
John Shier
John Shier is a Field CTO at Sophos. John is a popular presenter at security events, and is well-known for the clarity of his advice, even on the most complex security topics. John doesn't just talk the talk: he also gives hands-on technical support and product education to Sophos partners and customers.
Content by John Shier

Security Operations
Threat Research
Active Adversary
Active Adversary Report
Nowhere, man: The 2026 Active Adversary Report
February 24, 2026

Security Operations
Threat Research
Active Adversary
Active Adversary Report
Compromised Credentials
detection
dwell time
Featured
impact
incident response
LOLBIN
MFA
Monitoring
RDP
Remote Ransomware
root cause
It takes two: The 2025 Sophos Active Adversary Report
April 2, 2025

Security Operations
Threat Research
Active Adversary
Active Adversary Report
Featured
incident response
IR
LoLBINs
MDR
RDP
the Bite from Inside: The Sophos Active Adversary Report
December 12, 2024

Threat Research
Active Adversary
Active Adversary Report
Case Study
Featured
incident response
RDP
Sophos X-Ops
It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024
April 3, 2024

Threat Research
Active Adversary
Active Adversary Report
dwell time
Featured
incident response
LoLBINs
MDR
practitioners
tools
The song remains the same: The 2023 Active Adversary Report for Security Practitioners
November 14, 2023

Threat Research
Active Adversary
Active Adversary Report
Active Directory
attribution
detection
dwell time
Featured
incident response
MFA
MTR
RDP
Sophos X-Ops
Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders
August 23, 2023

Threat Research
Active Adversary
Active Adversary Report
CoinMiner
Conti
data breach
exfiltration
extortion
Featured
incident response
loader
Lockbit
Ransomware
Sophos X-Ops
Web shells
Everything Everywhere All At Once: The 2023 Active Adversary Report for Business Leaders
April 25, 2023

Threat Research
Active Adversary
Active Adversary Report
cve-2021-31207
cve-2021-34473
cve-2021-34523
Featured
ProxyLogon
ProxyShell
Security Operations
Sophos X-Ops
Web shells
Active Adversary Playbook 2022 Insights: Web Shells
June 22, 2022

Security Operations
Threat Research
Active Adversary
Active Adversary Report
Artifacts
Attack Tools
cobalt strike
Cryptomining
cyberattacks
cyberthreats
dwell time
Exploit
Featured
initial access broker
malware delivery system
MITRE
ProxyLogon
ProxyShell
Ransomware
ransomware as a service
Sophos Rapid Response
vulnerability
The Active Adversary Playbook 2022
June 7, 2022