IR Trends Q1 2026: Phishing Reemerges as Top Initial Access Vector, as Attacks Targeting Public Administration Persist

IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist

Phishing reemerged as the most observed means of gaining initial access, accounting for over a third of the engagements where initial access could be determined. Phishing has not been the top vector for initial access since Q2 2025.Public administration and health care tied as the most targeted industry verticals, each accounting for 24 percent of all engagements. This is the third consecutive quarter where public administration has been the mos…

Phishing reclaims the top initial access spot, attackers experiment with AI tools

Phishing returned as the leading method attackers used to break into organizations in the first quarter of 2026, accounting for over a third of engagements where initial access could be determined, according to Cisco Talos. It is the first quarter phishing has led the category since Q2 2025, when exploitation of public-facing applications took over following widespread attacks against on-premises Microsoft SharePoint servers. That SharePoint exp…