
2020 RSA Edition of the Attacker Behavior Industry Report

The report examines a wide range of cyberattack detections and trends from a sample of 350 Vectra Cognito® deployments with more than 5 million hosts per month from nine different industries. This report takes a multidisciplinary approach that spans all strategic phases of the attack lifecycle.


Publication date: February 25, 2020



  • Across all industries, in the six-month period from July to December 2019, there was an average of 215 attacker behavior detections per 10,000 hosts with a peak of 252 in July 2019. This is lower than the 282 attacker behaviors per 10,000 hosts experienced in the first half of 2019.
  • Technology (138 detections per 10,000) and education organizations (102 detections per 10,000) remain the most common sectors to exhibit command & control behaviors. Everyone else experienced just 39 detections per 10,000 hosts.
  • It is rare to see large volumes of TOR traffic in any organization, as it serves few if any legitimate business purposes. Across all industries, TOR averaged 3 detections per 10,000 hosts. In December, it averaged 19 detections per 10,000 hosts, driven by a spike in technology companies in the Asia-Pacific region.
  • Finance and insurance organizations experienced 29 port scan detections per 10,000 hosts, compared to an industry average of 11.
  • Government agencies detected the lowest rate of reconnaissance behaviors, at 93 per 10,000 hosts, while finance and insurance organizations detected the highest at 32 per 10,000 hosts.
  • File server (SMB) brute force behaviors attempting to crack user passwords were observed a year-high 22 times per 10,000 hosts in July. Over the rest of the year (August-December), SMB brute force was observed 14 times per 10,000 hosts.
  • Small companies (1 to 53,000 employees) are more at risk of lateral movement attacks. Small companies observed 112 lateral movement behaviors per 10,000 hosts while medium and large companies detected 64.
  • Vectra customers achieved a 38X workload reduction for Tier-1 analysts by automating the process of detection, triage, correlation and prioritization of security incidents to hosts, enabling security operations teams to focus on compromised hosts that pose the highest risk.
