29 Minutes: The shrinking window between initial access and full compromise
Attackers can pivot from initial access to lateral movement in around 29 minutes. Learn what’s driving the speed‑up—and how identity controls, segmentation and smart automation help defenders keep pace.
When ReliaQuest published its 2025 Annual Cyber-Threat Report, one number stood out above everything else: 29 minutes. That’s the median time it now takes for an attacker to move from initial access to lateral movement within a compromised network. For context, CrowdStrike’s 2024 Global Threat Report measured the fastest eCrime breakout time at 2 minutes and 7 seconds, with an average hovering around 62 minutes. The trend is unmistakable — adversaries are getting faster, and they’re doing it by working smarter, not harder.
What’s driving the acceleration?
The answer isn’t a single breakthrough exploit or some novel zero-day. It’s far more mundane — and arguably more dangerous because of it.
Infostealers have industrialised credential theft. Commodity malware families like Lumma, Raccoon, and RedLine continue to harvest credentials at scale, feeding a thriving underground economy where valid session tokens and VPN credentials sell for a few dollars each. When you can buy working credentials to a corporate environment on a Telegram channel before your morning coffee, there’s no need to spend days crafting a spear-phishing campaign or chaining together vulnerabilities. The initial access problem has essentially been outsourced to an automated supply chain.
Unmanaged devices are the soft underbelly of corporate access. There’s a crucial detail in how these credentials end up on the market in the first place. Infostealers don’t need to compromise a hardened corporate endpoint — they just need to land on the personal laptop a developer uses to check Slack on a Saturday, or the family desktop where someone logs into the corporate VPN “just to grab one file.” These home devices sit outside the reach of corporate EDR, endpoint hardening policies, and patching cadences. They run consumer antivirus (if any), share browsers with family members installing dubious extensions, and accumulate months of unpatched vulnerabilities. When an infostealer like Lumma executes on one of these machines, it doesn’t just grab one credential — it vacuums up every saved password, session cookie, and browser token on the system, including the ones that unlock corporate SaaS platforms, cloud consoles, and VPN gateways. The result is that a $200 infostealer deployment on an unmanaged home device can yield the same access as a sophisticated targeted intrusion — and the organisation’s security stack never sees a thing until those credentials surface in a breach. This is the blind spot that makes the 29-minute timeline possible: by the time the attacker logs in with stolen credentials, the initial compromise already happened weeks ago on a device the SOC doesn’t even know exists.
Legitimate tooling is the new attacker toolkit. The ReliaQuest findings align with a broader industry observation: adversaries are increasingly “living off the land.” Rather than dropping custom malware that might trip an EDR alert, attackers are leveraging tools already present in the environment — PowerShell, WMI, RDP, and remote management software like AnyDesk and ConnectWise ScreenConnect. CrowdStrike’s data corroborated this shift, reporting a 70% year-over-year increase in hands-on-keyboard intrusions that relied heavily on native operating system utilities. The irony is palpable: the very tools deployed to manage infrastructure are the same ones enabling its compromise.
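The practical problem with living-off-the-land activity is that each event on its own is ambiguous: an encoded PowerShell command, a WMIC call to another host, a remote-management client being installed. What makes it actionable on a 29-minute clock is correlating several such events on one host inside a short window. The following is an added example (not code from the ReliaQuest or CrowdStrike reports, nor from Conscia's SOC) of that pattern: three narrow rules over constructed process-creation events, then a step that only raises a host when distinct rules fire within 30 minutes. Host names, user names, the pipe-delimited event format and the command lines are all constructed for the example.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample process-creation events for this example (not real telemetry).
# Fields: timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2025-03-01T09:12:03Z|WS-0412|CORP\jsmith|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|"OUTLOOK.EXE"
2025-03-01T09:14:41Z|WS-0412|CORP\jsmith|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2025-03-01T09:15:02Z|WS-0412|CORP\jsmith|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:FS-01 process call create "cmd.exe /c whoami > \\WS-0412\c$\t.txt"
2025-03-01T09:16:20Z|WS-0412|CORP\jsmith|C:\Users\jsmith\AppData\Local\Temp\7z.exe|C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe|AnyDesk.exe --silent-install
2025-03-01T09:20:00Z|WS-0501|CORP\it-admin|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\Invoke-Inventory.ps1
"""


class Event(NamedTuple):
    ts: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


class Finding(NamedTuple):
    ts: datetime
    host: str
    user: str
    rule: str
    cmdline: str


def parse_events(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, parent, image, cmdline))
    return events


# -enc/-EncodedCommand followed by a base64 blob; "-w hidden" alone is not enough.
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
# wmic targeting another host and spawning a process there.
WMIC_REMOTE = re.compile(r"(?i)\bwmic(\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b")
# Remote-management clients are normal when installed by IT under Program Files,
# suspicious when executed out of a user-writable path.
RMM_TOOLS = {"anydesk.exe", "screenconnect.clientsetup.exe", "screenconnect.windowsclient.exe"}


def is_encoded_powershell(e: Event) -> bool:
    return e.image.lower().endswith("powershell.exe") and ENCODED_PS.search(e.cmdline) is not None


def is_wmic_remote_exec(e: Event) -> bool:
    return WMIC_REMOTE.search(e.cmdline) is not None


def is_rmm_from_user_path(e: Event) -> bool:
    name = e.image.rsplit("\\", 1)[-1].lower()
    return name in RMM_TOOLS and e.image.lower().startswith("c:\\users\\")


RULES = {
    "powershell_encoded_command": is_encoded_powershell,
    "wmic_remote_process_create": is_wmic_remote_exec,
    "rmm_tool_from_user_writable_path": is_rmm_from_user_path,
}


def run_rules(events: list[Event]) -> list[Finding]:
    return [Finding(e.ts, e.host, e.user, name, e.cmdline)
            for e in events for name, pred in RULES.items() if pred(e)]


def breakout_candidates(findings: list[Finding], window: timedelta = timedelta(minutes=30),
                        min_rules: int = 2) -> dict[str, list[str]]:
    """Hosts on which at least `min_rules` distinct rules fired within `window`."""
    by_host: dict[str, list[Finding]] = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    hits = {}
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f.ts)
        for i, start in enumerate(fs):
            rules = {g.rule for g in fs[i:] if g.ts - start.ts <= window}
            if len(rules) >= min_rules:
                hits[host] = sorted(rules)
                break
    return hits


if __name__ == "__main__":
    found = run_rules(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f.ts.isoformat()} {f.host} {f.rule}: {f.cmdline[:60]}")
    print("breakout candidates:", breakout_candidates(found))
```

In the constructed data the admin's scripted PowerShell on WS-0501 triggers nothing, while WS-0412 accumulates three different rules in under four minutes and is the only host returned. Each rule alone is too noisy to auto-contain on; the correlated result is the kind of high-fidelity signal later paragraphs argue should drive automated response.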
Identity has become the perimeter. Both reports emphasise that phishing and social engineering remain the dominant initial access vectors, but the target has shifted. Attackers aren’t just after passwords — they’re after identity. MFA bypass techniques, SIM swapping, session token theft, and adversary-in-the-middle (AiTM) frameworks like EvilProxy have turned authentication from a barrier into a speed bump. Once an attacker controls a valid identity, they inherit every permission and trust relationship that identity carries.
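One concrete consequence of session token theft is detectable at the identity provider: a cookie that was issued to one client later being presented from a different network. The code below is an added example (not from the reports cited above or from Conscia) of that check over constructed sign-in events; the session identifiers, addresses, ASNs and user agents are all made up for the example. The caveat matters: a session created through an AiTM proxy is seen from the proxy's address from its very first request, so this rule catches the later replay of a captured or infostealer-harvested cookie from a second machine, not the proxy session itself, which needs a different signal (for instance sign-ins originating from hosting-provider ranges).

```python
from __future__ import annotations

from datetime import datetime, timedelta
from typing import NamedTuple


class SessionEvent(NamedTuple):
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: str
    user_agent: str


# Constructed sample events (not real telemetry). jsmith's cookie is issued to a
# corporate ISP address and presented about eleven minutes later from a hosting
# provider with a different browser; mlee merely changes IP inside one network.
SAMPLE_ROWS = [
    ("2025-03-01T08:02:10Z", "jsmith", "sess-7f3a", "198.51.100.23", "AS64500 CorpISP", "Chrome/122 Windows"),
    ("2025-03-01T08:05:44Z", "jsmith", "sess-7f3a", "198.51.100.23", "AS64500 CorpISP", "Chrome/122 Windows"),
    ("2025-03-01T08:13:02Z", "jsmith", "sess-7f3a", "203.0.113.9", "AS64501 CloudHost", "Firefox/124 Linux"),
    ("2025-03-01T08:30:00Z", "mlee", "sess-91c0", "192.0.2.77", "AS64500 CorpISP", "Safari/17 macOS"),
    ("2025-03-01T09:45:00Z", "mlee", "sess-91c0", "192.0.2.78", "AS64500 CorpISP", "Safari/17 macOS"),
]


def load_events(rows) -> list[SessionEvent]:
    return [SessionEvent(datetime.strptime(r[0], "%Y-%m-%dT%H:%M:%SZ"), *r[1:]) for r in rows]


def detect_token_replay(events: list[SessionEvent],
                        window: timedelta = timedelta(hours=1)) -> list[dict]:
    """One alert per session whose cookie is presented from a different ASN than the
    one it was first seen from, within `window` of that first sighting.

    A new IP inside the same ASN (DHCP lease, VPN pool) is treated as normal. A
    user-agent change raises severity: a stolen cookie is usually imported into a
    different browser. Caveat: an AiTM proxy session is seen from the proxy's ASN
    from the start, so this rule does not catch that case on its own.
    """
    first_seen: dict[str, SessionEvent] = {}
    alerted: set[str] = set()
    alerts: list[dict] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        origin = first_seen.setdefault(e.session_id, e)
        if origin is e or e.session_id in alerted:
            continue
        if e.ts - origin.ts > window or e.asn == origin.asn:
            continue
        alerted.add(e.session_id)
        alerts.append({
            "user": e.user,
            "session_id": e.session_id,
            "issued_to": f"{origin.ip} ({origin.asn})",
            "replayed_from": f"{e.ip} ({e.asn})",
            "minutes_after_issue": int((e.ts - origin.ts).total_seconds() // 60),
            "severity": "high" if e.user_agent != origin.user_agent else "medium",
            "action": "revoke_session_and_reset_credentials",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_token_replay(load_events(SAMPLE_ROWS)):
        print(alert)
```

The recommended action is deliberately "revoke the session", not only "reset the password": a password change does not invalidate a live session token, which is exactly why a replayed cookie keeps working until it is revoked.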
Why 29 minutes matter more than you think
The significance of this number goes beyond a headline. Most security operations centres measure their mean time to detect (MTTD) in hours, not minutes. Industry benchmarks from SANS and Mandiant consistently place median dwell times anywhere from days to weeks — figures that already represent substantial improvement over the months-long dwell times reported a decade ago. But when the attacker’s breakout window is 29 minutes and the defender’s detection window is measured in hours, the math simply doesn’t work.
This gap has practical consequences. A 29-minute breakout time means that by the time a SOC analyst triages an alert, the attacker may have already escalated privileges, established persistence, and begun exfiltrating data or staging ransomware. The traditional alert → triage → investigate → contain workflow was designed for a world where defenders had more time. That world is disappearing.
At Conscia SOC, our current mean time to detect averages 15 minutes, and we keep pushing it down as our operation matures. We got there by combining high-quality threat intelligence sources, precise detection engineering (our own logic, not just vendor-supplied rules) and targeted automation.
The uncomfortable implications
There are a few uncomfortable truths embedded in this data which deserve honest discussion.
Prevention is not a solved problem, but detection alone isn’t the answer either. The speed of modern intrusions demands that organisations invest equally in reducing attack surface as they do in monitoring it. Credential hygiene, aggressive MFA enforcement (preferably phishing-resistant like FIDO2), ruthless segmentation, and minimising the blast radius of any single compromised identity are no longer best practices — they’re survival basics. And the attack surface doesn’t end at the corporate network boundary. If unmanaged personal devices are accessing corporate resources, they are part of the attack surface — whether they appear on an asset inventory or not. Conditional access policies, device compliance checks, and dark web credential monitoring aren’t luxuries; they’re the only way to address compromises that happen entirely outside your visibility.
Automation isn’t optional. When the adversary operates on a 29-minute clock, expecting a human analyst to detect, investigate, and contain in that window is unrealistic for most organisations. Automated containment actions — isolating a host, revoking a session, disabling an account — triggered by high-fidelity detections need to be part of the playbook. The risk of a false positive disruption pales in comparison to the cost of a 29-minute-to-ransomware scenario.
Threat intelligence needs to be operationalised, not just consumed. Knowing that infostealers are the primary credential supply chain for initial access brokers is only valuable if that knowledge drives action: monitoring for credential exposure on dark web marketplaces, hunting for infostealer indicators in endpoint telemetry, and proactively resetting compromised credentials before they’re weaponised.
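The two preceding points, automated containment gated by detection fidelity and threat intelligence that produces actions rather than reports, fit naturally into one playbook. The following is an added example (not Conscia's playbook, and not tied to any particular SOAR product) that takes detections with a confidence score and credential-exposure records, and returns a list of containment actions. It shows the guardrails a practitioner needs before letting this run unattended: low-confidence detections and domain controllers go to an analyst, break-glass accounts get their sessions revoked but are never auto-disabled, and an exposed credential only triggers a reset when the password has not already been rotated since the record surfaced. The host and user inventory, detection names, confidence values, feed records and action names are all hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Detection:
    name: str
    confidence: float   # 0..1, set by your own detection engineering, not vendor defaults
    entity_type: str    # "host" or "user"
    entity: str


@dataclass(frozen=True)
class ExposedCredential:
    user: str
    observed_at: datetime   # when the record surfaced on the feed / marketplace
    source: str


@dataclass(frozen=True)
class Action:
    kind: str
    entity: str
    reason: str


# Constructed inventory for the example (hypothetical; a real playbook reads the
# CMDB and the identity provider). Tier and break-glass flags drive the guardrails.
HOSTS = {"WS-0412": {"tier": "workstation"}, "DC-01": {"tier": "domain_controller"}}
USERS = {
    "jsmith": {"break_glass": False, "last_password_change": datetime(2025, 1, 10)},
    "breakglass-admin": {"break_glass": True, "last_password_change": datetime(2025, 2, 1)},
    "mlee": {"break_glass": False, "last_password_change": datetime(2025, 2, 20)},
}

AUTO_CONTAIN_THRESHOLD = 0.9   # below this, a human decides


def plan_detection_response(det: Detection) -> list[Action]:
    """Map one detection to containment actions, or to an analyst escalation."""
    if det.confidence < AUTO_CONTAIN_THRESHOLD:
        return [Action("escalate_to_analyst", det.entity,
                       f"{det.name}: confidence {det.confidence:.2f} below auto-contain threshold")]
    if det.entity_type == "host":
        if HOSTS.get(det.entity, {}).get("tier") == "domain_controller":
            return [Action("escalate_to_analyst", det.entity,
                           f"{det.name}: isolating a domain controller needs human approval")]
        return [Action("isolate_host", det.entity, det.name)]
    if det.entity_type == "user":
        if USERS.get(det.entity, {}).get("break_glass"):
            # Kill live sessions (cheap and reversible) but never lock the emergency account.
            return [Action("revoke_sessions", det.entity, det.name),
                    Action("escalate_to_analyst", det.entity,
                           f"{det.name}: break-glass account is never auto-disabled")]
        return [Action("revoke_sessions", det.entity, det.name),
                Action("disable_account", det.entity, det.name)]
    return [Action("escalate_to_analyst", det.entity, f"unknown entity type {det.entity_type!r}")]


def plan_credential_exposure(rec: ExposedCredential) -> list[Action]:
    """Turn a credential-exposure record into actions before the credential is used."""
    profile = USERS.get(rec.user)
    if profile is None:
        return []   # not one of our identities
    if rec.observed_at <= profile["last_password_change"]:
        return []   # password already rotated after the record surfaced
    reason = f"credential exposed via {rec.source}"
    return [Action("revoke_sessions", rec.user, reason),
            Action("force_password_reset", rec.user, reason)]


def build_plan(detections, exposures) -> list[Action]:
    """Merge all actions, keeping the first of each (kind, entity) pair."""
    candidates = [a for d in detections for a in plan_detection_response(d)]
    candidates += [a for r in exposures for a in plan_credential_exposure(r)]
    plan, seen = [], set()
    for a in candidates:
        if (a.kind, a.entity) not in seen:
            seen.add((a.kind, a.entity))
            plan.append(a)
    return plan


# Constructed inputs for the example run.
SAMPLE_DETECTIONS = [
    Detection("lotl_chain_encoded_ps_wmic_rmm", 0.95, "host", "WS-0412"),
    Detection("lotl_chain_encoded_ps_wmic_rmm", 0.95, "host", "DC-01"),
    Detection("session_cookie_replay_from_new_asn", 0.92, "user", "jsmith"),
    Detection("session_cookie_replay_from_new_asn", 0.92, "user", "breakglass-admin"),
    Detection("anomalous_logon_hours", 0.60, "user", "mlee"),
]
SAMPLE_EXPOSURES = [
    ExposedCredential("jsmith", datetime(2025, 2, 28), "infostealer log on a Telegram channel"),
    ExposedCredential("mlee", datetime(2025, 2, 15), "combolist"),
    ExposedCredential("nobody", datetime(2025, 2, 28), "combolist"),
]

if __name__ == "__main__":
    for a in build_plan(SAMPLE_DETECTIONS, SAMPLE_EXPOSURES):
        print(f"{a.kind:22} {a.entity:18} {a.reason}")
```

Two design notes. The rotation check compares the feed's observation date with the last password change, because that is the only timestamp most feeds give you; if a record carries the capture date from the infostealer log, compare against that instead, since the credential was stolen before it was listed. And a password rotation only addresses the password: cookies and tokens stolen alongside it stay valid until sessions are revoked, which is why the exposure path issues both actions.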
A shifting baseline
Perhaps the most important takeaway from the 29-minute figure is what it represents about the evolving baseline of attacker capability. This isn’t a measurement of elite nation-state operators — this is the median across a broad spectrum of threat actors, including financially motivated eCrime groups. The tools, tactics, and infrastructure enabling this speed are widely accessible. If the median is 29 minutes today, the question worth asking is: what will it be in twelve months?
The window between compromise and damage is closing. The organisations that will weather this shift are the ones treating speed as a design principle — in their architecture, their detection logic, and their response workflows — rather than something to be addressed after the next audit.
About the author
David Kasabji
Head of Threat Intelligence
David Kasabji is the Head of Threat Intelligence at the Conscia Group. He leads the development and delivery of actionable intelligence across cyber defense and managed security operations, translating complex threat activity into clear outcomes for different audiences, from SOC analysts and incident responders to executive stakeholders and external communications. His work spans end-to-end intelligence operations: collection and analysis of adversary activity, threat actor and campaign profiling, IOC and TTP development, and intelligence-driven guidance for detection, threat hunting, and security prioritization. David is also actively involved in Digital Forensics and Incident Response, supporting investigations and crisis situations with rapid triage, context, and strategic recommendations. A strong focus of his role is continuously improving how intelligence is operationalized through standardization and automation to ensure it is timely, relevant, and measurable.