Dark Reading

Attackers Now Need Just 29 Minutes to Own a Network

Credential misuse, AI tools, and security blind spots help attackers move through breached networks faster than ever, CrowdStrike finds.

Jai Vijayan, Contributing Writer
February 24, 2026
5 Min Read

In 2025, cybercriminals needed less time to move from break-in to lateral movement across a network than it takes to watch a typical sitcom.

An analysis by CrowdStrike of threat activity last year found attackers took just 29 minutes on average to pivot to other systems after gaining an initial foothold in a victim environment, marking a 65% acceleration from the year before. The fastest "breakout," as CrowdStrike termed it, happened in a mere 27 seconds, while in another instance an attacker began exfiltrating data four minutes after breaking in.

"Speed is now the defining characteristic of intrusion, and it has fundamentally reshaped how adversaries evade detection," CrowdStrike said in the 2026 edition of its Global Threat Report. For defenders, it means the time available to detect and respond to an intrusion has collapsed to a fraction of what it was just a few years ago and is shrinking even more.

The statistic around the breakout time was the "most alarming" finding from the report, says Adam Meyers, senior vice president of counter adversary operations at CrowdStrike. "Just a few years ago the average breakout time was 62 minutes.
As we see the impact that AI has had during the course of the past year, I think it has created a situation where we are seeing more opportunity for this to get even faster," he says. "Defenders are the ones left really holding the bag."

Why Attackers Are Moving So Fast

Several converging factors appear to have fueled the dramatic acceleration in attacker speed. Chief among them was the widespread abuse of legitimate credentials, which allowed attackers to blend into normal network traffic and bypass many traditional security controls. In 35% of the cloud-related incidents that CrowdStrike investigated, attackers used valid account credentials to move about freely in victim environments without generating any alerts.

Instead of trying to smash through enterprise defenses using malware and exploits, attackers often simply waltzed into target environments by impersonating trusted people, systems, SaaS integrations, and software. Somewhat unsurprisingly, a startling 82% of CrowdStrike threat detections in 2025 were malware-free, meaning "intrusions moved through authorized pathways and trusted systems, blending into normal activity," according to the vendor.

"Threat actors are leveraging identity more effectively," not just for initial access but also to move across cloud, SaaS, on-premises, and virtual environments, says Meyers. In cloud environments especially, where attacks increased 37%, attackers frequently used single sign-on (SSO) credentials to gain initial access and then pivoted very quickly to virtual environments and network devices. "Adversaries are moving at incredible speed across the board," he says.

The Unmanaged Device Problem

Unmanaged devices on enterprise networks, most of which lacked typical endpoint detection and response (EDR) controls, were also a boon to attackers.
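The breakout interval the report measures, from an account's first logon to its first logon on a second host, can be computed from ordinary authentication telemetry. The following is an added example, not code from the article or from CrowdStrike: it parses constructed logon events (all host and account names are made up), derives each account's breakout time, and flags accounts whose pivot happened inside a 29-minute detection budget, which is the figure from the report.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon events (not real telemetry):
# "<ISO timestamp> <account> <source host> <destination host>"
SAMPLE_EVENTS = """\
2025-06-02T09:00:00 svc_backup jumpbox01 fileserver01
2025-06-02T09:04:12 svc_backup fileserver01 fileserver01
2025-06-02T09:12:00 svc_backup fileserver01 dc01
2025-06-02T09:13:05 svc_backup dc01 hr-db01
2025-06-02T10:00:00 alice laptop-a mail01
2025-06-02T13:30:00 alice laptop-a mail01
"""


def parse_events(text):
    """Parse the whitespace-separated event lines into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        ts, account, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return sorted(events)


def breakout_minutes(events):
    """Per account: minutes from its first logon to its first logon on a
    second distinct host (the pivot), or None if it never pivoted."""
    first_seen, hosts, result = {}, defaultdict(set), {}
    for ts, account, _src, dst in events:
        first_seen.setdefault(account, ts)
        result.setdefault(account, None)
        hosts[account].add(dst)
        # The pivot is the moment the destination-host set grows to two.
        if len(hosts[account]) == 2 and result[account] is None:
            result[account] = (ts - first_seen[account]).total_seconds() / 60
    return result


def fast_breakouts(events, budget_minutes=29.0):
    """Accounts whose breakout beat the detection budget: a responder working
    to that budget would have been too slow to contain them."""
    return sorted(acct for acct, mins in breakout_minutes(events).items()
                  if mins is not None and mins < budget_minutes)
```

With the constructed events, svc_backup pivots 12 minutes after its first logon and is flagged, while alice only ever reaches one host and is not.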
Devices in this category included VPNs and firewall appliances, employees' personal devices, webcams, third-party apps, and virtual machines. These unmanaged devices were a particularly favored target for China-backed threat actors like Blockade Spider, Punk Spider, and Scattered Spider.

"China has been investing in the ability to target unmanaged devices," and has become "extremely effective" at it, Meyers said. Much of it is the result of systematic efforts by the Chinese government and military to work with security researchers, academics, and the civil sector to find and collect vulnerabilities in network devices that organizations either can't see or lack proper control over. In addition to finding new vulnerabilities, Chinese actors have also doggedly focused on speeding up the time to exploit newly disclosed vulnerabilities, with the goal of driving that time down to two days, he says.

AI as Weapon and Attack Surface

Meanwhile, AI became both a weapon and a target for cybercriminals. A growing number of threat actors, including organized crime and nation-state actors, used AI to accelerate reconnaissance, generate phishing content, develop exploits, evade defenses, and troubleshoot existing attack tools and techniques in real time. CrowdStrike's report identified entities like the Punk Spider ransomware group, North Korea's Famous Chollima, and Russia's Fancy Bear among those that make heavy use of AI in their tradecraft. Overall, attackers who leveraged AI most actively in 2025 increased the number of attacks they carried out by a stunning 89% over the prior year.

At least some of the AI use among adversaries appeared to be experimental in nature. Fancy Bear, for instance, released malware dubbed LameHug in mid-2025 that incorporated a large language model (LLM) for reconnaissance and information gathering.
While novel, CrowdStrike found the malware to be functionally not very different from traditional attack tools, leading the vendor to believe that Fancy Bear was likely just tinkering with AI techniques rather than fully operationalizing them. "I think we are still in the early innings with AI," Meyers notes.

But AI was not just part of the attacker toolchain. "It was also a part of the attack surface" for adversaries, Meyers says. Many threat actors targeted new vulnerabilities resulting from increased integration of AI tools and platforms in enterprise operations, business workflows, and software development pipelines. CVE-2025-3248, a vulnerability in Langflow, a low-code platform for building and deploying AI-powered apps, was one particularly favored target. Attackers exploited it to steal credentials, establish persistence in compromised environments, and deploy ransomware and other malware.

Threat actors also experimented with LLM prompt injection attacks to try to undermine AI-enabled security workflows, and moved to take advantage of the quickly growing, and largely unvetted, use of Model Context Protocol (MCP) servers in enterprise environments. In the first known instance of its kind, a threat actor last year published a spoofed version of a legitimate Postmark MCP server to harvest emails containing API keys, passwords, financial information, and other sensitive data from organizations that downloaded it from the npm registry. In at least 90 organizations, CrowdStrike observed attackers injecting malicious prompts into legitimate generative AI platforms to steal credentials and cryptocurrency. In other instances, adversaries leveraged vulnerabilities in AI-enabled software development platforms to deploy malware, establish persistence, and intercept data by impersonating trusted services.
The AI models that CrowdStrike observed threat actors discussing most commonly in underground forums included many of the same platforms that organizations are currently using, such as ChatGPT, Claude, Grok, and Gemini.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.