How long does it take for a threat actor to move from initial compromise to lateral movement within a corporate network?
Just 18 minutes in mid-2025, down from 48 minutes the year prior, according to recent industry reporting. This phenomenon, usually referred to as ‘breakout time’ in the cybersecurity sector, represents the time between the moment an attacker gains a foothold in your ecosystem and the moment they begin expanding control across systems, accounts, and data.
Such velocity leaves virtually no room for traditional detection-and-response cycles, which depend on human triage, ticketing workflows, or post-event investigation. The central challenge facing a modern enterprise is no longer identifying intrusions; it is determining whether the security architecture can react at machine speed before an adversary achieves irreversible operational dominance.
This acceleration is not accidental. It is the natural consequence of a threat ecosystem that has already embraced automation, reimagined its attack frameworks, and unlocked deep reconnaissance of enterprise environments.
How Do Attackers Exploit Modern Environments?
Today’s threat actors enter networks with pre-mapped playbooks tailored to specific industries, cloud providers, and identity platforms. In some cases, they even turn legitimate workflow automation tools into points of vulnerability.
Once access is achieved, scripts immediately start to extract credentials, query directory services, and test lateral pathways.
Their intent is clear: compress the timeline so dramatically that defenders can respond only after the damage has been done, betting that velocity alone will overwhelm human-centered security operations.
At the same time, the concept of a well-established network perimeter has been eroded. Enterprises are a complex hybrid of on-premise infrastructure, cloud workloads, SaaS platforms, contractor endpoints, and automated services. All of them are interconnected by identity rather than physical location. Threat actors have adapted accordingly. They’ve blended external exploitation with internal manipulation in ways that blur the distinction between outsider and insider.
One of the most popular and successful initial access methods remains the drive-by compromise. In these attacks, adversaries use search engine optimization poisoning and malvertising campaigns to push trojanized websites to the top of search results. Employees searching for routine IT tools, software updates, or documentation are redirected to convincingly branded portals that deliver malicious payloads. The payloads themselves are often executed using trusted system binaries, allowing malicious actors to bypass basic application controls and evade signature-based defenses during the critical early moments of compromise.
Even more alarming is the growing sophistication of insider-style intrusions that exploit organizational trust rather than technical flaws.
Threat actors are increasingly targeting the human processes that govern hiring and onboarding, particularly for remote technical roles. By constructing elaborate fake personas complete with fabricated employment histories, stolen professional profiles, and deepfake-enhanced video interviews, attackers are securing legitimate positions within IT and cybersecurity teams.
Once hired, these risky individuals operate under the protection of authorized access, often for months at a time, while quietly exfiltrating sensitive data, facilitating financial fraud, or enabling broader espionage campaigns. In these cases, the organization’s own identity verification and access provisioning workflows become the attack vector, transforming routine administrative processes into conduits for compromise.
Beyond the human deception element, an even more complex and less visible point of vulnerability comes to light: the growth of autonomous artificial intelligence identities embedded within enterprise operations. These agents are no longer limited to scripts that perform narrowly defined tasks. They are increasingly capable of reasoning, adapting, and acting independently in pursuit of abstract goals such as efficiency, optimization, or user satisfaction.
While these qualities make them valuable business tools, they also introduce a profound security challenge by undermining the principle of accountability that underpins most governance models. An autonomous agent doesn’t merely execute instructions. It interprets intent, learns from the outcomes, and could alter its behavior in ways that were never explicitly approved, unless robustly monitored.
How Do They Move Once Inside?
Once an adversary establishes a presence inside your network, the mechanisms of lateral movement have evolved to prioritize speed and invisibility. Remote Desktop Protocol remains a favored technique, particularly when attackers obtain valid credentials that allow them to blend in with legitimate administrative activity. However, there has also been a significant increase in the abuse of Server Message Block for lateral expansion, especially among ransomware groups.
SMB-based expansion allows them to bypass endpoint detection and response tools entirely, because the malicious activity rides a legitimate network protocol and nothing has to execute on the victim workstation.
Keyboard, video, and mouse over IP devices aren’t spared from risk either: physically connected to servers, they provide remote console access that operates independently of the host operating system. They enable attackers to reboot systems, alter firmware settings, install backdoors, and extract data even from environments that are otherwise tightly monitored or segmented.
Because such devices appear as legitimate peripherals and generate minimal network noise, they often remain undetected until a physical inspection is conducted. Their use underscores a broader trend in which attackers deliberately step outside the boundaries of conventional monitoring, exploiting blind spots created by assumptions about what constitutes legitimate infrastructure.
How Can Organizations Respond at Machine Speed?
Confronting adversaries who operate at this level of speed and sophistication isn’t easy. It requires a fundamental rethinking of your defensive strategies. Reactive incident response models that rely on alerts, manual investigation, and slow decision-making are becoming misaligned with the realities of modern attacks. Instead, organizations must prioritize proactive containment and governance mechanisms that treat compromise not as a possibility but as an inevitability.
That’s where comprehensive visibility comes in, extending beyond network traffic and endpoint activity to include a complete inventory of identities, particularly the autonomous agents and service accounts that may have been deployed without centralized oversight.
Re-establishing accountability is just as critical. Every non-human identity, whether an automation script or an AI-driven agent, must be explicitly owned by a human responsible for its behavior, permissions, and lifecycle. This ownership model creates a clear line of responsibility and ensures that deviations from expected behavior can be addressed decisively. On the technical front, enforcing multi-factor authentication remains essential, but it is no longer sufficient on its own. Organizations must implement granular monitoring to detect anomalous access patterns, abnormal data transfer volumes, or remote encryption activity that deviates from their established baselines.
It’s just as important to consider user activity monitoring, a powerful tool in this context, though not as a means of surveillance. Instead, it can be used as a way to identify subtle shifts in behavior that could indicate credential compromise or misuse. Hardware governance must be elevated to the same level of rigor as software security. Network access controls, port-level monitoring, and routine physical audits are necessary to detect unauthorized devices before they can be leveraged as persistent attack vectors. Together, these measures shrink the window of opportunity available to attackers, forcing them to contend with automated defenses that operate at comparable speed.
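As an added example (not code from the article or any product), here is a small Python detector for two of the signals discussed above: the host fan-out that SMB-based lateral expansion produces, and transfer volumes that deviate from a per-user baseline, run over constructed session records. The record layout is an assumption, and the baseline is deliberately simple (largest earlier transfer per user, requiring a minimum history before anything is flagged).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SMB session records (not from the article): timestamp user src dst bytes_out
SAMPLE_LOG = """\
2025-06-10T09:00:05 alice ws-12 fs-01 52000
2025-06-10T09:01:10 alice ws-12 fs-01 61000
2025-06-10T09:05:00 svc-backup bk-01 fs-01 900000000
2025-06-10T09:40:00 alice ws-12 fs-01 49000
2025-06-10T10:12:00 alice ws-12 srv-01 3000
2025-06-10T10:13:00 alice ws-12 srv-02 3000
2025-06-10T10:13:30 alice ws-12 srv-03 3000
2025-06-10T10:14:00 alice ws-12 srv-04 3000
2025-06-10T10:14:10 alice ws-12 srv-05 3000
2025-06-10T10:16:00 alice ws-12 fs-01 850000000
"""

def parse_log(text):
    """One record per line, sorted by time; malformed lines are skipped."""
    events = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5:
            events.append({"ts": datetime.fromisoformat(parts[0]), "user": parts[1],
                           "src": parts[2], "dst": parts[3], "bytes": int(parts[4])})
    return sorted(events, key=lambda e: e["ts"])

def smb_fanout(events, window=timedelta(minutes=5), min_hosts=5):
    """Flag (user, src) pairs reaching >= min_hosts distinct hosts in one window: SMB fan-out."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["user"], e["src"])].append(e)
    alerts = []
    for (user, src), evs in by_actor.items():
        for i, first in enumerate(evs):  # one alert per actor, at the window's first event
            hosts = {x["dst"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, src, first["ts"], sorted(hosts)))
                break
    return alerts

def volume_anomalies(events, factor=10, min_history=3):
    """Flag a transfer above factor x the user's largest earlier transfer (needs a baseline)."""
    history = defaultdict(list)
    alerts = []
    for e in events:
        prior = history[e["user"]]
        if len(prior) >= min_history and e["bytes"] > factor * max(prior):
            alerts.append((e["user"], e["ts"], e["bytes"], max(prior)))
        prior.append(e["bytes"])
    return alerts
```

On the sample data, the fan-out rule fires for alice at 10:12 (six hosts in five minutes) and the volume rule fires only on the later 850 MB transfer; the backup account's large transfer is skipped because it has no baseline yet.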
Conclusion
The shrinking breakout time is a cause of concern. It is also a signal that the balance of power inside enterprise networks has changed. When adversaries can move laterally in under 20 minutes, security programs built around delayed detection and human-led response are outpaced. Attackers might get in, but is your organization built to interrupt their momentum before access turns into control? Modern threats succeed by exploiting trust, identity, and operational complexity. And each layer of abstraction added to the enterprise through cloud, automation, remote work, or AI creates new seams that hinder accountability.
Defending against this new reality demands that security leaders understand how malicious actors approach their targets and attempt to breach them. Gaining an insider look into their techniques presents a clear perspective on building future-proof safeguards: visibility, ownership, behavioral monitoring, and hardware governance are no longer optional enhancements; they are the foundation of resilience.
