A new report from Sophos reveals that in 56% of Managed Detection and Response (MDR) and Incident Response (IR) cases, attackers gained access using valid credentials. The 2025 Active Adversary Report analysed over 400 cases from 2024, showing how quickly attackers breach systems and exfiltrate data.
External remote services, such as firewalls and VPNs, were the primary entry points for attackers, who leveraged valid accounts in more than half of the cases. For the second consecutive year, compromised credentials were the leading cause of breaches, making up 41% of attacks. Exploited vulnerabilities and brute force attacks followed at 21.79% and 21.07%, respectively.
The report also highlights how fast attackers progress through their operations. In cases involving ransomware, data exfiltration, and data extortion, attackers typically exfiltrated data within 72.98 hours, or around three days. Detection occurred only a median of 2.7 hours after the exfiltration, underscoring the speed of modern cyberattacks.
Among the report's other findings: attackers can reach Active Directory in just 11 hours, which can give them control over critical parts of a network. Ransomware groups Akira, Fog, and LockBit were the most commonly encountered in 2024. Dwell time, the period between an attack's start and its detection, dropped to just two days in 2024, largely due to the inclusion of MDR cases.
To bolster defences, Sophos recommends closing exposed RDP ports, implementing phishing-resistant multifactor authentication, patching vulnerable systems promptly, and deploying proactive monitoring through EDR or MDR. Organisations should also establish and regularly test their incident response plans through simulations.
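The brute-force and compromised-credential findings above, together with the recommendation to monitor remote services and enforce phishing-resistant MFA, translate naturally into a small detection rule set. The following is an added example written for this page; it is not code from Sophos or from the report. It runs three rules over a few constructed VPN/RDP authentication log lines: repeated failures from one source within a window (brute force), a success from a source already flagged as brute-forcing (likely credential compromise), and any successful remote login that did not complete MFA. The log format, field names (`user`, `src`, `result`, `mfa`), the 5-failures-in-10-minutes threshold and the sample addresses are all assumptions chosen for the example.

```python
"""
Added detection example (not from the Sophos report): flag brute-force
patterns, success-after-brute-force, and MFA-less successes in constructed
VPN/RDP authentication log lines.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, loosely modelled on a VPN/RDP gateway auth log.
# Fields and values are assumptions made for this example.
SAMPLE_LOG = """\
2024-06-01T02:00:01Z vpn user=jsmith src=203.0.113.10 result=fail mfa=-
2024-06-01T02:00:03Z vpn user=jsmith src=203.0.113.10 result=fail mfa=-
2024-06-01T02:00:05Z vpn user=jsmith src=203.0.113.10 result=fail mfa=-
2024-06-01T02:00:07Z vpn user=mlee src=198.51.100.7 result=fail mfa=-
2024-06-01T02:00:09Z vpn user=jsmith src=203.0.113.10 result=fail mfa=-
2024-06-01T02:00:11Z vpn user=jsmith src=203.0.113.10 result=fail mfa=-
2024-06-01T02:00:15Z vpn user=mlee src=198.51.100.7 result=success mfa=yes
2024-06-01T02:00:20Z vpn user=jsmith src=203.0.113.10 result=success mfa=no
2024-06-01T03:15:00Z rdp user=admin src=192.0.2.44 result=success mfa=no
"""

FAIL_THRESHOLD = 5            # assumed: failures per source before alerting
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures


def parse_line(line: str) -> dict:
    """Turn '<ts> <service> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, service, *kvs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "service": service}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def detect(lines) -> list:
    """Return (rule, src, user) alerts for the given log lines, in log order."""
    recent_fails = defaultdict(deque)  # src -> timestamps of recent failures
    brute_forcing = set()              # sources already flagged for brute force
    alerts = []
    for event in map(parse_line, lines):
        src, user, now = event["src"], event["user"], event["ts"]
        if event["result"] == "fail":
            window = recent_fails[src]
            window.append(now)
            # Drop failures that fell out of the sliding window.
            while window and now - window[0] > WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and src not in brute_forcing:
                brute_forcing.add(src)
                alerts.append(("brute_force", src, user))
        else:
            # A success from a source that was brute-forcing is the pattern
            # behind "valid credentials obtained by brute force".
            if src in brute_forcing:
                alerts.append(("success_after_brute_force", src, user))
            # Remote-service logins that skipped MFA are worth a look on their own.
            if event.get("mfa") != "yes":
                alerts.append(("remote_login_without_mfa", src, user))
            recent_fails[src].clear()
    return alerts


def run_sample() -> list:
    """Run the rules over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, src, user in run_sample():
        print(f"{rule:28} src={src:15} user={user}")
```

On the sample above the rules fire four times: once when 203.0.113.10 reaches five failures against `jsmith`, twice on that source's later success (success after brute force, and no MFA), and once for the `admin` RDP login that skipped MFA; `mlee`'s single failure followed by an MFA-backed success produces nothing. In production the same logic would sit on a SIEM or EDR/MDR pipeline rather than a script, and the thresholds would be tuned per service.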