The Sophos 2026 Report Is Out: Attackers Work Nights and Own Your AD in 3 Hours

Every year Sophos drops their Active Adversary Report and every year I read it and every year I need something stronger than coffee to process the implications. This year is no different, except the numbers are somehow getting worse in the specific ways that tell you the industry still hasn’t absorbed the lessons from five years ago.

The 2026 Sophos Active Adversary Report analyzed 661 incident response and managed detection and response cases handled between November 2024 and the publication date in early 2026. Six hundred and sixty-one real incidents. Real organizations. Real breaches. And the patterns that emerge from that dataset are not comforting.

Here’s the headline finding that should be framed on every CISO’s wall: 67% of all incidents were rooted in identity-based attacks. Not malware. Not zero-days. Not sophisticated exploits. Stolen credentials and abused identities. Two-thirds of breaches came through the front door with someone else’s key.

Let that sit for a second.

The Data That Should Scare You

Let’s go through the findings that matter, because there are several and they all tell a coherent story about why defenders are still losing:

Finding 1: Credential attacks are catching up with vulnerability exploitation as an initial access method. Brute-force activity now accounts for 15.6% of initial access, almost level with exploitation of vulnerabilities at 16%. That is a significant shift. Attackers are finding credential-based attacks reliable enough that they invest in them at roughly the same rate as exploiting vulnerabilities, and brute force is only one slice of the 67% identity figure; phished and purchased credentials make up the rest. Why spend time finding and weaponizing a vulnerability when you can hammer a VPN endpoint with credential lists until something opens?

Finding 2: Median dwell time declined to three days. Before you celebrate, understand what this means. Dwell time is the gap between initial access and detection (or eviction), and a median of three days means half of the cases were shorter still. The decline reflects attackers moving faster, not defenders detecting better: they have become efficient enough that they no longer need weeks to accomplish their objectives. They can get in, pivot, and execute in days. MDR environments showed better defensive response times, which is the only silver lining here.

Finding 3: Three hours and twenty-four minutes to Active Directory. Once an attacker is inside your organization, they reach a domain controller in an average of 3.4 hours. Active Directory is the keys to the kingdom: it controls authentication, authorization, group policy, and ultimately access to everything. Once AD is compromised, the attacker effectively is your IT department. Three point four hours. If your incident response process takes longer than that to even detect a breach, and for most organizations it does, you are already fighting on the adversary's terms.

Finding 4: 88% of ransomware payloads are deployed outside business hours. And 79% of data exfiltration happens off-hours. The picture is clear: attackers get in during business hours (when people are doing things that create the initial access opportunity — clicking phishing emails, entering credentials, plugging in USB drives), then wait for the weekend or overnight to do the destructive work. They know your SOC is understaffed at 2am on a Saturday. They know your senior responders are at home. They’ve timed their operations accordingly.

Finding 5: Missing logs doubled. Data retention issues — meaning missing logs that should have existed — more than doubled compared to the previous year. This was largely driven by firewall appliances with default log retention of seven days, sometimes as little as 24 hours. If attackers get into your environment on a Monday and you only keep 24 hours of firewall logs, the entire initial access event has already rotated out of your visibility by the time you’re investigating on Wednesday.

Finding 6: Akira and Qilin dominating. Among identified ransomware operations, Akira (GOLD SAHARA) dominated at 22% of incidents. Qilin (GOLD FEATHER) was the runner-up. Across all cases, 51 ransomware brands appeared — including 24 new ones. The ransomware ecosystem is still expanding, still fragmenting, and still pumping out new variants faster than most organizations can update their threat intelligence feeds.

Why It Matters

Here’s the synthesis, because the individual data points are less important than the story they tell together.

Attackers have industrialized the identity-based attack chain. They harvest credentials through phishing, buy them from initial access brokers on dark web markets, or brute-force exposed authentication endpoints. They use those credentials to log into legitimate services (VPNs, remote access tools, cloud platforms) rather than exploiting vulnerabilities that might trigger security alerts. They land, they wait, they move to Active Directory, and they strike at 2am on a Saturday when your team is at minimum capacity. They rarely need to cover their tracks, because default log retention windows are short enough to do it for them. And they do all of this while blending in with legitimate user behavior, which makes detection genuinely hard.

The businesses that get hit by this playbook aren’t stupid. They’re understaffed, under-resourced, making reasonable-seeming tradeoffs (seven-day log retention is the vendor default for a reason — storage costs money), and operating security programs designed for a threat landscape that looked different five years ago. The threat has evolved faster than most organizational security programs have.

The 67% identity-attack figure is particularly important for European and mid-market organizations that may have invested heavily in perimeter security and endpoint protection but haven’t given the same attention to identity infrastructure. If your firewall is hardened but your VPN accepts username/password authentication without MFA, you’re well-defended against the wrong threat.

What Went Wrong (Systemically)

The MFA gap is the dominant failure mode. If two-thirds of incidents are identity-based, and brute-force is now matching vulnerability exploitation as an initial access vector, and attackers are specifically going after credentials — then MFA is the single control that most directly addresses the most common attack path. And yet. Organizations are still deploying critical services without MFA. Still accepting username/password for VPN authentication. Still running Active Directory environments without MFA on privileged access.

The log retention failure is a policy and budget failure masquerading as a technical one. Seven-day default log retention on firewall appliances isn’t a conspiracy — it reflects storage cost constraints baked into product defaults by vendors who are optimizing for appliance performance, not forensic investigation capability. But the security teams who accept those defaults without overriding them are making a choice, even if it doesn’t feel like one. And the choice they’re making is “I cannot investigate a historical breach if the detection takes more than a week.”

The 3.4-hour AD compromise timeline reflects a failure to adequately protect and monitor the most critical infrastructure component in most Windows environments. AD is the target. It always has been. Attackers know this. And yet AD security — privileged access management, tier separation, monitoring for suspicious AD queries and modifications — remains an area where many organizations are dramatically under-invested.

The off-hours ransomware timing is a staffing and monitoring problem. If you know (and you should know, because this data has been consistent across multiple years of reporting) that ransomware deploys on weekends and overnight, and your SOC is understaffed at those times, and you’re not running managed detection and response to cover the gaps — you’re giving attackers exactly the window they need. MDR is specifically called out in the Sophos report as improving defensive response times. That’s not a coincidence.

The Fixer’s Playbook

MFA everywhere, starting with the identity perimeter. VPN, remote access, cloud platforms, admin consoles, Active Directory privileged access. Phishing-resistant MFA (hardware tokens or FIDO2 passkeys) for anything in your privileged tier. TOTP or push with number matching for everything else, with the understanding that both can be relayed by a real-time phishing kit, so they raise the bar rather than remove it. Then check the bypass paths: an MFA-fronted portal does nothing if a legacy protocol, a RADIUS fallback, or a break-glass account still accepts a bare password. Get it done. As I've written in my analysis of why basic security hygiene remains the most important control, the sophisticated attacks succeed because the basics aren't in place.

Fix your log retention. Immediately. Override vendor defaults on firewall appliances. Minimum 30 days on-device. 90 days or more streaming to a SIEM or log aggregation platform that the network devices themselves can't modify or delete. Then verify the forwarding: a dead syslog forwarder looks exactly like a healthy one until the day you need the logs, so alert when a source goes quiet. Missing logs means missing investigation capability, which means missing the ability to understand how you were breached, which means you'll be breached the same way again.

Invest in Active Directory protection. AD tier separation to protect domain controllers from regular workstations, which in practice means Tier 0 credentials (domain admins, DC local admins) never log on to anything below Tier 0, so a credential dumped from a compromised workstation cannot be replayed against a DC. Privileged Access Workstations for AD administration. Monitoring for suspicious AD enumeration activity, new privileged account creation, additions to privileged groups, and Group Policy modifications. Alerting on process access to LSASS (credential dumping). If your AD security posture hasn't been reviewed in the last 12 months, do it now; 3.4 hours from initial access to AD compromise means your detection needs to be fast.
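To make the monitoring items concrete, here is an added example (not code from the Sophos report or from this post's author) that triages a handful of constructed Windows Security and Sysmon event records the way a SIEM rule set would: new accounts, additions to privileged groups, modifications to Group Policy containers, and non-allowlisted handles to lsass.exe, with severity raised one step when the event lands outside business hours. A small helper measures the interval from initial access to the first alert on a domain controller, which is the number this report's 3.4-hour finding invites you to know for your own environment. The field names follow the Windows event schema; the hosts, users, timestamps, business-hours window and LSASS allowlist are assumptions made for the example.

```python
"""Triage of Active Directory events with off-hours escalation.

Added example for this post, not code from Sophos or the author. Records
are constructed to look like Windows Security and Sysmon events exported by
a SIEM: field names follow the Windows event schema, everything else
(hosts, users, times, allowlist, business hours) is assumed.
"""
from datetime import datetime

BUSINESS_HOURS = range(7, 19)            # Mon-Fri 07:00-18:59 (assumption)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
GROUP_ADD_IDS = {4728, 4732, 4756}        # global / local / universal group
LSASS_ALLOWLIST = {                        # assumed legitimate lsass readers
    r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
}
PROCESS_VM_READ = 0x0010                   # access right a memory dump needs
SEVERITY = ["low", "medium", "high", "critical"]

# Constructed sample: a Saturday-morning intrusion from a workstation to the
# DC, followed by two benign Monday events that must not alert.
SAMPLE_EVENTS = [
    {"ts": "2025-06-14T02:05:10", "host": "WS-044", "event_id": 4624,
     "data": {"TargetUserName": "rchen", "LogonType": 10}},
    {"ts": "2025-06-14T02:40:12", "host": "WS-044", "event_id": 10,
     "data": {"SourceImage": r"C:\Users\rchen\AppData\Local\Temp\upd.exe",
              "TargetImage": r"C:\Windows\System32\lsass.exe",
              "GrantedAccess": "0x1FFFFF"}},
    {"ts": "2025-06-14T05:20:30", "host": "DC01", "event_id": 4720,
     "data": {"SubjectUserName": "rchen", "TargetUserName": "svc_helpdesk2"}},
    {"ts": "2025-06-14T05:21:02", "host": "DC01", "event_id": 4728,
     "data": {"SubjectUserName": "rchen", "TargetUserName": "Domain Admins",
              "MemberName": "CN=svc_helpdesk2,CN=Users,DC=corp,DC=example"}},
    {"ts": "2025-06-14T05:45:00", "host": "DC01", "event_id": 5136,
     "data": {"SubjectUserName": "svc_helpdesk2",
              "ObjectClass": "groupPolicyContainer",
              "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},"
                          "CN=Policies,CN=System,DC=corp,DC=example"}},
    {"ts": "2025-06-16T10:00:00", "host": "DC01", "event_id": 4728,
     "data": {"SubjectUserName": "helpdesk1", "TargetUserName": "Finance-Users",
              "MemberName": "CN=mlee,CN=Users,DC=corp,DC=example"}},
    {"ts": "2025-06-16T10:05:00", "host": "WS-044", "event_id": 10,
     "data": {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
              "TargetImage": r"C:\Windows\System32\lsass.exe",
              "GrantedAccess": "0x1400"}},
]


def off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS on a weekday."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def escalate(level, ts):
    """Raise severity one step when the event happened off-hours."""
    i = SEVERITY.index(level) + (1 if off_hours(ts) else 0)
    return SEVERITY[min(i, len(SEVERITY) - 1)]


def triage(event):
    """Return an alert dict for one event, or None if nothing to flag."""
    eid, d, ts = event["event_id"], event["data"], datetime.fromisoformat(event["ts"])
    rule = level = detail = None
    if eid == 4720:
        rule, level = "new_account", "medium"
        detail = f"{d['SubjectUserName']} created {d['TargetUserName']}"
    elif eid in GROUP_ADD_IDS and d["TargetUserName"] in PRIVILEGED_GROUPS:
        rule, level = "privileged_group_add", "high"
        detail = f"{d['SubjectUserName']} added {d['MemberName']} to {d['TargetUserName']}"
    elif eid == 5136 and d.get("ObjectClass") == "groupPolicyContainer":
        rule, level = "gpo_modified", "high"
        detail = f"{d['SubjectUserName']} modified {d['ObjectDN']}"
    elif (eid == 10 and d["TargetImage"].lower().endswith(r"\lsass.exe")
          and d["SourceImage"] not in LSASS_ALLOWLIST):
        # Any unknown process touching lsass is worth a look; one holding
        # PROCESS_VM_READ can actually dump credentials.
        can_read = int(d["GrantedAccess"], 16) & PROCESS_VM_READ
        rule, level = "lsass_access", "high" if can_read else "medium"
        detail = f"{d['SourceImage']} opened lsass with {d['GrantedAccess']}"
    if rule is None:
        return None
    return {"rule": rule, "severity": escalate(level, ts), "host": event["host"],
            "ts": event["ts"], "off_hours": off_hours(ts), "detail": detail}


def triage_all(events):
    """Alerts for all events, in time order (ISO timestamps sort as text)."""
    return [a for a in map(triage, sorted(events, key=lambda e: e["ts"])) if a]


def time_to_domain_controller(events, dc_hosts, initial_access_ts):
    """Seconds from initial access to the first alert on a DC, or None."""
    t0 = datetime.fromisoformat(initial_access_ts)
    for a in triage_all(events):
        if a["host"] in dc_hosts:
            return (datetime.fromisoformat(a["ts"]) - t0).total_seconds()
    return None


if __name__ == "__main__":
    for a in triage_all(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["ts"], a["host"], a["rule"], "-", a["detail"])
    print("seconds to first DC alert:",
          time_to_domain_controller(SAMPLE_EVENTS, {"DC01"}, SAMPLE_EVENTS[0]["ts"]))
```

On the sample, the workstation LSASS access fires first (critical, because it is a Saturday), the new account on DC01 follows about three and a quarter hours after the initial logon, and the two Monday events stay silent. The point of the allowlist is to keep EDR and AV engines out of the LSASS rule without widening it; anything that needs to be added to it should be justified in a ticket, not silently appended.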

24/7 coverage — MDR or staff it. If you can’t staff a SOC overnight and on weekends, buy managed detection and response. The Sophos data shows MDR environments achieve significantly better defensive response times. The alternative — hoping your scheduled scans and business-hours SOC catch a Saturday 2am ransomware deployment — is not a strategy, it’s a prayer.

Credential hygiene and monitoring. Password policies that force complexity aren't enough if users are reusing credentials across personal and corporate accounts. Deploy a breach credential monitoring service that alerts when corporate email addresses appear in credential dumps. Monitor for brute-force and password-spray activity against all external-facing authentication endpoints and alert on anomalous login patterns: unusual hours, unusual geographies, unusual user agents, and especially a success that follows a burst of failures from the same source. Rate-limit those endpoints as well; an alert on a spray that already succeeded is a forensic artifact, not a control.
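As an added example (not from the report or from the original author), the following Python runs three rules over constructed VPN authentication log lines: a spray (one source, many distinct users), a brute force (one source, many failures in a short window) and the one that matters most, a success following a burst of failures from the same source. Each alert is tagged with whether it fired outside business hours, which is how the off-hours finding above turns into a triage field. The log format, thresholds, IP addresses, usernames and business-hours window are all made up for the example; real appliances log differently and you would parse their format instead.

```python
"""Credential-attack detection over constructed VPN authentication logs.

Added example for this post, not code from Sophos or the author. The log
format, thresholds, addresses and usernames are all made up. Rules:
  spray               one source fails against many distinct users
  brute_force         one source racks up many failures in a short window
  success_after_fail  a source succeeds after a burst of failures
Each alert records whether it fired outside business hours.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
BRUTE_FORCE_FAILS = 10          # failures per source inside WINDOW
SPRAY_USERS = 5                 # distinct users per source inside WINDOW
SUCCESS_AFTER_FAILS = 3         # prior failures that make a success suspicious
BUSINESS_HOURS = range(7, 19)   # Mon-Fri 07:00-18:59 (assumption)

# Constructed sample, format: <ISO time> vpn auth <OK|FAIL> user=<u> src=<ip>
# 1) Saturday 02:01 spray from one IP that ends in a valid login
SPRAY = """\
2025-06-14T02:01:05 vpn auth FAIL user=jsmith src=203.0.113.7
2025-06-14T02:01:09 vpn auth FAIL user=mlee src=203.0.113.7
2025-06-14T02:01:14 vpn auth FAIL user=akhan src=203.0.113.7
2025-06-14T02:01:20 vpn auth FAIL user=dwright src=203.0.113.7
2025-06-14T02:01:27 vpn auth FAIL user=pmorgan src=203.0.113.7
2025-06-14T02:01:33 vpn auth FAIL user=rchen src=203.0.113.7
2025-06-14T02:01:41 vpn auth OK user=rchen src=203.0.113.7
"""
# 2) Tuesday afternoon brute force of a service account: 12 failures
BRUTE = "".join(
    f"2025-06-17T14:00:{s:02d} vpn auth FAIL user=svc_backup src=192.0.2.50\n"
    for s in range(0, 48, 4))
# 3) Monday-morning typo then success: must not alert
BENIGN = """\
2025-06-16T09:15:00 vpn auth FAIL user=jsmith src=198.51.100.20
2025-06-16T09:15:30 vpn auth OK user=jsmith src=198.51.100.20
"""
SAMPLE_LOG = SPRAY + BRUTE + BENIGN


def parse(line):
    """Split one constructed log line into its fields."""
    ts, _, _, result, user_kv, src_kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "ok": result == "OK",
            "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]}


def off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS on a weekday."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(log_text):
    """Run the three rules over the log; each rule fires once per source."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    failures = defaultdict(list)    # src -> [(ts, user)] still inside WINDOW
    fired = set()                   # (src, rule) pairs already reported
    alerts = []

    def alert(rule, e):
        if (e["src"], rule) not in fired:
            fired.add((e["src"], rule))
            alerts.append({"rule": rule, "src": e["src"], "user": e["user"],
                           "ts": e["ts"].isoformat(), "off_hours": off_hours(e["ts"])})

    for e in events:
        # Keep only this source's failures that are still inside the window.
        recent = [f for f in failures[e["src"]] if e["ts"] - f[0] <= WINDOW]
        if e["ok"]:
            if len(recent) >= SUCCESS_AFTER_FAILS:
                alert("success_after_fail", e)      # something opened
        else:
            recent.append((e["ts"], e["user"]))
            if len({u for _, u in recent}) >= SPRAY_USERS:
                alert("spray", e)
            if len(recent) >= BRUTE_FORCE_FAILS:
                alert("brute_force", e)
        failures[e["src"]] = recent
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Run as-is, the sample yields three alerts: the spray, the off-hours success for rchen that should wake someone up, and the weekday brute force against svc_backup; the Monday typo produces nothing. The thresholds are the knobs you tune against your own baseline, and the success_after_fail rule is the one to route to a human rather than a dashboard, since it marks the moment the report's 3.4-hour clock starts.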

As I’ve discussed in my research on cyber-resilient organizational frameworks, resilience isn’t about preventing every attack — it’s about detecting fast, containing quickly, and restoring operations before the damage becomes catastrophic. The Sophos data shows the detection and containment window is now measured in hours, not days. Your processes need to match that reality.

The Final Call-Out

The 2026 Active Adversary Report is telling us, with 661 data points of evidence, that identity is the new perimeter, that attackers time their operations around your staffing rather than their convenience, and that the controls that would prevent most of these incidents (MFA, AD protection, log retention, 24/7 monitoring) are known, documented, available, and still not deployed at the scale they need to be.

Akira is hitting 22% of identified ransomware incidents. Qilin is right behind it. Fifty-one ransomware brands were active in the case set. Twenty-four of them are new.

You know what’s not new? MFA. Password managers. Log aggregation. MDR. These aren’t novel, cutting-edge ideas from a research lab. They’re the basics. And the gap between “knows the basics” and “has actually implemented the basics” is where ransomware gangs are making their living.

Three hours and twenty-four minutes to your Active Directory. How fast is your detection?
