Cyber threats are increasingly a 24/7 problem, no longer confined to the standard workday. New data from Arctic Wolf's 2025 Security Operations Report reveals that a majority (51%) of global security alerts now occur outside of traditional business hours, with 17% specifically happening on weekends—a time when security teams are often least prepared.
This conclusion is drawn from an immense dataset of over 330 trillion security observations processed by Arctic Wolf’s Aurora platform and global Security Operations Centers (SOCs), representing a 30% increase from the previous year. Despite this volume, the system generated only one alert for every 138 million observations, indicating more refined filtering but also pointing to adversaries' improved stealth tactics.
A predominant theme of the past year was identity compromise. In cases requiring human-led investigation, almost 75% involved actions like disabling accounts, resetting passwords, or revoking access. The scale of the challenge is underscored by the finding that the average company's digital environment now produces nearly 33 billion security observations per year.
“This report offers more than reflection, it is a roadmap,” stated Lisa Tetrault, Arctic Wolf's Senior Vice President of Security Services. “Whether you are a security leader, practitioner, or executive, our goal is to help you better understand the evolving threat landscape, benchmark your operations, and make informed decisions as we work together to end cyber risk.”
To manage this scale, Arctic Wolf is leveraging automation. Its AI-powered triage system, Alpha AI, autonomously handled 10% of all alerts, preventing over 860,000 manual reviews and helping to reduce the Mean Time to Ticket by 37% over two years. Furthermore, its Aurora Defense product blocked an average of 13 threats per customer each week shortly after its release.
Sectors like manufacturing, healthcare, and education were among the most targeted, largely due to their reliance on legacy systems, possession of valuable data, and low tolerance for operational disruption. The report also notes a persistent trend: cyber losses are climbing even as organizations invest record amounts in security.
This picture aligns with broader industry trends. According to James Maude, Field CTO at BeyondTrust, the timing of attacks is a “deliberate ploy.” He explains that threat actors strike when defenses are down, noting that a weekend login attempt appears far less suspicious than a malware alert. Maude identifies “standing privileges” as a core vulnerability, advocating for a “just-in-time” and zero-trust approach to access control to limit the “blast radius” of any identity compromise.
Security teams are struggling under the pressure. “They are progressively becoming overwhelmed, facing not just an unyielding surge in security alerts, but adversaries that are quicker, stealthier, and more sophisticated,” adds Tim Bazalgette, Chief AI Officer at Darktrace. This leads to uninvestigated incidents and alert fatigue. With a growing shortage of skilled professionals, Bazalgette notes that 88% of experts believe AI is vital for freeing up time for more proactive defense, making its adoption critical.
However, AI presents a double-edged sword, warns Bugcrowd founder Casey Ellis. The same technology that powers defense is also accelerating the creation of vulnerable code and improving attackers' ability to find and exploit it. This ultimately funnels more alerts into the SOC. Ellis emphasizes that while AI will automate mundane tasks, human expertise in understanding threat landscapes and incident response remains irreplaceable. He predicts that SOC analysts will evolve into managers of AI systems, focusing on complex threat hunting and strategic defense.
This evolution will necessitate a major shift towards risk-based prioritization. Ellis expects this strategy to take center stage, aided by AI tools that can help scale the approach. The urgent need for change is highlighted by the FBI’s 2024 Internet Crime Report, which documented $16 billion in losses—a 28% annual increase. This growing disconnect between spending and outcomes reveals a security gap that money alone cannot solve. As cybercriminals adapt their schedules, the pressure is on defenders to accelerate their own response.