The active adversary playbook 2022

Cyberattacker behaviors, tactics, and tools seen on the frontline of incident response during 2021.

Get frontline insights into how adversaries operate and what tools they use during active attacks.

What you'll learn

  • The anatomy of active attacks including root causes and main attack types
  • The toolsets adversaries have been employing to facilitate attacks
  • The main ransomware adversaries observed

Armed with these insights, you'll better understand what adversaries do during attacks and how to spot and defend against such activity on your network.

Introduction

Defending against rapidly evolving, increasingly complex cyberthreats requires understanding how adversaries operate.

Adversaries continuously adapt and evolve their behavior and toolsets, leverage new vulnerabilities, and misuse everyday IT tools to evade detection and stay one step ahead of security teams.

It can be hard for an organization's IT and security operations professionals to keep up with the latest approaches used by adversaries, particularly when it comes to targeted, active attacks that involve more than one perpetrator, such as an initial access broker (IAB) breaching a target and then selling that access on to a ransomware gang for use in their attack.

The aim of this playbook is to help security teams understand what adversaries do during attacks and how to spot and defend against such activity on their network.

The findings are based on data from incidents investigated by the Sophos Rapid Response team during 2021. Where possible, the data is compared against the incident response findings outlined in the Active Adversary Playbook 2021.

Incident response demographics 2021

The data is based on 144 incidents targeting organizations of all sizes across a wide range of industry sectors.

Organizations were located in the U.S., Canada, the U.K., Germany, Italy, Spain, France, Switzerland, Belgium, the Netherlands, Austria, the United Arab Emirates, Saudi Arabia, the Philippines, the Bahamas, Angola, and Japan.

The most represented sectors are manufacturing (17% of incident response cases) followed by retail (14%), healthcare (13%), IT (9%), construction (8%), and education (6%).
