Published on March 3, 2026
By Ryan Bellefontaine
Graphics & Design: Abha Patil
The following content is sponsored by Palo Alto
The Increasing Speed of Cyberattacks
Key Takeaways
- The speed of cyberattacks is rising as first-quartile time to exfiltration dropped from 276 minutes (2024) to 72 minutes (2025).
- With about one in five incidents reaching exfiltration in under an hour, response must begin immediately.
- Teams need rapid containment playbooks and longer-horizon hunting to cover both minutes-long and days-long intrusions.
Cyber intrusions rarely follow a single path once attackers get a foothold. Instead, they pivot across systems to widen impact and deepen damage.
This graphic, in partnership with Unit 42 by Palo Alto Networks, shows how the fastest incidents are accelerating, based on data from Unit 42’s Global Incident Response Report.
What “Time to Exfiltration” Captures
Here is a table that shows first-quartile time to exfiltration in 2024 vs. 2025.
| Year | First-Quartile Time to Exfiltration (Minutes) |
|---|---|
| 2024 | 276 |
| 2025 | 72 |
Unit 42 tracks “time to exfiltration,” which spans initial compromise to confirmed data theft. Because attackers move quickly, that clock often decides whether defenders can interrupt the mission.
A Fourfold Drop at the Fastest End
Across Unit 42’s dataset, the median time to exfiltration measured about two days. However, the fastest cases compress that timeline dramatically, which raises the cost of any delay.
In the first quartile, time to exfiltration fell from 276 minutes in 2024 to 72 minutes in 2025. As a result, teams lose hours of investigation time in the intrusions that move fastest.
Unit 42 also reports that roughly one in five cases can reach exfiltration in under an hour. Consequently, detection, triage, and containment must begin immediately, not after escalation.
Preparing for Minutes, Not Days
Meanwhile, some intrusions still unfold over days, with deeper reconnaissance and persistence. Therefore, teams need both rapid playbooks and sustained hunting.
They can start by tightening identity controls, instrumenting endpoints and browsers, and automating containment steps.
Finally, measure the mean time to detect and respond, then rehearse decisions before an incident hits. When the speed of cyberattacks defines outcomes, readiness becomes a core control.