IN 2025, CrowdStrike found that attackers took on average 29 minutes to pivot to other systems after gaining an initial foothold, marking a 65% acceleration from the year before. The report notes the fastest breakout occurred in just 27 seconds, with another instance seeing data exfiltration begin four minutes after breaking in. CrowdStrike stresses that speed is now the defining characteristic of intrusion, shrinking defenders’ detection and response windows to a fraction of what they were a few years ago.
The analysis attributes much of the acceleration to credential misuse, AI tools, and a rising prevalence of malware-free detections, where intrusions move through authorised pathways and trusted systems. The 2026 Global Threat Report quotes Adam Meyers describing how attackers leverage identity to move swiftly across cloud, SaaS, on‑premises and virtual environments.