Gurgaon, April 5 -- Sophos has published its 2025 Active Adversary Report, analysing attacker behaviour and techniques observed across more than 400 Managed Detection and Response (MDR) and Incident Response (IR) cases in 2024. The findings highlight continued reliance on external remote services and valid accounts as primary methods of initial network access.

Primary Access Methods and Root Causes

In 56% of the analysed incidents, attackers gained entry by exploiting external remote services, including edge devices such as firewalls and VPNs. In many of these cases, attackers used valid credentials, allowing them to bypass standard authentication mechanisms.

This trend is reflected in the root causes of attacks:

Compromised credentia...