Key Points
4 minutes – fastest breakout time
6 minutes – fastest exfiltration time
1 in 4 attacks used social engineering for initial access
47% of incidents began with high-privilege access
59% of top malware delivered by ClickFix
Editor's note: This report was authored by Alexa Feminella and Joseph Keyes
The 2026 Annual Cyber-Threat Report is here. Based on thousands of incidents investigated throughout 2025, this report captures how attackers got in, what they did after, and what actually stopped them.
From a zero-day we discovered in SAP NetWeaver (CVSS 10.0) to AI-generated malware that broke every assumption about trusted software to North Korean operatives embedding inside organizations through fake IT worker personas, 2025 showed that targeting trust is far more effective than targeting infrastructure.
By targeting identity, adversaries secure elevated privileges from the very start. This allows them to skip time-consuming stages like privilege escalation and achieve objectives faster than ever, while automation and AI amplify the threat by generating lures at scale.
The clock is ticking, but this isn’t just a race. Adversaries are splitting their strategy between 4-minute sprints and slow-burn persistence, forcing defenders to fight on two fronts at once.
Cyber Attackers Hit 4-Minute Breakout Times
As attackers increasingly secure valid credentials with elevated privileges, the time to react has drastically dropped. In 2025, the average breakout time (initial access to lateral movement) dropped to 34 minutes. But averages can hide the real danger: the fastest intrusions reached lateral movement in just 4 minutes—an 85% acceleration from last year. Even worse, data exfiltration can now happen in 6 minutes.
This speed is driven by initial access. Attackers have traded noisy “smash-and-grab” tactics for silent, high-privilege entry. In 47% of incidents, they secured high privileges before ever touching the network. This allows them to skip escalation, blend into traffic, and repurpose legitimate tools. Hunting for a single indicator of compromise (IOC) is now a dead end: a valid account using a sanctioned admin tool produces no malicious hash or domain to match on.
However, speed is only half the story. Defenders are trapped between two extremes hiding inside legitimate activity: machine-speed breakouts that sprint to exfiltration in minutes, and slow-burn nation-state operations that persist for months. This reality changes the role of automation. Traditional playbook-based automation relies on constant upkeep and human follow-through. It is simply too slow for a 4-minute breakout and too rigid to catch a months-long anomaly.
Recommendations
To Respond at Top Speed, Automate
With breakout times dropping to 4 minutes, manual triage is a losing battle. To stay ahead, organizations must integrate agentic AI and automated playbooks to handle high-volume signals and contain threats at machine speed.
Use automated playbooks to instantly disable users or isolate hosts when high-confidence threats appear, reducing manual delays.
Automate Tier 1 and Tier 2 investigations for signals like multifactor authentication (MFA) resets and endpoint detection and response (EDR) tampering to keep decisions consistent and fast.
Use agentic AI to augment threat hunting and detection engineering, handling work that traditionally requires multiple analysts around the clock.
Secure Trust and Identity to Block Initial Access
Since 47% of attacks begin with high privileges, defenders must harden authentication processes to make valid accounts phishing resistant.
Move high-value users and IT staff to FIDO2/WebAuthn hardware keys. Because the credential is bound to the site origin, a phished password or a bypassed mobile MFA prompt (push fatigue, relayed one-time codes) no longer yields a usable login.
Require out-of-band verification—such as callbacks to pre-registered numbers—for password resets to stop help-desk social engineering.
Restrict where admin credentials can be used and implement Just-in-Time (JIT) access to limit the blast radius if an account is compromised.
Detect Post-Entry Behavior with Visibility and Correlation
When attackers use valid credentials and legitimate tools, they blend into the noise. Defense requires correlating subtle behaviors across different environments to catch intent.
Focus on behavior-based detection that links actions across identity, endpoint, network, and cloud to catch lateral movement and persistence.
Monitor for behavioral signals like impossible travel or the same session token used concurrently from different locations to catch session hijacking, even when the specific exploit that stole the token is unknown.
Immediately inventory and patch inherited internet-facing devices from mergers and acquisitions before expanding connectivity.
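The two session-hijacking signals above, impossible travel and concurrent token use, as an added example (not ReliaQuest's or GreyMatter's code). It assumes sign-in telemetry has already been normalized into one record per event with a user, a session identifier, a UTC timestamp, geo-IP coordinates and a source IP; the sample events, field names, and thresholds are constructed for illustration.

```python
"""Flag session-hijacking signals in normalized sign-in telemetry.

Added example; event schema and thresholds are assumptions, not a vendor format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0        # faster than a commercial flight: treat as impossible travel
MIN_DISTANCE_KM = 100.0          # ignore geo-IP jitter inside one metro area
CONCURRENT_WINDOW = timedelta(minutes=5)  # one token, two distant networks, within 5 minutes


@dataclass(frozen=True)
class SignIn:
    user: str
    session_id: str
    ts: datetime
    lat: float
    lon: float
    src_ip: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events):
    """Consecutive sign-ins by one user whose implied speed no traveller could reach."""
    findings = []
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                findings.append(("impossible_travel", user, prev.src_ip, cur.src_ip, round(km)))
    return findings


def concurrent_token_use(events):
    """One session token used from two distant networks within CONCURRENT_WINDOW.

    Unlike impossible travel this keys on session_id, not user, so it also catches a
    stolen token replayed while the legitimate owner is still signed in.
    """
    findings = []
    by_session = {}
    for e in events:
        by_session.setdefault(e.session_id, []).append(e)
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b.ts - a.ts > CONCURRENT_WINDOW:
                    break  # sorted by time, so later events are outside the window too
                if a.src_ip != b.src_ip and haversine_km(a.lat, a.lon, b.lat, b.lon) >= MIN_DISTANCE_KM:
                    findings.append(("concurrent_token_use", a.user, sid, a.src_ip, b.src_ip))
    return findings


def _t(hhmm):
    h, m = hhmm.split(":")
    return datetime(2025, 6, 1, int(h), int(m), tzinfo=timezone.utc)


# Constructed sample telemetry (documentation IP ranges, not real hosts).
SAMPLE_EVENTS = [
    SignIn("alice", "sess-a1", _t("10:00"), 40.71, -74.01, "203.0.113.5"),   # New York
    SignIn("alice", "sess-a1", _t("10:03"), 50.11, 8.68, "198.51.100.7"),    # Frankfurt, same token
    SignIn("bob", "sess-b1", _t("09:00"), 40.71, -74.01, "203.0.113.9"),     # New York
    SignIn("bob", "sess-b2", _t("13:00"), 42.36, -71.06, "192.0.2.20"),      # Boston, 4 h later: plausible
    SignIn("carol", "sess-c1", _t("11:00"), 51.51, -0.13, "192.0.2.44"),     # London
    SignIn("carol", "sess-c1", _t("11:02"), 51.51, -0.13, "192.0.2.44"),     # London, same IP: benign reuse
]


def run(events=SAMPLE_EVENTS):
    """Return all findings for a batch of sign-in events."""
    return impossible_travel(events) + concurrent_token_use(events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Only alice trips both detectors: New York to Frankfurt in three minutes is impossible travel, and because the second event reuses sess-a1 from a different network it is also concurrent token use. Bob's New York to Boston hop four hours later is well under the speed ceiling, and carol's repeated use of one token from one IP is normal. In production, enterprise VPN egress and mobile carrier NAT are the main false-positive sources; exempt known egress ranges before alerting rather than raising the speed threshold.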
GreyMatter: Contain Threats Before They Spread
This report underscores a critical truth for security operations: adversaries are outpacing manual defenses and cloaking their actions within legitimate activity.
ReliaQuest GreyMatter provides the architectural flexibility and agentic intelligence needed to evolve your SOC beyond these limitations. The GreyMatter agentic AI security operations platform seamlessly integrates across your diverse tools and environments, automating detection, investigation, and response. This empowers security teams to achieve average containment times of 4 minutes—fast enough to counter the most rapid breakouts—while freeing your expert analysts from repetitive Tier 1 and Tier 2 tasks.
By unifying telemetry across your complex multi-cloud, multi-SIEM, and on-premises ecosystems with the Universal Translator, GreyMatter not only accelerates response but transforms reactive operations into predictive defense, multiplying your team's expertise to stay ahead of what's next.
