Cisco Talos: Five cybersecurity priorities for defenders
Cisco Talos’ Year in Review lists five priorities: secure identity, patch exposed systems, retire legacy components, harden control platforms and detect anomalous activity.
Cisco Talos published its Year in Review on April 28, 2026, and identified five areas defenders should prioritize: identity protection, patching externally exposed systems, retiring or isolating legacy components, hardening management and control platforms, and detecting anomalous activity.
The report shows credential abuse and misuse of valid accounts throughout its incident data. Multi-factor authentication systems face MFA spray attacks and cases where attackers register their own devices as trusted factors. Device compromise rose 178% year over year. Network infrastructure such as VPNs, Active Directory controllers and firewalls is frequently targeted because those systems can be used to steal session tokens, bypass authentication and impersonate users.
During a conference Q&A referenced in the report, a Talos responder advised: “A helpful way to respond is to focus on the here and now — focus on what you can control, and what you have influence over.”
Talos documents rapid exploitation of newly disclosed vulnerabilities when proof-of-concept code becomes available. The report cites React2Shell and ToolShell as examples that were weaponized within hours of disclosure. Older flaws remain in widespread use; Log4Shell continues to be exploited more than four years after disclosure. The report recommends prioritizing remediation by internet exposure and access impact, shrinking time-to-patch for externally reachable systems and continually reassessing which services and ports are reachable from the outside.
Legacy and embedded components account for a substantial portion of targeted vulnerabilities. The Year in Review states that nearly 40% of the top 100 most targeted vulnerabilities affect end-of-life systems and that about 32% of those vulnerabilities are more than a decade old. Many of these flaws exist in embedded frameworks, libraries and application components that are poorly inventoried and tightly integrated with business systems. The report calls for better visibility into software dependencies and clear plans to isolate or retire systems that cannot be patched.
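The two recommendations above (rank remediation by internet exposure and access impact, and plan to isolate or retire what cannot be patched) can be expressed as a small triage routine. The following is an added example, not code from the Talos report; the weights, SLA tiers, field names and the sample findings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed findings; ids, hosts and ages are made up for illustration.
@dataclass(frozen=True)
class Finding:
    finding_id: str
    host: str
    internet_exposed: bool
    access_impact: str        # "auth_bypass", "rce", "priv_esc" or "info"
    exploit_public: bool      # public proof-of-concept or observed exploitation
    end_of_life: bool         # vendor no longer ships fixes
    years_since_disclosure: float

# Assumed weights: what an attacker gains (access impact) dominates,
# then reachability from the internet, then exploit availability.
IMPACT_WEIGHT = {"auth_bypass": 40, "rce": 40, "priv_esc": 25, "info": 5}
LEGACY_YEARS = 10  # the report's "more than a decade old" threshold

def score(f: Finding) -> int:
    s = IMPACT_WEIGHT.get(f.access_impact, 0)
    if f.internet_exposed:
        s += 30
    if f.exploit_public:
        s += 20
    if f.end_of_life:
        s += 10  # no vendor fix is coming, so waiting is not an option
    return s

def remediation(f: Finding) -> str:
    # End-of-life components cannot be patched: isolate or retire them instead.
    return "isolate_or_retire" if f.end_of_life else "patch"

def deadline_days(f: Finding) -> int:
    # Assumed time-to-patch tiers: externally reachable and already exploited
    # gets the shortest window; internal-only with no exploit gets the longest.
    if f.internet_exposed and f.exploit_public:
        return 1
    if f.internet_exposed:
        return 7
    if f.exploit_public:
        return 14
    return 30

def triage(findings):
    """Return findings ordered by score, each with an action and a deadline."""
    ranked = sorted(findings, key=lambda f: (-score(f), f.finding_id))
    return [
        {
            "finding_id": f.finding_id,
            "host": f.host,
            "score": score(f),
            "action": remediation(f),
            "deadline_days": deadline_days(f),
            "legacy": f.years_since_disclosure >= LEGACY_YEARS,
        }
        for f in ranked
    ]

# Constructed sample inventory.
SAMPLE_FINDINGS = [
    Finding("F-1", "vpn-edge-01", True, "auth_bypass", True, False, 0.1),
    Finding("F-2", "app-legacy-07", False, "priv_esc", True, True, 10.5),
    Finding("F-3", "wks-0412", False, "info", False, False, 1.0),
    Finding("F-4", "web-public-02", True, "rce", False, False, 0.5),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```

The output puts the exposed, already-exploited VPN flaw first with a one-day window, the exposed web server second, and routes the end-of-life application server to isolation or retirement rather than a patch queue that will never drain.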
Systems that broker trust and control attract attackers because they store credentials and can make changes at scale. Talos highlights network management platforms, application delivery controllers and shared management software as frequent targets. These platforms are often less monitored and harder to update. The report advises identifying management-plane and control-plane systems, adding enhanced monitoring and stricter access controls, limiting administrative accounts and enforcing segmentation around those systems.
On detection, the report notes that automation and AI have lowered the barrier to entry for attackers but that adversary activity still produces detectable patterns. Automated campaigns tend to reuse infrastructure and follow predictable sequences, producing anomalies such as unusual authentication flows, access to systems outside a user’s role, atypical device registrations and activity at odd hours. Talos recommends narrowing detections to higher-confidence anomalies to reduce alert volume, combining automated triage with human investigation and training teams to analyze patterns of behavior rather than isolated alerts.
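The anomalies listed above (unusual authentication flows, access outside a user's role, atypical device registrations, odd-hours activity) and the advice to alert only on higher-confidence combinations can be shown as detection logic run over sample events. This is an added example, not code from Talos; the event schema, role policy, thresholds and the log entries are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role policy: which resources each role may legitimately reach.
ROLE_ALLOWED = {"finance": {"erp"}, "it-admin": {"erp", "ad", "vpn-mgmt"}}
USER_ROLES = {"alice": "finance", "bob": "finance", "dave": "it-admin"}

SPRAY_THRESHOLD = 5                 # MFA denials ...
SPRAY_WINDOW = timedelta(minutes=10)  # ... within this window = spray
ODD_HOURS = range(0, 6)             # assumed off-hours band, local time

def find_signals(events):
    """Return {user: sorted list of anomaly signal names} for all users."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append({**ev, "ts": datetime.fromisoformat(ev["ts"])})
    signals = defaultdict(set)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        # 1. MFA spray: a burst of denied pushes/challenges in a short window.
        denied = [e["ts"] for e in evs if e["action"] == "mfa_denied"]
        for i in range(len(denied) - SPRAY_THRESHOLD + 1):
            if denied[i + SPRAY_THRESHOLD - 1] - denied[i] <= SPRAY_WINDOW:
                signals[user].add("mfa_spray")
                break
        # 2. Atypical device registration: new MFA factor enrolled from an IP
        #    that never produced a successful login for this user before.
        for e in evs:
            if e["action"] == "mfa_device_registered":
                prior_ips = {x["src_ip"] for x in evs
                             if x["action"] == "login_success" and x["ts"] < e["ts"]}
                if e["src_ip"] not in prior_ips:
                    signals[user].add("device_registration_unknown_ip")
        # 3. Access outside the user's role.
        allowed = ROLE_ALLOWED.get(USER_ROLES.get(user, ""), set())
        for e in evs:
            if e["action"] == "resource_access" and e.get("resource") not in allowed:
                signals[user].add("access_outside_role")
        # 4. Activity at odd hours.
        if any(e["ts"].hour in ODD_HOURS for e in evs):
            signals[user].add("odd_hours")
    return {u: sorted(s) for u, s in signals.items()}

def high_confidence_alerts(events, min_signals=2):
    """Narrow to users with several independent signals to cut alert volume."""
    return {u: s for u, s in find_signals(events).items() if len(s) >= min_signals}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-04-27T09:12:00", "user": "alice", "action": "login_success", "src_ip": "10.0.0.5"},
    {"ts": "2026-04-27T09:13:00", "user": "alice", "action": "resource_access", "src_ip": "10.0.0.5", "resource": "erp"},
    {"ts": "2026-04-27T03:05:00", "user": "dave", "action": "login_success", "src_ip": "10.0.0.8"},
    {"ts": "2026-04-27T03:06:00", "user": "dave", "action": "resource_access", "src_ip": "10.0.0.8", "resource": "ad"},
] + [
    {"ts": f"2026-04-27T02:{14 + i // 2:02d}:{(i % 2) * 30:02d}", "user": "bob",
     "action": "mfa_denied", "src_ip": "203.0.113.7"} for i in range(6)
] + [
    {"ts": "2026-04-27T02:21:00", "user": "bob", "action": "mfa_device_registered", "src_ip": "203.0.113.7"},
    {"ts": "2026-04-27T02:22:00", "user": "bob", "action": "login_success", "src_ip": "203.0.113.7"},
    {"ts": "2026-04-27T02:25:00", "user": "bob", "action": "resource_access", "src_ip": "203.0.113.7", "resource": "ad"},
]

if __name__ == "__main__":
    print("all signals:", find_signals(SAMPLE_EVENTS))
    print("alerts:", high_confidence_alerts(SAMPLE_EVENTS))
```

Run on the sample, "dave" produces only an odd-hours signal (an admin working late touching a resource his role allows) and is dropped by the two-signal threshold, while "bob" accumulates a spray, a device registration from an unseen IP, a role violation and off-hours activity and surfaces as the single alert. The thresholds are tuning knobs; the point is that correlation across independent signals, not any one rule, is what keeps the queue small enough for human investigation.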
The Year in Review presents the five priorities as immediate operational areas for security teams: secure identity, patch externally exposed systems, retire or isolate legacy components, harden management and control platforms, and detect anomalous activity across environments.