29 Minutes. That’s How Long You Have. What’s Your MTTD — and Do You Actually Know It?

The CrowdStrike 2026 Global Threat Report finds that the average attacker breakout time dropped to just 29 minutes for financially motivated attackers in 2025. That’s a whopping 65% acceleration year-over-year, with the fastest observed breakout time clocking in at 27 seconds. Breakout time is the elapsed time between an attacker gaining an initial foothold and moving laterally to another system inside your environment. It’s the window your team has to detect and contain before a bad day becomes a catastrophic one.

What does this mean and why does it matter? 82% of all attacks are now malware-free, so traditional signature-based AV detection is not fully protecting organizations. Attackers are using legitimate tools operated by the business to conduct attacks. These include legitimate credentials, remote management software, cloud admin consoles, internal APIs and compromised devices. Cloud attacks are up 37% year-over-year, with nation-state cloud activity up 266%! Perimeter security and compliance checklists were built for threat models that no longer exist. And then there is the fact that most businesses don’t have a clearly defined Mean Time to Detection (MTTD), and if they do, in most cases it’s certainly not less than 29 minutes. And simply detecting malicious activity doesn’t imply your teams have the tools or controls needed to stop the attack, adding to the delay and giving the advantage to the intruder.

Unfortunately, most organizations are focused on completing compliance checklists. SOC 2 and ISO 27001 simply serve as baselines: does the organization have the correct controls? And often the scope of these compliance frameworks purposefully excludes the most vulnerable systems. Compliance audits also don’t confirm that controls work when under attack. Additionally, most companies manage 30-80 security tools with no unified visibility across them. IT and security are separate teams in many organizations, making the implementation and execution of security controls that much more difficult.

The data tells us how fast attackers move. Here’s what’s giving them the opening.

Risk 1 (Identify) – Incomplete asset management. Businesses track employees very well but usually fail to account for other assets properly. These assets include endpoints (laptops, servers, virtual machines, containers, etc.) as well as infrastructure assets like switches, Wi-Fi access points, displays (TVs, smart TV connected devices, monitors), printers and any other device that runs any kind of firmware and touches a corporate network, plus software, third-party services, data stores, cloud infrastructure, APIs, and more. It’s a complex task that requires diligence and clearly defined acquisition / onboarding and decommission / offboarding policies and procedures.

Risk 2 (Protect) – First, failure to enforce phishing-resistant MFA for every application or login. Second, lax device configuration, hardening and patching policies. Both are configuration weaknesses that leave users and devices exposed. Leveraging best-practice device configuration and hardening reduces risk dramatically. These problems are solvable and should be addressed immediately.

Risk 3 (Detect) – Incorrect assumptions regarding response times. Most organizations don’t understand the full incident lifecycle. They don’t quantify the response times for critical activities across all crucial systems. One size does not fit all. Understanding the asset landscape and tuning detections based on the highest risks within those landscapes is critical.

Risk 4 (Respond) – Companies assume that just because they can detect an attack, they can stop it without significant disruption to the business. What is the process after a detection is triggered? What distinguishes an incident from an event? Does your incident response team know what steps to take immediately? Does your team train for these responses? Simply detecting malicious activity without the ability to respond means your teams are spectators watching things go from bad to worse.

Here are four action items, framed around the NIST CSF, that will change the game, reduce organizational risk and lower the stress level for your SOC and incident response teams.

  1. Identify – know what you are protecting in detail. Hone your asset management processes for everything both physical and virtual across the entire organization. Prioritize by risk and get it right.
  2. Protect – Implement the proper controls, including phishing-resistant MFA across the entire organization. Tune your identity and access management controls like your corporate life depends on it – because it does. Nothing should be considered insignificant – remember the Target breach?
  3. Detect – Now that you better understand your assets and the attack surface associated with them, tune your detection mechanisms to cover your highest risks. Make sure you implement an iterative cycle that continuously re-evaluates your monitoring. This should be monthly if not weekly depending upon your risk profile.
  4. Respond – Tie your monitoring to specific response playbooks that your teams can refer to so they can immediately take steps to limit the blast radius of detected attacks. Detection without a response plan is useless.

Finally, you can create metrics that tie your detection times (MTTD) to the response times and playbook execution. This correlation will give you an honest picture of your real response capabilities and the degree to which your business is protected. For critical alerts and detections, remove the human element by automating the response and flagging the anomaly for immediate review.

Here’s an example: Your SIEM monitors your Defender for Endpoint alerts via an API pull every 2 minutes. If a device alerts for a certain class of alert – say malware execution – your SIEM should immediately do the following:

  1. Use the Defender for Endpoint API to proactively isolate the device cutting it off from all network connectivity.
  2. Create an alert notifying the SOC manager and the IT manager of the issue.
  3. Notify the user via Slack or Teams that a suspected compromise has occurred with specific instructions.
  4. Create a ticket for tracking.

It’s far better to disconnect a user for a short time than to do nothing and wait for an overworked SOC analyst to maybe catch the alert and act. This approach reduces the MTTD and MTTA (Mean Time To Action) to the 2-minute window, far below the 29-minute breakout time.
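The automated four-step response above, together with the MTTD/MTTA metrics from the previous section, as an added example (not code from the original post). It models one 2-minute SIEM pull cycle: new alerts of the chosen class are isolated, both managers and the user are notified, a ticket is opened, and the resulting times are measured against the 29-minute breakout budget. The Defender for Endpoint API calls are only named in comments (GET /api/alerts, POST /api/machines/{id}/isolate, and the alert fields firstEventTime and alertCreationTime are the public API as the author of this example understands it); the `FakeEdrClient`, the alert category names "Malware" and "Execution", the channel names and the three sample alerts are all constructed so the logic runs offline.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

BREAKOUT_BUDGET = timedelta(minutes=29)   # average breakout time cited in the post
POLL_INTERVAL = timedelta(minutes=2)      # SIEM API pull cadence from the post
# Alert categories that trigger automatic isolation. "Malware" and "Execution" are
# assumed category names standing in for the post's "malware execution" class.
AUTO_ISOLATE_CATEGORIES = {"Malware", "Execution"}


@dataclass
class FakeEdrClient:
    """Offline stand-in for the SIEM's EDR, chat and ticketing integrations.

    A real implementation would call Defender for Endpoint (GET /api/alerts filtered
    on alertCreationTime; POST /api/machines/{id}/isolate with IsolationType "Full"),
    a Slack/Teams webhook and a ticketing API. This one just records what was done.
    """
    alerts: list[dict]
    isolated: list[str] = field(default_factory=list)
    notifications: list[tuple[str, str]] = field(default_factory=list)
    tickets: list[str] = field(default_factory=list)

    def list_alerts(self, since: datetime) -> list[dict]:
        return [a for a in self.alerts if a["alertCreationTime"] >= since]

    def isolate_machine(self, machine_id: str, comment: str) -> None:
        self.isolated.append(machine_id)

    def notify(self, channel: str, message: str) -> None:
        self.notifications.append((channel, message))

    def create_ticket(self, title: str) -> str:
        ticket_id = f"INC-{len(self.tickets) + 1:04d}"   # constructed ticket numbering
        self.tickets.append(ticket_id)
        return ticket_id


@dataclass
class ResponseRecord:
    alert_id: str
    machine_id: str
    first_event: datetime   # earliest activity the EDR saw (firstEventTime)
    detected_at: datetime   # when the EDR raised the alert (alertCreationTime)
    actioned_at: datetime   # when the SIEM issued isolation
    ticket_id: str


def run_poll_cycle(client, now: datetime, since: datetime,
                   handled: set[str] | None = None) -> list[ResponseRecord]:
    """One pull: fetch alerts since the last cycle, auto-contain the chosen class."""
    handled = set() if handled is None else handled   # alert ids already actioned
    records = []
    for alert in client.list_alerts(since):
        if alert["id"] in handled or alert["category"] not in AUTO_ISOLATE_CATEGORIES:
            continue   # other classes stay in the analyst queue
        handled.add(alert["id"])
        machine = alert["machineId"]
        # Step 1: isolate the device before anyone has looked at it.
        client.isolate_machine(machine, f"Auto-isolated on alert {alert['id']}")
        # Step 2: alert the SOC manager and the IT manager.
        client.notify("#soc-it-managers", f"{alert['title']} on {machine}; device isolated")
        # Step 3: tell the user what happened and what to do next.
        client.notify(f"dm:{alert['userName']}",
                      "Your device was isolated for a suspected compromise. "
                      "Do not power it off; the SOC will contact you.")
        # Step 4: open a tracking ticket.
        ticket = client.create_ticket(f"[AUTO-ISOLATED] {alert['title']} ({machine})")
        records.append(ResponseRecord(alert["id"], machine, alert["firstEventTime"],
                                      alert["alertCreationTime"], now, ticket))
    return records


def summarize(records: list[ResponseRecord]) -> dict:
    """MTTD: alert time minus first activity. MTTA: isolation time minus first activity."""
    if not records:
        return {"count": 0, "mean_time_to_detect_s": None,
                "mean_time_to_action_s": None, "within_breakout_budget": None}
    mttd = sum((r.detected_at - r.first_event).total_seconds() for r in records) / len(records)
    mtta = sum((r.actioned_at - r.first_event).total_seconds() for r in records) / len(records)
    return {"count": len(records), "mean_time_to_detect_s": mttd,
            "mean_time_to_action_s": mtta,
            "within_breakout_budget": mtta < BREAKOUT_BUDGET.total_seconds()}


SAMPLE_NOW = datetime(2026, 1, 6, 2, 0, tzinfo=timezone.utc)   # constructed poll time


def make_sample_client(now: datetime = SAMPLE_NOW) -> FakeEdrClient:
    """Three constructed alerts: one to contain, one to leave for triage, one seen last cycle."""
    def ago(minutes):
        return now - timedelta(minutes=minutes)
    return FakeEdrClient(alerts=[
        {"id": "da637", "title": "Malware execution", "category": "Malware",
         "machineId": "m-001", "userName": "jdoe", "firstEventTime": ago(3), "alertCreationTime": ago(1)},
        {"id": "da638", "title": "Unusual sign-in location", "category": "SuspiciousActivity",
         "machineId": "m-002", "userName": "asmith", "firstEventTime": ago(2), "alertCreationTime": ago(1)},
        {"id": "da639", "title": "Suspicious script execution", "category": "Execution",
         "machineId": "m-003", "userName": "bchen", "firstEventTime": ago(10), "alertCreationTime": ago(5)},
    ])


if __name__ == "__main__":
    client = make_sample_client()
    recs = run_poll_cycle(client, SAMPLE_NOW, SAMPLE_NOW - POLL_INTERVAL)
    print(summarize(recs), client.isolated, client.tickets)
```

The `handled` set and the `since` filter matter in production: without them a SIEM pulling every 2 minutes would re-isolate the same device on every cycle and open duplicate tickets. Measuring MTTA from `firstEventTime` rather than from the alert timestamp keeps the metric honest, since the attacker's clock started at the first observed activity, not when the EDR got around to raising the alert.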

If your security program is built around passing the next audit and you can’t quantify your MTTD across your critical services, you’re optimizing for the wrong thing. The question isn’t whether your controls are documented. It’s whether they work at 2am on a Tuesday when someone is already inside.

Need help assessing your security program’s ability to deal with this threat model? Feel free to hit me up to discuss.

Jim Nitterauer