In the cybersecurity world, the hacker in a hoodie exploiting a zero-day vulnerability is a classic trope.
But according to the Sophos Active Adversary Report 2026, today’s reality is much more mundane, and more dangerous. Attackers aren’t “breaking in” anymore; they’re just logging in.
The report, which analyzed over 600 incidents globally, reveals that 67% of all security breaches last year were rooted in identity-related weaknesses. Basically, your password hygiene, not a complex software bug, is likely the biggest hole in your defense.
The 3.4-Hour Sprints
The most startling takeaway from the data is the sheer speed of modern attacks. Once a threat actor gains initial access, it takes them a median of just 3.4 hours to reach the Active Directory (AD) server.
For the uninitiated, AD is the keys to the kingdom: the system that manages permissions for everyone in the company. If an attacker reaches AD before your IT team finishes their lunch break, it’s game over.
Key Speed Metrics:
- Median Dwell Time: Dropped to just 3 days (down from weeks in previous years).
- The After-Hours Rule: 88% of ransomware payloads are deployed outside of standard business hours to catch defenders off-guard.
- MFA Ghosting: In 59% of successful breaches, Multi-Factor Authentication (MFA) was completely missing or poorly configured.
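The three metrics above describe what an identity-based intrusion looks like in the logs: a burst of failed passwords followed by a success, a login with no second factor, and activity outside business hours. The following is an added example, not from the Sophos report, that runs those three checks over a few constructed authentication events; the log format, the 08:00–17:59 business-hours window and the five-failures threshold are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data): timestamp, user, source IP, result, MFA method
SAMPLE_LOG = """\
2026-01-14T02:11:05 alice 203.0.113.7 FAIL mfa=none
2026-01-14T02:11:09 alice 203.0.113.7 FAIL mfa=none
2026-01-14T02:11:14 alice 203.0.113.7 FAIL mfa=none
2026-01-14T02:11:20 alice 203.0.113.7 FAIL mfa=none
2026-01-14T02:11:27 alice 203.0.113.7 FAIL mfa=none
2026-01-14T02:11:33 alice 203.0.113.7 SUCCESS mfa=none
2026-01-14T10:03:41 bob 198.51.100.4 SUCCESS mfa=push
2026-01-14T22:45:12 carol 192.0.2.9 SUCCESS mfa=none
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS) mfa=(\S+)$")
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time
FAIL_THRESHOLD = 5             # assumption: failures before a success is suspicious
WINDOW_SECONDS = 300           # assumption: failures must fall within 5 minutes

def parse(log):
    """Parse the assumed line format; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, user, ip, result, mfa = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ok": result == "SUCCESS", "mfa": mfa})
    return events

def find_alerts(events):
    """Return (user, ip, reasons) for each successful login that trips a check."""
    alerts = []
    recent_fails = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["ip"])
        if not e["ok"]:
            recent_fails[key].append(e["ts"])
            continue
        fails = [t for t in recent_fails[key]
                 if (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        reasons = []
        if len(fails) >= FAIL_THRESHOLD:
            reasons.append("success after %d failures" % len(fails))
        if e["mfa"] == "none":
            reasons.append("no MFA")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            alerts.append((e["user"], e["ip"], reasons))
        recent_fails[key].clear()  # a success closes the failure window
    return alerts
```

Bob's daytime push-MFA login produces nothing, while alice's success after five failures trips all three checks and carol's late-night password-only login trips two.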
The Ransomware Fragmentation
While law enforcement has successfully shaken the table for big names like LockBit, the ecosystem hasn’t shrunk; it has just fragmented. Sophos tracked 51 different ransomware brands this year, the highest in the report’s history.
Akira and Qilin are currently the market leaders, but the landscape is now a sea of emerging groups vying for dominance.
For CISOs, this means attribution is getting harder, and the variety of Tactics, Techniques, and Procedures (TTPs) is wider than ever.
AI: More Polish than Power
Despite the hype that GenAI would create a new breed of super-malware, Sophos found that the reality is currently much more Vibes than Violence.
Attackers are using AI to make phishing emails look more professional and to scale their social engineering, but they aren’t using it to invent fundamentally new ways to hack. As John Shier, Sophos Field CISO and lead author of the Active Adversary Report 2026, puts it:
“The most concerning finding in the report has actually been years in the making: The dominance of identity-related root causes for successful initial access. Compromised credentials, brute-force attacks, phishing, and other tactics leverage weaknesses that can’t be addressed by simple patch hygiene. Organizations must take a proactive approach to identity security.”
“Law enforcement action continues to cause disruption in the ransomware ecosystem. Although we still see activity from LockBit, the dominance and reputation it once had has clearly been impacted. However, it means we are seeing a raft of other groups vying for dominance and many more emerging groups. For defenders, it’s important to understand the groups and their TTPs in order to best protect your organization,” continued Shier.
The 2026 report confirms that cybersecurity is shifting from a technical problem to an operational one.
You can have the most expensive firewall in the world, but if your employee’s credentials are on a brute-force list and you haven’t enforced phishing-resistant MFA, that firewall is just an expensive paperweight.
The dwell-time crash to three days means the window for human intervention is closing. If you aren’t using Managed Detection and Response (MDR) or some form of 24/7 automated defense, you’re effectively leaving your front door open every night at 5:00 PM.
Is your startup still relying on Password123 and vibes? It might be time to audit your MFA settings. Let us know your thoughts on the shift to identity-based attacks in the comments.
You can read the Sophos Active Adversary Report 2026 full report here.