By Chinenye Anuforo
Sophos, a British cybersecurity company that provides AI-native software and hardware to protect over 500,000 organisations and millions of consumers worldwide,
has revealed that identity-related weaknesses accounted for the majority of cyber incidents investigated last year.
It added that this highlights growing risks tied to compromised credentials and weak authentication systems.
In its 2026 Active Adversary Report released yesterday, the cybersecurity firm disclosed that 67 per cent of all cases handled by its Incident Response (IR) and Managed Detection and Response (MDR) teams between November 1, 2024, and October 31, 2025, were rooted in identity-based attacks.
The report, which analysed 661 cases across 70 countries and 34 industries, found that attackers increasingly exploited stolen credentials, brute-force techniques and weak or missing multifactor authentication (MFA) to gain initial access into organisations.
According to the findings, brute-force activity accounted for 15.6 per cent of initial access methods, nearly matching exploitation of vulnerabilities at 16 per cent, showing a notable shift toward credential abuse. In 59 per cent of cases examined, MFA was either absent or improperly configured, enabling attackers to bypass traditional perimeter defences.
Sophos noted that once inside a network, attackers moved rapidly. The median dwell time, the period between compromise and detection, declined to three days, reflecting both faster attacker activity and improved defensive response, particularly in MDR-monitored environments. The report also revealed that it takes attackers an average of 3.4 hours to reach Active Directory servers after breaching an organisation.
Ransomware activity continues to occur largely outside regular business hours. The study showed that 88 per cent of ransomware payloads were deployed after hours, while 79 per cent of data exfiltration activities occurred during the same period, reinforcing the need for round-the-clock monitoring.
The report further identified a growing challenge with incomplete security logs, noting that missing telemetry due to data retention issues doubled over the past year.
This trend was largely linked to firewall appliances configured with short default log retention periods.
Field Chief Information Security Officer and lead author of the report, John Shier, described the dominance of identity-related compromises as a long-developing concern.
He said compromised credentials, phishing and brute-force attacks exploit structural weaknesses that cannot be resolved by routine patching alone, urging organisations to adopt a more proactive identity security strategy.
Sophos researchers also recorded the highest number of active threat groups since the inception of the report, indicating a broader and more fragmented threat landscape.
The ransomware brands Akira (GOLD SAHARA) and Qilin (GOLD FEATHER) were identified as the most active, with Akira accounting for 22 per cent of observed incidents. In total, 51 ransomware brands appeared in the cases studied, including 27 returning groups and 24 newly observed ones. Only a handful (LockBit, MedusaLocker, Phobos and abuse of BitLocker) have remained consistently active since 2020.
The firm noted that while law enforcement actions have disrupted established ransomware networks, the vacuum has led to the emergence of multiple competing groups, complicating attribution and response efforts.
On artificial intelligence, Sophos said it found no evidence of a significant AI-driven transformation in attacker behaviour. Although generative AI has enhanced the speed and sophistication of phishing campaigns and social engineering tactics, it has not yet introduced fundamentally new attack techniques.
The company advised organisations to deploy phishing-resistant MFA, secure identity infrastructure, promptly patch vulnerabilities, especially on edge devices, ensure continuous monitoring, and retain security logs to enable faster detection and investigation.