More than half of the cyberattacks recorded by Sophos in 2024 started when attackers gained access through external remote services, such as firewalls and VPNs, often by using valid credentials. This finding is based on over 400 cases handled by the cybersecurity firm’s Managed Detection and Response (MDR) and Incident Response (IR) teams.

According to the 2025 Sophos Active Adversary Report, 56% of incidents began with external remote services. That matches the top three root causes the report identified: compromised credentials were again the leading root cause, accounting for 41% of cases, followed by exploited vulnerabilities (21.79%) and brute force attacks (21.07%).

“Passive security is no longer enough,” said John Shier, field chief information security officer at Sophos. “While prevention is essential, rapid response is critical. Organizations must actively monitor networks and act swiftly against observed telemetry. Coordinated attacks by motivated adversaries require a coordinated defense.”

Speed of attacks

The report also studied how quickly attackers move once inside a network. In cases involving ransomware, data exfiltration, or extortion, the time from initial access to data exfiltration was just over three days. Once exfiltration had occurred, organizations took less than three hours to detect the attack.

In many cases, attackers reached Active Directory, the service that handles authentication and authorization across a Windows domain, in just 11 hours. Control of Active Directory gives them control of every account and system joined to the domain.

Sophos also found that dwell time, or how long attackers stay in a network before being detected, dropped to just two days in 2024, down from four days the year before. In MDR cases, dwell time was even shorter: one day for non-ransomware attacks and three days for ransomware.

Proactive monitoring

Remote Desktop Protocol (RDP) remained a common entry point and was involved in 84% of cases, while most ransomware attacks (83%) were launched outside local business hours.
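The two figures above, RDP in 84% of cases and 83% of ransomware launched out of hours, point at a simple detection any monitoring team can run. The following Python script is an added example, not code from the Sophos report or from Back End News: it triages Windows interactive RDP logons (Security event 4624 with logon type 10, RemoteInteractive) and flags those that occur outside business hours or arrive from outside the internal address space. The log line layout, the business-hours window (Monday to Friday, 08:00 to 18:00 local time), the use of RFC 1918 ranges as "internal", and the sample events are all assumptions constructed for the example.

```python
"""Flag RDP logons outside business hours or from external addresses.

Added example. The event lines below are constructed, not real telemetry,
and the line layout, business-hours window and "internal" address ranges
are assumptions for the sake of the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# Assumption: local business hours are Monday-Friday, 08:00-18:00.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
BUSINESS_DAYS = range(0, 5)  # Monday=0 ... Friday=4

# Windows Security log: event 4624 = successful logon,
# logon type 10 = RemoteInteractive, i.e. an RDP session.
RDP_EVENT_ID = 4624
RDP_LOGON_TYPE = 10

# Assumption: anything in RFC 1918 space or loopback is "internal".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass
class Logon:
    ts: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


def parse_line(line: str) -> Logon:
    """Assumed layout: '<ISO timestamp> <EventID> <LogonType> <DOMAIN\\user> <SourceIP>'."""
    ts, event_id, logon_type, account, source_ip = line.split()
    return Logon(datetime.fromisoformat(ts), int(event_id), int(logon_type),
                 account, source_ip)


def is_business_hours(ts: datetime) -> bool:
    """True when the timestamp falls on a business day inside the window."""
    return ts.weekday() in BUSINESS_DAYS and BUSINESS_START <= ts.time() < BUSINESS_END


def is_external(ip: str) -> bool:
    """True when the source address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(lines):
    """Return one alert dict per RDP logon that deserves analyst attention."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.event_id != RDP_EVENT_ID or ev.logon_type != RDP_LOGON_TYPE:
            continue  # not an RDP session; ignore network/service logons
        reasons = []
        if not is_business_hours(ev.ts):
            reasons.append("outside business hours")
        if is_external(ev.source_ip):
            reasons.append("external source")
        if reasons:
            alerts.append({"account": ev.account, "source_ip": ev.source_ip,
                           "time": ev.ts.isoformat(), "reasons": reasons})
    return alerts


# Constructed sample events (2024-06-12 is a Wednesday, 2024-06-15 a Saturday).
SAMPLE_EVENTS = [
    "2024-06-12T10:15:00 4624 10 CORP\\jdoe 10.20.30.40",        # in hours, internal: benign
    "2024-06-12T10:16:00 4624 3 CORP\\svc-backup 10.20.30.41",   # network logon, not RDP
    "2024-06-13T02:14:05 4624 10 CORP\\jdoe 10.20.30.50",        # 02:14, internal: off-hours
    "2024-06-15T11:00:00 4624 10 CORP\\admin 203.0.113.45",      # Saturday, external: both
    "2024-06-14T17:59:00 4624 10 CORP\\mlee 198.51.100.7",       # Friday in hours, external
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the script raises three alerts: the 02:14 logon, the Saturday logon from an external address (flagged for both reasons), and the in-hours logon from an external address. Off-hours RDP is not malicious by itself, so in practice these alerts should feed an analyst queue or a correlation rule rather than block sessions outright, but the 83% out-of-hours figure is the reason this check earns its place.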

“Our report confirms that organizations with proactive monitoring detect attacks faster and experience better outcomes,” Shier said.

The report also identified Akira, Fog, and LockBit as the most common ransomware groups seen in 2024, despite the law enforcement operation that disrupted LockBit's infrastructure earlier that year.

Discover more from Back End News
