We stand at an interesting point in the never-ending arms race between attackers and defenders. The former are using AI, automation and a range of techniques to sometimes devastating effect. In fact, one report claims that 80% of ransomware-as-a-service (RaaS) groups now offer AI or automation as features – and, of course, there’s also a thriving market with tools that are specifically intended to evade security tools. Data breaches and associated costs have surged as a result.
But n the other hand, threat actors are just doing what they have done before – supercharging existing tactics, techniques and procedures (TTPs) to accelerate attacks. The time between initial access and lateral movement (breakout time), for example, is now measured in minutes. For defenders used to working in hours or days, things need to change.
A half-hour warning
Breakout time matters, because if network defenders can’t stop their adversaries at this point, then an initial intrusion may very quickly become a major incident. The average time to break out laterally is now around 30 minutes – in the region of 29% faster than a year previously – although some observers have seen it happen in less than a minute after initial access.
There are several reasons why the window for action is rapidly closing. Threat actors are:
- Getting better at stealing/cracking/phishing legitimate credentials from your employees. Weak, reused and infrequently rotated passwords help them here (i.e., by making brute-force attacks easier). As does a lack of multifactor authentication (MFA). They’re also getting better at password-reset vishing attacks, either impersonating the helpdesk, or calling the helpdesk impersonating employees. With legit logins, they can masquerade as users without setting off any internal alarms.
- Using zero-day exploits to target edge devices, such as Ivanti EPMM in order to gain a foothold in networks while remaining hidden from in-house security tools.
- Getting better at reconnaissance, using open source techniques and AI to scour the web for publicly available information on high-value targets (with privileged credentials). They gather information on organizational structure, internal processes and the IT environment, to streamline attacks and design social engineering scripts.
- Automating post-exploitation activity using AI-powered scripts for credential harvesting, living off the land, and even malware generation.
- Exploiting the gaps between siloed teams and point solutions. As a result, activity that looks legitimate to the former might seem unusual to the latter, but without holistic visibility, edge cases may not be investigated. In some cases, threat actors take deliberate steps to disable or evade EDR.
- Using living-off-the-land (LOTL) techniques to stay hidden. That means using valid credentials, legitimate remote access tools and protocols like SMB and RDP which means they blend in with regular activity.
Catching threat actors at this point is essential – especially as exfiltration (when it begins) is also being accelerated by AI. The fastest recorded case last year was just six minutes; down from 4 hours 29 minutes in 2024.
Fighting fire with (AI) fire
If attackers are able to access your network with elevated privileges or stay hidden on unobserved endpoints, and then move laterally without raising any alarms, human-powered response will often be too slow. You need to limit social engineering, update defensive posture to improve detection of suspicious behavior, and accelerate response times.
AI-powered extended detection and response (XDR) and managed detection and response (MDR) can help here by automatically flagging suspicious behavior, using contextual data to improve alert fidelity, and remediating where necessary. Advanced offerings may also help by clustering alerts and generating automated responses for stretched SOC teams, freeing up their time to work on high-value tasks like threat hunting.
A single, unified provider with insight across endpoint, networks, cloud and other layers can also shine a light onto those gaps that exist between point solutions, for full visibility of potential attack paths. Ensure that any such tools also have visibility of edge devices, and work seamlessly with your security information and event management (SIEM) and security orchestration and response (SOAR) tooling.
Threat intelligence and threat hunting are also vital to keep pace with AI-supported adversaries. An approach that harnesses both will help teams focus on what matters – how attackers are targeting them and where they might move next. AI agents might in time be able to take on more of these tasks autonomously to further speed up response times.
Regaining the initiative
There are other ways to accelerate response times, including:
- The continuous monitoring and awareness across endpoints, network, and cloud environments.
- Automated steps – such as session termination, password reset or host isolation – that need to be taken in order to address suspicious activity and, where appropriate, automated analysis combined with human assessment to investigate alerts and inform the steps needed to contain a threat fast.
- Least privilege access policies, micro-segmentation and other hallmarks of Zero Trust to ensure strict access controls and minimize the blast radius of attacks.
- Enhanced identity-centric security based around strong, unique credentials managed in a password manager, and backed by phishing-resistant MFA.
- Anti-vishing steps including updated helpdesk processes (e.g., out-of-band callbacks) and effective awareness training
- Brute-force protection that blocks automated password-guessing attacks at entry.
- Continuous monitoring of social media and dark web for exposed employee and company information that could be weaponized.
- Monitoring of scripts and processes as they "decloak" in memory, to spot and block LOTL behavior.
- Cloud sandbox execution of suspicious files to mitigate zero-day exploit threats.
None of these steps alone is a silver bullet. But when layered up and relying on AI-powered MDR/XDR from a reputable supplier, they can help defenders to regain the initiative. It may be an arms race, but it’s one with fundamentally no end in sight. That means there’s time to catch up.
Facts Only
* 80% of ransomware-as-a-service (RaaS) groups now offer AI or automation as features.
* The average time to break out laterally is now around 30 minutes, representing a 29% increase in speed over the previous year.
* Threat actors utilize stolen/cracked/phished legitimate credentials and lack of multifactor authentication (MFA) to facilitate attacks.
* Actors use zero-day exploits targeting edge devices, such as Ivanti EPMM, to gain network footholds.
* Threat actors use AI and open-source techniques for reconnaissance on high-value targets, gathering organizational structure and IT environment information.
* Post-exploitation activity is automated using AI-powered scripts for credential harvesting, living off the land, and malware generation.
* Threat actors use living-off-the-land (LOTL) techniques, utilizing valid credentials and legitimate remote access protocols (SMB, RDP) to remain hidden.
* Exfiltration time has been drastically reduced; the fastest recorded case last year was six minutes, compared to 4 hours and 29 minutes in 2024.
* Defensive measures recommended include AI-powered XDR/MDR, unified visibility across layers, Least Privilege Access, micro-segmentation, phishing-resistant MFA, and anti-vishing steps.
Executive Summary
Threat actors are utilizing AI and automation to enhance attacks, with reports claiming 80% of ransomware-as-a-service groups now offer these features. The time between initial access and lateral movement, known as breakout time, has significantly decreased, averaging around 30 minutes, which is 29% faster than a year ago, though some instances occur in less than a minute.
This acceleration is driven by several actor tactics, including credential theft, use of zero-day exploits against edge devices, AI-powered reconnaissance, automation of post-exploitation activities, and the use of living-off-the-land (LOTL) techniques to blend in with legitimate activity.
Because the window for action is rapidly closing, human-powered response is often insufficient against rapid lateral movement. The recommended defensive strategy involves deploying AI-powered extended detection and response (XDR) and managed detection and response (MDR) solutions to automate detection and response. Furthermore, comprehensive security requires a unified provider offering visibility across endpoint, network, and cloud layers, integrating SIEM and SOAR tools.
To regain the initiative, defenders must focus on layered strategies, including implementing Zero Trust principles, strengthening identity-centric security with phishing-resistant MFA, continuous monitoring of the dark web, and automating response steps like host isolation and password resets.
Full Take
The narrative effectively leverages the concept of exponential acceleration—the arms race—to create a sense of impending crisis, driving immediate demand for advanced security solutions. The core assumption is that defensive capabilities, even when well-implemented, will always lag behind offensive ingenuity powered by AI. This framing appeals to the human desire for control and predictability in an inherently chaotic environment.
The systemic implication lies in the inherent difficulty of achieving holistic visibility across siloed security tools, which the article identifies as a key vulnerability exploited by actors. By emphasizing the need for unified providers and XDR/MDR, the text promotes a shift from reactive, point-solution security to proactive, context-aware defense, which represents a necessary architectural change.
However, the focus on technological countermeasures risks shifting the responsibility of security from systemic organizational change (like cultural adoption of Zero Trust or improved identity hygiene) to the procurement of expensive technology. The suggested solutions—MDR, XDR, and automation—are presented as the necessary immediate fire-fighting measure, potentially obscuring the slower, more difficult work of embedding fundamental principles of access control, accountability, and trust into the organizational DNA.
The urgency surrounding "breakout time" and the acceleration of attack speed functions as a powerful, legitimate pressure point, yet it risks masking the historical pattern where security investment is prioritized based on perceived immediate threat rather than long-term systemic resilience. The cost of this dynamic is borne by organizations attempting to catch up, potentially leading to a perpetual state of reactive escalation rather than true strategic foresight.
Bridge Questions: If the focus shifts from merely accelerating detection (MDR/XDR) to fundamentally redesigning the environment around identity and access (Zero Trust), how does the perceived urgency of the breakout time metric influence executive willingness to prioritize long-term systemic changes over immediate technological fixes? What structural changes are required to bridge the gap between the technical mandate for automation and the human capacity for strategic, long-term risk tolerance?
Sentinel — Human
This analysis presents a well-structured, expert-level synthesis of current cybersecurity trends, demonstrating high coherence and domain expertise.
