Talos Year in Review: 5 Priorities to Spot Malicious Activity

Cisco Talos’ Year in Review lists five priorities for defenders to detect malicious activity as exploit development speeds up and credential abuse rises.

On April 28, 2026, Cisco Talos published its Year in Review, outlining five priorities for defenders to detect malicious activity amid faster exploit development and growing credential abuse.

The report states that artificial intelligence tools and publicly available proof-of-concept code have shortened the time needed to weaponize vulnerabilities from months to hours. Talos researchers observed AI-generated phishing sites and no-code toolkits that can capture credentials and forward them to disposable external stores in minutes. Proof-of-concept exploit code for newly disclosed flaws can appear within hours of disclosure, letting attackers quickly prioritize exposed targets.

The report identifies identity as the main battlefield. It documents increases in MFA spray attacks against identity platforms, a 178% year-over-year rise in device compromise, and cases where attackers register their own devices as trusted multi-factor authentication methods. Talos found that network infrastructure such as VPNs, Active Directory controllers and firewalls is being used to steal session tokens and bypass authentication controls.

When attackers authenticate with valid credentials, their actions often differ from normal user behavior. The report notes intrusions that access systems outside a user’s role, lateral movement using tools like PsExec, command execution at unusual hours and activity at a scale typical users do not exhibit.

On vulnerabilities, Talos cites rapid exploitation of newly disclosed flaws such as React2Shell and ToolShell and reports that older flaws like Log4Shell remain frequently targeted more than four years after disclosure. The report recommends remediating based on internet exposure and access impact and reducing time-to-patch for externally reachable systems.

Talos highlights a persistent long tail of legacy and embedded risk. Nearly 40% of the top 100 most targeted vulnerabilities affect end-of-life systems, and 32% are more than a decade old. Commonly affected components include PHP frameworks, Log4j and ColdFusion, which can be poorly inventoried and tightly coupled to business-critical systems.

Systems that broker trust (network management platforms, application delivery controllers and shared software platforms) are attractive to attackers because they store credentials and enable changes across many devices. The report notes these systems are often less monitored and more difficult to patch and advises enhanced monitoring, strict access controls and segmentation around management and control planes.

Talos reports that despite increased automation and AI-assisted tooling, attacks still generate detectable patterns. Scalable attacks tend to reuse infrastructure, tools and sequences of activity. The report points to anomalous authentication flows, abnormal system access and unusual device registrations as indicators of compromise.

The report recommends focusing detection on meaningful anomalies, narrowing alerts to reduce fatigue, and using automation for triage and enrichment while maintaining human review. The document states, “Attackers still rely on the same vulnerabilities. They reuse the same tools and techniques. They follow repeatable patterns. And, critically, they don’t behave like your users.”
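The behavioral indicators the report names (access outside a user's role, command execution at unusual hours, activity at unusual scale, and new device registrations) and its advice to narrow alerts and enrich them before human review can be put together in a small detection. The following is an added example, not code from Talos or the report: the per-user baseline, the users, hosts and events are all constructed, and the thresholds (more than twice the baseline command rate, and at least two distinct indicators before a user is surfaced) are assumptions chosen for illustration.

```python
"""Behavioral detection over constructed authentication and command events.

Added example, not Talos' code. Events are scored against a per-user
baseline for the indicators the report names; single signals are kept as
findings, and only users showing several distinct indicators are raised
for analyst review, so one odd login on its own does not page anyone.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed per-user baseline: hosts the role may access, working-hour
# window (local, half-open), typical commands per hour and known MFA devices.
BASELINE = {
    "alice": {"hosts": {"fs01", "mail01"}, "hours": (8, 18),
              "cmds_per_hour": 5, "mfa_devices": {"alice-phone"}},
    "bob":   {"hosts": {"build01", "git01"}, "hours": (9, 19),
              "cmds_per_hour": 20, "mfa_devices": {"bob-phone"}},
}

# Constructed events: a normal morning for both users, then alice's
# account logging in late at night to a host outside her role, registering
# an unknown MFA device and running a burst of remote-execution commands.
EVENTS = [
    {"ts": "2026-04-28T09:05:00", "user": "alice", "type": "auth", "host": "fs01", "device": "alice-phone"},
    {"ts": "2026-04-28T09:10:00", "user": "bob", "type": "auth", "host": "git01", "device": "bob-phone"},
    {"ts": "2026-04-28T23:41:00", "user": "alice", "type": "auth", "host": "dc01", "device": "unknown-device-7"},
    {"ts": "2026-04-28T23:42:00", "user": "alice", "type": "mfa_register", "device": "unknown-device-7"},
] + [
    {"ts": f"2026-04-28T23:{45 + i // 4:02d}:{(i % 4) * 15:02d}", "user": "alice",
     "type": "cmd", "host": "dc01", "cmd": "psexec"}
    for i in range(12)
]


def detect(events, baseline=BASELINE):
    """Map each user to {indicator: sorted details} for every signal seen."""
    findings = defaultdict(lambda: defaultdict(set))
    cmd_counts = Counter()  # (user, hour bucket) -> commands in that hour
    for e in events:
        user, b = e["user"], baseline.get(e["user"])
        if b is None:
            findings[user]["unknown_user"].add(e["ts"])
            continue
        hour = datetime.fromisoformat(e["ts"]).hour
        start, end = b["hours"]
        hour_key = e["ts"][:13]  # e.g. "2026-04-28T23"
        # Access to a system the user's role is not expected to touch.
        if e["type"] in ("auth", "cmd") and e["host"] not in b["hosts"]:
            findings[user]["out_of_role_access"].add(e["host"])
        if e["type"] == "cmd":
            cmd_counts[(user, hour_key)] += 1
            # Command execution outside the user's normal working window.
            if not start <= hour < end:
                findings[user]["off_hours_execution"].add(hour_key)
        # An MFA method registered that the user never had before.
        if e["type"] == "mfa_register" and e["device"] not in b["mfa_devices"]:
            findings[user]["new_mfa_device"].add(e["device"])
    # Scale: more than twice the baseline command rate in one hour (assumed threshold).
    for (user, hour_key), n in cmd_counts.items():
        if n > 2 * baseline[user]["cmds_per_hour"]:
            findings[user]["volume_anomaly"].add(f"{n} commands in {hour_key}")
    return {u: {k: sorted(v) for k, v in f.items()} for u, f in findings.items()}


def triage(findings, min_indicators=2, baseline=BASELINE):
    """Narrow to users with at least `min_indicators` distinct indicators and
    enrich each alert with the role baseline an analyst needs for review."""
    alerts = []
    for user, inds in sorted(findings.items()):
        if len(inds) < min_indicators:
            continue
        alerts.append({
            "user": user,
            "indicators": sorted(inds),
            "expected_hosts": sorted(baseline.get(user, {}).get("hosts", ())),
            "details": inds,
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(detect(EVENTS)):
        print(alert["user"], "expected hosts:", alert["expected_hosts"])
        for indicator, details in alert["details"].items():
            print("   ", indicator, details)
```

Run as-is, only alice is surfaced, with all four indicators; bob's in-role, in-hours login produces no finding at all. The correlation step is where alert fatigue is addressed: raising the `min_indicators` threshold trades sensitivity for precision, and the enrichment (the user's expected hosts) is what lets a human reviewer decide quickly whether the out-of-role access was a legitimate change of duties.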

The Year in Review combines incident response telemetry and trend analysis and lists five priorities for defenders: protecting identity and privileged access, prioritizing vulnerabilities by exposure and impact, addressing legacy and embedded risk, securing systems that broker trust, and centering detection on behavioral patterns.
