Cyberattacks are increasingly happening outside office hours, challenging security teams to adapt

Arctic Wolf’s 2025 Security Operations Report reveals a rise in cyberattacks outside traditional working hours, with threats becoming more stealthy and sophisticated, prompting calls for automation and zero-trust approaches.

Cyberattacks have increasingly shifted beyond traditional office hours, posing significant challenges for security teams worldwide. Arctic Wolf’s 2025 Security Operations Report reveals that a majority—51%—of security alerts now occur outside standard working hours, and 17% arise over weekends, when defences are notably diminished. This trend underscores the relentless nature of cyber threats and the evolving tactics of attackers who exploit times when organisations are less prepared to respond.

The report, which analysed over 330 trillion security observations via Arctic Wolf’s Aurora platform and global Security Operations Centers (SOCs), found a remarkable reduction in noise with just one alert triggered for every 138 million observations. This indicates tighter filtering capabilities but also highlights the growing stealthiness of threat actors. Identity compromise emerged as the leading concern, with nearly three-quarters of human-intervened investigations involving account disabling, password resets, or access revocation. The volume of observations per customer environment averaged nearly 33 billion annually, illustrating the daunting task faced by security teams in discerning genuine threats from vast data flows.

Lisa Tetrault, Senior Vice President of Security Services at Arctic Wolf, described the report as more than a reflection: “It is a roadmap for security leaders, practitioners, and executives to understand the dynamic threat landscape, benchmark operations, and make informed decisions to end cyber risk.” The company is increasingly leveraging automation to cope with alert volume, with its Alpha AI triage system handling 10% of alerts and preventing over 860,000 manual reviews. This automation contributed to a 37% reduction in Mean Time to Ticket over two years. Additionally, its Aurora Defense product actively blocked an average of 13 threats per customer weekly during its initial release period.

Industry sectors such as manufacturing, healthcare, and education appear particularly vulnerable. Their outdated infrastructure, valuable data, and low tolerance for downtime make them prime targets for cybercriminals. These findings align with other research noting the acceleration of cyber threats and the necessity for 24/7 vigilance in cybersecurity operations. For instance, Arctic Wolf’s earlier 2024 report observed that nearly half of security incidents also occurred after hours, with identity and access management tools emerging as a primary source of alerts.

Security experts highlight the deliberate timing of attacks as a tactic to exploit diminished organisational attention. James Maude, Field CTO at BeyondTrust, explained that threat actors’ operations outside typical 9-to-5 schedules are often intentional, aiming to capitalise on reduced human scrutiny. Maude emphasised the vulnerabilities posed by standing privileges often granted to users, which threat actors can exploit indefinitely if identities are compromised. He advocated for zero-trust approaches and just-in-time privilege allocation to limit potential damage regardless of when breaches occur.

The cybersecurity workforce is under mounting pressure. Tim Bazalgette, Chief AI Officer at Darktrace, noted the overwhelming surge in alerts and increasingly sophisticated adversaries strain security teams, leading to uninvestigated incidents and growing alert fatigue. He added that a vast majority of security professionals—88% according to the 2025 State of AI Cybersecurity report—view AI as essential in freeing them to adopt a more proactive defense posture. This reflects an industry-wide embrace of AI tools to enhance efficiency within the SOC while managing the growing complexity of threats.

However, AI’s rapid adoption does come with risks. Casey Ellis, founder of Bugcrowd, warned that AI-driven vulnerability discovery and exploitation tools are expanding attack surfaces at an unprecedented rate. This dynamic translates into even greater throughput of alerts, demanding new economic models for SOC operations and underscoring the continued importance of human expertise. Ellis stressed that while AI can automate routine triage tasks, the creativity and contextual judgment provided by trained analysts remain vital. The evolving role of SOC professionals will focus on AI system management, nuanced interpretation of outputs, and addressing complex challenges beyond machine capabilities.

Looking forward, risk-based prioritisation is expected to become central to defensive strategies, supported by AI’s scalability. The 2025 report aligns with broader trends reflected in high-profile data: the FBI reported internet crime losses surged to $16 billion in 2024, a 28% increase from the year prior. Despite record-breaking organisational budgets for cybersecurity, outcomes are worsening, highlighting a persistent security gap that investment alone cannot resolve. Cybercriminals have adapted their hours and tactics; the critical question remains whether defenders can evolve their strategies swiftly enough to keep pace.

📌 Reference Map:

• Paragraph 1 – ^[1], ^[2], ^[7]
• Paragraph 2 – ^[1], ^[2]
• Paragraph 3 – ^[1], ^[2]
• Paragraph 4 – ^[1], ^[7]
• Paragraph 5 – ^[1], ^[4], ^[5]
• Paragraph 6 – ^[1]
• Paragraph 7 – ^[1]
• Paragraph 8 – ^[1], ^[3]
• Paragraph 9 – ^[1]
• Paragraph 10 – ^[1], ^[3], ^[7]
• Paragraph 11 – ^[1], ^[6]

Source: Noah Wire Services