
    Ransomware activity peaks outside business hours

    By admin, March 1, 2026

    Intrusions continue to center on credential access and timed execution outside standard business hours. The Sophos Active Adversary Report 2026 analyzes 661 incident response and managed detection and response cases handled between November 1, 2024 and October 31, 2025, spanning organizations in 70 countries.

    The dataset examines how attackers gain access, how quickly they reach key systems, and when ransomware and data theft occur.

    Figure: Identity-related root causes as a proportion of all cases covered in the last four years of the Active Adversary Report. (Source: Sophos)

    Identity compromise leads initial access

    Identity-related techniques accounted for 67% of root causes across the cases analyzed. The category includes compromised credentials, brute force activity, phishing, and other forms of identity abuse.

    “The most concerning change, meanwhile, has also been years in the making: The dominance of identity-related root causes — brute-force attacks, phishing, and other compromised-credential tactics — for successful initial access. This constellation of tactics leverages weaknesses that can’t be addressed by simple patch hygiene and occasionally acts as a bonus multiplier for attacks in progress,” Sophos researchers explained.

    The proportion places credential misuse at the center of intrusion activity observed during the reporting period. Identity-based access represented the most frequently identified starting point in the incidents reviewed.

    The persistence of identity compromise within industries reflects the continued exposure of authentication systems and user accounts. Credential-related access methods appeared more often than vulnerability exploitation or other technical entry points in the dataset.

    Movement to directory services happens quickly

    After initial access, attackers frequently pivot toward centralized identity infrastructure. The median time to reach Active Directory was 3.4 hours from the start of the intrusion. That early window represents the period when containment has the greatest potential to limit downstream impact.

    AD remains a high-value target because it governs authentication, authorization, and policy enforcement across large portions of enterprise environments. Gaining a foothold there expands visibility into user accounts, group memberships, and administrative pathways.

    The speed reflected in the 3.4-hour median underscores how compressed early attack timelines have become. The interval between credential misuse and directory-level access can fit within a single work shift.

    Throughout the dataset, median dwell time was three days. That figure measures the time between the start of malicious activity and detection by defenders.

    A three-day window provides room for reconnaissance, credential harvesting, privilege escalation, and staging for ransomware or data theft. It reflects the gap between initial compromise and the point when suspicious behavior surfaces through monitoring tools or investigative response.

    Ransomware deployment concentrates outside business hours

    Timing patterns show that the most disruptive stages of ransomware incidents often occur when organizations are operating with reduced staffing. In 88% of ransomware cases, encryption was deployed during non-business hours.

    Data exfiltration followed a similar pattern, with 79% of theft activity also occurring outside the typical workday.

    Off-hours deployment increases the likelihood that encryption or large-scale data transfers proceed without immediate interruption. It places emphasis on monitoring coverage that extends beyond standard schedules.

    AI shows incremental impact

    Expectations of a dramatic shift driven by generative AI did not materialize in the cases reviewed.

    The findings describe generative AI as adding speed, volume, and noise to the threat landscape. Improvements in phishing language, grammar, and personalization reflect that influence. Attackers can produce more polished messages and iterate quickly throughout campaigns, increasing the scale of outreach without changing the underlying access methods.

    Generative tools also lower the technical barrier for creating convincing lures, scripts, and fraudulent communications. That effect broadens participation in social engineering activity and supports higher campaign throughput. The technology acts as a force multiplier for existing techniques.

    “While it seems inevitable that GenAI will someday cross the threshold into fully autonomous attacks, and possibly generate novel attack vectors and malware along the way, we aren’t there yet. In the short term, the attacker gains will be — again — speed, volume, and democratization,” the researchers said.

    The dataset does not identify autonomous AI-driven campaigns replacing established tactics. Identity compromise, directory targeting, ransomware deployment, and data theft remained central elements in the cases examined.
