Identity-related attacks are expected to dominate cyberspace in 2026, and probably wreak more havoc if measures are not adequately taken.

This is according to Sophos, a global leader of innovative security solutions for defeating cyberattacks, in its 2026 Sophos Active Adversary Report.

Sophos disclosed that 67 per cent of all incidents investigated by Sophos Incident Response (IR) and Managed Detection and Response (MDR) teams last year were rooted in identity-related attacks.

The findings highlighted how attackers continue to exploit compromised credentials, weak or missing multifactor authentication (MFA), and poorly protected identity systems, often without needing to deploy new tools or techniques.

According to it, a shift from exploited vulnerabilities toward compromised credentials, with brute-force activity (15.6 per cent) drawing almost level with exploitation (16 per cent) as an initial access method

It explained that median dwell time declined to three days, driven by attackers’ movements, but also by defenders reacting more swiftly. This was particularly notable in MDR environments.

Sophos warned that attackers are getting faster at reaching Active Directory (AD). It said once an attacker is inside an organisation, it takes them just 3.4 hours to get to the AD server.

Further revelations include that ransomware remained a firmly off-hours activity. 88 per cent of ransomware payloads are deployed out of hours, and 79 per cent of data exfiltration actions take place out of hours, emphasising the continued need for 24/7 coverage.

It said lack of telemetry undermined defence efforts, saying missing logs due to data retention issues doubled over the last year. This rise was largely driven by firewall appliances, where the default was only seven days, and in some cases, 24 hours.

The report showed a continued rise in attacks rooted in identity compromise, including stolen credentials, brute-force activity, and phishing.

While exploited vulnerabilities remain a factor, attackers increasingly rely on valid accounts to gain initial access, allowing them to bypass traditional perimeter defences.

Sophos claimed there was also a lack of MFA in 59 per cent of cases, facilitating the abuse of stolen and compromised credentials to penetrate an organisation.

Field CISO and lead author of the report, John Shier, said: “The most concerning finding in the report has actually been years in the making: The dominance of identity-related root causes for successful initial access. Compromised credentials, brute-force attacks, phishing, and other tactics leverage weaknesses that can’t be addressed by simple patch hygiene. Organisations must take a proactive approach to identity security.”

Sophos researchers observed the highest number of active threat groups recorded in the report’s history, expanding the overall threat landscape and increasing the challenge of attribution.

According to them, Akira (Gold Sahara) and Qilin (Gold Feather) were the most active ransomware brands observed, with Akira dominating across 22 per cent of incidents. It disclosed that 51 ransomware brands appeared across cases, including 27 returning brands and 24 new ones.

Only four brands or techniques, LockBit, MedusaLocker, Phobos, and abuse of BitLocker, have persisted continuously since 2020, the first year of Active Adversary Report data.

“Law enforcement action continues to disrupt the ransomware ecosystem. Although we still see activity from LockBit, the dominance and reputation it once had have clearly been impacted. However, it means we are seeing a raft of other groups vying for dominance and many more emerging groups. For defenders, it’s important to understand the groups and their TTPs to best protect your organisation,” Shier added.

Meanwhile, despite widespread predictions, Sophos found no evidence of a major AI-driven transformation in attacker behaviour. While generative AI has increased the speed and polish of phishing and social engineering, it has not yet produced fundamentally new attack techniques.