ConnectWise Report Highlights Identity Abuse as Top MSP Cyber Threat
Event summary
- ConnectWise released its 2026 MSP Threat Report on March 5, 2026, detailing a shift in cyberattack strategies toward identity abuse.
- The report highlights ransomware operators prioritizing speed and access reliability, with groups like Akira targeting backup infrastructure early.
- VPN infrastructure was a consistent entry point for attacks, with credential stuffing and inherited secrets being common methods.
- Software supply chain compromises expanded, with campaigns like 'Shai-Hulud' propagating trojanized updates across thousands of environments.
- ConnectWise is enhancing its platform with Privileged Access Management (PAM), Managed Endpoint Detection and Response (Managed EDR), and immutable backup capabilities.
The big picture
The 2026 MSP Threat Report underscores a critical shift in cybersecurity, where attackers are increasingly exploiting trusted identities and legitimate system tools to gain access to MSP-managed environments. This trend highlights the need for MSPs to move earlier in the attack lifecycle, focusing on identity, privilege, execution context, and resilience. ConnectWise's enhancements to its platform reflect the broader industry move toward proactive, platform-level defenses.
What we're watching
- Identity Security
- How MSPs will adapt their identity security and privileged access governance to counter the abuse of trusted identities.
- Regional Nuances
- Whether regional differences in cyberattack methods will continue to influence global MSP security strategies.
- AI Impact
- The pace at which AI will further scale and automate cyberattacks, making established tactics more convincing and harder to detect.
Related topics