Insights from the 2026 Sophos Active Adversary Report
Sophos, a renowned name in cybersecurity solutions, has recently unveiled its 2026 Sophos Active Adversary Report. This comprehensive analysis covered 661 Incident Response and Managed Detection and Response cases from November 2024 to October 2025. The investigation spanned organizations from 70 countries and 34 different industries. One key takeaway is that 67% of the incidents scrutinized involved identity-related attacks.
Key Findings from the Report
Shift to Credential Compromise
A major trend in the report is a shift in how attackers get in: away from exploiting software vulnerabilities and towards compromised credentials. Brute-force activity, at 15.6% of cases, is now nearly on par with vulnerability exploitation, at 16%, as a method of initial access.
Dwell Time Decreases
The report highlights a significant reduction in median dwell time, now just three days. The decline reflects both attackers moving faster and defenders responding more quickly, particularly in environments covered by Managed Detection and Response.
Speed of Attackers
Once attackers gain access, they reach Active Directory with alarming speed: on average only 3.4 hours pass between the moment of breach and access to the Active Directory server.
Ransomware Activity
The report notes that 88% of ransomware deployments occur during non-business hours, and 65% of data exfiltration takes place when organizations are typically closed. Attackers deliberately act at the times when their targets are most vulnerable.
Challenges with Telemetry
A critical issue is the growing lack of telemetry, which hampers defense and investigation. The proportion of cases with missing logs due to retention problems has doubled over the previous year. The problem stems primarily from firewall appliances, many of which default to log retention periods as short as seven or even 24 hours.
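The two findings above (off-hours ransomware and exfiltration activity, and log sources whose retention is shorter than the time an intruder spends inside) translate directly into two defensive checks. The following is an added example, not code from Sophos or the report: it flags constructed sample log lines that fall outside business hours, and it tests a set of hypothetical log sources and retention windows against the report's three-day median dwell time to show which sources would no longer hold the initial-access evidence by the time an incident is detected. All log lines, source names and retention values are constructed for illustration.

```python
from datetime import datetime, time, timedelta, timezone

# --- Constructed sample data (hypothetical; not taken from the report) ---
# Log source -> how long that source keeps its logs.
LOG_SOURCES = {
    "edge-firewall": timedelta(hours=24),
    "vpn-gateway": timedelta(days=7),
    "edr": timedelta(days=30),
    "domain-controller-security": timedelta(days=90),
}

# Constructed log lines: ISO-8601 UTC timestamp, then a free-text message.
SAMPLE_LOG_LINES = [
    "2025-06-12T10:15:00Z vpn-gateway login alice from 203.0.113.7",
    "2025-06-12T13:39:00Z domain-controller-security admin session on DC01",
    "2025-06-13T23:05:00Z edge-firewall large outbound transfer to 198.51.100.9",
    "2025-06-14T02:30:00Z edr mass file encryption on FS01",
]

# Planning constants taken from the report's headline figures.
MEDIAN_DWELL = timedelta(days=3)          # median dwell time
TIME_TO_AD = timedelta(hours=3, minutes=24)  # median time from breach to AD access

# Business hours for the monitored organisation (assumed: 08:00-18:00, Mon-Fri).
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


def parse_line(line):
    """Split a log line into an aware datetime and its message text."""
    ts_text, _, message = line.partition(" ")
    # fromisoformat() only accepts a trailing 'Z' on Python 3.11+, so normalise it.
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return ts, message


def is_off_hours(ts, tz=timezone.utc):
    """True if the event falls on a weekend or outside business hours in tz.

    tz may be any tzinfo, e.g. zoneinfo.ZoneInfo("Europe/London"), so that
    'business hours' is judged in the organisation's local time, not UTC.
    """
    local = ts.astimezone(tz)
    if local.weekday() >= 5:           # Saturday == 5, Sunday == 6
        return True
    return not (BUSINESS_START <= local.time() < BUSINESS_END)


def flag_off_hours(lines, tz=timezone.utc):
    """Return (timestamp, message) for every line that occurred off-hours.

    Off-hours activity deserves a higher triage priority because the report
    shows ransomware deployment and exfiltration cluster in those windows.
    """
    return [(ts, msg) for ts, msg in map(parse_line, lines) if is_off_hours(ts, tz)]


def retention_gaps(detected_at, sources=LOG_SOURCES, dwell=MEDIAN_DWELL):
    """Return {source: hours of missing coverage} for sources whose retention
    cannot reach back to the estimated initial access (detection minus dwell)."""
    initial_access = detected_at - dwell
    gaps = {}
    for name, retention in sources.items():
        oldest_available = detected_at - retention
        if oldest_available > initial_access:
            gaps[name] = (oldest_available - initial_access).total_seconds() / 3600
    return gaps


if __name__ == "__main__":
    for ts, msg in flag_off_hours(SAMPLE_LOG_LINES):
        print(f"OFF-HOURS {ts.isoformat()} {msg}")
    detected_at, _ = parse_line(SAMPLE_LOG_LINES[-1])  # treat the last line as detection
    for source, hours in retention_gaps(detected_at).items():
        print(f"RETENTION GAP {source}: {hours:.0f}h of the intrusion window already purged")
```

With the constructed data, the firewall's 24-hour retention leaves 48 hours of a three-day intrusion unrecoverable, which is exactly the situation the report describes; the check is cheap to run against a real inventory of log sources and their configured retention.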
The Rise of Identity Attacks
The report underscores an unsettling trend: attacks based on identity compromise, such as stolen credentials and phishing, are becoming more prevalent. Exploited vulnerabilities still play a role, but attackers increasingly use valid accounts to enter networks, evading conventional perimeter defenses. Alarmingly, 59% of cases lacked Multi-Factor Authentication (MFA), making stolen credentials easy to misuse.
Expert Insights
John Shier, Field CISO and lead author of the report, expressed concern about the continued dominance of identity-related attacks. He stated, “The dominance of identity-related root causes for successful initial access has been developing for years. Addressing weaknesses in identity security requires more than just patch management—organizations need to take a proactive stance.”
Expanding Threat Landscape
The report reflects growing complexity in the threat landscape, recording the highest number of active threat groups ever observed. This expansion complicates attribution and increases risk for organizations.
Shier commented, “Ongoing actions by law enforcement have disrupted the ransomware ecosystem, diminishing the influence of groups like LockBit. However, this has led to a surge of emerging groups, heightening the urgency for organizations to understand their tactics, techniques, and procedures (TTPs) to better safeguard themselves.”
The Role of Artificial Intelligence
Despite much excitement about AI’s potential in cybersecurity, the report found no substantial shift in attacker behavior attributable to AI. Generative AI has made phishing and social engineering more polished, but it has yet to produce entirely new attack methods.
Shier noted, “AI has contributed to increasing the scale and sophistication of attacks, but it hasn’t displaced human attackers. Essential defensive strategies remain unchanged: organizations must prioritize strong identity protection, reliable telemetry, and quick response capabilities.”
Recommendations for Strengthening Defense
Based on the findings from the 2026 Active Adversary Report, Sophos provides several actionable recommendations for organizations:
- Implement phishing-resistant Multi-Factor Authentication (MFA) and verify its configuration.
- Limit exposure of identity infrastructure and services accessible via the Internet.
- Address known vulnerabilities promptly, particularly on edge devices.
- Maintain continuous 24/7 monitoring through Managed Detection and Response strategies.
- Ensure the retention of security logs for rapid detection and investigation.
These strategies are critical for organizations aiming to fortify their defenses in an increasingly complex threat landscape.