Compromised credentials, weak authentication, and gaps in identity systems drove most cyberattacks last year, according to a new report from Sophos, a cybersecurity solutions company.

The firm said 67% of incidents investigated by its Incident Response (IR) and Managed Detection and Response (MDR) teams were linked to identity-related attacks, underscoring how attackers gain access without deploying sophisticated malware.

The findings from the 2026 Active Adversary Report point to a growing reliance on stolen usernames and passwords, brute-force attempts, and phishing campaigns to infiltrate organizations. These methods allow attackers to bypass traditional defenses, especially when multifactor authentication (MFA) is absent or poorly configured.

“The most concerning finding in the report has actually been years in the making: the dominance of identity-related root causes for successful initial access,” said John Shier, field CISO of Sophos and lead author of the report. “Compromised credentials, brute-force attacks, phishing, and other tactics leverage weaknesses that can’t be addressed by simple patch hygiene. Organizations must take a proactive approach to identity security.”

Sophos reported a noticeable shift in attack patterns. Brute-force activity accounted for 15.6% of initial access methods, nearly matching exploitation of vulnerabilities at 16%. At the same time, 59% of cases lacked MFA, making it easier for attackers to use stolen credentials.

Once inside a network, attackers are moving faster. The median dwell time dropped to three days, reflecting both quicker attacker movement and faster response from defenders. Sophos also found that it takes attackers just 3.4 hours, on average, to reach Active Directory servers, a critical target for controlling enterprise environments.

Ransomware activity continues to follow predictable timing patterns. Sophos said 88% of ransomware payloads were deployed outside business hours, while 79% of data exfiltration attempts also occurred during off-hours, when monitoring may be weaker.
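Two of the patterns above, repeated failed logins from one source (the brute-force initial access the report counts at 15.6%) and successful logins outside business hours (the off-hours window in which most payloads and exfiltration were observed), are straightforward to surface from ordinary authentication telemetry. The following is an added example, not code from Sophos or from the report; the log line format, the sample lines, the five-failures-in-five-minutes threshold and the 08:00 to 17:59 business-hours window are all assumptions chosen for illustration.

```python
"""Added example: flag brute-force bursts and off-hours logins in auth logs.

Not from the Sophos report. Log format, thresholds and business hours are
assumptions for illustration; adapt them to the telemetry you actually keep.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Assumed format:
# "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2025-03-04T02:10:01 FAIL user=alice src=203.0.113.7
2025-03-04T02:10:03 FAIL user=alice src=203.0.113.7
2025-03-04T02:10:05 FAIL user=alice src=203.0.113.7
2025-03-04T02:10:08 FAIL user=alice src=203.0.113.7
2025-03-04T02:10:10 FAIL user=alice src=203.0.113.7
2025-03-04T02:10:14 OK user=alice src=203.0.113.7
2025-03-04T10:15:00 OK user=bob src=192.0.2.20
2025-03-04T22:40:00 OK user=carol src=198.51.100.9
2025-03-04T09:00:00 FAIL user=dave src=192.0.2.31
2025-03-04T09:00:30 OK user=dave src=192.0.2.31
"""

FAIL_THRESHOLD = 5                 # assumed: failures per source per window
WINDOW = timedelta(minutes=5)      # assumed: sliding window for the burst
BUSINESS_HOURS = range(8, 18)      # assumed: 08:00-17:59 local time


def parse(line):
    """Turn one log line into a dict with a real datetime."""
    ts, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def parse_log(text):
    return [parse(line) for line in text.splitlines() if line.strip()]


def find_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sources with >= threshold failures inside `window`.

    Each finding also records whether a successful login from the same
    source followed the burst, which is the case worth escalating first:
    without MFA a guessed password is enough for initial access.
    """
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["src"]].append(e["ts"])

    findings = {}
    for src, times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                success_after = any(
                    e["ok"] and e["src"] == src and e["ts"] >= times[i]
                    for e in events
                )
                findings[src] = {"failures": j - i + 1,
                                 "success_after": success_after}
                break
    return findings


def find_off_hours_logins(events, business_hours=BUSINESS_HOURS):
    """Successful logins whose hour falls outside the business-hours range."""
    return [
        (e["user"], e["src"], e["ts"].isoformat())
        for e in events
        if e["ok"] and e["ts"].hour not in business_hours
    ]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, info in find_bruteforce(evts).items():
        print(f"brute-force burst from {src}: {info}")
    for user, src, when in find_off_hours_logins(evts):
        print(f"off-hours login: {user} from {src} at {when}")
```

On the constructed sample the burst from 203.0.113.7 is reported together with the success that followed it, and the successful logins at 02:10 and 22:40 are flagged as off-hours. Both checks depend on the failed-login records still being present, which is the point of the report's telemetry finding: with a seven-day retention window the earlier part of a slow burst may already be gone by the time anyone looks.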

The report also flagged visibility gaps as a growing concern. Missing telemetry due to short log retention periods has doubled, particularly in firewall systems where default settings may store data for only seven days or less.

Sophos recorded the highest number of active threat groups to date, with 51 ransomware variants identified. Akira and Qilin were the most active, with Akira alone accounting for 22% of incidents. Despite ongoing activity, older groups such as LockBit have lost some dominance due to law enforcement actions.

“Law enforcement action continues to cause disruption in the ransomware ecosystem,” Shier said. “Although we still see activity from LockBit, the dominance and reputation it once had has clearly been impacted. However, it means we are seeing a raft of other groups vying for dominance and many more emerging groups.”

Despite concerns about artificial intelligence (AI), Sophos said it has yet to see a major shift in attacker behavior driven by the technology. Instead, AI is being used to scale existing tactics like phishing.

“AI is adding scale and noise but not yet replacing attackers,” Shier said. “Right now, the fundamentals still matter: strong identity protection, reliable telemetry, and the ability to respond quickly when something goes wrong.”

The report analyzed 661 IR and MDR cases from organizations across 70 countries and 34 industries between November 2024 and October 2025.
