Cyberattackers employed over 500 unique tools in 2022, Sophos report reveals

Unpatched vulnerabilities and compromised credentials have been identified as key root causes of attacks, while ransomware remains the most common "end game."


At a glance

  • Sophos' Active Adversary Report for Business Leaders revealed that cyberattackers utilized over 500 unique tools and tactics in 2022, including 118 "Living off the Land" binaries, which are more challenging for defenders to block.

  • Unpatched vulnerabilities, such as ProxyShell and Log4Shell from 2021, were identified as the most common root cause for initial system access, followed by compromised credentials.

  • Ransomware continues to dominate the threat landscape, accounting for 68% of attacks investigated by Sophos' Incident Response team and nearly three-quarters of the company's IR investigations over the past three years.

  • Dwell time, or the period between an attack's initiation and its detection, decreased from 15 to 10 days for all attack types in 2022, indicating an ongoing race between attackers and defenders.

  • The report emphasizes the importance of proactive monitoring and layered defenses for organizations to improve attack severity outcomes and strengthen security strategies and defenses.


Sophos, a cybersecurity company, recently published its Active Adversary Report for Business Leaders, providing an in-depth analysis of cyber adversaries' evolving behaviors and attack techniques in 2022. Data gathered from over 150 Sophos Incident Response (IR) cases revealed that attackers utilized more than 500 unique tools and tactics, including 118 "Living off the Land" binaries (LOLBins). These LOLBins, unlike malware, are executables native to operating systems, making them more challenging for defenders to block when exploited for malicious purposes.

The report identified unpatched vulnerabilities as the most common root cause of attackers' initial system access. In half of the investigations, adversaries exploited two vulnerabilities disclosed in 2021, ProxyShell and Log4Shell, to infiltrate organizations. Compromised credentials were the second most common root cause of cyberattacks.

John Shier, field CTO at Sophos, highlighted the need for businesses to utilize tools and services that alleviate some of the defensive burden, allowing organizations to focus on their core priorities. The study showed that ransomware continues to be a prevalent threat, accounting for 68% of attacks investigated by the Sophos IR team and nearly three-quarters of the company's IR investigations over the past three years.

Interestingly, dwell time, the period between an attack's initiation and its detection, decreased in 2022 from 15 to 10 days across all attack types. For ransomware cases, dwell time dropped from 11 to 9 days, while dwell time for non-ransomware attacks declined from 34 days in 2021 to 11 days in 2022. The report found no significant variation in dwell times between organizations of different sizes or in different sectors.

Shier emphasized the importance of proactive monitoring and layered defenses for improved outcomes in terms of attack severity. The Sophos Active Adversary Report for Business Leaders offers organizations actionable threat intelligence and insights to enhance security strategies and defenses.

The report is based on 152 incident response (IR) investigations across 31 countries, including the U.S. and Canada, the U.K., Germany, Switzerland, Italy, Austria, Finland, Belgium, Sweden, Romania, Spain, Australia, New Zealand, Singapore, Japan, Hong Kong, India, Thailand, the Philippines, Qatar, Bahrain, Saudi Arabia, the United Arab Emirates, Kenya, Somalia, Nigeria, South Africa, Mexico, Brazil, and Colombia, and 22 sectors, including manufacturing, healthcare, education, and retail. For further information on attacker behaviors, tools, and techniques, visit Sophos.com to access the 2023 Active Adversary Report for Business Leaders.