It takes two: The 2025 Sophos Active Adversary Report
For five years, we have presented our data, first solely from the Incident Response (IR) service and later expanding to include data from IR's sister team supporting current Managed Detection and Response (MDR) customers, and provided analysis of what we think it means. As we continue to refine our process for collecting and analyzing the data, this report focuses on some key observations and analysis. To celebrate a half-decade of this work, we are also giving the world access to our 2024 dataset, in the hope of starting broader conversations. More information on that, and the link to the Active Adversary repository on GitHub, can be found at the end of this report.
Report Snapshot
Key takeaways
- Differences between MDR and IR findings quantify the value of active monitoring
- Compromised credentials continue to lead to initial access; MFA is essential
- Dwell time drops (again!)
- Attacker abuse of living-off-the-land binaries (LOLBins) explodes
- Remote ransomware poses a unique challenge, and an opportunity, for actively managed systems
- Attack impacts contain lessons about potential detections