Video Summary: Stopping Real-World Attacks - Lessons from the Cyber Frontlines
00:05 Introduction
Welcome to our Cyber Shorts series with Sophos, a LinkedIn Live series focused on bringing you insights into trending cybersecurity topics.
In this episode, we discuss findings from the 2026 Active Adversary Report and what they mean for organizations.
00:12 Meet the speakers
I’m Susie Evershed, joined by Hillary Wood, Senior Incident Response Analyst at Sophos.
Today’s conversation explores the latest report findings, including the growing role of identity in cyber incidents and the continued evolution of the threat landscape.
00:57 What data powers the report
This year’s Active Adversary Report is based on 661 critical cases handled by Sophos incident response teams between November 2024 and October 2025.
The report includes incidents across 34 industries and 70 countries, drawing from Sophos Emergency Incident Response, Managed Detection and Response, and, for the first time, Secureworks group customers.
02:08 How the findings are built
Sophos normalized data from these incidents across 52 fields, including tools, techniques, and key timestamps.
These data points form the foundation of the report’s insights into attacker behavior and defender response.
02:27 Identity attacks dominate incidents
The headline finding from this year’s report is that nearly two-thirds of incidents were rooted in identity-based attacks.
This reflects a continued shift toward attackers gaining access by abusing credentials and hijacked sessions rather than breaking in through traditional methods.
03:15 Common identity attack techniques
The report tracks a range of identity-related techniques, including brute force attacks, credential phishing, token theft, trusted relationship abuse, and compromised credentials.
Brute force was the most prominent attack type in this category.
04:08 MFA gaps remain a major issue
In just under 60% of incidents, multi-factor authentication was unavailable, not enforced, or misconfigured in a way that made it ineffective.
This continues to play a major role in attackers gaining initial access, particularly through brute-force attacks against VPN appliances.
05:09 More threat groups in the landscape
The report also found a larger number of threat groups in incidents this year.
Sophos tracked 51 unique ransomware brands in the dataset, up from 44 the previous year, including 24 new threat groups not seen in last year’s report.
05:57 Ransomware-as-a-service keeps growing
Many of the top groups observed are ransomware-as-a-service brands, showing how this model continues to thrive.
It allows lower-skilled attackers to use shared infrastructure and tooling to launch attacks more easily.
06:20 Most active ransomware groups observed
The top threat group in the dataset was Akira, which Sophos tracks as GOLD SAHARA, followed closely by Qilin, tracked as GOLD FEATHER.
Other groups in the top five included SafePay and INC; the Sophos designations GOLD LEAPROG, GOLD IONIC, and GOLD ENCORE also appeared among the most active groups.
06:52 More groups, but familiar techniques
Although the number of threat groups is increasing, the tools and tactics they use remain relatively consistent.
That is good news for defenders, because it means proven defensive measures against common techniques still matter.
07:29 Attackers continue to operate out of hours
The report found that 88% of ransomware deployment and 79% of data exfiltration took place outside normal business hours.
This pattern has remained consistent over the years, showing that attackers prefer to act when organizations are less likely to notice and respond quickly.
08:29 Why 24/7 monitoring matters
These findings highlight the importance of around-the-clock monitoring and response capabilities.
Without proactive coverage, attackers can use off-hours activity to extend dwell time, exfiltrate data, and deploy ransomware before defenders can intervene.
09:03 MDR is reducing attacker impact
Since MDR cases were added to the dataset, Sophos has seen a significant drop in the share of attacks that progress to ransomware deployment and data exfiltration.
This suggests analysts are detecting and blocking attackers earlier in the attack chain, before major damage is done.
09:53 What the report says about AI
Despite widespread discussion about AI’s role in cyberattacks, the report found minimal evidence that AI had a significant direct impact on incidents in this dataset.
While attackers may use AI to improve social engineering and increase attack scale, Sophos observed only one case involving a deepfake video, and that was caught before it became an incident.
11:13 AI is increasing speed and volume, not changing fundamentals
The report suggests AI is making attacks faster, noisier, and potentially more scalable.
However, the underlying tools and techniques used in incidents remain largely the same, which means security fundamentals still provide strong defensive value.
11:47 Key takeaways for organizations
The first major takeaway is the need for stronger identity protections, especially effective and phishing-resistant MFA.
The second is that even with more threat groups and increased AI use, defenders should stay focused on restricting access, tackling commonly used tools and techniques, and maintaining strong security fundamentals.
13:13 Closing
Thank you for joining this Cyber Shorts episode.
To explore the findings in more depth, read the full Active Adversary Report and stay tuned for future episodes, blog updates, and social content from Sophos.