
29 Minutes. That's How Long You Have. What's Your MTTD — and Do You Actually Know It?

Jim Nitterauer

The CrowdStrike 2026 Global Threat Report finds that the average attacker breakout time dropped to just 29 minutes for financially motivated attackers in 2025. That's a whopping 65% acceleration year-over-year, with the fastest observed breakout time clocking in at 27 seconds.

Breakout time is the elapsed time between an attacker gaining initial foothold and moving laterally to another system inside your environment. It's the window you have to detect and contain an intrusion before it becomes a breach.

29 minutes is not a lot of time.

What Is MTTD?

Mean Time to Detect (MTTD) is the average time it takes your security team to identify that an attack or compromise has occurred. It's one of the most important metrics in your security program — and one of the least understood by boards and executives.

If your MTTD is measured in hours or days, and the attacker's breakout time is measured in minutes, you don't have a detection capability. You have a forensics capability. And forensics tells you what happened after the damage is done.

Do You Actually Know Your MTTD?

This is the harder question. Many organizations can tell you what their MTTD should be based on their tools and processes. Far fewer can tell you what it actually is based on observed data.

There's a meaningful difference.

Your MTTD is only as good as your worst-performing shift, your noisiest detection rule, and your most alert-fatigued analyst. It's affected by coverage gaps in your logging, delays in log ingestion, and the accuracy of your detection logic.

The number in your metrics report may reflect a small sample of incidents. The attacker doesn't care about your average — they care about whether their intrusion is detected.

The 1-10-60 Benchmark

CrowdStrike's 1-10-60 rule has been an industry benchmark for years:

  • 1 minute to detect
  • 10 minutes to investigate
  • 60 minutes to contain and remediate

In the context of a 29-minute breakout time and a 27-second fastest observed breakout, the 60-minute containment window is already too generous for the fastest threat actors. But the 1-minute detection target is the real challenge for most organizations.

What Drives MTTD Down?

Detection Coverage

You can't detect what you can't see. Log everything that matters: endpoints, identity, network egress, cloud infrastructure. Coverage gaps are detection gaps.

Detection Quality

More alerts does not mean better detection. Alert fatigue is a detection killer. Invest in tuning your detection logic to reduce false positives and surface high-fidelity signals.

Identity and Lateral Movement Detection

The 29-minute breakout metric is specifically about lateral movement. Your detection program needs explicit coverage for identity-based attacks: credential abuse, unusual authentication patterns, privilege escalation, and east-west movement between systems.

Automation

Human analysts cannot respond at machine speed. Your detection and response workflows need automation for the highest-confidence, highest-urgency scenarios.

Questions for Your Next Security Review

  1. What is your organization's current MTTD, based on actual observed data from the last 90 days?

  2. What percentage of your detections result in analyst review within 15 minutes?

  3. What is your detection coverage across endpoints, identity, network, and cloud?

  4. What are your top three detection gaps, and what is your plan to close them?

  5. At what point in an attack chain do you typically first detect attacker activity?
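As an added illustration, not part of the original post, of the gap between a reported MTTD and observed data (the "Do You Actually Know Your MTTD?" section) and of questions 1 and 2 above, here is a small Python script that computes those figures from incident records: the average that reaches the metrics report next to the median, the worst case, the fraction detected inside the 29-minute breakout window, the worst-performing shift, and the share of alerts reviewed within 15 minutes. The `Incident` fields, timestamps and shift names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median

BREAKOUT_MIN = 29    # average breakout time from the CrowdStrike 2026 Global Threat Report
REVIEW_SLA_MIN = 15  # "analyst review within 15 minutes" from the review questions

@dataclass
class Incident:
    first_attacker_action: datetime  # earliest attacker activity established in the investigation
    first_alert: datetime            # first alert that fired on this intrusion
    analyst_review: datetime         # when an analyst actually opened that alert
    shift: str                       # shift that owned the queue when the alert fired

    @property
    def ttd_min(self) -> float:
        return (self.first_alert - self.first_attacker_action).total_seconds() / 60

    @property
    def review_lag_min(self) -> float:
        return (self.analyst_review - self.first_alert).total_seconds() / 60

def mttd_report(incidents: list[Incident]) -> dict:
    # Observed MTTD next to the figures the average hides: tail, worst shift, review lag.
    ttds = sorted(i.ttd_min for i in incidents)
    by_shift: dict[str, list[float]] = {}
    for i in incidents:
        by_shift.setdefault(i.shift, []).append(i.ttd_min)
    worst = max(by_shift, key=lambda s: mean(by_shift[s]))
    return {
        "mttd_min": round(mean(ttds), 1),          # the number that reaches the metrics report
        "median_ttd_min": round(median(ttds), 1),
        "max_ttd_min": round(max(ttds), 1),        # the intrusion the attacker cares about
        "pct_detected_within_breakout": round(100 * sum(t <= BREAKOUT_MIN for t in ttds) / len(ttds)),
        "worst_shift": worst,
        "worst_shift_mttd_min": round(mean(by_shift[worst]), 1),
        "pct_reviewed_within_sla": round(100 * sum(i.review_lag_min <= REVIEW_SLA_MIN for i in incidents) / len(incidents)),
    }

def _t(minute: float) -> datetime:
    return datetime(2026, 1, 15) + timedelta(minutes=minute)  # constructed timestamp helper

# Constructed sample incidents, not real data: (first attacker action, first alert, analyst review, shift)
SAMPLE_INCIDENTS = [
    Incident(_t(0), _t(8), _t(13), "day"),              # detected in 8 min, reviewed 5 min later
    Incident(_t(100), _t(120), _t(140), "day"),         # 20 min, reviewed 20 min later
    Incident(_t(200), _t(212), _t(215), "day"),         # 12 min, reviewed 3 min later
    Incident(_t(300), _t(540), _t(585), "night"),       # 240 min, reviewed 45 min later
    Incident(_t(1000), _t(2440), _t(2560), "weekend"),  # 1440 min, reviewed 120 min later
]
```

On this sample the reported MTTD is 344 minutes while the median is 20, which shows how a single weekend intrusion dominates the average and why the per-shift and worst-case figures belong in the same report.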

The Bottom Line

29 minutes is not a goal. It's a constraint. Your detection and response program needs to be designed around the reality that financially motivated attackers can move from initial access to lateral movement in under half an hour.

If you don't know your MTTD, finding out is one of the most valuable things your security program can do this quarter.