Cisco Talos: Prioritize Identity, Patch Exposed Systems
Cisco Talos urged organizations to treat identity systems as critical assets, secure MFA flows, patch publicly exposed systems first and hunt legacy risks after a 178% spike in device compromises.
In a Year in Review briefing released in late April 2026, Cisco Talos reported a 178% increase in device compromises and urged defenders to prioritize identity infrastructure, patch exposure and hunt legacy risks.
The briefing noted that wider availability of AI tools and public exploit code has lowered the barrier for attackers, speeding attacks against identity services, unmanaged legacy systems and platforms that broker trust. Talos said many attacks still follow predictable patterns and often create behavior that differs from normal user activity.
Talos laid out immediate defensive priorities. Organizations should treat identity infrastructure as a critical asset and strengthen multi-factor authentication workflows with stricter verification and monitoring of actions after login. Teams should prioritize patches for systems that are directly reachable from the internet rather than relying solely on severity scores. Security operations should actively search for long-tail legacy risks and add monitoring for management-plane systems.
The advisory recommended tuning detection to surface anomalous events so analysts can focus on likely intrusions and reduce alert volume.
The briefing cited recent incidents to illustrate the risks. One breach at a home security company began with a compromised single sign-on account after a voice-phishing attack, which allowed attackers to move into corporate systems. A widely used Python package was altered to deliver an information-stealer and its build pipeline pushed the malicious code into a Docker image used for deployment. A SQL injection flaw in a popular LLM package was exploited within 36 hours of public disclosure.
The report found that phishing has reemerged as the leading initial access vector against health care and public administration targets. Talos noted that rapid incident response in observed cases prevented those intrusions from becoming widespread ransomware incidents.
“Defenders maintain a distinct advantage if they know exactly where to look,” the briefing stated, adding that attackers frequently reuse infrastructure and have difficulty imitating legitimate user behavior.
The advisory finished with operational steps for security teams: enforce stricter verification in MFA flows, build behavioral baselines for post-login activity, triage patches by internet exposure, hunt for forgotten or unsupported systems, and increase telemetry on management and control planes.
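One way to turn the "behavioral baselines for post-login activity" step above into detection logic, written here as an added example rather than anything published by Talos: the script builds a per-user baseline of normal sign-in context from historical events, then scores later events so that a sensitive change (such as a new MFA method being added) performed from an unfamiliar country, network or browser shortly after sign-in rises above routine activity. The audit-log field names, sample log lines, weights and the 30-minute window are all constructed assumptions, not a real product format.

```python
"""Post-login behavioral baseline scoring (added example, not Talos code).

Builds a per-user baseline of sign-in context (country, ASN, user agent)
from historical login events, then scores new events: unfamiliar context
adds weight, sensitive actions add weight, and a sensitive action shortly
after login adds more. Only high-scoring events become alerts, which keeps
routine MFA enrollments from a known context out of the analyst queue.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed historical sign-ins (hypothetical SSO audit-log fields).
HISTORY = [
    {"user": "alice", "ts": "2026-03-01T09:02:00", "event": "login", "country": "US", "ua": "Chrome/Win", "asn": 7922},
    {"user": "alice", "ts": "2026-03-02T09:10:00", "event": "login", "country": "US", "ua": "Chrome/Win", "asn": 7922},
    {"user": "alice", "ts": "2026-03-03T08:55:00", "event": "login", "country": "US", "ua": "Chrome/Win", "asn": 7922},
    {"user": "bob", "ts": "2026-03-01T17:30:00", "event": "login", "country": "DE", "ua": "Safari/Mac", "asn": 3320},
    {"user": "bob", "ts": "2026-03-02T17:45:00", "event": "login", "country": "DE", "ua": "Safari/Mac", "asn": 3320},
]

# Constructed events to score: one unfamiliar-context login followed by an
# MFA change, and one routine MFA change from a known context.
NEW_EVENTS = [
    {"user": "alice", "ts": "2026-04-20T03:14:00", "event": "login", "country": "NG", "ua": "Firefox/Linux", "asn": 37148},
    {"user": "alice", "ts": "2026-04-20T03:16:00", "event": "mfa_method_added", "country": "NG", "ua": "Firefox/Linux", "asn": 37148},
    {"user": "bob", "ts": "2026-04-20T17:40:00", "event": "login", "country": "DE", "ua": "Safari/Mac", "asn": 3320},
    {"user": "bob", "ts": "2026-04-20T17:41:00", "event": "mfa_method_added", "country": "DE", "ua": "Safari/Mac", "asn": 3320},
]

# Assumed set of post-login actions worth extra scrutiny.
SENSITIVE = {"mfa_method_added", "password_reset", "recovery_email_changed"}
# Assumed window: a sensitive action this soon after login scores higher.
WINDOW = timedelta(minutes=30)


def build_baseline(events):
    """Collect the countries, ASNs and user agents each user normally logs in from."""
    base = defaultdict(lambda: {"country": set(), "ua": set(), "asn": set()})
    for e in events:
        if e["event"] == "login":
            for key in ("country", "ua", "asn"):
                base[e["user"]][key].add(e[key])
    return base


def score_events(events, baseline):
    """Return (user, event, ts, score, reasons) for each event in time order."""
    last_login = {}
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        profile = baseline.get(e["user"])  # .get() does not create an entry
        score, reasons = 0, []
        if profile is None:
            score += 1
            reasons.append("no baseline for user")
        else:
            # Assumed weights: country deviations matter most, browser least.
            for key, weight in (("country", 3), ("asn", 2), ("ua", 1)):
                if e[key] not in profile[key]:
                    score += weight
                    reasons.append(f"new {key}: {e[key]}")
        if e["event"] == "login":
            last_login[e["user"]] = ts
        elif e["event"] in SENSITIVE:
            score += 2
            reasons.append(f"sensitive action: {e['event']}")
            prior = last_login.get(e["user"])
            if prior is not None and ts - prior <= WINDOW:
                score += 2
                reasons.append(f"within {WINDOW.seconds // 60} min of login")
        findings.append((e["user"], e["event"], e["ts"], score, reasons))
    return findings


def alerts(findings, threshold=6):
    """Keep only findings at or above the (assumed) alert threshold."""
    return [f for f in findings if f[3] >= threshold]


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for user, event, ts, score, reasons in alerts(score_events(NEW_EVENTS, baseline)):
        print(f"ALERT {ts} {user} {event} score={score} {'; '.join(reasons)}")
```

Run as-is, only alice's two events are reported: her login scores 6 (new country, ASN and browser) and the MFA method she adds two minutes later scores 10, while bob's MFA enrollment from his usual context scores 4 and stays below the threshold. In a real deployment the baseline would be rebuilt from a rolling window of the identity provider's audit log and the weights tuned against the organization's own false-positive rate.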