← Back to blog

Dwell time in cyber incidents: the 2026 guide

June 29, 2026
Dwell time in cyber incidents: the 2026 guide

TL;DR:

  • Dwell time measures the period between an attacker's initial access and its detection, with the median rising to 14 days in 2026. Longer dwell times increase breach severity and costs, emphasizing the importance of internal detection and stage-specific tracking. Reducing dwell time involves continuous monitoring, automation, and memory forensics to detect advanced threats quickly.

Dwell time in cyber incidents is defined as the interval between an attacker's initial access to a network and the moment that access is detected. The industry standard terms for measuring this window are mean time to detect (MTTD) and mean time to respond (MTTR), and both sit at the core of any mature incident response programme. The global median dwell time has risen to 14 days in 2026, up from 11 days previously, which signals that attackers are becoming more evasive, not less. For espionage and high-intensity intrusions, that median climbs to 122 days. Every day an adversary remains undetected is a day they spend deepening access, harvesting credentials, and preparing for maximum impact.


How is dwell time in cyber incidents measured?

Dwell time, MTTD, and MTTR are related but distinct metrics. Dwell time measures the total window of undetected attacker presence. MTTD measures how long it takes your team to identify a threat after it begins. MTTR measures how long it takes to contain and remediate once detection occurs. Conflating them produces misleading programme assessments.

Professionals discussing dwell time metrics

MetricWhat it measuresWhy it matters
Dwell timeInitial access to detectionTotal exposure window
MTTDThreat start to alertDetection capability speed
MTTRAlert to containmentResponse process efficiency
Stage dwell timeTime per kill-chain phasePinpoints specific control failures

Stage-based dwell time analysis goes further than a single aggregate figure. Tracking dwell time by kill-chain phase allows security teams to identify specific defensive gaps, such as EDR failures or network segmentation blind spots, rather than relying on an overall median. If an attacker spends three days at the foothold stage but 18 days in lateral movement, that tells you exactly where your detection controls are failing.

Measurement itself carries real challenges. Log retention policies, visibility gaps in cloud environments, and encrypted traffic all obscure the true start of an intrusion. Advanced in-memory malware such as BRICKSTORM can achieve persistence on network appliances for up to 400 days while leaving minimal log artefacts. This is precisely why memory forensics in breach investigations has become a non-negotiable capability for accurate dwell time reconstruction.

Pro Tip: When calculating dwell time after an incident, work backwards from the earliest confirmed indicator of compromise in your forensic timeline, not from the date of the first alert. Alerts routinely lag the actual intrusion by days or weeks.

Infographic presenting key dwell time statistics


The headline figure is clear: median dwell time has increased to 14 days in 2026. That increase reflects deliberate attacker behaviour, not a failure of a single tool or team. Adversaries are investing more effort in blending into normal network traffic and avoiding triggering signature-based detections.

The speed of attacker execution once inside a network is the more alarming trend. Lateral movement now begins within 29 minutes of initial compromise, a 65% increase in speed compared to prior periods. Data exfiltration can begin within four minutes. These figures mean that a dwell time of even one day may be sufficient for an attacker to complete their primary objectives.

Detection source has a direct and measurable effect on dwell time length. Organisations detecting intrusions internally achieve a median dwell time of 13 days, compared to 28 days for those relying on external notifications. That 15-day difference represents a significant reduction in attacker opportunity. The implication is direct: external notification is not a detection strategy.

The financial correlation is equally stark. Breaches contained within 200 days average USD 3.93 million in total cost, while those exceeding 200 days average USD 4.95 million. A single million-dollar cost differential is the direct price of slow detection. For incident response leaders building a business case for investment, this figure is the most persuasive number in the room.


Why does dwell time matter for breach impact and response?

Longer dwell times produce worse outcomes across every measurable dimension. The relationship between attacker presence and breach severity is not linear. An attacker who has been present for 30 days has likely moved laterally, established multiple persistence mechanisms, and exfiltrated data. Containment at that point is far more complex than containment at day three.

The financial impact of cyber incidents scales directly with dwell time because remediation scope expands with every system an attacker touches. A breach confined to one endpoint costs a fraction of one that has spread across Active Directory, cloud workloads, and backup systems. Early detection compresses that scope.

Internal monitoring is the single most effective lever for reducing dwell time. Organisations with 24/7 SOC coverage achieve a median dwell time of six days, compared to 24 days for those with business-hours-only coverage. That four-fold difference is attributable entirely to detection availability, not to tool quality.

Reducing dwell time requires focus not just on detection speed, but on coordinated response processes. MTTR is as important as MTTD. A fast alert that triggers a slow response still produces a long exposure window.

Key areas where extended dwell time amplifies breach impact:

  • Credential compromise: Attackers target Active Directory within 11 hours of initial access, meaning credential abuse begins long before most alerts fire.
  • Data exfiltration volume: Longer presence equals more data staged and removed, increasing regulatory exposure under GDPR and NIS2.
  • Persistence depth: Multiple backdoors and scheduled tasks require significantly more effort to eradicate fully.
  • Forensic complexity: Extended intrusions generate more artefacts across more systems, increasing forensic analysis time and cost.

What are the limitations of dwell time as a security metric?

Dwell time is a valuable indicator, but treating it as a primary programme health metric produces blind spots. Dwell time as a uniform metric is becoming less reliable as attackers shift to faster, more ephemeral tactics. An attacker who achieves their objective in 48 hours produces a low dwell time figure that looks like a programme success. It is not.

The rise of "in-and-out" attack patterns is the clearest example of this limitation. Attackers using pre-positioned access or living-off-the-land techniques can complete credential theft, data exfiltration, and ransomware deployment within a single business day. A short aggregate dwell time in these cases masks a catastrophic breach.

Prioritising metrics like time-to-credential-abuse and cloud blast radius provides a more useful perspective on attacker impact than overall dwell time in fast-moving environments. These metrics capture what the attacker actually achieved, not just how long they were present. Incident response teams that track only aggregate dwell time will consistently misread their own programme maturity.

Stage-specific dwell time analysis addresses this gap directly. Monitoring the time an attacker spends at each kill-chain stage, from initial foothold through privilege escalation to exfiltration, reveals exactly which controls are failing and where investment is needed.

Pro Tip: Do not benchmark your programme solely against the global median dwell time of 14 days. A 12-day average looks good on paper but tells you nothing about whether attackers are reaching your crown-jewel systems within the first hour.

Key limitations to account for when interpreting cybersecurity dwell metrics:

  • Aggregate dwell time conceals stage-level control failures.
  • Short dwell times in fast attacks do not indicate low impact.
  • Log retention gaps cause systematic underestimation of true dwell time.
  • External detection skews the median upward, masking internal capability gaps.

How can organisations reduce dwell time effectively?

Reducing cyber attack dwell time requires a combination of technology, process, and measurement discipline. No single tool closes the gap. The organisations with the lowest dwell times combine continuous monitoring, threat hunting, and well-rehearsed response playbooks.

  1. Deploy 24/7 SOC coverage. Organisations with round-the-clock monitoring achieve a median dwell time of six days. Business-hours-only coverage produces a median of 24 days. The gap is not explained by tool differences.

  2. Implement AI-driven detection. AI-driven automation reduces MTTD by 30–40% and MTTR by 45–55%. These are not marginal gains. They represent the difference between catching an attacker before and after lateral movement.

  3. Automate alert triage. Continuous automated monitoring with behavioural analytics reduces alert investigation time from 30–45 minutes to under two minutes. Analysts freed from routine triage focus on high-value investigations instead.

  4. Track stage-specific dwell time. Build playbooks that target each kill-chain stage separately. If your lateral movement detection is slow, that is where investment goes, not into perimeter tools that are already performing well.

  5. Invest in live memory forensics. Traditional log-based detection misses in-memory malware entirely. Live memory capture and analysis is the only reliable method for detecting advanced persistent threats that deliberately avoid writing to disk.

  6. Establish a retainer with a specialist DFIR provider. A cyber incident response retainer eliminates the procurement delay that adds days to incident response time. When an intrusion is confirmed, the clock is already running.

Pro Tip: Run tabletop exercises that simulate an attacker who has been present for 72 hours before detection. Most teams discover their playbooks assume near-instant detection. Closing that assumption gap is where real dwell time reduction happens.


Key takeaways

Reducing dwell time in cyber incidents requires stage-specific measurement, 24/7 detection capability, and coordinated response processes working together, not any single tool in isolation.

PointDetails
Global median dwell timeRose to 14 days in 2026, with espionage cases reaching 122 days.
Internal detection advantageInternal detection produces a 13-day median versus 28 days with external notification.
Financial cost of slow detectionBreaches exceeding 200 days cost USD 1 million more on average than those contained sooner.
Stage-based measurementTracking dwell time per kill-chain stage identifies specific control failures more accurately than aggregate figures.
AI and automation impactAI-driven detection reduces MTTD by 30–40% and MTTR by 45–55%, cutting exposure windows significantly.

Dwell time is more complex than the median suggests

Having worked on breach investigations across the UK and Europe, I have seen incident response teams fixate on the global median dwell time as if it were a pass or fail threshold. It is not. The median is a population statistic. It tells you nothing about whether your specific environment, your specific attacker, and your specific detection controls are aligned.

The cases that concern me most are not the ones with 120-day dwell times. Those are usually discovered through external notification or regulatory pressure, and the scope is already defined. The cases that are genuinely difficult are the ones where an attacker achieved everything they needed in 36 hours and the aggregate dwell time looks unremarkable. The credential abuse happened within the first 11 hours. The exfiltration was complete before the first alert fired. The dwell time figure was short. The damage was severe.

My view is that incident response maturity is better measured by time-to-credential-abuse and time-to-lateral-movement than by aggregate dwell time alone. These metrics force teams to confront the speed of modern attacks rather than taking comfort in a median that is already outdated by the time it is published. Dwell time remains a useful baseline. It should not be the ceiling of your measurement programme.

— Makkari


How Makkarisecurity supports faster detection and response

Makkarisecurity's DFIR and incident response services are built specifically for organisations that cannot afford extended attacker presence. The proprietary forensic engine delivers live memory capture and cross-verified results, addressing the visibility gaps that cause dwell time to be systematically underestimated in log-only investigations.

https://makkarisecurity.com

The Eviction Pledge backs every engagement: once a threat actor is evicted, they will not return for a minimum of 60 days, or the client is not charged. That guarantee is supported by a flawless re-breach record. For security teams in the UK, Gibraltar, and broader Europe who need a DFIR partner with a proven track record, Makkarisecurity's mission is to close the detection gap and keep it closed.


FAQ

What is dwell time in cybersecurity?

Dwell time is the period between an attacker's initial access to a network and the moment that access is detected. The global median in 2026 is 14 days, with high-intensity intrusions averaging 122 days.

How does dwell time differ from MTTD and MTTR?

Dwell time measures total undetected attacker presence. MTTD measures how quickly a threat is identified after it begins. MTTR measures how long containment and remediation take once detection occurs.

Why has dwell time increased in 2026?

The rise from 11 to 14 days reflects increased attacker evasion sophistication, including the use of in-memory malware, living-off-the-land techniques, and deliberate avoidance of signature-based detection tools.

What is the financial impact of long dwell times?

Breaches contained within 200 days average USD 3.93 million in cost. Those exceeding 200 days average USD 4.95 million. The difference of over USD 1 million is directly attributable to extended attacker presence.

How can organisations measure dwell time more accurately?

Tracking dwell time per kill-chain stage, from initial foothold through lateral movement to exfiltration, provides far greater precision than a single aggregate figure. Live memory forensics is also required to detect advanced threats that avoid leaving log artefacts.