Based on a detailed analysis of 144 incidents investigated by the Sophos Rapid Response team — this piece provides insights into how adversaries enter organizations and what they do once inside.

In this report, findings include:

• Attacker dwell time is up, and varies by company size
• Exploitation of vulnerabilities is the most common way attacks start
• RDP is used for internal movement by adversaries in four out of five incidents
• Data exfiltration has increased over the last year