Detection at dusk: Why dwell times collapsed in 2025

by Black Hat Middle East and Africa


If we wanted to be dramatic (and we sort of do), we could say that in 2025 we all started celebrating the wrong metric. Every December there comes a moment of dashboard soul-searching. And this year, one trend looks very positive: several frontline IR datasets show dwell times dropping again.

Palo Alto Networks’ Unit 42 reports that median dwell time fell 46% in 2024, from 13 days to just seven – down from 26.5 days in 2021. And the 2025 Active Adversary Report from Sophos puts median dwell time across its combined IR+MDR cases at two days. In IR-only cases, the medians were 7 days overall, 4 days for ransomware, and 11.5 days for non-ransomware; MDR cases dropped as low as 3 days (ransomware) and 1 day (non-ransomware). 

Globally though, the picture is flatter: Mandiant’s M-Trends 2025 pins the median dwell time at around 11 days, roughly level with the previous year. Dwell time isn’t uniformly collapsing – but where it’s falling fast, there’s a reason. And unfortunately, it’s not because defenders suddenly became clairvoyant.

From Ocean’s Eleven to smash-and-grab

Ten years ago, advanced intrusions felt like Ocean’s Eleven: slow, staged, and surgical. Today’s breaches look more like someone sprinting through a department store five minutes before closing time.

Secureworks offers one of the clearest indicators of this shift. In its 2024 threat data, more than 50% of ransomware deployments occurred within 24 hours of initial access, and 10% within just five hours. Median dwell time in their cases plunged from 4.5 days to under 24 hours in a single year. 

Sophos observed a similar acceleration: attackers now take a median of 0.46 days (roughly 11 hours) to make their first attempt against Active Directory once inside an environment – a number that keeps trending downward year after year.

And CrowdStrike’s 2024 Global Threat Report adds another data point: average eCrime breakout time is now 62 minutes, with the fastest lateral movement clocked at 2 minutes and 7 seconds. Of all initial access attempts, 75% were malware-free, relying on credentials, social engineering and identity misuse rather than payloads.

All of this points the same way: attackers are getting faster.

The identity layer became the pressure point

If 2025 had a unifying theme, it was identity. Verizon DBIR finds that 74% of breaches now involve a human element, with 49% of breaches involving stolen credentials. The CrowdStrike report mentioned earlier adds that 75% of intrusions were malware-free, leaning heavily on credential abuse, social engineering and session hijacking. Microsoft spent much of the year documenting token replay, adversary-in-the-middle attacks and cloud session compromise techniques.

In this world, ‘dwell time’ loses meaning. An attacker doesn’t need to linger if they can mint a token, hijack a session, or escalate a role in minutes. Presence is optional. Impact isn’t.

Meanwhile, defenders still work on calendar time. IBM’s Cost of a Data Breach 2025 study notes the average breach lifecycle sits at 241 days – around 181 days to identify and 60 to contain. That’s the fastest in nine years, but it’s still glacial compared with attacker speed. 

So what should cybersecurity practitioners take into 2026? 

  • Stop treating dwell time as a success metric. It’s a lagging indicator in an era where intrusion to impact can be measured in hours. Focus instead on containment time, time-to-credential-abuse, and cloud blast radius.
  • Rebuild runbooks for ‘hour-zero’ incidents. The data from Sophos shows exfiltration occurs a median of 72.98 hours after an attack begins, and detection often happens within just 2.7 hours of that. Response processes designed for multi-day windows are no longer fit for purpose.
  • Move visibility to the identity plane. Shorter dwell times increasingly reflect credential misuse, rather than stealth. Identity is the new battleground; the endpoint is just a doorway.
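To make the three recommendations above measurable, here is an added example (not code from the article or any vendor cited in it) that computes median dwell time alongside the indicators the list favours – time-to-credential-abuse, containment time and the share of "hour-zero" cases – from a set of constructed incident timelines. The 24-hour hour-zero threshold and all timestamps are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Incident:
    """One IR case. All timestamps are constructed sample data, not report figures."""
    initial_access: datetime
    detection: datetime
    containment: datetime
    first_credential_abuse: Optional[datetime] = None  # e.g. first AD or token misuse


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def _median_or_none(values: list) -> Optional[float]:
    return median(values) if values else None


def response_metrics(incidents: list, hour_zero_window_h: float = 24.0) -> dict:
    """Median dwell, time-to-credential-abuse and containment time (hours), plus the
    share of cases whose credential abuse began inside the hour-zero window.
    The 24 h default is an assumed threshold mirroring same-day ransomware deployment."""
    dwell = [hours_between(i.initial_access, i.detection) for i in incidents]
    contain = [hours_between(i.detection, i.containment) for i in incidents]
    ttca = [hours_between(i.initial_access, i.first_credential_abuse)
            for i in incidents if i.first_credential_abuse is not None]
    hour_zero = sum(1 for t in ttca if t <= hour_zero_window_h)
    return {
        "median_dwell_h": _median_or_none(dwell),
        "median_time_to_credential_abuse_h": _median_or_none(ttca),
        "median_containment_h": _median_or_none(contain),
        "hour_zero_share": hour_zero / len(incidents) if incidents else 0.0,
    }


_ts = datetime.fromisoformat

# Constructed sample cases: short dwell, long containment, fast credential abuse.
SAMPLE_INCIDENTS = [
    Incident(_ts("2025-03-01T08:00"), _ts("2025-03-02T08:00"), _ts("2025-03-10T08:00"), _ts("2025-03-01T19:00")),
    Incident(_ts("2025-04-05T00:00"), _ts("2025-04-07T00:00"), _ts("2025-04-12T00:00"), _ts("2025-04-05T02:00")),
    Incident(_ts("2025-05-10T12:00"), _ts("2025-05-20T12:00"), _ts("2025-05-25T12:00"), _ts("2025-05-12T12:00")),
    Incident(_ts("2025-06-01T00:00"), _ts("2025-06-01T06:00"), _ts("2025-06-03T06:00")),
]

if __name__ == "__main__":
    for name, value in response_metrics(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value}")
```

On the sample set the median dwell time (36 h) looks healthy while the median containment time (120 h) is more than three times longer, which is exactly the gap the article argues dashboards hide.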

But let’s end on a positive note – because a faster threat landscape forces clarity. As we head into 2026, the question isn’t whether dwell time can fall further. We’re focused instead on whether defenders can operate on attacker time.
