Your attacker doesn’t work from 9 to 5. Your SOC does.

Imagine your production facility was left unattended exactly when the burglars decided to strike. That is effectively the state of IT security in 90% of German mid-sized companies. The biggest unresolved structural weakness in SMB cybersecurity is not technical – it is temporal. We defend our environments for roughly 40 hours a week, while attackers operate 24/7. This asymmetry is no coincidence; it is part of the attackers‘ business model.

The Arctic Wolf Security Operations Report 2025 analyzed more than 330 trillion security observations. The findings are striking: 51% of all security alerts occurred outside regular business hours, and another 15% during weekends. Darktrace reports an even clearer pattern: in 76% of ransomware incidents, the encryption process begins either after business hours or over the weekend.

The attackers‘ playbook is more subtle than many organizations realize. Threat actors typically gain initial access while employees are actively working, allowing them to blend into normal business activity. The actual attack, however, is executed after hours. Initial access may occur between 10:00 a.m. and 4:00 p.m., lateral movement during the evening, and ransomware encryption at 3:00 a.m. on Saturday night. By the time the first employee returns to the office on Monday morning, the incident may already have been unfolding for 60 hours.

An EDR platform that nobody checks at 2:47 a.m. on a Sunday is nothing more than an extremely expensive voicemail system. Under the NIS2 Directive, organizations are required to report significant cybersecurity incidents within 24 hours. If an incident is only discovered on Monday at 9:30 a.m., the organization may already have missed that deadline by more than a day.

The real question is not, „Do we have a SIEM?“ It is, „Who is looking at it at 4:00 a.m. on a Sunday?“

The honest answer usually comes down to three options:

  • Invest in a 24/7 Managed Detection and Response (MDR) or Security Operations Center (SOC) service.
  • Enable automated containment capabilities – not just detection.
  • Cover nights, weekends, and public holidays with an on-call incident response process, regular tabletop exercises, and decision-makers (including executive management) who can be reached when needed.

Everything else is wishful thinking. Do you have a documented escalation process for 3:00 a.m. on a Sunday – including deputies, emergency mobile numbers, and pre-approved containment authority? Or does your incident response plan simply say: „Notify the IT Manager“?

Expected objections – and the reality

  • „We can’t afford our own SOC.“

That’s true. Running an in-house Security Operations Center around the clock typically requires at least eight analysts to cover shifts, weekends, vacations, public holidays, and sick leave. Add one or two team leads, XDR technology, and threat intelligence platforms, and annual costs can easily exceed €1 million. This is exactly why Managed Detection and Response (MDR/MXDR) services exist and are available for a fraction of that investment. The real question is not „Should we build our own SOC?“ but „Who provides our 24/7 security coverage?“

  • „We already have antivirus and a firewall.“

Both operate automatically. Modern attackers know this and increasingly rely on legitimate administrative tools, remote management software (RMM), and cloud storage services such as OneDrive or Dropbox to deliver ransomware without deploying traditional malware binaries. These so-called Living-off-the-Land attacks often evade automated detection. Ultimately, security alerts still require experienced human analysts who can distinguish real threats from background noise.

  • „Nobody uses our systems at night, so anything unusual would immediately stand out.“

Unfortunately, that’s a common misconception. Backup jobs, software updates, replication processes, cloud synchronization, and other scheduled activities routinely run overnight. Attackers deliberately hide their activity within this legitimate background traffic. Without behavioral baselines and continuous 24/7 triage, „unusual“ quickly becomes indistinguishable from normal operational noise.

  • „We have cyber insurance.“

Cyber insurance providers are increasingly verifying whether organizations actually maintain the 24/7 monitoring capabilities promised in their applications and policies. Many newer policies define response times as contractual obligations. Delayed detection or response may therefore result in reduced coverage or denied claims.

  • „We’ll simply shut down critical systems over the weekend.“

It’s an attractive idea, but rarely practical for organizations that depend on logistics, manufacturing, cloud services, or field operations. More importantly, an attacker who has already established a foothold inside your environment will simply wait. Air-gapping systems may reduce exposure to initial compromise, but it does not stop lateral movement by an adversary who is already inside your network.

More insights can be found in the video below.

Nach oben scrollen