High-speed cyber crime?

The Column – Cyber Security Week

There is a moment, in every intrusion, when the issue stops being “did they get in” and becomes “how far do they get before I notice.” CrowdStrike’s 2026 Global Threat Report calls this the breakout time, and it’s my favorite number. In other words, it is the time that passes from initial access to the point where the adversary can “escape” the entry point and move laterally towards valuable assets. It is not a metric just for insiders: it is the thermometer of our most widespread illusion, the one according to which “we have time”.

The news, in the document, is simple and unpleasant: breakout time has been falling steadily over the last five years. The report summarizes the phenomenon as a reduction of approximately 70% from 2021 to 2025. Translated: the operational time that a defender can afford to waste is not being “optimized”, it is melting like a snowball in the sun. The numbers are almost didactic: 98 minutes (2021), 84 (2022), 62 (2023), 48 (2024), 29 (2025) on average. It’s a countdown that doesn’t make any noise, but it shifts the balance: before, you could get a step wrong; today you get a step wrong and you’ve already lost an entire room.

Here it is worth using an argumentative lens, not just a descriptive one. When time gets shorter, it’s not enough to “do the same things better”; you have to change your approach. In a 98-minute world, you can afford a decision chain with friction, slow escalations, a security system that has to “get it right” before acting. In a 29-minute world, the questions become different. What actions can I automate without hurting myself? What signals should I consider sufficient to intervene? Which tools should I treat as potentially hostile even when they appear legitimate? It’s the shift from security that thinks to security that reacts, and the line between the two is a gray area full of business politics, not just technology.

The CHATTY SPIDER case described in the report serves precisely this purpose: not to scare us, but to make us understand the mechanism. In 2025 the group “continued to target mainly law firms” and did so with an ingredient that will never go out of fashion: the human voice, that is, voice phishing (vishing) to convince employees to install software for remote management of their device. Once inside, no science fiction: they use another very common piece of software (WinSCP) to attempt data exfiltration. And above all, a tactical choice that reveals maturity: few movements, targeted, fast.

The most instructive detail is the vector: access is granted via a free application built into Windows 10/11 that allows you to give or receive technical support remotely (Microsoft Quick Assist), in other words a channel that, in many organizations, enjoys implicit trust. And then the record: four minutes from access to the exfiltration attempt. Four minutes is the unit of measurement of a new truth: the defense can no longer rely on the idea that the opponent must “build” something complex before doing damage.

Finally, there is another lesson, more subtle and more annoying: when you block a method, the opponent doesn’t stop, he changes platform. In the case described, the initial attempt is “blocked by firewall controls”, but the actor quickly finds an alternative: Google Drive as an exfiltration channel, and once again trust becomes an attack surface. Legitimate tools, legitimate credentials, “normal” procedures. The report says it without rhetoric: the risk lies in the abuse of normality.

If I were to turn these data into a comment, I would tell you that cybersecurity is entering the era of minutes, no longer of hours, and when time contracts, our rhetoric must also change: it is not enough to promise “prevention”, we must plan an answer even before having a question. Because the adversary runs, and he doesn’t run because he is smarter: he runs because he has learned that, in most organizations, slowness is an unwritten policy.

In the end, the report isn’t just about faster attackers: it’s about defenders having to decide who they want to be. Because when the clock drops to 29 minutes, it’s not the attack that accelerates: it’s reality that stops waiting for you. So security, when it works, becomes the ability not to come second in your own home.