JUNE 30, 2026
There are two timelines that define how a network intrusion unfolds. The first is dwell time: how long the attacker stays inside before they are detected. The second is breakout time: how long it takes from their first foothold to their first lateral move onto another system. Both numbers have been shrinking for years. Both now sit at levels that expose a fundamental problem with how most security programs are built.
Dwell time, which averaged over 200 days five years ago, has fallen to roughly 5 days in 2025 for ransomware and financially motivated intrusions. That sounds like progress. It is progress. But 5 days is still 5 days of silent access: credential harvesting, network mapping, backup identification, and payload positioning, all before the first alert fires.
Breakout time tells a different story. The average eCrime breakout time fell to 29 minutes in 2025, a 65% acceleration from the prior year. The fastest observed breakout in 2025 was 27 seconds. In one documented intrusion, data exfiltration began within four minutes of initial access. These are not statistical anomalies. They represent how the fastest-moving threat actors operate at scale, and increasingly, how automated and AI-assisted attack chains operate by design.
The gap between these two numbers is where the detection-to-containment paradox lives. The attacker may spend 5 days in your environment before you know they are there. Once you know they are there, you have 29 minutes, on average, before they have spread further than the original entry point. Most security programs are not built to operate in that window.
| Metric | Value | Source |
| Median dwell time for ransomware intrusions, 2025 | 5 days | Mandiant M-Trends 2026 |
| Average eCrime breakout time, 2025 | 29 min | CrowdStrike 2026 Global Threat Report |
| Fastest observed eCrime breakout time on record, 2025 | 27 sec | |
| Time to first data exfiltration in one documented 2025 intrusion | 4 min | |

Dwell time is the period between an attacker’s initial access to a network and the moment that access is detected by the defending organization. It is sometimes called time to detection, and it is one of the most consequential metrics in incident response, because everything that happens during dwell time happens without the defender’s knowledge.
The 5-day median figure comes primarily from ransomware and financially motivated intrusion cases. It represents the time attackers spend inside a network before deploying their payload: the period of reconnaissance, privilege escalation, lateral movement preparation, and backup enumeration that precedes the moment the organization first becomes aware something is wrong.
Five days sounds manageable. In practice, five days of undetected access to a corporate network is enough time to map the entire Active Directory structure, identify and exfiltrate high-value data, locate and disable backup systems, and establish multiple persistence mechanisms that survive the initial detection event. The 5-day figure is a median. For healthcare organizations and critical infrastructure targets, dwell times measured in weeks and months remain common.
The Dwell Time Trend: Where the Numbers Have Come From

Dwell time has fallen significantly over the past decade, from a median of over 200 days in 2018 to roughly 5 days today for the fastest-moving threat actors. This reduction reflects improvements in endpoint detection, security operations maturity, and threat intelligence sharing across the industry. It does not reflect improvements in the attacker’s behavior. Dwell times have shortened because attackers have become faster and more automated, deploying payloads sooner after gaining access, not because defenders are catching intrusions earlier in the timeline.

The implication: shorter dwell times compress the window in which a defender can intervene before impact occurs. A shorter median is not necessarily a better outcome if the speed reduction is driven by the attacker accelerating, not the defender improving.
Breakout time measures something different and more operationally urgent than dwell time. It is the interval between an attacker’s initial compromise of a single endpoint and their first successful lateral movement onto a second system. Once breakout occurs, a single-point detection and containment action is no longer sufficient to stop the intrusion.
The 2026 CrowdStrike Global Threat Report placed the average eCrime breakout time at 29 minutes in 2025, down from 48 minutes in 2024, and from 98 minutes in 2021. The fastest recorded breakout was 27 seconds. These numbers have direct implications for how security teams must be structured and what tooling they must have in place before an intrusion begins.
The 1-10-60 Benchmark: Where Most Organizations Stand

Security operations benchmarks suggest that effective containment requires detecting an intrusion within 1 minute of the first indicator firing, investigating within 10 minutes, and containing within 60 minutes. Against a 29-minute average breakout time, a team that meets the 1-10-60 benchmark has a meaningful window to act before lateral movement is complete. Against a 27-second breakout time, no team operating on human-speed detection and response has any window at all. The fastest observed breakouts are, by definition, faster than any human-in-the-loop process can address.
The compression of breakout time is not a single-cause phenomenon. It reflects several simultaneous developments in attacker tradecraft, tooling, and automation that have converged to make post-access activity faster, stealthier, and harder to interrupt.
In a traditional intrusion, an attacker who gains initial access must deploy malware, establish a command and control channel, and wait for it to activate before they can begin post-exploitation activity. Each of these steps takes time and creates detectable artifacts.
In 82% of detections in 2025, no traditional malware was present. Attackers used valid credentials, native administrative tools such as PowerShell and WMI, and legitimate remote access software to move through the environment. The slowest step in the old breakout sequence, deploying and activating malware, is simply no longer part of the fastest attacks. The attacker already has valid credentials. They are already in the environment with tools that look identical to legitimate administrative activity.
AI-enabled adversaries increased their attack volume by 89% in 2025. Part of this acceleration is automation of the post-exploitation phase: credential dumping, network enumeration, and identification of lateral movement candidates, tasks that previously required skilled human operators working through a process, now run through automated pipelines that complete in seconds.
In documented cases from 2025, AI-generated scripts were used to accelerate credential dumping and simultaneously erase forensic evidence that would otherwise create detection opportunities. The attacker is not just moving faster. They are systematically removing the signals that would let a defender know they are moving at all.
Valid account abuse accounted for 35% of cloud incidents in 2025. When an attacker enters an environment with stolen legitimate credentials rather than a vulnerability exploit, they begin the breakout phase with access that the environment already trusts. There is no initial detection event from a vulnerability trigger, no unusual process execution, and no malware signature. The clock starts later for the defender, because the first indicator may not fire until lateral movement is already underway.
The detection-to-containment paradox is the gap between when a security program is theoretically capable of detecting an intrusion and when it is practically capable of containing one. It is not a technology problem. It is a structural problem that most security programs have not been designed to solve.
The sequence looks like this: an alert fires. An analyst receives it. The analyst assesses whether it is a true positive. If it is, they begin investigation to understand scope. Based on scope, they initiate containment actions. Each step takes time. In a well-run SOC with good tooling and low alert fatigue, the fastest realistic human-speed cycle through these steps is measured in tens of minutes.
Against a 29-minute average breakout time, a 30-minute response cycle means every containment action arrives after lateral movement has already occurred. The host you are isolating is no longer the only compromised host. The credential you are revoking has already been used to establish persistence elsewhere. Containment has become remediation, and remediation is slower, more expensive, and less complete.
| Breakout Scenario | Defender Has | What Must Happen in That Window |
| Average eCrime (29 min) | 29 minutes from first indicator to lateral movement complete | Alert fires, analyst triages, scope established, containment initiated, isolation executed |
| Fast eCrime (under 10 min) | Less than 10 minutes | Automated detection and pre-authorized containment required; human-speed response cannot complete the cycle |
| Fastest recorded (27 sec) | 27 seconds | No human-in-the-loop process is capable of responding within this window; automated response is the only viable option |
| Nation-state (variable dwell) | Days to weeks before breakout is triggered | The window is longer but the attacker uses it for preparation; by the time breakout occurs, they have already identified the optimal lateral movement path |

Understanding the dwell period in detail is important because it reveals where the detection opportunity actually sits. The 5-day median is not five days of idle presence. It is five days of structured activity, most of which leaves detectable signals if the right monitoring is in place.
| Phase | Typical Timing | Attacker Activity | Detection Opportunity |
| Initial Access | Day 0 | Credential use, vulnerability exploitation, or phishing execution; first foothold established on a single endpoint | Authentication anomaly, initial access broker listing on dark web prior to deployment |
| Reconnaissance | Day 0 to Day 1 | Internal network enumeration, Active Directory queries, identification of privileged accounts and high-value data stores | Unusual internal scanning, LDAP query volume anomalies, lateral movement tool staging |
| Privilege Escalation | Day 1 to Day 2 | Exploitation of misconfigurations, credential theft from memory, abuse of service accounts with excessive permissions | LSASS access events, token manipulation, service account activity outside normal hours |
| Lateral Movement | Day 2 to Day 3 | Breakout to additional systems using harvested credentials; establishment of access to domain controllers and backup infrastructure | Authentication events from unexpected source hosts, remote service creation, unusual admin tool usage |
| Data Staging and Exfil Prep | Day 3 to Day 4 | Identification and compression of target data, staging in temporary locations, evaluation of exfiltration channels | Large internal data transfers, compression tool execution, staging directory creation |
| Payload or Exfil | Day 4 to Day 5 | Ransomware deployment, data exfiltration, or both; backup deletion or encryption prior to payload detonation | Backup deletion events, mass file encryption, outbound data volume anomalies |
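The phase table above lists the signals that mark the transition from foothold to lateral movement, and the 1-10-60 benchmark earlier describes the response deadlines those signals must be measured against. The following added example (not code from the original post or from Brandefense) computes breakout time from a constructed set of logon and remote-service events, then reports which 1-10-60 milestones land before the attacker's first move; host names, account names and the `indicator_delay` parameter are assumptions for illustration.

```python
from datetime import datetime

# Constructed sample logon / remote-execution events (not real data).
# Each tuple: ISO timestamp, event kind, account, source host, destination host.
SAMPLE_EVENTS = [
    ("2025-03-02T09:14:03", "logon", "j.doe", "ext-vpn", "WS-017"),               # initial foothold
    ("2025-03-02T09:20:41", "ldap_query", "j.doe", "WS-017", "DC01"),             # recon, not movement
    ("2025-03-02T09:38:12", "logon", "svc_backup", "WS-017", "FS-02"),            # first lateral move
    ("2025-03-02T09:40:55", "remote_service_create", "svc_backup", "WS-017", "FS-02"),
]

# Event kinds that place a session or code execution on the destination host.
MOVEMENT_KINDS = {"logon", "remote_service_create"}

# 1-10-60 benchmark: absolute deadlines in seconds after the first indicator fires.
BENCHMARK_1_10_60 = {"detect": 60, "investigate": 600, "contain": 3600}


def _ts(s):
    return datetime.fromisoformat(s)


def breakout_seconds(events, foothold_host):
    """Seconds from the first movement event landing on foothold_host to the first
    movement event that goes from an already-compromised host to a host not yet
    compromised. Returns None if no breakout is observed in the events."""
    compromised = set()
    t0 = None
    for ts, kind, _account, src, dst in sorted(events, key=lambda e: _ts(e[0])):
        if t0 is None:
            if kind in MOVEMENT_KINDS and dst == foothold_host:
                t0 = _ts(ts)            # dwell/breakout clock starts here
                compromised.add(dst)
            continue
        if kind in MOVEMENT_KINDS and src in compromised and dst not in compromised:
            return int((_ts(ts) - t0).total_seconds())
    return None


def milestones_before_breakout(breakout, indicator_delay=0, benchmark=BENCHMARK_1_10_60):
    """Which benchmark milestones complete before the attacker's first lateral move.
    indicator_delay models the first alert firing some seconds after initial access
    (valid-credential intrusions often produce no indicator at entry)."""
    return {name: indicator_delay + deadline < breakout for name, deadline in benchmark.items()}


if __name__ == "__main__":
    b = breakout_seconds(SAMPLE_EVENTS, "WS-017")
    print(b, milestones_before_breakout(b), milestones_before_breakout(b, indicator_delay=900))
```

In the sample, breakout happens 24 minutes after the foothold, so detection and investigation milestones fit but containment at 60 minutes does not; a 15-minute indicator delay also pushes investigation past the breakout point.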
The detection-to-containment paradox cannot be solved by adding more analysts. The window is too narrow for human-speed response to cover the fastest breakout scenarios, and the dwell period is too quiet for traditional detection approaches to surface early enough. The changes required are structural.
| Capability | How It Addresses the Breakout and Dwell Problem |
| Initial Access Broker (IAB) surveillance | Monitors dark web forums for listings of network access tied to your organization, surfacing pre-intrusion intelligence before the dwell clock starts |
| Credential exposure monitoring | Detects stolen credentials in infostealer logs and breach dumps before they are used for initial access or lateral movement |
| Ransomware group activity tracking | Tracks threat actor targeting discussions and campaign preparation activity relevant to your sector and technology stack |
| Dark web early warning | Surfaces mentions of your organization’s infrastructure in threat actor communication channels prior to active targeting |
| External attack surface management | Identifies exposed entry points, misconfigured services, and unpatched external assets that represent initial access opportunities before attackers enumerate them |
| Continuous 24/7 monitoring | Ensures that pre-attack and early-dwell signals are detected as they appear, not during the next scheduled assessment cycle |
Related reading:

- Credential Stuffing and IAB Economics (https://brandefense.io/blog/what-is-credential-stuffing/): how initial access brokers supply the credentials that make fast breakouts possible
- From Disclosure to Exploit (/blog/disclosure-to-exploit-cve-weaponization-speed-ai): the parallel timeline of vulnerability weaponization that feeds the initial access phase
- Account Takeover CISO Guide (/blog/ato-ciso-guide-detection-response-recovery): the containment and recovery framework that applies once breakout has occurred
