The 2026 Sophos Active Adversary Report has shifted the narrative of modern cybersecurity. For years, the industry focused on patching as the ultimate defense. However, the data now shows that 67% of security incidents are rooted in identity-related weaknesses.
Attackers aren’t breaking in by exploiting complex software bugs anymore; they are simply logging in using stolen credentials, brute-force attacks, and phishing.
The report highlights a terrifying increase in attacker efficiency. Here are the most critical takeaways for IT leaders:
- Once inside a network, it takes attackers a median of just 3.4 hours to reach the Active Directory server. This gives them the keys before most internal teams even finish their first cup of coffee.
- Hackers are clock-watchers. 88% of ransomware payloads and 79% of data thefts occur outside of standard business hours, emphasizing the necessity for 24/7 monitoring.
- The time an attacker stays in your system before being detected has dropped to just three days. The window to react is closing faster than ever.
Despite the known risks, 59% of attacked organizations lacked MFA. Compounding this is a lack of telemetry, the logs that record the digital breadcrumbs an attacker leaves behind. Many companies lost vital evidence because their firewall logs were set to delete after just 24 hours, leaving defenders blind during an investigation.
“The dominance of identity-related root causes can’t be addressed by simple patch hygiene. Organizations must take a proactive approach to identity security.” — John Shier, Field CISO, Sophos.
While many feared 2026 would be the year of AI-driven super-viruses, the Sophos report offers a reality check. Generative AI is certainly making phishing emails more polished and harder to spot, but it hasn’t yet replaced the fundamental methods attackers use. The basics of strong identity protection and rapid response remain the most effective shields.