Cyberattacks no longer wait for office hours. According to Arctic Wolf’s new 2025 Security Operations Report, more than half (51%) of security alerts worldwide are now triggered outside traditional working hours. Seventeen percent fall on weekends, when defenses are particularly thin.
The study analyzed more than 330 trillion security observations across Arctic Wolf’s Aurora platform and global SOCs, a 30% jump from the prior year. From that mountain of data, only one alert was generated for every 138 million observations, a sign of tighter filtering, but also a reflection of adversaries’ growing stealth.
Identity compromise dominated the year. In investigations that required human intervention, nearly three-quarters involved disabling accounts, resetting passwords, or cutting off access. Arctic Wolf found that the average customer environment now generates almost 33 billion observations annually, underscoring the challenge of finding the signal in the noise.
“Ultimately, this report offers more than reflection, it is a roadmap,” said Lisa Tetrault, Senior Vice President of Security Services at Arctic Wolf. “Whether you are a security leader, practitioner, or executive, our goal is to help you better understand the evolving threat landscape, benchmark your operations, and make informed decisions as we work together to end cyber risk.”
The company is leaning on automation to cope. Alpha AI, its automated triage system, handled 10% of alerts, eliminating more than 860,000 manual reviews. That helped cut Mean Time to Ticket by 37% over two years. On endpoints, its Aurora Defense product blocked an average of 13 threats per customer each week in the first three months of release.
Manufacturing, healthcare, and education topped the target list, driven by outdated infrastructure, valuable data, and low tolerance for downtime. The report marks the third year of Arctic Wolf’s annual review, which finds cyber losses rising despite record security budgets.
Experts say the picture fits broader trends.
A Deliberate Ploy
James Maude, Field CTO at BeyondTrust, explained: “Threat actors rarely work 9 to 5 so it is no surprise that 51% of alerts occur outside business hours and 15% happen on the weekend. In many cases this is not simply a time zone difference but a deliberate ploy to strike when you are away from the keyboard. This is especially effective for identity-based attacks as a user logging in on a weekend might not seem as suspicious as an alert that malware is running.”
He says one of the key reasons that users’ identities are easily exploited out of hours is that they have standing privileges and more often than not are overprivileged. “When that is the case, if a threat actor is able to compromise an identity, they acquire 24/7 access with all the privileges the user has during the working day. This is why it is essential to reduce and ideally eliminate standing privileges using modern just-in-time approaches that only grant privilege when needed and take a zero-trust approach to validating the user’s identity. Credentials are stolen, weaker forms of MFA can be bypassed, helpdesks might even help a threat actor reset the credentials, so the best line of defense is to reduce the ‘blast radius’ in the event of an identity compromise. Making sure that no matter what time of day or night it is exploited, the privileges, access, and risk are limited in scope.”
Security Teams are Overwhelmed
“Security teams are progressively becoming overwhelmed, facing not just an unyielding surge in security alerts, but adversaries that are quicker, stealthier, and more sophisticated,” adds Tim Bazalgette, Chief AI Officer at Darktrace. “This is leaving incidents uninvestigated, increasing alert fatigue, and heightening the risk of missed threats. With the shortage of skilled cyber professionals continuing to grow, organizations are increasingly turning to AI-powered tools to improve efficiency in the SOC.”
Bazalgette says 88% of security professionals believe that the use of AI is vital to freeing up time for security teams to become more proactive, according to the 2025 State of AI Cybersecurity report. “Empowering defenders with AI has never been more critical than it is today and we must remain committed to driving innovation that helps organizations proactively decrease risk, reinforce their security posture, and elevate their teams.”
The Double-Edged Sword
Casey Ellis, founder of Bugcrowd, warned of AI’s double edge: “The proliferation of AI-powered vulnerability discovery tools, as well as the growth of AI-assisted code generation, means that a fresh, vulnerable attack surface is being created at an increasing rate, and the tooling to find and exploit this attack surface is doing so more effectively. All of this nets out to higher throughput into the SOC, which necessitates a shift in thinking around the economics of processing SOC alerts.”
Ellis says human incentives remain the primary driver here, and traditional SOC training, understanding threat landscapes, attacker behavior, and incident response, remains critical. AI can handle repetitive, low-order tasks like triaging alerts or identifying patterns, but it lacks the creativity and contextual understanding that humans bring to the table.
“SOC training will evolve to include AI literacy, but foundational skills will remain essential. AI will automate mundane tasks, allowing analysts to focus on complex, high-value work like threat hunting and strategic defense. The role of SOC analysts will shift toward managing AI systems, interpreting their outputs, and addressing the nuanced, creative challenges that machines can’t handle. Jobs won’t disappear, they’ll adapt,” Ellis adds.
Risk-Based Prioritization to Take Centre Stage
“The key is ensuring that SOC professionals are prepared for this shift through ongoing education, training, and tooling. AI is already accelerating the creation of attack surface and the ease of discovery and exploitation of certain classes of vulnerability. It’s reasonable to assume that these two things will net out to an increase in SOC alerts and the need for a shift in strategy to deal with it. I expect to see risk-based prioritization take center stage on the defender side, and there are a lot of ways that AI can help to scale this approach.”
The FBI’s 2024 Internet Crime Report logged $16 billion in losses, a 28% jump from the previous year. That disconnect between record-breaking budgets and worsening outcomes highlights a security gap money alone can’t fix.
Cybercriminals are changing their hours. The question is whether defenders can keep pace.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


