AI-First businesses are paying an‘ AI Speed Tax’ when recovering from cybersecurity incidents according to report
Sophos Active Adversary Report 2026: Identity attacks dominate as threat groups proliferate
CISO news
AI-First businesses are paying an‘ AI Speed Tax’ when recovering from cybersecurity incidents according to report
astly, a leader in global edge cloud platforms, has published the findings from its fourth
F annual Global Security Research Report. It reveals that AI-first businesses – those integrating AI into key processes and offerings from the outset rather than as a secondary enhancement – are paying an AI tax by failing to modernise security in step with AI’ s rapid expansion across IT infrastructure. These businesses report taking nearly seven months on average to fully recover from cybersecurity incidents, 80 days longer than businesses that do not identify as AI-first.
The financial toll of a cybersecurity incident for AI-first businesses exceeds that of non-AI-first businesses by more than 135 %. In fact, almost half( 44 %) of AI-first organisations claim that AI was directly exploited in their most recent security incident, compared to just 6 % for non-AI-first organisations.
“ The speed of AI adoption is reshaping security infrastructure almost overnight. For AI-first businesses, the priority isn’ t to slow down innovation – it’ s to modernise security at the same rate that AI is transforming their infrastructure,” said Marshall Erwin, CISO at Fastly.
AI scraping alone has become a material cost centre for nearly twothirds( 64 %) of organisations, with average annual infrastructure impacts exceeding US $ 348,000.
“ From unmonitored agentic activity to escalating scraping costs, the risks are real, operationally and commercially,” said Erwin.
Sophos Active Adversary Report 2026: Identity attacks dominate as threat groups proliferate
ophos, a global leader of innovative security solutions for defeating cyberattacks, has released the 2026 Sophos
S
Active Adversary Report. The report analysed 661 Incident Response and Managed Detection and Response cases handled between November 2024 and October 2025, spanning organisations across 70 countries and 34 industries.
Identity attacks accelerate while MFA gaps persist
The report shows a continued rise in attacks rooted in identity compromise( 67 %), including stolen credentials, brute-force activity and phishing. While exploited vulnerabilities remain a factor, attackers increasingly rely on valid accounts to gain initial access, allowing them to bypass traditional perimeter defences.
John Shier, Field CISO and lead author of the report, said:“ The most concerning finding in the report has actually been years in the making: The dominance of identity-related root causes for successful initial access. Compromised credentials, brute-force attacks, phishing and other tactics leverage weaknesses that can’ t be addressed by simple patch hygiene.”
More threat groups, broader risk
The highest number of active threat groups were recorded in the report’ s history, expanding overall threat landscape.
Shier said:“ Law enforcement action continues to cause disruption in the ransomware ecosystem. Although we still see activity from LockBit, the dominance and reputation it once had has clearly been impacted. However, it means we are seeing a raft of other groups vying for dominance and many more emerging groups.”
WWW. INTELLIGENTCISO. COM 11