Adversaries keep getting faster

According to CrowdStrike’s 2025 Global Threat Report, the average breakout time (the window between an adversary gaining initial access and pivoting to other systems in your network) has shrunk to just 48 minutes. In less time than a typical meeting, a capable adversary can go from compromising a single device to moving laterally through your corporate environment, gaining privileged access, and preparing to exfiltrate data or deploy ransomware. For a security team, that leaves a very small response window.

I recently spoke at CrowdStrike’s annual security conference about this problem and what it means for defenders. The focus of that talk was simple. While security teams need to reduce their own detection and response times, they also need to put controls in place that increase breakout time. I walked through how one particular threat steals credentials, performs reconnaissance, and moves laterally, then identified the controls that would slow them down. The talk was aimed at security engineers and system administrators, but the underlying message applies to leadership as well. 

Why Breakout Time Matters

Breakout time is a critical indicator of both attacker capability and defender readiness. Modern threat actors have become faster by refining their methods over years of practice. Ransomware groups maintain playbooks, reuse effective techniques, and train operators to move through each stage of an intrusion with speed and consistency. At the same time, shrinking breakout times also show that many organizations lack the preventative controls needed to create friction and keep adversaries from making progress toward their objectives.

As breakout times decrease, defenders face more pressure to detect and contain activity before threat actors can gain privileged access or pivot to other systems in the environment. A shorter window leaves less room for triage, investigation, and response, and it is especially concerning for teams that do not have 24/7 monitoring. The faster an attacker advances, the harder it becomes for defenders to interrupt the intrusion before the adversary can exfiltrate or destroy data.

Compliance is Not Enough

Many organizations have invested heavily in security frameworks such as NIST SP 800-171 or ISO 27001. These standards provide an excellent foundation, but they are broad by design because they must apply across different industries, technologies, and operating models. As a result, they address security at the level of themes and control objectives, and they do not provide the specific guidance needed to harden particular applications or counter the techniques used by individual threat actors.

For example, Microsoft Active Directory, the identity system most companies use to manage users, computers, and privileges, is one of the primary targets in modern attacks. Because it controls access to systems and data, it is the backbone of security in most corporate environments. However, most compliance frameworks are vendor neutral and offer little prescriptive guidance on how to secure it. This creates a major gap, because attackers rely on specific techniques, not generic weaknesses. Passing an audit may confirm alignment with high-level controls, but it does not mean the environment is secure against the specific methods threat actors will use in a real-world attack.

Closing the Gap

Stopping capable threat actors requires a mix of stronger preventative controls and faster detection and response. These approaches work together: they lengthen breakout time, increase friction for the threat actor, and give defenders more room to act before the adversary causes real harm.

Leverage threat intelligence. Security companies such as CrowdStrike, Microsoft, and Palo Alto Networks collect intelligence on threat actors and document the tools, tactics, and techniques they use in real attacks. Organizations should use this intelligence to help them focus on the tactics and techniques used by the threat actors that are most likely to target them, including prevalent e-crime groups and threat actors who have previously targeted their industry.

Increase friction for lateral movement. Put stronger internal security controls in place so that even if a threat actor gains access to a system in your environment, it is difficult for them to move beyond their initial point of access. For example, prevent users from installing unapproved remote management tools, and limit network access between workstations (with host-based firewall rules, for instance) so that a threat actor cannot connect from one user workstation to another.
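
As an added example (not from the original post or the talk), here is what the workstation-to-workstation control above looks like as a host-based rule set: a PowerShell script that uses the built-in Windows Defender Firewall to block inbound SMB, RDP and WinRM from other workstations while still allowing them from a small set of management hosts. The subnet and host addresses are placeholders I made up, and the rule names and rule group are my own choice.

```powershell
# Added example, not from the original post: workstation isolation with the
# built-in Windows Defender Firewall. Blocks the protocols most often used to
# hop from one host to the next (SMB, RDP, WinRM) when the source is another
# workstation, while still allowing them from management hosts.
# Addresses below are ASSUMED placeholders; replace them with your own.
# Run elevated on a workstation, or deploy the same rules through Group Policy.

$WorkstationSubnets = @('10.10.0.0/16', '10.20.0.0/16')   # assumed workstation VLANs
$ManagementHosts    = @('10.0.5.10', '10.0.5.11')          # assumed PAWs / jump hosts
$RuleGroup          = 'Workstation Isolation'              # my own label for cleanup/reporting

# Inbound TCP ports commonly used for lateral movement.
$LateralPorts = @{
    'SMB'   = @(445)
    'RDP'   = @(3389)
    'WinRM' = @(5985, 5986)
}

foreach ($name in $LateralPorts.Keys) {
    $ports = $LateralPorts[$name]

    # 1. Explicit allow from management hosts. Windows Firewall applies block
    #    rules ahead of allow rules, so these hosts must NOT fall inside the
    #    blocked subnets below or the allow rule never takes effect.
    $allowName = "Lateral-Allow-$name-From-Management"
    if (-not (Get-NetFirewallRule -DisplayName $allowName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $allowName -Group $RuleGroup `
            -Direction Inbound -Action Allow -Protocol TCP -LocalPort $ports `
            -RemoteAddress $ManagementHosts -Profile Domain | Out-Null
    }

    # 2. Block the same ports from every workstation subnet. This overrides the
    #    built-in "File and Printer Sharing" / "Remote Desktop" allow rules that
    #    are often left enabled on workstations.
    $blockName = "Lateral-Block-$name-From-Workstations"
    if (-not (Get-NetFirewallRule -DisplayName $blockName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $blockName -Group $RuleGroup `
            -Direction Inbound -Action Block -Protocol TCP -LocalPort $ports `
            -RemoteAddress $WorkstationSubnets -Profile Domain | Out-Null
    }
}

# Show what is now in place so the change can be reviewed.
Get-NetFirewallRule -Group $RuleGroup |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
```

To confirm the control works, run `Test-NetConnection -ComputerName <peer-workstation> -Port 445` from a second workstation; it should now fail, while the same test from a management host still succeeds. Because block rules always win, keep management hosts on their own subnet rather than mixed in with user workstations, and roll the rules out to a pilot group before applying them domain-wide.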

Harden identity systems. Strengthen the systems that manage users, access, and privileges. Most organizations do not put enough emphasis on hardening Microsoft Active Directory and other identity platforms to prevent attackers from escalating from user-level access to administrator access.
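
As an added example (not from the original post), the following PowerShell uses the RSAT ActiveDirectory module to run the kind of read-only check an Active Directory hardening review starts with: it lists every user who is a member of a built-in privileged group, directly or through nesting, and flags conditions that make it easier for an attacker with user-level access to reach that account (a registered SPN, which exposes the account's password hash to offline cracking via Kerberoasting; an old password; no membership in Protected Users; delegation not disabled). The remediation lines use -WhatIf, so nothing is changed. Group names are the Windows defaults; the password-age threshold is my own assumption.

```powershell
# Added example, not from the original post: a read-only audit of privileged
# Active Directory accounts, followed by a preview of two common hardening
# steps. Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Built-in groups whose members can become domain-wide administrators.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$MaxPasswordAgeDays = 365   # ASSUMED threshold for flagging stale admin passwords

# 1. Resolve membership recursively so nested groups do not hide anyone.
$members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}
$members = $members | Sort-Object -Property SamAccountName -Unique

# 2. Pull the attributes that matter for escalation and summarise them.
$findings = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.SamAccountName -Properties ServicePrincipalName,
            PasswordLastSet, MemberOf, AccountNotDelegated, PasswordNeverExpires

    $ageDays = if ($u.PasswordLastSet) {
        (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
    } else { $null }

    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        HasSPN              = ($u.ServicePrincipalName.Count -gt 0)   # Kerberoastable if true
        PasswordAgeDays     = $ageDays
        StalePassword       = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
        PasswordNeverExpires= $u.PasswordNeverExpires
        InProtectedUsers    = [bool]($u.MemberOf -match '^CN=Protected Users,')  # direct membership only
        NotDelegated        = [bool]$u.AccountNotDelegated
    }
}

$findings | Sort-Object SamAccountName | Format-Table -AutoSize

# 3. Preview remediation. -WhatIf prints what would change without changing it;
#    remove it only after testing on one account and confirming nothing breaks.
foreach ($f in ($findings | Where-Object { -not $_.InProtectedUsers })) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $f.SamAccountName -WhatIf
}
foreach ($f in ($findings | Where-Object { -not $_.NotDelegated })) {
    Set-ADAccountControl -Identity $f.SamAccountName -AccountNotDelegated $true -WhatIf
}
```

Two caveats before removing -WhatIf: Protected Users disables NTLM, RC4/DES Kerberos encryption and delegation for its members and shortens ticket lifetimes, so a privileged account that also runs a service or has an SPN should first be replaced with a dedicated service account rather than moved into the group; and any account that shows HasSPN = True is the one to fix first, since an attacker who has only a normal user account can request that SPN's ticket and crack the password offline.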

Conduct targeted offensive testing. External penetration testing is useful, but it generally focuses on getting past the first line of defense to gain initial access to the network. Organizations should also conduct internal penetration testing to evaluate how well they can defend against an attacker who is already inside. Organizations can also use adversary emulation to assess how well they can defend against the tactics and techniques used by specific threat actors.

Improve detection and response time. Invest in people, processes, and tools that reduce mean time to detect and mean time to respond. This helps defenders act within the shrinking window created by faster adversaries.

By putting stronger controls in place and improving detection and response, organizations can slow adversaries down and give defenders a better chance to contain an incident. This will create a more resilient environment and reduce the likelihood of business disruption.

The Role of the Board and Executive Leadership

Looking at adversary breakout time is more detailed than the way most executives and board members usually think about cybersecurity, but it represents a real strategic concern. A shorter breakout time means attackers are becoming faster and more capable, which puts more pressure on defenders to contain an intrusion before it affects the business. Putting the right controls in place to add friction for adversaries (while minimizing friction for employees) will increase breakout time and improve the organization’s ability to withstand a real attack.

With this in mind, boards and executives should ask questions such as:
• Are we using threat intelligence to identify and focus on the real threats we are most likely to face?
• Are our investments reducing the time it takes us to detect and respond to an attack?
• Are our investments increasing the time it would take a threat actor to move through our network?
• Are we simulating real-world attacks and learning from them?
• Do we understand which improvements will have the greatest impact on breakout time and overall resilience?

Improving resilience requires the ability to prioritize the work that will make the biggest difference. This often means dedicating time and attention to in-depth hardening that does not map to a major project, does not advance compliance on its own, and is easy to dismiss as non-essential maintenance. When leaders make space for this work and ensure that identity, endpoint, and internal network hardening are treated as essential rather than optional, it helps the organization be better prepared to withstand an intrusion before it impacts the business.

Conclusion

• Breakout time is shrinking. Adversaries are moving through environments faster, which puts more pressure on defenders to act before an intrusion affects the business.
• Compliance is not enough. Frameworks are broad by design, and do not provide the specific guidance needed to counter the techniques used by individual threat actors.
• Increasing friction matters. Internal network controls, hardened identity systems, and stronger endpoint security can slow adversaries down and increase breakout time.
• Testing should reflect real attacks. Internal penetration testing and, when appropriate, adversary emulation help organizations understand how attackers operate once inside the network.
• Boards and executives can help. Prioritizing the hardening work that makes the biggest difference, even when it is detailed, unglamorous, or easy to dismiss as non-essential maintenance, is essential for improving resilience.