Threat Actors Don’t Punch in 9 to 5: Most Alerts Occur After Hours and on Weekends
If you want to deflect threats, you might consider changing your security team’s working hours, now that Arctic Wolf has discovered that most cybersecurity alerts are triggered outside of the traditional 9-to-5 workday. (Is that even a thing anymore?)
Admittedly, I’m not sure how much of an advantage that is for bad actors, considering how the lines between work and home have blurred post-pandemic. But Arctic Wolf brought the goods in its 2025 Security Operations Report, which turned more than 330 trillion security observations from its Aurora platform and its global Security Operations Center (SOC) inside out. Just a tick over half of security alerts globally are generated outside normal working hours, and 17 percent are issued on the weekend.
That means would-be attackers are working “pandemic hours,” causing alerts to pile up and complicating the landscape for defenders who already struggle to filter alerts, especially as identity-based attacks proliferate. Those attacks play on trusted infrastructure. Arctic Wolf found that of the 38 percent of its customers’ investigations that required direct intervention to thwart a cyberthreat, 72 percent centered on identity management.
“It bears repeating that identity has become the new perimeter and organizations, as well as individuals, are starting to realize this and better understand and protect their identity attack surface,” says BeyondTrust Field CTO James Maude.
Maude says he isn’t surprised that the bulk of alerts occur outside of business hours and on weekends. “In many cases, this is not simply a time zone difference but a deliberate ploy to strike when you are away from the keyboard,” he says.
The news isn’t all bad — AI and automation are helping reduce the total number of alerts, which should come as a relief for those suffering alert fatigue and who want to train their resources on the alerts that count. “The clearing of noise, the enhancement of signals and the triaging of high-fidelity alerts…highlights the true value of AI,” the report says. “Not in its unrealized promise of replacing traditional analysts, but in its support of security experts to make informed decisions that require human expertise.”
“Security teams are progressively becoming overwhelmed — facing not just an unyielding surge in security alerts, but adversaries that are quicker, stealthier, and more sophisticated,” says Tim Bazalgette, chief AI officer at Darktrace. “This is leaving incidents uninvestigated, increasing alert fatigue, and heightening the risk of missed threats. With the shortage of skilled cyber professionals continuing to grow, organizations are increasingly turning to AI-powered tools to improve efficiency in the SOC.”
Bazalgette points out that “88% of security professionals believe that the use of AI is vital to freeing up time for security teams to become more proactive,” according to Darktrace’s 2025 State of AI Cybersecurity report. “Empowering defenders with AI has never been more critical than it is today and we must remain committed to driving innovation that helps organizations proactively decrease risk, reinforce their security posture, and elevate their teams,” he says.
But as the number of AI-powered vulnerability discovery tools increases and AI-assisted code generation grows, “a fresh, vulnerable attack surface is being created at an increasing rate, and the tooling to find and exploit this attack surface is doing so more effectively,” says Bugcrowd cofounder and Founder Casey Ellis. “All of this nets out to higher throughput into the SOC, which necessitates a shift in thinking around the economics of processing SOC alerts.”
Ellis doesn’t expect AI to replace the prowess of experts. “Human incentives are still the primary driver here, and traditional SOC training, understanding threat landscapes, attacker behavior, and incident response, remains critical,” he says, while AI can “handle repetitive, low-order tasks like triaging alerts or identifying patterns.” AI simply doesn’t have the “creativity and contextual understanding that humans bring to the table.”
While SOC training will evolve to include AI literacy, Ellis says “foundational skills will remain essential.”

