In my nearly 30 years as a professional in information security, I find that we are often trying to solve the wrong problems. The security market can be a very noisy place, and while there is no lack of information to consume, we often struggle to find the right information. The signal-to-noise ratio has never been worse, and we need accurate and timely information to stay on top of such a fast-moving and critical function.
Sometimes we are asking the wrong questions
I remember doing a “security audit,” which I suppose we would now more accurately call a penetration test, around 1996. The organization had a Check Point firewall and some UNIX servers, and the firewall was blocking everything except FTP and SMTP to the Sun Solaris boxes behind it. The FTP server was wide open and had been commandeered to host warez, and the SMTP server was Sendmail and configured as an open relay. The question they wanted answered was “Is the firewall configured and working properly?” The answer was yes -- yes, but you have a very serious security problem nonetheless.
When I started working at Sophos in October 2003, people were clamoring for client firewalls and anti-spyware software. What might have been more effective at the time would have been to embrace the newly launched Patch Tuesday process and disable scripting support in Outlook and Outlook Express, or lock down macro use, or disable Autorun, or any combination of these now-obvious adjustments. We are often distracted by visible problems, like browser toolbars, rather than the more critical invisible problems.
Speaking difficult truths
Most of us look to our peers for advice, and we often judge our own security maturity and progress against the same peer group. At a high level this works well, but it begins to fall apart when we look at our failures. Enter our friend(?) the non-disclosure agreement: Everything we learn from our mistakes we must keep quiet about. We are forbidden to discuss or share our lessons learned. Sadly, I have seen the effect of this hundreds of times when organizations choose for whatever reason to sweep messes under the carpet. Their individual choice may have made sense for each organization, but back at Sophos we watched as customer after customer fell like dominoes to the same issues. (This has been, as you might expect, a factor in our ongoing efforts to operate with as much transparency as possible, whether in the months of data analysis and review that go into each Report or in company-wide projects such as 2024’s Pacific Rim.)
The worst outcome of the legal peril companies and executives generally face from their security failures is that they then get to watch others repeat their mistakes over and over again. Probably. It is hard to know, as the other victims can’t disclose their errors either.
From Bangkok to Calgary
When John Shier came up with the idea for the Active Adversary report six years ago, I immediately got excited by the idea. His motivation was to learn more about what happened after attackers gain initial access to targeted organizations, but my excitement was that we might finally have a way to truly share the root causes to help security leaders learn from their peers’ mistakes. By anonymizing and aggregating many cases together, we could get to the core problems without harming anyone’s reputation or trust.
This year’s report is derived from more than 600 cases from around the world and from a diverse set of industries. Despite all this variety, the data shows that many organizations are struggling with similar core issues that lead them to situations where incident response is required.
For example, while only 16% of incidents in 2025 involved an exploited vulnerability, it can be helpful to look a little more closely to know what to prioritize when planning our patching. Delving deeper, 52% of vulnerabilities exploited were in security appliances and 33% were in internet-facing applications. (Not to mention the utter dominance of CVE-2024-40766, the high-profile SonicWall vulnerability, in this year’s results, something we discuss in the Report.) This pinpoints where many of us have work to do, and where the industry’s best practices guidance around patch prioritization needs a rethink in 2026. Expect more published data around this line of inquiry from the writers of the Active Adversary Report later this year.
Allons-y
We all have a lot of work to do, and this report is here to help guide your efforts. It is the best report yet, and our largest since we began publication in 2020. As with last year’s report, our data has been shared with Verizon for inclusion in this year’s Data Breach Investigations Report (DBIR). We also share data on our GitHub in the spirit of transparency; this year’s upload will include data from the period 2022 to 2025.
I encourage you to read the full report to benefit from the authors’ insights, as often the devil is in the details, and our researchers can help apply a useful lens to interpreting the findings. If you choose to explore the data further by grabbing a copy from GitHub and doing additional analysis, we’d be pleased to hear about it.