ctipilot.ch


ANNUAL REPORT — Sophos 2026 Active Adversary Report: identity is the dominant intrusion root cause [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

Sophos published its 2026 Active Adversary Report (drawing on 661 IR/MDR cases) on 2026-06-02 (Sophos X-Ops, 2026-06-02). Per PD-9 this report gets one treatment, so what follows are the findings that change defender priorities rather than the survey scorecard: identity-based compromise — stolen/valid credentials, brute force, and phishing — was the leading root cause, and missing or misconfigured MFA was present in a majority of incidents. Time from initial access to Active Directory compromise has compressed materially, with Impacket among the most frequently observed post-exploitation toolkits and AnyDesk the most-abused legitimate remote-access tool. The recurring telemetry blind spots are the actionable part: firewall logs were missing in roughly half of ransomware cases, and a meaningful share of compromised Windows Servers were running end-of-life builds. [SINGLE-SOURCE] (vendor IR telemetry report).

Why it matters to us: The hunt targets generalise directly to public-sector AD estates — alert on Impacket artefacts (impacket-* tool names in process trees, secretsdump-style NTDS access, SMBExec/WMIExec parent processes), instrument the initial-access-to-DC-compromise window, inventory EOL Windows Servers, and verify firewall log retention before an incident rather than during one.
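As an added illustration of the Impacket hunt targets above (example code written for this brief, not from Sophos or the Impacket project), a small Python triage routine that runs the artefact rules over constructed process-creation records. The wmiexec and smbexec command-line shapes are assumed from the toolkit's well-known defaults and the sample events are constructed; both should be validated against local telemetry before use.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str      # endpoint that emitted the process-creation record
    parent: str    # parent image path
    image: str     # image path of the new process
    cmdline: str   # full command line

# Hunt rules for the Impacket artefacts named in the brief. The wmiexec and
# smbexec command-line shapes are the toolkit's well-known defaults and are
# treated here as assumed indicators; tune them against your own telemetry.
RULES = [
    ("impacket-tool-name",
     lambda e: re.search(r"impacket-\w+|secretsdump\.py|(?:wmi|smb|dcom)exec\.py",
                         e.image + " " + e.cmdline, re.I)),
    # wmiexec: cmd.exe spawned by WmiPrvSE.exe, output redirected to ADMIN$\__<ts>
    ("wmiexec-parent-and-redirect",
     lambda e: e.parent.lower().endswith("wmiprvse.exe")
     and re.search(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__", e.cmdline)),
    # smbexec: service-launched cmd.exe writing its output to \\127.0.0.1\C$\__output
    ("smbexec-service-pattern",
     lambda e: e.parent.lower().endswith("services.exe")
     and re.search(r"\\\\127\.0\.0\.1\\C\$\\__output", e.cmdline)),
    # secretsdump-style NTDS access: shadow-copy creation or direct ntds.dit reads
    # (review, not verdict: backup jobs also create shadow copies)
    ("secretsdump-style-ntds-access",
     lambda e: re.search(r"ntds\.dit|vssadmin\s+create\s+shadow", e.cmdline, re.I)),
]

def hunt(events):
    """Return (host, rule) pairs for every matching event; one event may hit several rules."""
    hits = []
    for e in events:
        for name, test in RULES:
            if test(e):
                hits.append((e.host, name))
    return hits

# Constructed sample telemetry (not real incident data); the last record is benign noise.
SAMPLE_EVENTS = [
    ProcEvent("dc01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1717400000.12 2>&1"),
    ProcEvent("fs02", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"),
    ProcEvent("dc01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin create shadow /for=C:"),
    ProcEvent("jump01", "/usr/bin/bash", "/usr/bin/python3",
              "/usr/bin/impacket-wmiexec CORP/user@<dc-placeholder>"),
    ProcEvent("ws07", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Feed the same rules with events from the SIEM's process-creation table (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled), since without command lines the redirect and service patterns cannot fire.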