98 mins vs. 5 days: The Speed Gap That's Defining Modern Cybersecurity

Written by: Dominic Reilly

The most important number in cybersecurity right now isn't the number of breaches, the size of the average ransom payment, or the latest CVE count.

It's 98 minutes.

That's roughly the current average breakout time, the window between an attacker's initial compromise and their first lateral movement inside the network. A few years ago, that number was measured in hours. A few years before that, in days.

It keeps falling, while the workflows most security teams use to investigate, correlate, and respond to threats are still measured in days.

Why it's getting wider: AI in the attacker's hands

The reason breakout time keeps falling isn't that adversaries are getting smarter. It's that AI has materially changed what a single attacker — or a small operator — can accomplish in a workday.

The accelerants are well-documented at this point.

Hyper-personalized phishing eliminates the grammatical and contextual tells that used to flag bulk phishing as bulk phishing. Templates are individually tuned to the target, in the target's language, against the target's actual job context.

Autonomous vulnerability scanning means public exploit availability is now coupled with AI-assisted scanning that finds vulnerable assets faster than disclosure pipelines can move.

The skill floor has dropped. Operators who would have needed years of tradecraft can now buy or rent capability that produces enterprise-grade results. A single operator can run multiple campaigns concurrently, across more targets, with higher per-campaign success rates.

The net effect is straightforward. Breakout time falls because work-per-attack falls. AI is a force multiplier, and adversaries are using it as one.

Why defense isn't keeping pace

Defenders also have AI. So why isn't the gap closing?

The problem lies in orchestration. Every threat source an analyst has to pull from manually comes with its own query language, its own update cadence, and its own data shape.

And the work of pulling intelligence from one source, correlating it with intelligence from another, and synthesizing the result into something actionable is still overwhelmingly manual.

A typical comprehensive threat investigation looks like this:

  • Day 1 — Research the threat actor

  • Day 2 — Map the infrastructure

  • Day 3 — Cross-reference active campaigns

  • Day 4 — Correlate IOCs across feeds

  • Day 5 — Write the assessment

Five days, end-to-end, for a single investigation.

By the time the report is finished, the actor has already established new infrastructure, monetized their threats, and moved to the next target.

The team isn't the problem

The instinct, when faced with a workflow gap this large, is to assume the team needs to work harder, hire more analysts, or buy another tool. That instinct misreads the problem.

CTI analysts at most organizations are extraordinarily good at what they do. The work they're producing is high quality. The bottleneck isn't the analysis; it's the data gathering, correlation, and synthesis steps that happen before the analysis can start. Those steps consume the majority of the timeline.

A gap like this can only be fixed by removing the search-and-correlate work from the analyst's plate entirely.

Closing

The 98-minute number will keep falling. AI will keep accelerating attacker capability. None of that is going to slow down because we'd prefer it to.

What can change is the speed at which defenders investigate, correlate, and respond. That's the only variable left in the equation that's still under our control.

The organizations that close that gap first are going to operate with a fundamentally different security posture than the ones that don't.

@2025 AGENTCYPHER. All Rights Reserved.