
The Active Adversary Playbook 2022

Cyberattacker behaviors, tactics and tools seen on the frontline of incident response during 2021



The Active Adversary Playbook 2022 details the main adversaries, tools, and attack behaviors seen in the wild during 2021 by Sophos’ frontline incident responders. You’ll learn:

  • The anatomy of active attacks including root causes and main attack types
  • The toolsets adversaries have been employing to facilitate attacks
  • The main ransomware adversaries observed

Armed with these insights, you’ll better understand what adversaries do during attacks and how to spot and defend against such activity on your network.


The challenge of defending an organization against rapidly evolving, increasingly complex cyberthreats can be considerable. Adversaries continuously adapt and evolve their behavior and toolsets, leverage new vulnerabilities and misuse everyday IT tools to evade detection and stay one step ahead of security teams.

It can be hard for an organization’s IT and security operations professionals to keep up with the latest approaches used by adversaries, particularly when it comes to targeted, active attacks that involve more than one perpetrator, such as an initial access broker (IAB) breaching a target and then selling that access on to a ransomware gang for use in their attack.

The aim of this report is to help security teams understand what adversaries do during attacks and how to spot and defend against such activity on their network.

The findings are based on data from incidents investigated by the Sophos Rapid Response team during 2021. Where possible, the data is compared against the incident response findings outlined in the Active Adversary Playbook 2021.

Incident Response Demographics 2021

The report is based on 144 incidents targeting organizations of all sizes, in a wide range of industry sectors, and located in the U.S., Canada, the U.K., Germany, Italy, Spain, France, Switzerland, Belgium, the Netherlands, Austria, the United Arab Emirates, Saudi Arabia, the Philippines, the Bahamas, Angola, and Japan.

The most represented sectors are manufacturing (17% of incident response cases were in this sector) followed by retail (14%), healthcare (13%), IT (9%), construction (8%), and education (6%). Additional profile information can be found in the data tables at the end of this report.