Talos Year in Review: Identity Security Drives Defender Priorities as Device Attacks Jump 178%


Cisco Talos closed its 2026 Year in Review on a sober identity security finding: device-compromise attacks rose 178% year over year, and ransomware chains now lean almost entirely on valid accounts and credentialed tools rather than novel exploits.

  • Talos’s incident-response telemetry shows attackers prioritize what is exposed and reachable, with React2Shell and ToolShell weaponized inside hours of disclosure while Log4Shell remains in the top-100 four years after the patch shipped.
  • Nearly 40% of the 100 most-targeted vulnerabilities sit on end-of-life systems, and 32% are over a decade old; the long tail of legacy and embedded code is the durable attacker advantage, not new zero-days.
  • Network management platforms, application delivery controllers, and other trust-broker systems are now first-class targets because they hold credentials and configurations at scale; they are also the least-monitored layer in most environments.

Identity Security as the Main Battlefield in Talos’s Findings

Talos’s Year in Review wrap-up argues identity security is where defender attention belongs because attackers prefer authentication over exploitation when both are available. The named patterns in the report are operationally specific: MFA spray attacks against IAM platforms, attackers registering their own devices as trusted MFA methods, session-token theft from VPNs and Active Directory Controllers, and ransomware playbooks that thread valid accounts and credentialed tools through every stage of the attack chain. Talos lists treating identity infrastructure as Tier-1 critical, hardening MFA device-registration workflows with strict verification, enforcing rate-limiting and conditional access on authentication systems, and building behavioral baselines around what authenticated users actually do as the four moves that compress the attacker’s working window.

The behavioral-baseline point matters more than the IAM-hardening point because hardening assumes the attacker has not yet succeeded; baselines work after they have. Talos’s framing makes the distinction explicit: even when attackers authenticate cleanly, they access systems outside the user’s role, move laterally with PsExec, and operate off-hours and at a scale no legitimate user does. Each of those actions is a detection opportunity that incident response teams can convert into an automated triage signal.

Why the Long Tail of Legacy Vulnerabilities Outweighs the Zero-Day Anxiety

The Talos report’s most contrarian finding contradicts the prevailing narrative that AI-accelerated exploitation is the central change in the threat landscape. Talos data shows attackers still concentrate on what is reachable and embedded: 40% of top-100 targeted vulnerabilities affect end-of-life systems, 32% are over a decade old, and many sit inside frameworks like Log4j, ColdFusion, and PHP that are tightly coupled to business-critical applications. These are precisely the vulnerabilities that traditional CVSS-driven prioritization mishandles, because exposure and accessibility are not in the score.

What Talos under-emphasizes is the operational consequence for vendor-management teams. The legacy and embedded category is not just a patching backlog problem. It is a software-bill-of-materials problem disguised as a patching backlog: defenders cannot remediate what they cannot inventory. Treating development frameworks and libraries as part of the attack surface, the language Talos uses, requires asset-management capability most security teams have not built. The 178% jump in device-compromise attacks against this same population of poorly-inventoried infrastructure is what turns the long tail into the central exposure.

How CISOs Can Convert the Talos Five Priorities Into a 90-Day Program

Talos’s five priorities only matter if they sequence into an executable program. The order below moves from highest-leverage to longest-build, so each move underwrites the next.

Reclassify identity infrastructure as Tier-1 in the next CMDB review. The IAM platform, the directory service, and the privileged access management stack should sit alongside the crown-jewel data stores in monitoring posture and change control. Talos’s 178% device-compromise increase tells you the perimeter has already moved; the asset register should reflect that.

Re-rank the vulnerability backlog by exposure, not CVSS. The Talos data on Log4Shell persistence and the rapid weaponization of React2Shell and ToolShell argues for a rolling reassessment of what is internet-facing and reachable. A monthly external-attack-surface scan that feeds the patch queue with reachability annotations beats a quarterly CVSS sort.

Apply trust-broker monitoring controls to ADCs, network management, and shared platforms. Talos calls out these systems as low-monitored, high-leverage targets. Logging admin-plane access, alerting on configuration changes outside change windows, and segmenting privileged access to these platforms close the gap the Year in Review documents.

Tune detection toward behavioral anomalies, not signature matches. Even AI-orchestrated ransomware campaigns reuse infrastructure, tools, and procedural sequences. A smaller set of high-confidence behavioral detections fed by the IAM baselines from priority one will outperform a larger set of signature-based alerts at the volumes Talos describes.
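To make the baseline-driven triage described here and in the identity section above concrete, the following is an added example (not code from Talos or Cybersecurity Insiders): it compares constructed authentication and host events against a hypothetical per-user baseline of normal hosts and working hours, flags the three behaviors the report names (access outside the user's role, off-hours activity, and PsExec lateral movement, recognized by its default PSEXESVC service name), and escalates only users that trip more than one signal.

```python
# Added example: baseline-vs-activity triage over constructed events.
from collections import Counter
from datetime import datetime

# Constructed baseline (assumed, not from the report): per user, the hosts
# their role normally touches and the hours they normally work.
BASELINE = {
    "alice": {"hosts": {"fin-app01", "fin-db01"}, "hours": range(7, 19)},
    "bob":   {"hosts": {"web01", "web02"}, "hours": range(8, 20)},
}

# Constructed sample events: (timestamp, user, host, action, detail).
EVENTS = [
    ("2026-03-02T09:14:00", "alice", "fin-app01", "logon", "interactive"),
    ("2026-03-02T02:41:00", "alice", "dc01", "logon", "network"),
    ("2026-03-02T02:43:00", "alice", "dc01", "service_install", "PSEXESVC"),
    ("2026-03-02T10:05:00", "bob", "web02", "logon", "interactive"),
]


def score_event(ts, user, host, action, detail):
    """Return the anomaly reasons for one authenticated event (empty if normal)."""
    base = BASELINE.get(user)
    if base is None:
        return ["no baseline for user"]
    reasons = []
    if datetime.fromisoformat(ts).hour not in base["hours"]:
        reasons.append("off-hours")
    if host not in base["hosts"]:
        reasons.append("host outside role")
    # PsExec installs a service named PSEXESVC on the target by default.
    if action == "service_install" and detail.upper().startswith("PSEXESVC"):
        reasons.append("PsExec service created")
    return reasons


def triage(events):
    """Aggregate reasons per user; escalate users with at least two distinct signals."""
    per_user = {}
    for ev in events:
        reasons = score_event(*ev)
        if reasons:
            per_user.setdefault(ev[1], Counter()).update(reasons)
    return {user: sorted(c) for user, c in per_user.items() if len(c) >= 2}


if __name__ == "__main__":
    for user, reasons in triage(EVENTS).items():
        print(f"ESCALATE {user}: {', '.join(reasons)}")
```

The threshold of two distinct signals is a constructed choice; in practice the baseline would be learned from the IAM platform's own history rather than hard-coded.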

The strategic takeaway from Talos’s Year in Review is that identity security remains the operational battlefield even as AI changes the surrounding economics; the defenders who stop chasing zero-days and start watching what authenticated accounts do next will spot the next ransomware chain before it locks the first share.


Holger Schulze
Holger Schulze is the founder and publisher of Cybersecurity Insiders, an independent cybersecurity media and research company. The publication centers on the security domains under the most pressure from AI: identity and phishing resistance, incident response velocity, application security, and threat intelligence tradecraft. Coverage maps the readiness gap between where CISO teams sit today and where AI-era attack speed is pushing them, and which moves close it fastest. Writing here applies Cybersecurity Insiders' Capability and Coherence Maturity Model to primary-research data and named incident analysis, evaluating security programs across the reactive, managed, and adaptive maturity tiers. Holger moderates the Information Security Community on LinkedIn, one of the largest cybersecurity professional networks. Connect at linkedin.com/in/holger-schulze.
