Times are tough for cyber pros, quite literally. Two common malware time scale metrics — dwell time and time to exploit — are rapidly shortening, making it harder for defenders to find and neutralize threats.
What are malware dwell time and time to exploit?
The two metrics are somewhat related. Malware’s dwell time refers to the amount of time malware remains undetected after it has entered a network. While the shorter times indicate improved detection and defensive posture, that also forces attackers to get better at hiding their incursions and using various “living off the land” methods to disguise their code. Tony Burgess of Barracuda blogged about the three reasons for the recent drop in dwell times: The victim finds and blocks the intrusion, the attacker steals the targeted data, or the attacker detonates a payload, such as a ransomware attack, that announces their presence.
The other metric, time to exploit (TTE), is the period between the discovery of a vulnerability and when an attacker actively launches an attack, showing how quickly an attacker can take advantage of a known vulnerability once they find it. This means enterprises need to improve their patching game and respond quickly and comprehensively to any vulnerability alerts. Two analysts from Google’s Mandiant group found the average TTE in 2018 was around 63 days. In 2023 they saw this drop to five days.
“As long as patch cycles remain lengthy for vulnerabilities that provide access to either code execution or privilege escalation, threat actors will continue to identify and exploit these vulnerabilities,” they wrote.
Time frame changes to time to exploit
The time frames are quickly shortening as the ransomware efforts of a variety of attackers shift their focus to stealing data first rather than collecting ransoms.
A recent Huntress Cyber Report shows that TTE — which the researchers refer to as “time-to-ransom” or TTR — has dropped to a few hours for some ransomware groups. Times for many attacker groups are less than 44 hours, with some groups exploiting their code within four hours; overall, the average TTE is around 17 hours across all ransomware activities studied.
The researchers attribute the different times to different methods: “some groups prefer smash-and-grab techniques versus others who prefer slow-and-low methodologies.” The latter form was also recognized by Radware in its 2025 threat report, which found a 38% increase in this method of operation over the past year for DDoS attacks. These attacks “involve sending a small stream of very slow traffic, making them difficult to detect and mitigate,” Radware’s researchers wrote.
Palo Alto Networks’ most recent Unit42 incident report also sees the threat time frame shrinking, having found that a quarter of data thefts happen in less than five hours from when a piece of malware first enters a network. This rate is three times faster than what the company’s researchers saw in 2021. They predict that attackers’ use of various AI tools will make things worse by cutting these times down even further, even to minutes. One problem is that because many enterprises use a variety of detection tools, information is not shared between them, resulting in siloed reporting that makes it more difficult to catch malware quickly.
Time frame changes to dwell time
Dwell times are also dropping. According to a Secureworks report from last year, some ransomware groups’ dwell times shrank to as short as seven hours, and a tenth of all intrusions studied happened within five hours of the attacker gaining initial access.
Moreover, CrowdStrike says that breakout time — how long it takes for an adversary to start moving laterally across your network — reached an all-time low in the past year, down to an average of 48 minutes, with the fastest breakout time they observed being 51 seconds. This means cyber teams need better real-time threat detection and more solid identity and access controls to identify and halt intrusions before they spread. CrowdStrike researchers noted one malware group, dubbed Curly Spider, takes less than 4 minutes from initial phishing interaction to establishing a persistent network backdoor. “The malware compromises the network in seconds by securing long-term access before the victim even realizes what’s happening,” they wrote.
Barracuda’s Burgess reasons that attackers now have a more rushed agenda and grab data as quickly as they can. This also means defenders must be able to quickly react once malware is detected, which again reinforces the notion of breaking down security silos and having more cross-team cooperation and cross-tool integration to be able to respond and eliminate a potential threat.
What cybersecurity teams can do
Veracode recommended in its State of Software Security 2025 report that defenders try to gather all risks in one place and focus on what matters most to an organization. “You need a way to see what’s exploitable, reachable, and urgent to help you prioritize further,” its researchers remarked.
That is easy to say but a lot harder to implement. Other analysts have seen complicating factors that make any cross-team cooperation difficult. Tamnoon, a cloud security vendor, has found that CNAPP tools classify the severity of threats differently and are often at odds with one another, citing one example in which one tool called a potential issue “informational” while another tool flagged the same issue as a critical threat. “We saw organizations attempting to manage hundreds and thousands of critical alerts simultaneously. With such volume, prioritizing what to do next becomes challenging, causing many critical alerts to remain in the backlog for months at a time,” its report authors wrote.
Also contributing to these longer resolution times is that software is getting more complex, and analysts are having a harder time scanning their code and finding and fixing flaws. Veracode’s report shows that the time to fix software flaws has increased 47% since 2020 and that the proportion of apps with high-severity flaws has almost tripled in that time. “Finding flaws is easy these days; fixing them is where the challenge lies,” the authors wrote.
One solution, not surprisingly coming from a vendor that sells code scanning tools, is to perform more frequent application testing and scanning, along with better and more thorough security training. Another is to seek out and eliminate overall security debt, so that developers are continuously improving their code and finding these flaws.
Overall, defenders have to up their game, and act quickly. Time is of the essence.