Get the Full Report

2022 SANS Survey Report

Inside the Minds & Methods of Modern Adversaries

To stay ahead of a hacker, you need to think like one. In groundbreaking new research, SANS and Bishop Fox surveyed more than 300 ethical hackers to gain insight into how attackers think, the tools they use, their speed, specialization, and favorite targets.

Unlike other surveys, which take a defender’s point of view and leverage past trends to predict the future, our report flips the script to explore how adversaries view environments and to uncover insights into where they find the most success. By better understanding the minds and methods of attackers, defenders can improve their security posture and refine offensive and defensive strategies.

Get The Complete Report

By submitting this form, you indicate that you have read and agree to the terms of our Privacy Policy


Defend Forward with New Insights Into How Attackers Operate

Icon of a target.

57% can complete an end-to-end attack in less than a day.

Icon Code Risk

64% can exfiltrate data in less than 5 hours once they gain access.

Icon of a Shield Integration

36% can escalate or move laterally in 3 to 5 hours.

Most common exploitable perimeter exposures

The Greatest Risks You Face

Which Exploitable Exposures Are Most Often Found on the Perimeter?

Attackers take the path of least resistance to exploit their targets. Our research indicates they frequently have lots of options to choose from. Respondents reported all of the exposure types we surveyed on were quite common, except for abandoned domains/subdomains. Vulnerable configurations topped the list, with exposed web services and vulnerable software right behind.

Average hours to collect and exfiltrate data

Racing To The Finish Line

How Quickly Can Your Data Be Exfiltrated?

Nearly 64% of ethical hackers reported being able to collect and potentially exfiltrate data in five hours or less once they had gained access to an environment, and an astonishing 41% were successful in two hours or less. As adversaries get “further along” in their attacks, they often either gain speed advantages (due to lack of detection), or become so familiar with the environment that exfiltration is radically simplified.

How many organizations have adequate detection and response capabilities

The Struggle Continues

How Do Detection & Response Capabilities Stack Up?

Shockingly, 74% of survey respondents indicated that only few or some organizations have sufficient detection and response capabilities to effectively stop an attack. Adversaries realize that the ability to detect and respond is still significantly inadequate and use it to their advantage. Get the complete report to see if defenders did any better when it comes to preventing, detecting, and responding to cloud- and application-specific attacks.
Join us for a live Bishop Fox Webcast titled Hacker Insights Revealed featuring security experts, Tom Eston and Matt Bromiley

On-Demand Webcast

Dive Deep Into the Survey Results with the Experts

Join Matt Bromiley of SANS and Tom Eston of Bishop Fox as they dive deep into the findings of our recent research, discuss what they found most surprising, and provide tips for leveraging the data to refine your offensive and defensive security strategies. 

Security team montage with our Bishop Fox polyfox and a security team member inthe shadow.


Know Your Enemy, Know Yourself

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
- Sun Tzu, The Art of War

It’s no secret that attackers are evolving faster than defenses can keep up. By the time detection measures are in place, attackers have a new way to circumvent them. It’s a game of cat and mouse that attackers are poised to win. We hope that this inaugural report developed in collaboration with SANS can start to shift these dynamics. By mining insights from ethical hackers armed with the same tools, tactics, techniques, and procedures as modern attackers, we can better understand what we're up against and, in doing so, better empower the defenders. We hope you find the report useful!

-- The Bishop Fox Team

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.