Cybersecurity alerts surge after hours as threats evolve, says report
A new report indicates that a majority of cybersecurity alerts are being triggered outside standard business hours, highlighting an evolving threat landscape that challenges traditional defence strategies.
The 2025 Security Operations Report, published by Arctic Wolf, analyses over 330 trillion security observations sourced from the company's Aurora platform and its global Security Operations Centre. The report provides insight into the tactics of cyber attackers and the corresponding pressures faced by security teams.
Out-of-hours activity
According to the report, 51% of security alerts globally are now issued outside normal working hours. This includes 17% occurring specifically on weekends. The findings underscore the rise of cyber threats during times when organisations may have fewer staff actively monitoring systems. The report further details significant month-to-month variation in attack frequency, with changes as large as 2000% in the Asia-Pacific (APAC) region alone.
Dan Schiappa, President of Technology & Services at Arctic Wolf, said the acceleration and unpredictability of threats were placing greater demands on defenders.
"Today's threat landscape is defined by round-the-clock attacks that target identity, exploit timing, and drive alert fatigue, leaving defenders to navigate increasingly complex tactics," said Schiappa. "Because we operate at global scale, we have unmatched visibility into how attackers adapt and how defenders respond. This report distils those insights into clear guidance organisations can use to strengthen defences and prepare for what comes next."
Data scaling and reduction
The company reported that its Aurora platform distilled 330 trillion raw security observations down to just 8.6 million alerts, a reduction rate of more than 99.99999%. This means that for every 138 million observations, only one alert was generated, helping reduce noise for security teams who are often faced with alert fatigue.
Artificial intelligence and automation are highlighted as key parts of this process. Alpha AI, Arctic Wolf's automated triaging system, handled 10% of alerts, removing the need for more than 860,000 manual reviews. This contributed to a 37% drop in Mean Time to Ticket (MTTT) over a two-year period, further speeding up response times and improving workload management for security analysts.
Industries and attack trends
The analysis identifies education, healthcare, and manufacturing as the most frequently targeted sectors. According to the report, these industries are at heightened risk due to outdated infrastructure, the high value of their data, and operational environments that have little tolerance for downtime.
The report also draws attention to 'mega events', which showcase how attackers change tactics. Cases such as the Fortinet "Console Chaos" campaign and the SonicWall CVE-2024-40766 incident demonstrated that attackers are exploiting weaknesses in identity management and virtual private networks (VPNs) to rapidly escalate their privileges. Notably, in these instances, systems left unmonitored were encrypted in less than 90 minutes.
Guidance for organisations
The report offers forward-looking insights and benchmarks for chief information security officers (CISOs), IT leaders, and security practitioners. This includes strategies for reducing operational noise, improving identity protection, and accelerating incident response.
Arctic Wolf suggests that organisations assess their current security operations, compare them against the report's findings and prioritise improvements that could enhance their overall resilience. The report was compiled using data from more than 10,000 organisations protected via the Aurora Platform and the company's AI-powered Security Operations Centre.
Arctic Wolf's intention in sharing the findings is to "help organisations everywhere better prepare for the next wave of cyber threats".