- Attacker dwell time in cybersecurity, defined
- What the cyberattacker can do with dwell time
- Why reducing attacker dwell time is critical
- How EDR-evasive threats prolong attacker dwell time
- AI adoption grows for offense and defense
- Why multi-layered detection and NDR reduce attacker dwell time
- The Corelight Open NDR advantage
- How NDR helps SOCs defend against what they cannot see
- FAQs
Learn what attacker dwell time is, why reducing it is critical to stopping breaches, and how NDR helps defenders spot evasive threats.
Many organizations spend millions of dollars on cybersecurity defenses to prevent perpetrators from entering and wreaking havoc. But even the most sophisticated security operations centers (SOCs) can be tested by determined hackers. For many organizations, the prospect of a data breach is not an if, but a when.
Breaches can be devastating, often resulting in heavy financial losses. The global average cost of a data breach was $4.4 million, according to the Cost of a Data Breach Report 2025 from IBM and Ponemon Institute.
In addition to financial losses, organizations risk regulatory liability and reputational harm from cyberattacks. For many organizations, their credibility with customers and other stakeholders hinges on their ability to protect the sanctity of data. Accordingly, catching and stopping adversaries before they can pilfer corporate assets is essential.
Unfortunately, most breaches aren't discovered the day they happen. They're discovered well after an adversary has already mapped out a corporate network, escalated their privileges, and positioned themselves for maximum impact.
That interval has a name: attacker dwell time.
This article will explore the impact of dwell time in cybersecurity, explain why reducing dwell time is essential, discuss the role of AI for both attackers and defenders, and detail the importance of multi-layered network detection and response in combating adversaries.
Attacker dwell time in cybersecurity, defined
Attacker dwell time is the length of time a threat actor remains undetected within a compromised network, from initial infiltration to discovery and removal. That clock can span days, weeks, and in some instances, months.
The proliferation of AI tools lets adversaries find and exploit vulnerabilities faster than ever, and every day an intrusion goes undiscovered adds to its dwell time. How long that dwell time runs is arguably the single most consequential variable in determining how bad a breach gets, because the damage is rarely done at the point of entry.
Rather, it accumulates every single day the adversary remains, gleaning bits of information until they decide to escalate from eavesdropping to action. In some instances, this can mean capturing data and holding it for ransom. In the case of nation-state attacks, it can mean significant operational disruption. In short, an adversary left unattended can inflict significant damage on an organization.
In 2025, the global median attacker dwell time after an initial compromise was 14 days, up from 11 days the year before, a rise that likely reflects attackers’ growing ability to evade defenses, according to Mandiant’s M-Trends 2026 report. At the same time, the interval between initial compromise and lateral movement fell to 29 minutes in 2025, a 65 percent acceleration over the previous year, according to CrowdStrike’s 2026 Global Threat Report; in at least one case, data exfiltration began within four minutes of entry. In other words, adversaries now move faster once inside yet stay hidden longer.
What the cyberattacker can do with dwell time
The attacker times malicious activity, typically lateral movement across IT systems, to coincide with high-traffic windows where sheer log volume obscures their actions, or with off hours when already resource-strapped SOC staffing runs leanest.
Leaning into this behavioral blending, the attacker gathers information through tried and tested snooping tactics: reconnaissance and network enumeration, harvesting credentials and authentication tokens, and escalating to privileged accounts.
Often these steps are merely staging for the deployment of malware such as ransomware, or for the exfiltration of sensitive documents ranging from strategy plans and board materials to specifications for unreleased products and other proprietary IP. Adversaries do this slowly, staying under data loss prevention alert thresholds.
Why reducing attacker dwell time is critical
Protracted attacker dwell time is dangerous because it lets adversaries deepen their knowledge of the organization’s operations: the lateral movement and privilege escalation carried out during that time give them the access they need to plan maximally disruptive actions such as ransomware deployment or large-scale data exfiltration.
This is why mean time to detect (MTTD) is so critical.
If dwell time is the adversary’s metric, MTTD is the organization’s: the average time elapsed between the moment a threat enters an environment and the moment the security team becomes aware of it. Mean time to respond (MTTR) is the organization’s average time between detecting a threat and containing or neutralizing it.
The total exposure window is the time from initial infiltration to containment, so on average it is MTTD plus MTTR, with MTTD serving as the organizational counterpart of attacker dwell time.
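A worked example of how these metrics are computed from incident records, added here as an illustration (this is not Corelight code, and the incident timestamps are constructed, not real breach data). The function names and the 14-day review threshold, borrowed from the median dwell time cited earlier, are assumptions for the example. It also shows why industry reports quote the median dwell time rather than the mean: one long-lived intrusion drags the mean far above the typical case.

```python
from datetime import datetime
from statistics import mean, median

# Constructed incident records for illustration (not real breach data).
# Each record carries the three timestamps the metrics are built from:
# when the adversary got in, when the SOC detected them, when they were contained.
INCIDENTS = [
    {"id": "INC-1", "compromise": "2025-03-01T02:10:00", "detected": "2025-03-04T09:30:00", "contained": "2025-03-04T15:00:00"},
    {"id": "INC-2", "compromise": "2025-03-10T23:45:00", "detected": "2025-03-11T00:20:00", "contained": "2025-03-11T03:00:00"},
    {"id": "INC-3", "compromise": "2025-01-05T11:00:00", "detected": "2025-03-20T08:00:00", "contained": "2025-03-22T08:00:00"},
    {"id": "INC-4", "compromise": "2025-04-02T14:00:00", "detected": "2025-04-03T14:00:00", "contained": "2025-04-03T20:00:00"},
]

LONG_DWELL_DAYS = 14  # assumption: review threshold set at the reported global median


def _hours(later: str, earlier: str) -> float:
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600


def incident_intervals(incidents):
    """Per incident: (id, dwell hours, response hours, exposure hours).
    dwell    = compromise -> detection   (the adversary's dwell time)
    response = detection  -> containment
    exposure = compromise -> containment = dwell + response
    """
    rows = []
    for inc in incidents:
        dwell = _hours(inc["detected"], inc["compromise"])
        response = _hours(inc["contained"], inc["detected"])
        if dwell < 0 or response < 0:
            raise ValueError(f"{inc['id']}: timestamps out of order")
        rows.append((inc["id"], dwell, response, dwell + response))
    return rows


def soc_metrics(incidents):
    """MTTD and MTTR are means over incidents; the median dwell time is reported
    alongside because a single long-lived intrusion skews the mean upward."""
    rows = incident_intervals(incidents)
    dwell = [r[1] for r in rows]
    response = [r[2] for r in rows]
    exposure = [r[3] for r in rows]
    return {
        "mttd_hours": mean(dwell),
        "median_dwell_hours": median(dwell),
        "mttr_hours": mean(response),
        "mean_exposure_hours": mean(exposure),
    }


def long_dwell_incidents(incidents, threshold_days=LONG_DWELL_DAYS):
    """IDs of incidents whose dwell time exceeded the threshold: the cases in
    which the adversary had time to map the network and stage impact."""
    return [r[0] for r in incident_intervals(incidents) if r[1] / 24 > threshold_days]


if __name__ == "__main__":
    for name, value in soc_metrics(INCIDENTS).items():
        print(f"{name:>22}: {value:8.1f}")
    print("long-dwell incidents:", long_dwell_incidents(INCIDENTS))
```

With these four records the median dwell is about 52 hours while MTTD is about 469 hours, entirely because of INC-3; tracking both tells the SOC whether a bad quarter is one outlier or a systemic detection gap.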
How EDR-evasive threats prolong attacker dwell time
The threat landscape as a whole is more challenging than ever, taxing organizations’ ability to reduce attacker dwell time. The modern SOC also faces a growing attack surface as cloud environments, devices, Internet of Things (IoT) and operational technology (OT) proliferate, leaving more surfaces and environments to monitor and defend than ever before.
Compounded with increasingly sophisticated attacker tactics and techniques, this makes the security team’s job even harder.
One strategy advanced attackers employ is to sidestep Endpoint Detection and Response (EDR) tools by moving laterally, east-west, between internal hosts. That traffic never crosses the edge devices where north-south detection typically looks.
Adversaries can also target devices where EDR cannot be deployed at all, such as ICS/OT equipment, and use living-off-the-land (LOTL) techniques that turn legitimate administrative tools against the SOC’s defenses.
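To make the east-west point concrete, here is an added example (illustrative code written for this article, not Corelight’s or Zeek’s own) that runs a simple lateral movement heuristic over a handful of constructed Zeek conn.log records in JSON form. The internal address ranges, the set of administrative ports, the hypothetical jump host 10.0.0.5 that is allowed to reach servers, the 10-minute window and the fan-out threshold of three distinct hosts are all assumptions for the example. The sessions that trigger the alert never touch an edge device, which is why a perimeter sensor watching north-south traffic would not see them, and the host doing the moving looks like an ordinary workstation to an endpoint agent running on it.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for the example: internal ranges, admin services, an allowlisted
# jump host, and a 10-minute fan-out window. Tune all of these per environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22: "ssh", 135: "msrpc", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}
ALLOWED_ADMIN_SOURCES = {"10.0.0.5"}      # hypothetical jump host / bastion
NO_REPLY_STATES = {"S0", "REJ"}           # Zeek conn_state: attempt unanswered / rejected
WINDOW_SECONDS = 600
FANOUT_THRESHOLD = 3

# Constructed Zeek conn.log records in JSON form (not real traffic).
SAMPLE_CONN_LOG = """
{"ts":1741700000.0,"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"10.10.0.11","id.resp_p":3389,"proto":"tcp","conn_state":"SF"}
{"ts":1741700030.0,"uid":"C2","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"10.10.0.12","id.resp_p":3389,"proto":"tcp","conn_state":"SF"}
{"ts":1741700060.0,"uid":"C3","id.orig_h":"10.0.0.5","id.orig_p":51002,"id.resp_h":"10.10.0.13","id.resp_p":3389,"proto":"tcp","conn_state":"SF"}
{"ts":1741700100.0,"uid":"C4","id.orig_h":"10.20.1.17","id.orig_p":49200,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","conn_state":"SF"}
{"ts":1741700120.0,"uid":"C5","id.orig_h":"10.20.1.17","id.orig_p":49201,"id.resp_h":"10.10.0.11","id.resp_p":445,"proto":"tcp","conn_state":"SF"}
{"ts":1741700180.0,"uid":"C6","id.orig_h":"10.20.1.17","id.orig_p":49202,"id.resp_h":"10.10.0.12","id.resp_p":445,"proto":"tcp","conn_state":"SF"}
{"ts":1741700200.0,"uid":"C7","id.orig_h":"10.20.1.17","id.orig_p":49203,"id.resp_h":"10.10.0.14","id.resp_p":445,"proto":"tcp","conn_state":"S0"}
{"ts":1741700300.0,"uid":"C8","id.orig_h":"10.20.1.17","id.orig_p":49204,"id.resp_h":"10.10.0.13","id.resp_p":5985,"proto":"tcp","conn_state":"SF"}
{"ts":1741700400.0,"uid":"C9","id.orig_h":"10.20.1.30","id.orig_p":50100,"id.resp_h":"10.10.0.20","id.resp_p":445,"proto":"tcp","conn_state":"SF"}
"""


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def east_west_admin_sessions(records):
    """Internal-to-internal sessions on admin ports that actually got a reply.
    Unanswered attempts (S0) are scan noise for this detector; answered sessions
    are the ones an adversary is using to move."""
    sessions = []
    for r in records:
        src, dst, port = r["id.orig_h"], r["id.resp_h"], r["id.resp_p"]
        if not (is_internal(src) and is_internal(dst)):
            continue  # north-south traffic: out of scope for this detector
        if port not in ADMIN_PORTS or r["conn_state"] in NO_REPLY_STATES:
            continue
        sessions.append((r["ts"], src, dst, ADMIN_PORTS[port]))
    return sessions


def detect_lateral_movement(records):
    """Alert when a non-allowlisted internal host reaches FANOUT_THRESHOLD or
    more distinct internal hosts over admin services within WINDOW_SECONDS."""
    by_src = defaultdict(list)
    for sess in east_west_admin_sessions(records):
        if sess[1] not in ALLOWED_ADMIN_SOURCES:
            by_src[sess[1]].append(sess)
    alerts = []
    for src, sessions in by_src.items():
        sessions.sort()  # by timestamp
        for i, (ts, _, _, _) in enumerate(sessions):
            window = [s for s in sessions[: i + 1] if ts - s[0] <= WINDOW_SECONDS]
            dests = sorted({s[2] for s in window})
            if len(dests) >= FANOUT_THRESHOLD:
                alerts.append({
                    "src": src,
                    "dests": dests,
                    "services": sorted({s[3] for s in window}),
                    "first_ts": window[0][0],
                    "last_ts": ts,
                })
                break  # one alert per source; later sessions only add evidence
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(parse_conn_log(SAMPLE_CONN_LOG)):
        span = alert["last_ts"] - alert["first_ts"]
        print(f"{alert['src']} reached {len(alert['dests'])} hosts via {alert['services']} "
              f"in {span:.0f}s: {alert['dests']}")
```

On the sample, the jump host’s three RDP sessions are ignored because it is allowlisted, the workstation’s DNS lookup is ignored as north-south, and the unanswered SMB attempt to 10.10.0.14 is dropped as noise; what remains is workstation 10.20.1.17 reaching three servers over SMB and WinRM inside three minutes, which is the pattern a SOC wants surfaced.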
AI is also enabling attackers to target integrated development environments (IDEs). In a recent attack, AI was used to clone more than 70 legitimate VS Code and Open VSX extensions, which developers then unwittingly installed on their workstations. This let the attackers distribute malware, specifically the “Glassworm v2” infostealer, onto those workstations. By targeting developer workstations, the tactic evaded traditional security controls and gave attackers easy access to cloud credentials, API keys, and source code, supply chain assets that let them pivot to a broader infrastructure compromise.1
Ultimately, it’s incumbent upon SOCs to fortify their defenses as these EDR-evasive threats grow in popularity and complexity.
AI adoption grows for offense and defense
As exploits become more complex, many SOC administrators are turning their attention to an emerging threat: generative AI and agentic AI give adversaries the means to build faster-moving and more adaptive attacks.
Threat actors apply generative AI to scale phishing operations, accelerate malicious code development and enhance social engineering through improved language quality, according to IBM’s X-Force Threat Intelligence Index 2026 report. Moreover, if an attacker steals API keys or credentials for an organization’s agentic AI systems, they can then use the organization's own agents to power through the network or exfiltrate data.
Fortunately, SOCs are also learning to leverage machine learning and anomaly detection to process telemetry, identify anomalous behaviors, and shrink MTTD and MTTR windows.
They also use agentic AI as a critical tool to defend against attacks, automatically flagging threats and correlating signals before recommending or even executing corrective actions. By enabling SOCs to handle hundreds of investigations in parallel, agentic AI can reduce MTTR by as much as 90%.
Why multi-layered detection and NDR reduce attacker dwell time
Although AI-powered defenses are still evolving, network detection and response (NDR) offers a credible way for SOCs to reduce MTTD and MTTR and combat a variety of attacks.
NDR monitors traffic flowing between hosts, spanning connections, protocols, lateral movement, and data leaving the environment. This network visibility also provides complete asset visibility, including the network traffic attributed to each asset. These assets include IoT, OT, edge devices, network infrastructure, cloud workloads, and third-party systems. By providing visibility into the complete set of assets, NDR ensures broader coverage for detections, enabling SOC teams to reduce dwell time.
Some best-in-class NDR solutions bundle an IDS, AI-powered threat detection, and several other complementary approaches. Vendors with a holistic or “multi-layered” approach combine a number of detection techniques (behavioral analytics, supervised ML detection, anomaly detection, threat intelligence feeds, and signature-based detection) to quickly identify threats that evade EDR and that perimeter tools miss.
The Corelight Open NDR advantage
Corelight’s Open NDR Platform takes a multi-layered approach to detection and is focused on evidence-based security.
Corelight Open NDR layers several detection engines that analyze network data and logs, ranging from low-impact engines intended to find common and known threats quickly to resource-intensive engines built to identify more evasive and unknown threats:
- Signature detection: As part of its integrated IDS, Open NDR uses Corelight’s signatures along with Proofpoint ET Pro signatures running on the integrated open-source Suricata detection engine.
- YARA: YARA rules, a standard for static file analysis in the malware analysis community, allow for customizable pattern matching.
- Threat intelligence: Typically composed of Indicators of Compromise (IOCs), this engine looks for known network entities (e.g., IP addresses, domain names, hashes) observed in actual attacks.
- Behavioral detection: Corelight Collections, powered by Zeek scripting, offer behavioral detection for domain generation algorithms (DGAs), command and control (C2), crypto mining, and transfer of large amounts of data over control protocols such as DNS and ICMP.
- Machine learning: Open NDR uses supervised ML models, on both sensor-only and SaaS-based deployments, to identify specific types of known attacks on which the models have been pre-trained. Open NDR’s anomaly detection engine applies unsupervised ML to a variety of network use cases.
- Search-based threat hunting: Corelight-defined log search queries generate search-based alerts and detections.
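As an added illustration of the behavioral detection item above (example code written for this article, not a Corelight Collection or a Zeek script), the following runs two heuristics over constructed Zeek dns.log records: one for bulk data transfer over DNS (many unique, high-entropy subdomains under one registered domain from a single source) and one for DGA-style activity (a burst of NXDOMAIN responses for distinct, unpronounceable registered domains from one host). The field names match Zeek’s dns.log; the thresholds, the naive “last two labels” registered-domain split, and the vowel-ratio check are assumptions for the example. Production detectors use a public suffix list and, as the machine learning item notes, trained models rather than hand-tuned cutoffs.

```python
import json
import math
from collections import defaultdict

# Constructed Zeek dns.log records (JSON lines) for illustration; not real traffic.
SAMPLE_DNS_LOG = """
{"ts":1741700001.0,"id.orig_h":"10.20.1.17","query":"g7x2qv9mz4kp1wd8rtl0nb3fy.data.exfil-example.net","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1741700002.0,"id.orig_h":"10.20.1.17","query":"h3c8lm5vz1qw0ek7xr2pd9bn6.data.exfil-example.net","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1741700003.0,"id.orig_h":"10.20.1.17","query":"j2t9fv4kq7zm1xw6rs0pl5dc8.data.exfil-example.net","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1741700004.0,"id.orig_h":"10.20.1.17","query":"n5b1yk8gq3ct7vx0mw2rz6fp4.data.exfil-example.net","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1741700005.0,"id.orig_h":"10.20.1.17","query":"w9d4sq2bk6hj7nx1ml3tz0cv8.data.exfil-example.net","qtype_name":"TXT","rcode_name":"NOERROR"}
{"ts":1741700010.0,"id.orig_h":"10.20.1.30","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1741700011.0,"id.orig_h":"10.20.1.30","query":"mail.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1741700012.0,"id.orig_h":"10.20.1.30","query":"cdn.example.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1741700013.0,"id.orig_h":"10.20.1.30","query":"typo-exmaple.com","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1741700020.0,"id.orig_h":"10.20.1.22","query":"xk3jq9vlm2z.com","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1741700021.0,"id.orig_h":"10.20.1.22","query":"qp7zrt4nwv8.net","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1741700022.0,"id.orig_h":"10.20.1.22","query":"m9v2kxq5ljw.org","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1741700023.0,"id.orig_h":"10.20.1.22","query":"zq4lh8tkvn3.info","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1741700024.0,"id.orig_h":"10.20.1.22","query":"update-cdn.example.org","qtype_name":"A","rcode_name":"NOERROR"}
"""

# Assumed thresholds for the example; a real deployment tunes these against its own baseline.
TUNNEL_MIN_UNIQUE = 5      # distinct subdomains under one domain from one source
TUNNEL_ENTROPY_MIN = 3.5   # bits per character; encoded payload scores high
DGA_ENTROPY_MIN = 3.0
DGA_VOWEL_MAX = 0.2        # natural-language labels carry vowels, most DGA output does not
DGA_MIN_DOMAINS = 3        # distinct NXDOMAIN hits per source before alerting


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(query: str):
    """Naive (subdomain, registered_domain) split: assumes the registered domain is
    the last two labels. A public suffix list is needed to handle co.uk and friends."""
    labels = query.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", query
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_dns_log(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_dns_tunneling(records):
    """Flag (source, domain) pairs that send many distinct high-entropy subdomains:
    the signature of data being encoded into query names."""
    groups = defaultdict(list)
    for r in records:
        sub, dom = split_query(r["query"])
        if sub:
            groups[(r["id.orig_h"], dom)].append(sub)
    alerts = []
    for (src, dom), subs in groups.items():
        unique = set(subs)
        if len(unique) < TUNNEL_MIN_UNIQUE:
            continue
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in unique) / len(unique)
        if mean_entropy >= TUNNEL_ENTROPY_MIN:
            alerts.append({
                "src": src,
                "domain": dom,
                "unique_subdomains": len(unique),
                "mean_entropy": round(mean_entropy, 2),
                "payload_bytes": sum(len(s.replace(".", "")) for s in subs),
            })
    return alerts


def detect_dga_activity(records):
    """Flag sources that receive NXDOMAIN for several distinct random-looking
    registered domains: malware walking a generated list to find live C2."""
    suspicious = defaultdict(set)
    for r in records:
        if r.get("rcode_name") != "NXDOMAIN":
            continue
        _, dom = split_query(r["query"])
        sld = dom.split(".")[0]
        vowel_ratio = sum(ch in "aeiou" for ch in sld) / max(len(sld), 1)
        if shannon_entropy(sld) >= DGA_ENTROPY_MIN and vowel_ratio < DGA_VOWEL_MAX:
            suspicious[r["id.orig_h"]].add(dom)
    return [{"src": src, "nxdomain_candidates": sorted(doms)}
            for src, doms in suspicious.items() if len(doms) >= DGA_MIN_DOMAINS]


if __name__ == "__main__":
    records = parse_dns_log(SAMPLE_DNS_LOG)
    print("tunneling:", detect_dns_tunneling(records))
    print("dga:", detect_dga_activity(records))
```

The benign host 10.20.1.30 is left alone by both heuristics: its three subdomains under example.com are too few and too low-entropy to look like a tunnel, and its one mistyped NXDOMAIN carries the vowel pattern of a real word. Host 10.20.1.17, by contrast, pushes 145 bytes of encoded payload through five TXT queries, and 10.20.1.22 burns through four machine-generated names before landing on a real one.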
Other Corelight Open NDR advantages include faster incident response via agentic AI triage, a major new Corelight capability that moves beyond simple alerts to provide analysts with a prioritized, evidence-based view of the riskiest entities in their environment.
Corelight also features the ability to automate workflows, reduce false positives, provide comprehensive coverage and visibility, and leverage broad community contributions. Its open architecture ensures data portability, enabling organizations to use their data in the tools that best suit their SOC needs.
How NDR helps SOCs defend against what they cannot see
Shrinking dwell time is one of the highest-value investments a security team can make. An organization may not always prevent entry. But disrupting the adversary's ability to operate undetected inside an environment limits the damage they can do.
Detection is the first step toward reducing dwell time, but in order for your SOC to truly make a significant impact on this KPI, it needs the right security tooling and network visibility to see adversaries as early as possible. The visibility that comes from the network is what makes NDR the ultimate defense against attacker dwell time. To learn more, read this in-depth primer on NDR. For more about Corelight’s capabilities, check out this overview of the Open NDR Platform.
FAQs
Why is dwell time a critical cybersecurity metric?
Dwell time is a critical cybersecurity metric because it measures the interval between when an adversary enters an environment to when they’re detected. The longer the dwell time, the larger the blast radius with more data compromised, higher remediation costs, broader regulatory exposure, and a deeper foothold. Dwell time is also an important metric for measuring the effectiveness of the SOC at detecting threats in their environment.
Why is dwell time crucial for attackers?
Sophisticated adversaries such as ransomware operators, nation-state actors, and advanced persistent threat groups need time to map networks, find privileged accounts, and locate valuable data. The more time they have to do this unobserved, the better positioned their malicious payload is for deployment, or the larger their haul for exfiltration.
How does network detection and response reduce dwell time?
Adversaries can't hide their network behavior. Regardless of the sophistication of the intrusion technique, reconnaissance, lateral movement, credential harvesting, data staging, and exfiltration generate network traffic. NDR’s persistent visibility and advanced multilayered detection techniques are what makes it uniquely effective at compressing dwell time.