The Sophos Active Adversary Report celebrates its fifth anniversary this year. The report grew out of a simple question: What happens after attackers breach a company? Knowing the adversary’s playbook, after all, helps defenders better battle an active attack. (There’s a reason we started life as “The Active Adversary Playbook.”) At the same time we were discussing ways to instrument a testing environment to answer that what-happens question, Sophos was preparing to launch an incident response (IR) service. A cross-team project was born.

For five years, we’ve presented our data – first solely from the IR service, but eventually expanding to include data from IR’s sister team supporting current MDR customers — and provided analysis on what we think it means. As we continue to refine our process for collecting and analyzing the data, this report will focus on some key observations and analysis – and, to celebrate a half-decade of this work, we’re giving the world access to our 2024 dataset, in hope of starting broader conversations. More information on that, and the link to the Active Adversary repository on GitHub, can be found at the end of this report.