Identity Is the New Battleground
A landmark cybersecurity report has revealed that two-thirds of the cyber incidents it investigated in 2025 had one thing in common: they began not with a sophisticated breach, but with something far simpler — a stolen password or an unlocked digital door.
The 2026 Sophos Active Adversary Report, drawing on 661 investigated cases across 70 countries and 34 industries, found that 67% of security incidents stemmed from identity-related weaknesses. Compromised credentials, the absence of multi-factor authentication (MFA), and poorly secured identity systems handed attackers a near-frictionless path into organizations.
The Numbers That Should Worry Every IT Team
The scale of the problem is stark. MFA was missing in 59% of cases, allowing attackers to exploit stolen or brute-forced credentials with little resistance. Brute-force attacks (15.6%) nearly matched vulnerability exploitation (16%) as a primary entry method — a significant shift that signals attackers are moving away from technical complexity toward sheer persistence.
Once inside, threat actors moved swiftly. Attackers reached Active Directory servers within just 3.4 hours of initial access — a critical milestone that typically precedes organization-wide compromise.
Striking After Hours, Faster Than Ever
Attackers have also refined their timing. 88% of ransomware payloads were deployed outside business hours, while 79% of data exfiltration occurred off-hours — deliberately targeting the window when defenses are thinnest. Despite this aggression, median dwell time fell to just three days, reflecting faster attacker execution and improved defensive response.
A Crowded Threat Landscape — and AI Still Waiting in the Wings
Sophos recorded the highest number of active ransomware groups in the report’s history — 51 brands in total, including 24 newly emerged. Akira led with 22% of incidents. Notably, widespread fears of AI-powered attacks remain largely unrealized; generative AI has increased the scale of phishing but has not yet introduced fundamentally new attack methods.
The takeaway for organizations is unambiguous: patch MFA gaps, retain security logs, and monitor around the clock — because attackers certainly are.
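As an added illustration of the three signals the report keeps returning to (brute-force entry, logins without MFA, and activity outside business hours), the following Python detector runs over a constructed authentication log. It is not code from Sophos or from the report; the log format, the 08:00-18:00 business window, and the failure threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, time
# Constructed sample authentication log (not data from the report).
# Format: <ISO timestamp> <FAIL|OK> <user> <source IP> mfa=<yes|no>
SAMPLE_LOG = """\
2025-06-12T02:10:01 FAIL alice 203.0.113.7 mfa=no
2025-06-12T02:10:09 FAIL alice 203.0.113.7 mfa=no
2025-06-12T02:10:17 FAIL alice 203.0.113.7 mfa=no
2025-06-12T02:10:25 FAIL alice 203.0.113.7 mfa=no
2025-06-12T02:10:33 FAIL alice 203.0.113.7 mfa=no
2025-06-12T02:10:41 OK alice 203.0.113.7 mfa=no
2025-06-12T10:30:00 OK bob 198.51.100.5 mfa=yes
2025-06-12T22:40:12 OK carol 192.0.2.9 mfa=yes
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+) mfa=(yes|no)$")
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed local business hours

def parse(log):
    # Return (timestamp, result, user, source, mfa_used) tuples; skip malformed lines.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src, mfa = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src, mfa == "yes"))
    return events

def off_hours(ts):
    # Weekend, or outside the assumed 08:00-18:00 window.
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)

def detect(log, window_min=10, threshold=5):
    # Flag successes preceded by a burst of failures from the same source,
    # successes completed without MFA, and successes outside business hours.
    failures = defaultdict(list)  # source IP -> timestamps of failed attempts
    alerts = []
    for ts, result, user, src, mfa in parse(log):
        if result == "FAIL":
            failures[src].append(ts)
            continue
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_min * 60]
        reasons = [name for name, hit in (
            ("brute-force-then-success", len(recent) >= threshold),
            ("no-mfa", not mfa),
            ("off-hours", off_hours(ts)),
        ) if hit]
        if reasons:
            alerts.append({"time": ts.isoformat(), "user": user, "src": src, "reasons": reasons})
    return alerts
```

Run against the constructed log, only alice (five failures, then a success without MFA at 02:10) and carol (a 22:40 login) are flagged; bob's mid-morning MFA login produces no alert.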
