For more than a decade, security teams have been told to harden the perimeter — patch faster, segment networks, deploy next-generation firewalls, monitor for malware. Sophos's 2026 Active Adversary Report [Sophos] makes a quietly devastating argument: that work is no longer where the breach is happening. After analyzing 661 incident response and managed detection cases handled between November 2024 and October 2025 across 70 countries and 34 industries, Sophos found that 67.32% of all root causes were identity-related — compromised credentials, brute-force activity against exposed services, and phishing that harvested both passwords and MFA tokens. Attackers, in the now-familiar phrase, are not breaking in. They are logging in.
For the leaders responsible for IT and security strategy, this changes the math. Identity has quietly become the production environment that everything else depends on — and most organizations are still defending it like a back-office concern.
✓ Key Takeaways
- 67.32% of incidents investigated by Sophos IR and MDR teams in 2024–2025 had an identity-related root cause — compromised credentials (42.06%), brute force (15.58%), and phishing (6.35%).
- 59% of cases lacked MFA or had a misconfigured implementation that attackers were able to bypass.
- Attackers now reach Active Directory in a median of 3.4 hours after gaining initial access — roughly 70% faster than in 2024.
- Akira ransomware appeared in 22.58% of ransomware cases; the top five brands accounted for 51% of deployments, and 88% of payloads detonated outside business hours.
- Only one verified case of generative AI use was confirmed across the entire dataset — a deepfake — suggesting the identity-first attack chain is succeeding without novel tooling.
The argument of the report is not that perimeter controls are obsolete. It is that the center of gravity has moved. Identity infrastructure — directories, federation, MFA, service accounts, session tokens — has become the most reliable path into mid-market environments because it is the layer organizations have invested in least consistently. The data that follows is the receipt for that imbalance, and it points to a different set of priorities for the next twelve months.
What the Report Actually Measured
The 2026 dataset is unusually large and unusually hands-on. Sophos's combined Incident Response and Managed Detection and Response teams investigated 661 cases in the reporting window, with 84% of the dataset coming from organizations under 1,000 employees [Sophos]. That sampling matters: it is not enterprise telemetry filtered through a SIEM, but post-incident forensic work where the analysts reconstructed exactly how each compromise began.
The findings are also industry-broad. Manufacturing led at 19.82% of cases, followed by financial services (8.93%), construction (8.62%), information technology (6.96%), and healthcare (6.35%). The pattern holds across all of them — identity attacks are the most common root cause regardless of vertical, regulatory regime, or geography. That uniformity is the strongest signal in the report. When a single class of failure dominates across 34 industries and 70 countries, the failure is not industry-specific. It is structural.
At a glance: 67.32% of root causes were identity-related; 59% of cases lacked or misconfigured MFA; 3.4 hours median time from access to Active Directory. Source: Sophos Active Adversary Report 2026 (n = 661 IR/MDR cases).
The Identity-First Attack Chain
When Sophos broke down the 67.32% identity figure, the distribution itself was instructive. Compromised credentials accounted for 42.06% of all root causes — meaning a valid username and password pair was already in the attacker's possession before the incident began. Brute force, almost always against an exposed VPN, RDP gateway, or single sign-on portal, accounted for another 15.58%. Phishing — increasingly through adversary-in-the-middle kits that capture both the credential and the MFA prompt — added 6.35%.
The shape of that distribution is the story. Brute-force activity (15.58%) drew nearly level with traditional vulnerability exploitation (16%) as an initial access method. For the first time in a decade of Active Adversary reporting, an attacker is roughly as likely to guess their way in as they are to exploit an unpatched flaw. And the larger compromised-credential category dwarfs both — those credentials came from prior phishing campaigns, info-stealer malware on personal devices, dark-web combolists, and reused passwords harvested from unrelated breaches.
Why MFA Failed in 59% of Cases
The 59% MFA gap is not a single failure. Sophos's analysts grouped the cases into three patterns, all of which appear in real environments today:
- The "we thought it was on" gap: The organization believed MFA was enforced, but a policy exception, a service account exclusion, or a legacy authentication protocol allowed a credential-only login path to remain open.
- Misconfigured MFA: MFA was deployed, but session tokens lasted long enough — sometimes weeks — that an attacker who replayed a stolen token from a phishing kit was authenticated as the user without ever needing to satisfy a fresh challenge.
- Knowingly absent MFA: The organization had not deployed MFA on the path the attacker used, often because it was a vendor portal, a shadow-IT SaaS application, or a finance system the security team did not own.
The Sophos team highlighted one case study where a single phishing wave produced credentials that were replayed in three successive intrusions over several weeks because the organization's MFA implementation accepted long-lived tokens and did not require step-up authentication for sensitive actions. The attacker did not need to break MFA. They needed MFA to be configured the way most organizations configure it: a one-time check at login, not a continuous trust signal.
Practitioner note:
Adversary-in-the-middle (AiTM) phishing kits are now commodity tooling. They proxy a counterfeit login page, capture the credential and MFA token in real time, and replay them to the legitimate identity provider within seconds. App-based push and SMS one-time codes do not stop them. Phishing-resistant MFA — FIDO2 / WebAuthn / passkeys — does.
Speed: 3.4 Hours From Access to Active Directory
If 67% is the report's headline, 3.4 hours is its quiet emergency. That is the median time Sophos's analysts measured between an attacker's first authenticated foothold and their first attempt to access Active Directory — a 70% acceleration over the 2024 dataset. Detection time for the same activity, by contrast, increased 16% year-over-year.
3.4 hours: median time from initial access to Active Directory reconnaissance. Source: Sophos Active Adversary Report 2026.
The implication is that the window for human-driven response is closing. Once an attacker is inside identity infrastructure, lateral movement, credential harvesting, and persistence become matters of hours, not days. The median total dwell time across all 2026 cases held steady at three days — but the meaningful dwell happens in the first afternoon. Two-day medians for MDR-monitored environments versus five-day medians for unmonitored IR cases tell the same story from a different angle: continuous detection compresses the window in which an attacker can act unobserved.
For IT leaders evaluating their own posture, the question is not whether the team would eventually notice. It is whether endpoint detection and response coverage and identity telemetry will surface the activity inside the first three to four hours, when the attacker is still doing reconnaissance and has not yet pivoted to data theft or ransomware staging.
The modern intrusion path: stolen credential → token replay → directory access → lateral movement, often within a single business afternoon.
Ransomware Without the Drama
The ransomware section of the report is striking for how routine it has become. Sophos observed 51 distinct ransomware brands in the dataset — 27 carried over from the prior year and 24 newly emerged — and the top five (Akira, Qilin, SafePay, Inc, Play) were responsible for 51% of all ransomware deployments. Akira alone accounted for 22.58% of cases, followed by Qilin at 11.06%.
More telling than the brand distribution is the timing. 88.10% of ransomware payloads were detonated during non-business hours, and 78.85% of confirmed data exfiltration also happened off-hours. This is operational discipline on the attacker's part: they wait until the security team is at minimum staffing, fewer eyes are on the SIEM, and on-call response times stretch. For organizations that rely on a small in-house team operating during business hours, the asymmetry is decisive — the attack is being executed at the moment the defender is least able to respond.
Data exfiltration itself rose to 12.71% of incidents — its highest level since 2021 — and almost half (49.77%) of ransomware cases included confirmed exfiltration before encryption. The shift toward double extortion is not new, but the speed is: the median exfiltration occurred 3.3 days after initial access and only 1.87 hours before detection. Defenders are catching the activity, but they are catching it just barely, and only after the data is gone.
⚠ Off-Hours Coverage Gap
If your organization's detection and response coverage drops between 11pm and 3am, you are blind during the window in which 37.1% of attacks occur and 88% of ransomware deploys. A 9-to-5 SOC against a 24/7 adversary is not a strategy.
The Tooling Has Quietly Shifted
For most of the past decade, Cobalt Strike was the dominant post-exploitation framework in incident reports. In the 2026 dataset it has fallen out of the top tier entirely — Sophos's analysts noted that it "declined to obscurity," barely appearing in the top 35 tools. What replaced it is more interesting than what disappeared.
| Tool / Technique | 2026 Prevalence | Year-over-Year Change |
|---|---|---|
| Impacket suite (Python-based) | 36.01% of cases | +83% |
| Python (general execution) | 2nd most common | Significant increase |
| Remote Desktop Protocol | Still prevalent | Modest decline |
| Cobalt Strike | Outside top 35 | Major decline |
| Reconnaissance tooling (overall) | 40% of top tools | Increasing |
The Impacket suite — a collection of Python libraries for Windows network protocol manipulation — appeared in 36.01% of cases, up 83% year-over-year. It is open source. It is dual-use. It is widely available on legitimate developer machines. And critically, executing it requires Python to be available on the host. The defensive implication is concrete: Python on a non-developer endpoint is now a high-fidelity signal. Most finance, sales, and operations workstations have no business running it. Blocking or aggressively monitoring Python execution outside engineering teams is one of the highest-leverage controls a defender can deploy this year.
The shift away from Cobalt Strike toward open-source tooling also has a strategic implication. Detection content built over the last five years was heavily tuned for Cobalt Strike beacons and command-and-control patterns. Impacket leaves a different fingerprint — Windows protocol-level activity that looks very close to legitimate administration. This is one of the reasons time-to-detect lengthened in 2026 even as MDR adoption increased.
A Note on Vulnerability Exploitation
Sophos confirmed specific CVE exploitation in only 52 cases out of 661 — and within that small subset, CVE-2024-40766, a SonicOS access control vulnerability, accounted for 67.31% of confirmed exploits. The median time between patch release and observed exploitation in the dataset was 322 days. Vulnerability management still matters, particularly on internet-facing edge devices and end-of-life systems (which tripled in incidents this year), but the data does not support treating it as the dominant attack vector. It is a secondary concern behind identity for almost every organization in the sample.
With 88% of ransomware deployed during non-business hours, 24/7 detection coverage is no longer a premium feature — it is the floor.
Where the GenAI Story Actually Is
The report contains one finding that runs against the prevailing industry narrative: across 661 incidents, Sophos confirmed exactly one verified case of generative AI use by an attacker — a deepfake. The team's own framing is direct: "enthusiasm is vastly outpacing evidence." GenAI is being used by attackers, but its current contribution is speed and democratization — better-written phishing, faster code, lower barrier to entry — not new categories of attack.
The practical takeaway for security leaders is to resist budgeting against the AI threat in isolation. The threat that hit 67% of organizations in this dataset was not generated by AI; it was generated by reused passwords, missing MFA, and stolen tokens. AI-specific defenses without identity-first defenses get the priority order wrong.
What to Actually Do This Quarter
The Sophos team's recommendations cluster into a manageable set of priorities, each tied to a specific finding in the data. The order below reflects what the report's own evidence implies should be done first.
- Audit MFA coverage: Find every authentication path. Catalog exclusions, service accounts, and legacy protocols.
- Move to phishing-resistant MFA: FIDO2, WebAuthn, or passkeys for admins and high-value users first; broaden over the year.
- Shorten session lifetimes: Bind tokens to device posture; require step-up authentication for sensitive actions.
- Close the off-hours gap: Ensure 24/7 detection coverage — internal team, MDR partner, or hybrid.
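The three MFA failure patterns described under "Why MFA Failed in 59% of Cases" and the first three priorities above (audit MFA coverage, shorten session lifetimes, step-up for sensitive actions) all reduce to questions you can ask of sign-in logs. The script below is an added example, not code from the Sophos report or from ITECS: it runs over constructed identity-provider sign-in records and flags a successful login with no MFA claim (separating legacy protocols, which cannot carry one, from policy exceptions and excluded accounts), a session token older than a policy limit, and the same session used from a different network within minutes, which is what a replayed stolen token looks like from the IdP's side. The flat event schema, the thresholds and the sample records are assumptions; map your own IdP export onto the schema before using it.

```python
"""Audit sign-in records for the MFA gaps described in the report.

Added example, not code from the Sophos report or from ITECS. The flat event
schema, the policy thresholds and the sample records are all constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Policy thresholds (assumed values; tune to your environment)
MAX_SESSION_AGE = timedelta(hours=8)      # anything older counts as a long-lived token
REPLAY_WINDOW = timedelta(minutes=10)     # same session, new IP, inside this window
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp_auth", "activesync_basic"}  # cannot carry an MFA challenge


def _ts(value):
    return datetime.fromisoformat(value)


def audit_signins(events):
    """Return (finding, event) pairs for every successful sign-in that matches a gap."""
    findings = []
    last_use = {}  # session_id -> (ip, timestamp) of the previous use of that session
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["result"] != "success":
            continue
        now = _ts(ev["timestamp"])

        # Gap 1: the login succeeded without an MFA claim. Legacy protocols cannot carry
        # one at all; otherwise a policy exception or excluded account let it through.
        if not ev["mfa"]:
            kind = "legacy_protocol" if ev["protocol"] in LEGACY_PROTOCOLS else "no_mfa_claim"
            findings.append((kind, ev))

        # Gap 2: the session token is older than policy allows.
        if now - _ts(ev["issued_at"]) > MAX_SESSION_AGE:
            findings.append(("long_lived_session", ev))

        # Gap 2, corollary: the same session used from another network within minutes.
        previous = last_use.get(ev["session_id"])
        if previous and previous[0] != ev["ip"] and now - previous[1] <= REPLAY_WINDOW:
            findings.append(("session_replay", ev))
        last_use[ev["session_id"]] = (ev["ip"], now)
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'long_lived_session': 2, ...}."""
    return dict(Counter(kind for kind, _ in findings))


# Constructed sample records (TEST-NET addresses; not taken from the report)
SAMPLE_EVENTS = [
    {"timestamp": "2025-03-01T08:00:00", "user": "alice", "ip": "203.0.113.10",
     "result": "success", "mfa": True, "protocol": "oidc",
     "session_id": "s1", "issued_at": "2025-03-01T08:00:00"},
    {"timestamp": "2025-03-01T09:15:00", "user": "bob", "ip": "203.0.113.11",
     "result": "success", "mfa": False, "protocol": "imap",
     "session_id": "s2", "issued_at": "2025-03-01T09:15:00"},
    {"timestamp": "2025-03-01T09:30:00", "user": "svc-backup", "ip": "203.0.113.12",
     "result": "success", "mfa": False, "protocol": "oidc",
     "session_id": "s3", "issued_at": "2025-03-01T09:30:00"},
    {"timestamp": "2025-03-01T09:45:00", "user": "carol", "ip": "203.0.113.13",
     "result": "failure", "mfa": False, "protocol": "oidc",
     "session_id": "s4", "issued_at": "2025-03-01T09:45:00"},
    # alice's nine-day-old session appears from a new network, then back on the old one
    {"timestamp": "2025-03-10T14:00:00", "user": "alice", "ip": "198.51.100.7",
     "result": "success", "mfa": True, "protocol": "oidc",
     "session_id": "s1", "issued_at": "2025-03-01T08:00:00"},
    {"timestamp": "2025-03-10T14:03:00", "user": "alice", "ip": "203.0.113.10",
     "result": "success", "mfa": True, "protocol": "oidc",
     "session_id": "s1", "issued_at": "2025-03-01T08:00:00"},
]

if __name__ == "__main__":
    results = audit_signins(SAMPLE_EVENTS)
    for kind, ev in results:
        print(f"{kind:20} {ev['user']:12} {ev['ip']:15} {ev['timestamp']}")
    print(summarize(results))
```

On the sample data this yields five findings: bob's IMAP login and the service account's credential-only login (gap 1), both uses of alice's nine-day-old session (gap 2), and the second of those, three minutes after the first from a different address, also as a replay. The replay heuristic is deliberately simple; in production you would compare networks or ASNs rather than raw addresses and tune the window to your users' roaming patterns.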
Beyond the first four, four more controls show up repeatedly across the report's case studies and recommendations:
- Block Python on non-development workstations. The Impacket suite cannot execute without it. Application allowlisting on finance, sales, and operations endpoints is one of the highest-leverage controls available.
- Extend log retention well beyond defaults. Sophos noted that 7-day default firewall retention is now far too short — most investigations need weeks of telemetry. Missing logs were the second-most common forensic gap.
- Continuously monitor Active Directory. If attackers reach AD in 3.4 hours, the directory itself is the first place high-fidelity detection content needs to live: anomalous group membership changes, golden/silver ticket signatures, abnormal Kerberoasting activity, and service account anomalies.
- Inventory and accelerate end-of-life remediation. EOL systems tripled in incidents year-over-year. Each one is a known, predictable failure point.
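Two of the controls above, and the earlier observation that Python on a non-developer endpoint is a high-fidelity signal, translate directly into detection content. The script below is an added example, not code from the Sophos report or from ITECS: it triages constructed endpoint and Active Directory telemetry for a Python interpreter launching on a workstation outside engineering, a member added to a privileged AD group, and a burst of RC4-encrypted service-ticket requests from one account, which is a common Kerberoasting indicator. The flat event dicts, the host inventory and the thresholds are assumptions; the Windows event IDs referenced (Sysmon event 1 for process creation, Security 4728/4732/4756 for group membership additions, and 4769 for Kerberos service-ticket requests) are the real ones.

```python
"""Triage endpoint and AD telemetry for three identity-first detection signals.

Added example, not code from the Sophos report or from ITECS. The event dicts,
host inventory and thresholds are constructed; the event IDs are real.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ENGINEERING_HOSTS = {"dev-ws-01", "build-01"}              # assumed asset inventory
PYTHON_IMAGES = {"python.exe", "python3.exe", "pythonw.exe", "python3", "python"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}                      # member added to a security-enabled group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
RC4_HMAC = "0x17"                                          # TicketEncryptionType on a 4769
KERB_BURST = 5                                             # distinct SPNs from one account ...
KERB_WINDOW = timedelta(minutes=5)                         # ... inside this window (assumed)


def rc4_ticket_bursts(events):
    """One alert per account that requested >= KERB_BURST distinct SPNs with RC4 inside KERB_WINDOW."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["source"] == "security" and ev["event_id"] == 4769 and ev.get("ticket_encryption") == RC4_HMAC:
            by_account[ev["account"]].append((datetime.fromisoformat(ev["timestamp"]), ev["spn"]))
    alerts = []
    for account, requests in by_account.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            spns = {spn for ts, spn in requests[i:] if ts - start <= KERB_WINDOW}
            if len(spns) >= KERB_BURST:
                alerts.append(("kerberoast_burst", account, len(spns)))
                break
    return alerts


def triage(events):
    """Return (kind, subject, detail) alerts for the three signals."""
    alerts = []
    for ev in events:
        if ev["source"] == "sysmon" and ev["event_id"] == 1:
            image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in PYTHON_IMAGES and ev["host"] not in ENGINEERING_HOSTS:
                alerts.append(("python_on_nondev_host", ev["host"], ev["user"]))
        elif ev["source"] == "security" and ev["event_id"] in GROUP_ADD_EVENTS:
            if ev["group"] in PRIVILEGED_GROUPS:
                alerts.append(("privileged_group_add", ev["group"], ev["member"]))
    alerts.extend(rc4_ticket_bursts(events))
    return alerts


# Constructed sample telemetry (not taken from the report)
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "host": "fin-ws-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Programs\Python\Python312\python.exe"},
    {"source": "sysmon", "event_id": 1, "host": "dev-ws-01", "user": "eng1",
     "image": r"C:\Python312\python.exe"},                              # engineering host: expected
    {"source": "sysmon", "event_id": 1, "host": "fin-ws-07", "user": "jdoe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"source": "security", "event_id": 4728, "group": "Domain Admins", "member": "svc-backup"},
    {"source": "security", "event_id": 4732, "group": "Remote Desktop Users", "member": "bob"},
    {"source": "security", "event_id": 4769, "timestamp": "2025-03-10T14:20:00",
     "account": "app01", "spn": "MSSQLSvc/sql01", "ticket_encryption": "0x12"},   # AES: normal
    {"source": "security", "event_id": 4769, "timestamp": "2025-03-10T14:30:00",
     "account": "alice", "spn": "HTTP/web01", "ticket_encryption": RC4_HMAC},     # two RC4 tickets:
    {"source": "security", "event_id": 4769, "timestamp": "2025-03-10T14:31:00",
     "account": "alice", "spn": "CIFS/file01", "ticket_encryption": RC4_HMAC},    # below threshold
]
# One account pulling six distinct RC4 service tickets inside five minutes
for i, spn in enumerate(["MSSQLSvc/sql01", "HTTP/web01", "MSSQLSvc/sql02",
                         "CIFS/file01", "HTTP/intranet", "LDAP/dc01"]):
    SAMPLE_EVENTS.append({"source": "security", "event_id": 4769,
                          "timestamp": f"2025-03-10T14:1{i}:00", "account": "jdoe",
                          "spn": spn, "ticket_encryption": RC4_HMAC})

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this produces exactly three alerts: the interpreter on the finance workstation, the service account added to Domain Admins, and the six-SPN RC4 burst from one account; the AES request and alice's two RC4 tickets stay quiet. The RC4 heuristic assumes your domain has moved service accounts to AES keys, so that RC4 ticket requests are rare enough to count.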
"Prevention still beats detection. The attackers in this dataset succeeded because the same fundamentals were missing year after year — not because the attack was novel."
— Paraphrased from the Sophos Active Adversary Report 2026 conclusion
An Identity-First Defense, in Practice
The defensive architecture the report's findings imply is less a single product and more a layered set of controls organized around the identity plane. The diagram below captures how the layers reinforce each other — each compensating for the failure modes the others cannot fully prevent.
Figure: Identity-First Defense Architecture, layered controls that compress dwell time inside the 3.4-hour AD window.
- Authentication Layer: phishing-resistant MFA (FIDO2 / WebAuthn / passkeys); conditional access (device posture + risk signals); short session lifetimes (token binding, step-up auth).
- Identity Visibility Layer: AD monitoring (privileged actions, ticket abuse); service account audit (inventory, rotation, scoping); SaaS identity logs (M365, Google, Okta, vendor portals).
- 24/7 Detection & Response Layer: Endpoint Detection & Response (behavioral, identity-aware); Managed Detection & Response (off-hours human analysis).
For organizations evaluating where to start, the most important sequencing decision is to address the authentication layer before investing further in detection. A 24/7 detection capability that fires on identity anomalies it cannot prevent is valuable, but a phishing-resistant authentication layer that prevents many of those anomalies in the first place is more valuable, costs less to operate, and reduces alert volume meaningfully. Sophos's "prevention still beats detection" framing is, more than anything, an argument about prioritization.
Phishing-resistant authentication — passkeys and FIDO2 hardware keys — is the single highest-leverage control implied by the 2026 data.
The Honest Read for IT Leaders
The report is unusually candid about what it does not contain. There is no novel zero-day. There is no AI-driven attack swarm. There is no nation-state innovation that mid-market security teams need to chase. What the data describes instead is the patient, repeated success of the same identity-shaped attack against the same identity-shaped gaps, year after year. The reason 67% of incidents share a common root is that 67% of the gap is shared.
For ITECS clients, the practical implication is that the next twelve months of cybersecurity investment should weight identity infrastructure ahead of almost everything else. That includes a hard look at where MFA is and is not deployed, a migration plan toward phishing-resistant authentication for at least administrative users, an honest assessment of off-hours detection coverage, and an inventory of service accounts and long-lived tokens that bypass interactive authentication entirely. As an authorized 1Password reseller and managed services partner, ITECS works with clients to harden the credential layer end-to-end — from password vaulting and rotation through SSO consolidation and passkey rollouts — alongside the broader EDR and managed detection stack.
None of this is glamorous work. The Sophos team's central observation is that it does not need to be — it just needs to be done before the next stolen token arrives.
Stress-Test Your Identity Posture
A targeted assessment surfaces the MFA gaps, service-account exposures, and detection blind spots that the Sophos data shows attackers are actively exploiting. ITECS will benchmark your environment against the 2026 findings and prioritize the highest-leverage controls.
Sources
- Sophos — Nowhere, man: The 2026 Active Adversary Report
- Sophos Press Release — Identity Attacks Dominate as Threat Groups Proliferate (Feb 2026)
- Security MEA — Two-Thirds of 2025 Cyber Incidents Stemmed From Identity Compromise
- Intelligent CISO — Coverage of the Sophos Active Adversary Report 2026
