
Arctic Wolf’s 2025 Security Operations Report analyzed more than 330 trillion security observations sourced from the company's Aurora platform and its global Security Operations Center (SOC). According to the report, 51 percent of security alerts globally are now issued outside normal working hours. This includes 17 percent occurring specifically on weekends.
Effectively filtering alerts has only become more urgent as attackers shift to identity-based attacks, which exploit trusted infrastructure such as legitimate user accounts and common weaknesses such as alert fatigue. Some 38 percent of Arctic Wolf customers’ security investigations required “direct intervention” to block a threat, and nearly three-quarters of those interventions involved identity management, such as disabling compromised accounts or resetting passwords.
The report also highlights artificial intelligence and automation as key to reducing the volume of alerts that analysts must review by hand. Alpha AI, Arctic Wolf's automated triage system, handled 10 percent of alerts, removing the need for more than 860,000 manual reviews.
A number of industry stakeholders shared their thoughts on the findings.
James Maude, Field CTO at BeyondTrust
"Threat actors rarely work 9 to 5, so it comes as no surprise that 51 percent of alerts occur outside business hours and 15 percent happen on the weekend. In many cases this is not simply a time zone difference. It is a deliberate ploy to strike when you are away from the keyboard. This is especially effective for identity-based attacks, as a user logging in on a weekend might not seem as suspicious as an alert that malware is running.
"One of the key reasons that users’ identities are easily exploited out of hours is that they have standing privileges and more often than not are over-privileged. When that is the case, if a threat actor is able to compromise an identity, they acquire 24/7 access with all the privileges the user has during the working day. This is why it is essential to reduce and ideally eliminate standing privileges using modern just-in-time approaches that only grant privilege when needed and take a zero-trust approach to validating the user’s identity.
"Credentials are stolen, weaker forms of multi-factor authentication (MFA) can be bypassed, help desks might even help a threat actor reset the credentials, so the best line of defense is to reduce the blast radius in the event of an identity compromise, making sure that, no matter what time of day or night it is exploited, the privileges, access and risk are limited in scope.
"It bears repeating that identity has become the new perimeter and organizations, as well as individuals, are starting to realize this and better understand and protect their identity attack surface. At a basic level having robust MFA controls on all high value personal accounts is absolutely essential. At the organization level, being able to understand all the paths an identity has in your environment and proactively reduce those risks is key to success."
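The scoring that Maude's argument implies, as an added example (not code from Arctic Wolf, BeyondTrust or the report): each login event is weighted by whether it lands outside the user's local business hours, whether the identity carries standing privileged roles, and the MFA strength recorded on the session. The directory, roles, weights, threshold and log events are all constructed assumptions, and a fixed UTC offset per user stands in for a real zone database. A weekend login by an account with no standing privileges stays low-severity, while the same login by an account that is always an admin is escalated, which is the blast-radius point made above.

```python
"""Added example (not code from Arctic Wolf, BeyondTrust or the report): score
login events by time-of-day and by the standing privilege the identity holds.
All users, roles, weights and log events below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone

# Assumed local business window, Monday to Friday.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

# Assumed set of roles that count as standing privileged access.
PRIVILEGED_ROLES = {"domain_admin", "global_admin", "db_owner"}


@dataclass(frozen=True)
class Identity:
    user: str
    utc_offset_hours: int       # fixed offset for brevity; use zoneinfo in production for DST
    standing_roles: frozenset   # privileges held 24/7; empty when admin access is JIT-only


@dataclass
class Finding:
    user: str
    local_time: str
    score: int
    reasons: list = field(default_factory=list)


def off_hours_reason(local: datetime) -> str:
    """Return why a local timestamp is outside business hours, or '' if it is not."""
    if local.weekday() >= 5:
        return "weekend"
    if not (BUSINESS_START <= local.time() < BUSINESS_END):
        return "outside 08:00-18:00 local"
    return ""


def score_login(event: dict, directory: dict) -> Finding:
    """Combine timing, standing privilege and MFA strength into one severity score."""
    ident = directory.get(event["user"])
    if ident is None:
        # Unknown principal: there is nothing to reason about, hand it to a human.
        return Finding(event["user"], event["ts"], 5, ["user not in directory"])

    utc = datetime.fromisoformat(event["ts"])       # timestamps carry an explicit +00:00
    local = utc.astimezone(timezone(timedelta(hours=ident.utc_offset_hours)))
    score, reasons = 1, []

    why = off_hours_reason(local)
    if why:
        score += 1                                   # off-hours alone is weak evidence
        reasons.append(why)

    standing = ident.standing_roles & PRIVILEGED_ROLES
    if standing:
        score += 2                                   # a stolen session is full-power 24/7
        reasons.append("standing privilege: " + ", ".join(sorted(standing)))
        if why:
            score += 1                               # privileged and nobody watching
    if event.get("mfa") != "strong":
        score += 1
        reasons.append("mfa=" + event.get("mfa", "none"))
    return Finding(ident.user, local.isoformat(), score, reasons)


def triage(events, directory, threshold=4):
    """Score all events and split them into (escalate, rest), highest score first."""
    findings = sorted((score_login(e, directory) for e in events), key=lambda f: -f.score)
    return ([f for f in findings if f.score >= threshold],
            [f for f in findings if f.score < threshold])


# Constructed identity directory: alice holds standing admin rights, bob gets admin
# only through a JIT grant, carol is an unprivileged reader.
DIRECTORY = {
    "alice": Identity("alice", -4, frozenset({"domain_admin"})),
    "bob": Identity("bob", 1, frozenset()),
    "carol": Identity("carol", 9, frozenset({"reader"})),
}

# Constructed login events (UTC). 2025-03-15 is a Saturday, 2025-03-17 a Monday.
SAMPLE_EVENTS = [
    {"ts": "2025-03-15T07:12:00+00:00", "user": "alice", "mfa": "push"},     # Sat 03:12 local
    {"ts": "2025-03-15T07:12:00+00:00", "user": "bob", "mfa": "strong"},     # Sat 08:12 local
    {"ts": "2025-03-17T02:00:00+00:00", "user": "carol", "mfa": "strong"},   # Mon 11:00 local
    {"ts": "2025-03-17T02:00:00+00:00", "user": "mallory", "mfa": "none"},   # not in directory
]

if __name__ == "__main__":
    escalate, rest = triage(SAMPLE_EVENTS, DIRECTORY)
    for f in escalate:
        print(f"ESCALATE {f.user:8} {f.local_time} score={f.score} {f.reasons}")
    for f in rest:
        print(f"log only {f.user:8} {f.local_time} score={f.score} {f.reasons}")
```

The weights are deliberately simple so the ordering is easy to audit: bob's weekend login on a JIT-only account scores 2 and is merely logged, while alice's identical weekend login on a standing domain admin with push-only MFA scores 6 and is escalated. Removing alice's standing role drops her to the same tier as bob, which is the effect a just-in-time privilege model has on the alert queue.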
Tim Bazalgette, Chief AI Officer at Darktrace
"Security teams are progressively becoming overwhelmed — facing not just an unyielding surge in security alerts, but adversaries that are quicker, stealthier, and more sophisticated. This is leaving incidents uninvestigated, increasing alert fatigue, and heightening the risk of missed threats.
"With the shortage of skilled cyber professionals continuing to grow, organizations are increasingly turning to AI-powered tools to improve efficiency in the SOC. In fact, 88 percent of security professionals believe that the use of AI is vital to freeing up time for security teams to become more proactive, according to the 2025 State of AI Cybersecurity report. Empowering defenders with AI has never been more critical than it is today and we must remain committed to driving innovation that helps organizations proactively decrease risk, reinforce their security posture, and elevate their teams."
Casey Ellis, Founder at Bugcrowd
"The proliferation of AI-powered vulnerability discovery tools, as well as the growth of AI-assisted code generation, means that a fresh, vulnerable attack surface is being created at an increasing rate, and the tooling to find and exploit this attack surface is doing so more effectively. All of this nets out to higher throughput into the SOC, which necessitates a shift in thinking around the economics of processing SOC alerts.
"Human incentives are still the primary driver here, and traditional SOC training (understanding threat landscapes, attacker behavior, and incident response) remains critical. AI can handle repetitive, low-order tasks like triaging alerts or identifying patterns, but it lacks the creativity and contextual understanding that humans bring to the table. SOC training will evolve to include AI literacy, but foundational skills will remain essential.
"AI will automate mundane tasks, allowing analysts to focus on complex, high-value work like threat hunting and strategic defense. The role of SOC analysts will shift toward managing AI systems, interpreting their outputs, and addressing the nuanced, creative challenges that machines can’t handle.
"Jobs won’t disappear, they’ll adapt. The key is ensuring that SOC professionals are prepared for this shift through ongoing education, training, and tooling.
"AI is already accelerating the creation of attack surface and the ease of discovery and exploitation of certain classes of vulnerability. It's reasonable to assume that these two things will net out to an increase in SOC alerts and the need for a shift in strategy to deal with it. I expect to see risk-based prioritization take center stage on the defender side, and there are a lot of ways that AI can help to scale this approach."