Identity Attacks Surge as Global Threat Groups Proliferate, Sophos 2026 Report Reveals

Cybercriminals are increasingly abandoning complex hacks in favor of simply logging in with stolen credentials. The 2026 Sophos Active Adversary Report, released on Wednesday, reveals that a staggering 67% of all cyber incidents investigated over the past year were rooted in identity-related attacks.
The findings underscore a critical shift in the digital battlefield: attackers are moving away from exploiting software vulnerabilities and toward the exploitation of human and systemic weaknesses, such as compromised passwords and missing multifactor authentication (MFA).
Modern attackers are moving with unprecedented velocity. According to the report, once an adversary gains initial access to a network, it takes a median of just 3.4 hours to reach the Active Directory (AD) server – the “keys to the kingdom” for most organizations.
While the overall median dwell time – the period an attacker remains undetected – has declined to three days, Sophos experts attribute this not only to faster attacker movements but also to more aggressive responses from Managed Detection and Response (MDR) teams.
“The dominance of identity-related root causes is a concern years in the making,” said John Shier, Field CISO at Sophos and lead author of the report. “Compromised credentials and brute-force attacks leverage weaknesses that can’t be addressed by simple patch hygiene. Organizations must take a proactive approach to identity security.”
Despite the rise of new tactics, ransomware remains a primary threat, particularly when IT staff are offline. The report found that 88% of ransomware payloads are deployed outside of standard business hours, and 79% of data exfiltration occurs during these same windows. This “dark-hour” strategy emphasizes the growing necessity for 24/7 security monitoring.
The ransomware landscape is also becoming more fragmented. Following significant law enforcement disruptions of major players like LockBit, a record number of threat groups have emerged to fill the vacuum. Sophos tracked 51 different ransomware brands this year, with Akira (22% of incidents) and Qilin leading the pack.
Addressing the industry-wide speculation regarding Artificial Intelligence, the report offers a grounded reality check. While generative AI has “polished” the quality of phishing emails and social engineering scripts, Sophos found no evidence that AI has created fundamentally new attack techniques.
“AI is adding scale and noise but not yet replacing attackers,” Shier noted. “Right now, the fundamentals still matter: strong identity protection, reliable telemetry, and the ability to respond quickly.”
A critical hurdle for defenders remains a lack of “telemetry” – the digital breadcrumbs left behind during an attack. Cases of missing logs due to short data retention periods doubled over the last year. Many firewall appliances, for instance, were found to have default retention settings of only 24 hours to seven days, leaving investigators blind to how a breach actually began.
To counter these evolving threats, Sophos recommends that organizations prioritize phishing-resistant MFA, ensure 24/7 monitoring, and extend their log retention policies to support rapid forensic investigations.
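Two of the report's findings lend themselves to a concrete check: activity clustered outside business hours, and log retention windows too short to cover an intrusion's dwell time. The script below is an added illustration, not code from Sophos or from the report. It assumes a hypothetical business window of 08:00–18:00 Monday to Friday, a simple `timestamp host key=value ...` log format, and a handful of constructed log lines; the retention figures used in the usage section are the 24-hour and seven-day firewall defaults mentioned above.

```python
"""Off-hours activity triage and log-retention coverage check (added example)."""
from dataclasses import dataclass
from datetime import datetime, time

# Assumed business window; adjust to the organisation's actual schedule.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
BUSINESS_DAYS = {0, 1, 2, 3, 4}  # Monday..Friday (datetime.weekday())

# Constructed sample events: a weekday logon, then off-hours activity
# spread over several days, ending on a Saturday. Not real telemetry.
SAMPLE_LOG = """\
2026-03-02T09:15:00 host01 user=alice event=logon src=10.0.0.5
2026-03-02T23:40:00 host01 user=alice event=logon src=203.0.113.7
2026-03-03T02:10:00 dc01 user=alice event=ldap_query target=dc01
2026-03-05T03:05:00 host17 user=SYSTEM event=mass_file_rename count=4200
2026-03-07T10:00:00 host17 user=SYSTEM event=outbound_transfer bytes=900000000
"""


@dataclass
class Event:
    ts: datetime
    host: str
    fields: dict


def parse_log(text: str) -> list:
    """Parse 'ISO-timestamp host k=v k=v ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, host, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append(Event(datetime.fromisoformat(ts_str), host, fields))
    return events


def is_off_hours(ts: datetime) -> bool:
    """True for weekends or any time outside the assumed business window."""
    if ts.weekday() not in BUSINESS_DAYS:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def off_hours_events(events: list) -> list:
    """Events a 24/7 monitoring team would see but a 9-to-5 desk would miss."""
    return [e for e in events if is_off_hours(e.ts)]


def dwell_days(events: list) -> float:
    """Elapsed time, in days, from the earliest to the latest observed event."""
    if not events:
        return 0.0
    stamps = [e.ts for e in events]
    return (max(stamps) - min(stamps)).total_seconds() / 86400


def events_lost_to_retention(events: list, retention_hours: float, now: datetime) -> list:
    """Events already aged out of a log store with the given retention window,
    as seen by a responder who starts the investigation at `now`."""
    cutoff_seconds = retention_hours * 3600
    return [e for e in events if (now - e.ts).total_seconds() > cutoff_seconds]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(f"{len(off_hours_events(evts))} of {len(evts)} events fall outside business hours")
    print(f"observed dwell: {dwell_days(evts):.2f} days")
    investigation_start = evts[-1].ts  # responder arrives at the last event
    for hours in (24, 7 * 24):  # the two firewall defaults cited above
        lost = events_lost_to_retention(evts, hours, investigation_start)
        print(f"retention {hours}h: {len(lost)} event(s) no longer available")
```

Running it on the constructed log shows four of five events outside the business window and an intrusion spanning just over five days; with 24-hour retention, everything before the final event has already been overwritten by the time a responder looks, while seven-day retention keeps the full chain, including the initial logon that explains how the breach began.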
Go to TECHTRENDSKE.co.ke for more tech and business news from the African continent and across the world.

