The Active Adversary Playbook 2022

Cyberattacker behaviors, tactics and tools seen on the frontline of incident response during 2021

Published June 2022


The new Active Adversary Playbook 2022 shares details about the changing attack landscape, tools, and behaviors that adversaries are using to evade detection.

Based on a detailed analysis of 144 incidents investigated by the Sophos Rapid Response team, this piece provides insights into how adversaries enter organizations and what they do once inside. It covers the behaviors, tactics, and tools used by attackers as seen on the frontline.

Key findings include:

  • Attacker dwell time is up, and varies by company size
  • Exploitation of vulnerabilities is the most common way attacks start
  • RDP is used for internal movement by adversaries in four out of five incidents
  • Data exfiltration has increased over the last year

With these insights, the Active Adversary Playbook 2022 will help you be better prepared to defend your organization in the future.