The 2025 Sophos Active Adversary Report

Cyber adversaries are evolving rapidly, leveraging legitimate tools and stolen credentials to infiltrate systems with alarming speed. The 2025 Sophos Active Adversary Report, which analyzes over 400 real-world cases, finds that 56% of breaches involved attackers logging in with valid credentials, most often through external remote services such as VPNs and firewalls. With the median dwell time dropping to just 2 days, and attackers reaching Active Directory within 11 hours, the window for detection and response is narrower than ever. The report provides critical insight into attacker behavior and emphasizes the need for proactive defense strategies.

Key Takeaways

  • 56% of breaches involved attackers using valid credentials to access systems, highlighting the importance of securing authentication mechanisms.
  • The median time from initial access to Active Directory compromise is 11 hours, underscoring the need for rapid detection.
  • 83% of ransomware deployments occurred outside regular business hours, exploiting periods of reduced vigilance.
  • Organizations with proactive monitoring experienced significantly shorter dwell times: in Managed Detection and Response (MDR) cases, the median dwell time for non-ransomware attacks was 1 day.