sophoslabs/Active_Adversary_Report

Active_Adversary_Report

Datasets from the Sophos Active Adversary Report

This repository contains copies of data analyzed in Sophos' Active Adversary Reports, starting with the report issued 2 April 2025 ("It Takes Two: The 2025 Sophos Active Adversary Report"). We are providing access to this data in the hope of starting broader conversations in the defender community about the issues raised in the report, and as part of our continuing efforts to encourage greater transparency and collaboration within the infosec community. We welcome your comments.

The data has been collected, normalized, and sanitized for public use as described in the report ("Appendix: Methodology"). The text of that appendix as of the April 2025 release is reproduced in the Methodology section below. We have also uploaded a PDF copy of the report for reference and convenience.

Methodology

The data in this report was captured over the course of individual investigations undertaken by Sophos X-Ops' Incident Response and MDR teams. For this first report of 2025, we gathered case information on all investigations undertaken by the teams throughout 2024 and normalized it across 52 fields, examining each case to ensure that the data available was appropriate in detail and scope for aggregate reporting as defined by the focus of the proposed report. We further worked to normalize the data between our MDR and IR reporting processes.

When data was unclear or unavailable, the authors worked with individual IR and MDR case leads to clear up questions or confusion. Incidents that could not be clarified sufficiently for the purpose of the report, or about which we concluded that inclusion risked exposure or other potential harm to the Sophos-client relationship, were set aside. We then dissected each remaining case’s timeline to gain further clarity on such matters as initial ingress, dwell time, exfiltration, and so forth. We retained 413 cases, and those are the foundation of the report. The data offered in the downloadable dataset has been further redacted to ensure customer confidentiality.
