News from the future

Cybercriminals Didn’t Need Smarter AI in 2025. They Had Your Login.

In hundreds of real-world breach investigations, the most effective tactic was not algorithmic wizardry but something far more mundane: stolen credentials and weak identity controls. Attackers did not need to outsmart defenses with novel exploits when they could simply log in through the front door.

In the technology industry, 2025 was widely billed as the year artificial intelligence would transform cyberwarfare. According to a new report from the security firm Sophos, that revolution largely failed to materialize.

“GenAI adds speed, volume, and noise to the threat landscape… but for now, that’s about it,” the company writes in its 2026 Active Adversary Report, which draws on 661 incident response cases handled between November 2024 and October 2025.

Instead of novel AI-driven exploits, investigators found something more familiar. “This confirms what we and many others have been saying for a few years: Attackers aren’t breaking in, they’re logging in,” the report states.

The report argues that the most consequential shift in cybersecurity is not the rise of autonomous AI attackers but the steady dominance of identity-based attacks. In 2025, 67.32 percent of root causes were related to compromised identity, including brute-force attacks, credential phishing, authentication token theft and other forms of credential abuse. Cases involving compromised credentials alone accounted for 42.06 percent of root causes.

The data suggests that attackers increasingly bypass software vulnerabilities altogether. Exploitation of vulnerabilities accounted for 16.04 percent of cases, nearly tied with brute-force attacks at 15.58 percent. Phishing represented 6.35 percent of identifiable cases, more than doubling from the previous year.

The report summarizes the trend bluntly: “Attackers aren’t breaking in, they’re logging in.”

Even where vulnerabilities were exploited, the window between patch release and attack was long. The median time between a vendor advisory and exploitation was 322 days. The median time between publication of a proof of concept and exploitation was 296.5 days. In many cases, attackers relied on older weaknesses rather than cutting-edge flaws.

“The most concerning finding in the report has actually been years in the making: The dominance of identity-related root causes for successful initial access. Compromised credentials, brute-force attacks, phishing, and other tactics leverage weaknesses that can’t be addressed by simple patch hygiene. Organizations must take a proactive approach to identity security,” said John Shier, Field CISO and lead author of the report.

Ransomware patterns were similarly consistent. Five ransomware brands accounted for 51 percent of incidents, with Akira alone responsible for 22.58 percent of cases. Overall, 51 unique ransomware brands were observed in 2025.

“Law enforcement action continues to cause disruption in the ransomware ecosystem. Although we still see activity from LockBit, the dominance and reputation it once had has clearly been impacted. However, it means we are seeing a raft of other groups vying for dominance and many more emerging groups. For defenders, it’s important to understand the groups and their TTPs in order to best protect your organization,” Shier added.

Data theft continued to rise. Exfiltration attacks reached 12.71 percent of cases, the highest percentage recorded since the company began publishing its Active Adversary reports in 2021. In nearly half of ransomware cases with confirmed exfiltration, the stolen data was publicly leaked within 19.5 days.

One small but potentially significant shift involved tools rather than tactics. Impacket, an open-source toolkit used to move laterally within networks, accounted for 36.01 percent of all tools observed and saw an 83.08 percent increase in usage over 2024. Because Impacket depends on Python, the report suggests a straightforward defensive measure: “Unlike PowerShell, unless Python is required by the organization, it should be summarily blocked, at least on non-development workstations, to prevent Impacket use.”

The firm also warns that cost-cutting in logging and monitoring may be backfiring. Missing logs were the second most common contributing factor in incidents. In some cases, firewall logs were retained for only seven days or even 24 hours. “You aren’t going to learn what you don’t want to know,” the report notes.

Multi-factor authentication remains unevenly deployed. MFA was either not enabled or not fully configured in 59.46 percent of incidents in 2025. The report identifies three common categories: organizations that believed MFA was enabled but it was not, those that had misconfigured MFA and those that knowingly had not enabled it.

The study argues that properly configured MFA remains one of the most effective defenses against identity-based attacks. “MFA is a fundamental barrier against adversary initial access, with a decades-long history and multiple means of implementation.”

As for artificial intelligence, the firm documented only one verified instance of generative AI use in its case load, a video deepfake delivered via social media that did not lead to an incident because it was promptly reported. “Score one for the humans,” the report says.

While generative AI has improved the quality and scale of phishing campaigns, investigators found no evidence of a sweeping shift toward autonomous AI attackers. “So far, enthusiasm is vastly outpacing evidence,” the report concludes.

For defenders, the lesson is less about preparing for futuristic threats than fixing persistent weaknesses. “Prevention still beats detection, both in outcomes and in time and effort spent defending,” the authors write.

The report closes on a sober note. “Why go to the trouble of leveraging AI, really, when so many tried-and-true attacker TTPs are still working well?”
