomware ecosystem. Akira and Qilin emerged as the most active ransomware brands, while 51 distinct ransomware groups were observed overall. Only a small number of brands and techniques, including LockBit and MedusaLocker, have remained consistently active since 2020.
Despite widespread concern over artificial intelligence transforming cybercrime, Sophos found no evidence of a major AI-driven shift in attacker tactics. While generative AI has improved the scale and sophistication of phishing and social engineering campaigns, it has yet to introduce fundamentally new attack techniques.
Based on its analysis, Sophos urges organizations to strengthen phishing-resistant MFA, reduce exposure of identity infrastructure, patch edge vulnerabilities promptly, ensure continuous monitoring, and retain security logs to support rapid detection and investigation. The report analyzed 661 IR and MDR cases across 70 countries and 34 industries between November 2024 and October 2025.
