Sophos Active Adversary Report 2026 highlights rise in identity-led attacks and faster threat activity

Identity-related vulnerabilities accounted for the majority of cyber incidents investigated last year, according to the latest Sophos Active Adversary Report 2026. The report finds that 67% of security cases analysed by Sophos’ Incident Response (IR) and Managed Detection and Response (MDR) teams originated from compromised credentials, weak authentication controls or poorly secured identity systems.

The findings indicate a continued shift in attacker strategies, with threat actors increasingly relying on valid accounts rather than exploiting technical vulnerabilities. Compromised credentials, brute-force attempts and phishing campaigns remain among the most common entry points, often allowing attackers to bypass traditional perimeter defences.

Identity attacks and faster breach timelines

According to the report, brute-force activity accounted for 15.6% of initial access cases, nearly matching exploitation-based attacks at 16%. Attackers are also moving more quickly once inside networks, reaching Active Directory servers in an average of 3.4 hours after initial compromise ...