2026 Active Adversary Report: Threats Unchanged

Sophos' 2026 Active Adversary Report lands with a thud. Threats? Same as ever. AI? Mostly hype.

Nowhere, Man: Cyber Threats Stuck in 2025's Same Old Groove — The AI Catchup

Key Takeaways

  • AI hype fizzled; threats rely on unchanged TTPs like identity attacks.
  • Identity root causes (phishing, brute-force, creds) dominate initial access.
  • Proactive MDR outperforms reactive IR; block Python and amp telemetry now.

Sophos unleashes their 2026 Active Adversary Report — and it’s a mirror held up to 2025’s cyber mess. No fireworks. No AI overlords storming the gates. Just the same tired attackers, picking the low-hanging fruit of bad passwords and phishing hooks.

Here’s the thing. Everyone — and I mean everyone — swore 2025 would be the year AI rewired the threat landscape. Supercharged scams! Autonomous malware! Cue the dramatic music. Instead? Crickets. Except for some phishing jazz-ups, it’s business as usual.

But.

One shift screams for attention. Identity attacks — brute force, phishing, stolen creds — now rule initial access. Eighty-four percent of cases from small outfits under 1,000 souls. Manufacturing tops the victim list at nearly 20%. Feel that familiarity?

Identity-related tactics such as compromised credentials, brute-force attacks, and phishing are by far the most common reason attackers gain initial access.

Sophos nails it there. Straight from their key takeaways. And they’re not wrong.

Why Haven’t Cyber Attackers Evolved Their Game?

Attackers? Lazy geniuses. Or maybe just smart. Why fix what’s not broken? Tactics, techniques, procedures — TTPs in the jargon — barely twitched. Legit tools abused as always. No one’s blocking ‘em. Telemetry gaps? Still blinding defenders. Phishing-resistant MFA? A pipe dream for most.

Picture this: a sprawling empire of neglected basics, where Python scripts slither in unchallenged (block it, Sophos says — smart move). Network breaches outpace ransomware, thanks to proactive MDR spotting trouble early. Reactive IR? Tougher sledding.

Data’s from 661 cases, Nov 2024 to Oct 2025. IR and MDR teams, Secureworks included. Small biz heavy — 56% under 250 employees. Sectors? Manufacturing, finance, construction. Same as last year. And the year before.

Business email compromise? Spiked fourfold. Not more attacks — Sophos’ new hourly IR gigs let cash-strapped firms probe suspicions cheap. Peace of mind, or clarity on M365 compromises. Penny-wise telemetry cuts? Pound-foolish, they warn. Duh.

My hot take? This stagnation echoes the early 2000s worm fests — Blaster, Slammer — when patching was king, but everyone skimped. History’s looping, folks. Companies still treat security like an afterthought expense. Bold prediction: without mandated phishing-proof MFA (think passkeys, now), identity dominance holds till 2030. Bet on it.

Sophos’ corporate spin? Minimal. They hype prevention over detection — fair, since it saves time, cash, grief. But that “one weird blocking trick”? Python blocks. Sounds gimmicky, smells like PR. Yet data backs it: abused everywhere. Try it.

Is AI Just Noise in the Cyber Threat Machine?

GenAI? Adds speed, volume, noise. That’s it, per Sophos. Phishing gets slicker, sure — deepfake voices, tailored lures. But meaningful difference? Nah. Overdramatic headlines ate that narrative.

Look, I’ve seen the demos. ChatGPT spits scam emails faster than a caffeinated intern. Volume up, sure. But defenders? Tools evolve too. Noise filters sharpen. It’s an arms race where attackers sprint, defenders jog — and hold the line.

What grinds my gears: the hype cycle. Vendors peddle AI shields like snake oil. Sophos stays grounded — props. But boards? They chase shiny, ignore roots. Identity? Boring fix. Patch hygiene? Snooze. Result: attackers feast.

Case study teases a multiplier effect — creds snag during active attacks. Nasty. Prevention recap? Gold. Block abused tools. Amp telemetry. Deploy real MFA. Simple. Effective. Ignored.

And the stats wallop home. Network breaches lead. MDR crushes IR outcomes — proactive wins. BEC surges from better access, not doom. Raw data on GitHub — dig in, skeptics.

Small paras for punch. Because why not.

Telemetry skimps hit hard. No signal in noise. Defenders fumble blind. Fix it, or pay.

Prevention beats cure. Always did. Time, effort, outcomes — all favor upfront blocks.

What Does This Mean for Your Defenses?

You’re a mid-size manufacturer? You’re prime bait. Phishing your door? Always open. Brute-force hammering? Logs ignored.

Sophos’ dataset — 34 sectors, small-heavy — mirrors real world. Not cloud unicorns. Your shop.

Unique angle: this report’s a reality check post-AI bubble. Remember Log4Shell panic? Fizzled for most. Here, persistent TTPs demand persistent hygiene. No silver bullet. Grind it out.

Dry humor time: attackers didn’t get the AI memo. Still typing passwords like it’s 2010. We’re the dinosaurs, chasing holograms.

Deeper dive — MDR’s 69% slice shows monitoring pays. IR reactive? Costly chaos. Shift proactive, or bleed.

BEC detail fascinates. Hourly IR? Genius pivot. Small signals get prodded, not full mobilizations. Scalable smarts.

But identity dominance? Years brewing. Patch alone won’t cut it. Multipliers in progress — creds cascade breaches. Vicious.

Prevention guide shines. Block Python (why? Living-off-the-land fave). Enforce MFA worth a damn. Collect all the logs. Boring? Vital.
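The “brute-force hammering, logs ignored” and “collect all the logs” points above only pay off if someone actually runs detection over the telemetry. Here is an added example of what that looks like; it is not code from Sophos or from this article. It parses constructed, syslog-style sshd lines (hostname, IPs and usernames are made up), counts failed logins per source inside a sliding window, and separately flags a successful login from a source that had already tripped the threshold, which is the pattern a credential-theft-after-brute-force case leaves behind. Threshold and window values are assumptions to tune per environment.

```python
"""Brute-force / credential-stuffing detection over authentication logs.

Added example, not part of the Sophos report or the article. Flags source
IPs that exceed a failure threshold inside a sliding window, and flags an
Accepted login from a source that has already tripped that threshold.
Log lines, hostname, IPs and usernames below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log (not real data): one noisy source that tries three
# accounts and then gets in, and one ordinary user who mistypes once.
SAMPLE_LOG = """\
Mar 03 09:00:01 plant-hmi-01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 03 09:00:02 plant-hmi-01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar 03 09:00:03 plant-hmi-01 sshd[2203]: Failed password for operator from 203.0.113.7 port 51024 ssh2
Mar 03 09:00:04 plant-hmi-01 sshd[2204]: Failed password for operator from 203.0.113.7 port 51025 ssh2
Mar 03 09:00:05 plant-hmi-01 sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 03 09:00:09 plant-hmi-01 sshd[2210]: Accepted password for operator from 203.0.113.7 port 51030 ssh2
Mar 03 09:05:00 plant-hmi-01 sshd[2300]: Failed password for jsmith from 198.51.100.20 port 40001 ssh2
Mar 03 09:05:30 plant-hmi-01 sshd[2301]: Accepted password for jsmith from 198.51.100.20 port 40002 ssh2
"""

# Matches the common OpenSSH "Failed/Accepted password" line shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2026):
    """Return (timestamp, result, user, src) tuples; non-matching lines are skipped.

    Syslog timestamps carry no year, so one is assumed (constructed sample: 2026).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window failure counter per source IP (threshold/window are assumptions).

    Returns a dict with two lists:
      'bursts': (src, first_failure_ts, distinct_users_tried) the first time a
                source reaches `threshold` failures inside `window`
      'success_after_burst': (src, user, ts) for an Accepted login from a
                source that has already tripped the threshold
    """
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)        # src -> usernames attempted from that source
    tripped = set()
    out = {"bursts": [], "success_after_burst": []}
    for ts, result, user, src in sorted(events):
        if result == "Failed":
            q = failures[src]
            q.append(ts)
            users[src].add(user)
            while q and ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in tripped:
                tripped.add(src)
                out["bursts"].append((src, q[0], len(users[src])))
        elif result == "Accepted" and src in tripped:
            # A success from a bursting source is the high-priority signal:
            # it means the guessing most likely worked.
            out["success_after_burst"].append((src, user, ts))
    return out


if __name__ == "__main__":
    findings = detect(parse(SAMPLE_LOG))
    for src, first_ts, n_users in findings["bursts"]:
        print(f"burst from {src} starting {first_ts}, {n_users} accounts tried")
    for src, user, ts in findings["success_after_burst"]:
        print(f"SUCCESS after burst: {src} as {user} at {ts}")
```

On the constructed sample, the single bursting source is reported once, with the three accounts it cycled through, and its later successful login is surfaced separately; the ordinary user's one failure followed by a success is not flagged. The point is that none of this works if the sshd lines are never shipped, which is exactly the telemetry gap the report complains about.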

Hype callout: AI’s no panacea. Sophos admits — speed/noise only. Until autonomous ops mature (doubt it soon), basics rule.

Wrapping the sprawl: threats static, us dynamic? Nah. Complacency kills. Act.



Frequently Asked Questions

What does the 2026 Active Adversary Report reveal about cyber threats?

It shows attackers stuck on old TTPs, with identity attacks dominating initial access — no big AI shift.

Why are compromised credentials still the top cyber threat?

Weak MFA and phishing gaps make them easy wins; prevention like passkeys is rare.

How can businesses prevent attacks from Sophos’ report?

Block abused tools like Python, boost telemetry, deploy phishing-resistant MFA — prevention first.

Written by Priya Sundaram

Hardware and infrastructure reporter. Tracks GPU wars, chip design, and the compute economy.



Originally reported by Sophos Threat Research
