Cybercriminals are getting faster at conducting cyber-attacks. In the past, unauthorized intruders would spend weeks or months inside a compromised network to lay the groundwork needed to steal data or plant malware.
Today, an attacker can move from initial entry into a network to accessing data and exfiltrating it in a matter of minutes.
According to the CrowdStrike Global Threat Report 2026, the average breakout time for an intrusion during 2025, that is the window between when the attacker initially enters the network to when they leave having stolen or destroyed data, was 29 minutes.
It’s a timescale which is rapidly declining. In 2024, the average breakout time was 48 minutes. In 2023, it was over an hour at 62 minutes, while in 2022 it was 84 minutes.
Cybercriminals are getting faster and this trend is set to continue, especially as AI is being used by both defenders and cybercriminals to accelerate tasks.
This creates a significant cybersecurity challenge for organizations. Not just regarding keeping attackers out of the network, but also being able to quickly identify and disrupt malicious behavior by unauthorized intruders before they cause significant damage.
The World Economic Forum (WEF) Global Cyber Outlook Report 2026 warned, “The speed and scale of attacks are testing the limits of traditional defenses.”
Cybercriminals Logging in, not Hacking in
A significant challenge organizations face is how cybercriminals simply login using legitimate corporate usernames and passwords to gain access to networks; this especially affects organizations which rely on cloud services.
“Really over the last 18 months, it’s been logging in rather than hacking in. They are increasingly using compromised credentials,” Adam Meyers, head of counter adversary operations at CrowdStrike told Infosecurity.
“Rather than using phishing emails with exploits and malware, criminals are using compromised identities, logging in and going across into SaaS and cloud.”
These incidents see cyber-attackers gain access by using stolen credentials which they either source for themselves through phishing attacks, buy from other cybercriminals on underground forums or use brute force attacks to breach simple, re-used or previously compromised passwords.
No matter how they get hold of the credentials, because the activity looks like that of a legitimate employee, the attacker has the same access that employee has and can swiftly take advantage of this to move across cloud applications and to exfiltrate data.
“These are lightweight attacks and they are fast to implement. Because once you are logged in, there is very little stopping you as a legitimate user,” said Meyers.
Rather than having to stealthily deploy malware then slowly escalate privileges over time, they can take advantage of the access legitimate accounts already have, reducing the amount of time they need within the network to fulfil their goals.
Why Context Matters More Than Credentials
The rise of attackers compromising legitimate accounts to access networks has made it harder for defenders to detect potential malicious activity with traditional security and identity management tools. Yes, the user may look as if they are legitimate, but is the action they are taking within the boundaries of what would be classed as normal?
To counter identity-based threats and the impact these have had on reducing the window to detect and counter intrusions, organizations must examine not if user accounts are legitimate, but if the activity the account is engaging in is potentially abnormal.
“I think we're going to start seeing more emphasis again on behavioral analytics. The one advantage that we have as the defenders that the attackers don't necessarily have is the use of context in defense,” Gabrielle Hempel, security operations strategist at Exabeam told Infosecurity.
“We have business context, we have user behavior history, we have knowledge of the environment we can tie it all together for the context of what's happening.”
With that additional context, even with a reduced window for detecting attacks, defenders can give themselves a better chance of identifying and cutting off suspicious activity.
The AI Effect on Attack Speed
The rise of artificial intelligence is having a significant impact on how quickly cybercriminals can exploit weaknesses within organizations.
Today information security teams are turning to agentic AI to bolster their defensive efforts and using frontier LLMs like Mythos and GPT-Cyber to identify cybersecurity vulnerabilities at an unprecedented speed and scale.
While this brings advantages in identifying potential exploits, information security teams must now rapidly patch a seemingly never-ending string of security bugs. It has become difficult to manage, and malicious hackers are already exploiting this.
Cybercriminal hacking operations have also taken advantage of AI to make their attacks more efficient and more effective.
“AI makes mundane tasks a lot quicker and it's doing the same for attackers. So, when there's a new zero-day released, instead of it taking months to be exploited, that timeline has shrunk,” said Exabeam's Hempel.
“Defenders, we went from having maybe six months to effectively patch or mitigate certain things to suddenly ‘oh, have to do this within days.’ AI has really shrunk the timeline,” she added.
For defenders, this has created two problems. The first is that in the AI era they need a strategy around rapid patching to avoid falling victim to the steam of security vulnerabilities being uncovered.
The second is that if the vulnerabilities are not patched, it is difficult to identify and prevent malicious behavior designed around them, especially if attackers continue to shorten the window of time they need within the network to fulfil their goals.
Cybercriminals have rapidly adopted AI to automate the exploit new zero-days, scanning for and identifying exposed networks and services they can use for compromise.
In May 2026, Google Threat Intelligence Group (GTIG) warned that cybercriminals have been using AI to identify and exploit a zero-day vulnerability successfully.
Therefore, in addition to the time attackers spend within networks being reduced, the window organizations have to prevent attackers getting inside or detect if this has happened has also been reduced.
Rapid Response Starts with Preparation
Key to overcoming the speed in which cyber-attacks occur is having a plan in place for response to suspicious activity.
According to James Ellison OBE, director of national resilience at the UK National Cyber Security Centre (NCSC), knowing how your organization will respond to a suspected cyber incident forms a core proponent of reducing or outright stopping the damage it could cause.
“The biggest discriminator between an organization that copes well with an attack and one that doesn’t is exercise. If you are going through this for the first time, you will have a much bumpier road than organizations who have exercised for this in the past,” he told Infosecurity.
Cybersecurity fundamentals such as understanding the assets on your network and what the current threat landscape looks like remain vital to ensure the organization is as resilient as possible against cyber threats.
“This should be a board-level conversation across every organization. You need to understand the risks you are exposed to, you have got to invest appropriately in defenses, and you have got to be able to respond and recover when the worst happens,” said Ellison.
The nature of cybercriminals and malicious hackers means they will continue to investigate new methods of making attacks more effective, with a focus on making them faster to reduce the window they can be disrupted.
For organizations, preventing attackers from being able to enter the network in the first place is the best defense. But it is also vital that strategies and plans are adopted to ensure that if – or when – a malicious intruder gains access to the network, this activity can be identified and shut down as quickly as possible. Because in the race for cybersecurity, speed is of the essence.
