Arctic Wolf’s 2025 Security Operations Report reveals that over half of global security alerts now occur outside standard office hours, highlighting evolving attacker tactics, increased alert volumes, and the critical role of AI in modern defence strategies.
Cyberattacks no longer respect traditional office hours, with over half of security alerts worldwide being triggered outside the typical 9 to 5 working day. Arctic Wolf’s 2025 Security Operations Report, which analysed more than 330 trillion security observations across its global platforms, reveals that 51% of alerts occur outside standard working hours and 17% specifically on weekends, periods when organisations are particularly vulnerable due to thinner defences. This shift underscores an evolution in attacker tactics, exploiting timing to strike when human attention and response capabilities are reduced.
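To check the same out-of-hours and weekend split on your own alert feed, here is an added example (not Arctic Wolf's code or the report's method) that buckets UTC alert timestamps by the organisation's local business day; the sample alerts, the 9-to-5 window and the fixed UTC+1 offset are constructed assumptions.

```python
from datetime import datetime, time, timedelta, timezone

# Assumed local zone: fixed UTC+1 (British Summer Time). In production pass
# zoneinfo.ZoneInfo("Europe/London") instead so DST transitions are handled.
LOCAL_TZ = timezone(timedelta(hours=1))
BUSINESS_START = time(9, 0)
BUSINESS_END = time(17, 0)

# Constructed SIEM export: alert timestamps in UTC, ISO-8601 with a Z suffix.
SAMPLE_ALERTS = [
    "2025-06-02T09:30:00Z",  # Mon 10:30 local -> business
    "2025-06-02T16:30:00Z",  # Mon 17:30 local -> off hours (in-hours if judged in UTC)
    "2025-06-03T03:15:00Z",  # Tue 04:15 local -> off hours
    "2025-06-04T12:00:00Z",  # Wed 13:00 local -> business
    "2025-06-06T23:30:00Z",  # Fri 23:30 UTC rolls over to Sat 00:30 local -> weekend
    "2025-06-07T10:00:00Z",  # Sat -> weekend
    "2025-06-05T07:45:00Z",  # Thu 08:45 local -> off hours
    "2025-06-08T14:00:00Z",  # Sun -> weekend
]


def classify(ts_utc: str, tz=LOCAL_TZ) -> str:
    """Return 'weekend', 'off_hours' or 'business' for one alert, judged in local time."""
    utc = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    local = utc.astimezone(tz)  # convert BEFORE looking at weekday or clock time
    if local.weekday() >= 5:  # Saturday=5, Sunday=6
        return "weekend"
    if BUSINESS_START <= local.time() < BUSINESS_END:
        return "business"
    return "off_hours"


def coverage_gap(alerts, tz=LOCAL_TZ) -> dict:
    """Count alerts per bucket and report the share landing outside staffed hours."""
    counts = {"business": 0, "off_hours": 0, "weekend": 0}
    for ts in alerts:
        counts[classify(ts, tz)] += 1
    total = len(alerts)
    outside = counts["off_hours"] + counts["weekend"]
    return {
        "total": total,
        **counts,
        "outside_share": outside / total if total else 0.0,
        "weekend_share": counts["weekend"] / total if total else 0.0,
    }


if __name__ == "__main__":
    print(coverage_gap(SAMPLE_ALERTS))
```

Judging timestamps in UTC instead of local time misclassifies the 16:30Z Monday alert and the Friday-night rollover, which is why the conversion happens first.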
The extensive data analysis showed a significant tightening in alert filtering, as only one alert was generated for every 138 million observations. Yet, this also reflects the increasing sophistication and stealth of cyber adversaries, who now rely heavily on identity compromise. Nearly three-quarters of investigations necessitating human intervention involved actions such as disabling accounts, resetting passwords, or severing access, illustrating the critical role that identity-based attacks play in the current threat landscape. Arctic Wolf notes that the average customer environment generates almost 33 billion observations annually, highlighting the monumental challenge faced by security operations centres (SOCs) to detect genuine threats amidst overwhelming noise.
Prominent sectors targeted include manufacturing, healthcare, and education, categories highly susceptible due to outdated infrastructure, the value of their data, and their low tolerance for operational interruptions. This aligns with broader industry concerns about maintaining robust cybersecurity while relying on legacy systems in environments where downtime can have serious consequences.
Experts interviewed alongside the report emphasise the tactical reasoning behind the timing of these attacks. James Maude, Field CTO at BeyondTrust, explained that threat actors deliberately exploit out-of-hours periods not simply due to time zone differences but to capitalise on decreased vigilance. He highlighted the danger of standing privileges—where users have continuous elevated access—as a key vulnerability that attackers leverage to maintain persistent, unchecked access. Maude advocates adopting zero-trust models and just-in-time privilege granting, so that any compromise, regardless of when it happens, is confined in scope and impact.
The growing volume and complexity of alerts are overwhelming security teams globally. Tim Bazalgette, Chief AI Officer at Darktrace, warned that the surge in alerts combined with increasingly sophisticated adversaries contributes to alert fatigue, leaving incidents potentially uninvestigated. The shortage of skilled cybersecurity professionals intensifies this pressure, increasing reliance on AI-powered automation. Bazalgette cites industry research indicating that 88% of security professionals view AI as essential to enable teams to focus on proactive defence rather than reactive firefighting. Automation tools reduce manual workloads, shorten detection and response times, and enhance operational efficiency.
Nevertheless, this increased dependence on AI brings new challenges. Casey Ellis, founder of Bugcrowd, cautioned about the double-edged nature of AI. While automation can efficiently triage alerts and detect patterns, the growing use of AI to discover vulnerabilities and generate exploitable code expands the attack surface and raises the volume of alerts, compelling SOCs to rethink alert management and prioritisation strategies. Ellis stresses that human expertise remains indispensable, particularly for creative analysis, nuanced decision-making, and managing AI systems effectively. He predicts SOC roles will evolve towards overseeing AI tools, emphasising continual training and AI literacy alongside traditional cybersecurity skills.
The Arctic Wolf report reveals AI’s tangible impact on security operations. Their Alpha AI system autonomously triaged 10% of alerts, eliminating over 860,000 manual reviews and contributing to a 37% reduction in Mean Time to Ticket over the past two years. Additionally, their Aurora Defense endpoint product has blocked an average of 13 threats per customer each week shortly after its release, demonstrating effective integration of AI with traditional human oversight.
Despite record security budgets, cyber losses continue to climb, illustrating the persistent and evolving gap between investment and effective defence. The FBI’s 2024 Internet Crime Report recorded $16 billion in losses—a 28% increase year-on-year—highlighting the urgency for strategic changes in defences. The Arctic Wolf report serves as both a stark warning and a practical guide, urging organisations to adapt to a threat landscape where attacks operate around the clock. Enhanced automation, continuous vigilance, and innovative privilege management are essential tools for defenders as cybercriminals redefine when and how they strike.
Source: Noah Wire Services