Intrusions into organizational systems are increasingly focused on credential access and timed execution outside regular business hours, as highlighted in the recent Sophos Active Adversary Report 2026. This comprehensive analysis scrutinizes 661 cases of incident response and managed detection and response, which took place between November 1, 2024, and October 31, 2025, encompassing organizations across 70 countries. The report serves as a critical resource in understanding how attackers gain entry, the speed at which they can infiltrate key systems, and when significant activities like ransomware deployment and data theft typically occur.
The report reveals a troubling trend: identity-related techniques accounted for 67% of the root causes behind the attacks examined. These tactics include compromised credentials, brute-force attempts, and phishing, among other forms of identity exploitation. Sophos researchers noted a particularly concerning aspect of this trend: the dominance of identity-related root causes has been building for years. Brute-force attacks and phishing remain increasingly successful means of gaining initial access because they exploit weaknesses in people and credentials that no patch can close. Valid credentials not only ease initial entry but also make the later stages of an attack more effective, since activity under a legitimate account is much harder to distinguish from normal use.
The prominence of credential misuse makes identity the focal point of intrusion activity throughout the reporting period. Identity-based techniques were the most common entry method in the incidents analyzed, underscoring the persistent exposure of authentication systems and user accounts across industries. The report indicates that credential-access techniques were observed more frequently than vulnerability exploitation or other technical entry routes, further emphasizing the need for organizations to prioritize securing their authentication systems and the accounts behind them.
Following initial access, attackers commonly pivot rapidly toward centralized identity infrastructure. The median time taken to reach Active Directory, the component governing authentication and authorization across most enterprise environments, was just 3.4 hours from the start of the intrusion. That narrow window is the realistic period in which defenders can contain a breach before the attacker holds domain-level control and the downstream impact multiplies. Because Active Directory controls user accounts, group memberships, and administrative pathways, it remains a high-value target for cybercriminals.
The median dwell time across the dataset was reported at three days. This figure represents the period from the commencement of malicious activities until detection by cybersecurity defenses. A dwell time of three days affords attackers ample opportunity to conduct reconnaissance, harvest credentials, escalate privileges, and stage for ransomware attacks or data theft. This delay highlights a critical gap between initial compromise and the detection of suspicious behaviors by security monitoring tools or investigative responses.
The report also uncovers significant timing patterns in ransomware deployment, indicating that the most disruptive phases of such incidents typically occur when organizations have reduced staffing levels. In 88% of documented ransomware cases, encryption was initiated outside normal business hours, and 79% of data theft activity likewise took place at off-peak times. Executing these actions while fewer staff are present increases the likelihood that encryption and large-scale data transfers can run to completion without being interrupted, underscoring the need for monitoring and response coverage that extends beyond standard operational hours.
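The three timing figures above (time to Active Directory, dwell time, and the share of impact activity outside business hours) are all derived from an incident timeline, and an incident responder reproduces them on their own cases in much the same way. The following Python script is an added example, not code from the Sophos report or from Sophos; the log format, the event categories, the sample events, and the Mon-Fri 08:00-18:00 local business-hours window are assumptions made for illustration. It parses UTC-stamped events, evaluates business hours in the organization's local time zone so that daylight-saving changes are handled, and computes the same metrics the report discusses, flagging encryption and exfiltration events that occurred off-hours.

```python
"""Incident-timeline metrics: time-to-AD, dwell time and off-hours impact.

Added example; not code from the Sophos Active Adversary Report. The log
format, event categories, sample events and the business-hours window
(Mon-Fri 08:00-18:00 local) are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Optional
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

BUSINESS_START = time(8, 0)   # assumed start of the local working day
BUSINESS_END = time(18, 0)    # assumed end of the local working day

# Constructed sample telemetry (not real data), UTC: "timestamp|host|category|detail".
SAMPLE_LOG = """\
2025-03-10T14:00:00Z|ws-042|initial_access|VPN login with phished credentials
2025-03-10T16:05:00Z|ws-042|other|LSASS memory read by unsigned process
2025-03-10T17:24:00Z|dc-01|ad_access|first authenticated session on domain controller
2025-03-12T06:30:00Z|fs-03|impact_exfil|4.2 GB outbound to unknown cloud storage
2025-03-12T20:00:00Z|fs-03|impact_exfil|1.1 GB outbound to unknown cloud storage
2025-03-13T05:10:00Z|fs-03|impact_encrypt|mass file rename with .locked extension
2025-03-13T14:00:00Z|soc|detection|analyst opens ransomware incident
"""


@dataclass(frozen=True)
class Event:
    ts_utc: datetime
    host: str
    category: str
    detail: str


def parse_line(line: str) -> Event:
    ts, host, category, detail = line.split("|", 3)
    # Accept the trailing 'Z' that fromisoformat() rejects before Python 3.11.
    ts_utc = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Event(ts_utc.astimezone(timezone.utc), host, category, detail)


def parse_log(text: str) -> list[Event]:
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return sorted(events, key=lambda e: e.ts_utc)


def resolve_tz(name: str, fallback_utc_offset_hours: int) -> tzinfo:
    """Use IANA zone data when present; otherwise a fixed offset (assumption
    for environments without tzdata, where DST shifts are then not tracked)."""
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=fallback_utc_offset_hours))


def is_business_hours(ts_utc: datetime, tz: tzinfo,
                      start: time = BUSINESS_START, end: time = BUSINESS_END) -> bool:
    """Evaluate in the organisation's local zone, not in UTC."""
    local = ts_utc.astimezone(tz)
    if local.weekday() >= 5:          # Saturday or Sunday
        return False
    return start <= local.time() < end


def first_of(events: list[Event], category: str) -> Optional[datetime]:
    hits = [e.ts_utc for e in events if e.category == category]
    return min(hits) if hits else None


def incident_metrics(events: list[Event], tz: tzinfo) -> dict:
    """time_to_ad_hours: initial access -> first domain-controller access.
    dwell_time_days:  initial access -> detection (the definition used above).
    impact_off_hours: encryption/exfil events outside local business hours."""
    t0 = first_of(events, "initial_access")
    t_ad = first_of(events, "ad_access")
    t_det = first_of(events, "detection")
    impact = [e for e in events if e.category.startswith("impact_")]
    off_hours = [e for e in impact if not is_business_hours(e.ts_utc, tz)]
    return {
        "time_to_ad_hours": None if t_ad is None else (t_ad - t0) / timedelta(hours=1),
        "dwell_time_days": None if t_det is None else (t_det - t0) / timedelta(days=1),
        "impact_events": len(impact),
        "impact_off_hours": len(off_hours),
        "off_hours_alerts": [f"{e.ts_utc.astimezone(tz):%a %H:%M} {e.host}: {e.detail}"
                             for e in off_hours],
    }


def analyze(log_text: str, tz: tzinfo) -> dict:
    return incident_metrics(parse_log(log_text), tz)


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, resolve_tz("America/New_York", -4)).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports 3.4 hours to the domain controller and a three-day dwell time, and flags two of the three impact events (the 02:30 exfiltration and the 01:10 encryption, local time) as off-hours while the 16:00 transfer passes as business-hours activity. The business-hours test is deliberately done after converting to local time: a rule written against UTC would misclassify events around the daylight-saving transition and for any site whose offset is not zero.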
The impact of generative AI on the cyber threat landscape, while noted, does not appear as transformative as anticipated. Researchers characterized generative AI’s influence as introducing speed, volume, and complexity to the existing threat environment. While the technology enhances attackers’ ability to craft more refined phishing messages and personalized communications, it has not fundamentally changed established access methods. Generative tools have diminished the technical barriers for creating convincing lures and fraudulent messages, effectively broadening participation in social engineering activities and increasing campaign throughput.
Despite expectations that generative AI might usher in fully autonomous attacks or novel attack vectors, the dataset indicates that we are not yet at that stage. For now, the gains for attackers are primarily in terms of efficiency and scale rather than a shift in foundational tactics. Identity compromise, directory targeting, ransomware execution, and data theft remain central elements in the incidents under review, highlighting the need for organizations to bolster defenses against these persistent threats.
In conclusion, as organizations move forward, the insights from the Sophos Active Adversary Report will be invaluable in shaping their cybersecurity strategies. Enhanced monitoring during off-hours, stronger authentication controls, and a focus on closing identity-related weaknesses will be vital in navigating a landscape characterized by increasingly sophisticated cyber threats.