Mandiant Says AI-Driven Attack Hand-Offs Fell to 22 Seconds in 2025
Updated · ZDNet · May 18
22 seconds — down from more than eight hours in 2022 — is now the average time attackers take to hand off a compromised target, Mandiant said, showing how automation has sharply accelerated enterprise intrusions.
7 days is the mean time to exploit zero-day flaws, often before vendors can patch, while nearly one-third of detected intrusions still begin with exploits and voice-based social engineering is the next most common entry point.
14 days is the average dwell time before detection, but espionage cases last far longer at a 122-day median; high-tech firms accounted for 17% of targets and financial companies 14.6%.
52% of 2025 cases were first detected internally, up from 43% in 2024, yet Mandiant said most successful breaches still stem from human and systemic failures rather than AI acting alone.
5 defenses topped Mandiant's advice: lock down Tier-0 virtualization systems, isolate immutable backups, expand detection and log retention, centralize SaaS identity controls, and use behavior-based monitoring because identity is now the main perimeter.
If hackers can breach a network in 22 seconds, is the era of human-led cyber defense officially over?
As machine identities outnumber humans 45-to-1, are we ignoring the biggest threat inside our own networks?
With AI able to clone a CEO's voice, is human error now an unsolvable security flaw for companies?
From 8 Hours to 22 Seconds: The Acceleration of Cyber Attacks and the Rise of AI-Powered Threats in 2026
Overview
Cyber attacks are now moving at unprecedented speed, with attackers handing off initial access to secondary threat groups in just 22 seconds, compared to over 8 hours in 2022. This rapid acceleration is driven by increased specialization in the cybercrime ecosystem, where initial access groups directly partner with secondary groups and pre-stage their preferred malware and tools. As a result, secondary attackers can launch high-impact operations immediately upon entering a network. This evolution demands that security professionals quickly adapt their strategies, as traditional response times are no longer sufficient to prevent major breaches.