The clock is ticking faster than ever. A threat actor who once needed hours to move through your network after initial access now needs less than half an hour. In some documented cases, they need less than half a minute. This isn't a theoretical future risk — it's the measurable reality of AI-powered cyberattacks in 2025 and 2026, and it is fundamentally breaking the traditional model of incident response.

If your security strategy was built around the assumption that you'd have hours to detect, escalate, and contain a breach, you're already behind. Here's what the data shows, why it matters, and — most importantly — what you can do about it right now.


The Numbers Don't Lie: Attack Speeds Have Reached a Crisis Point

The most striking evidence of the AI threat acceleration comes from CrowdStrike's 2026 Global Threat Report.

The average breakout time — the window between initial access and lateral movement — fell to just 29 minutes in 2025, 65% faster than in 2024.

To put that in historical context,

in 2024 the average breakout time was 48 minutes; in 2023, it was over an hour at 62 minutes; and in 2022, it was 84 minutes.

The trajectory is unmistakable.

But averages only tell part of the story.

The fastest recorded eCrime breakout time was just 27 seconds.

That's not a typo. Twenty-seven seconds from foothold to full lateral movement.

On the data exfiltration side, things are equally alarming.

The time-to-exfiltration shows a sharp acceleration at the fastest end of the spectrum, with the quickest quartile of intrusions reaching exfiltration in just 72 minutes in 2025, down from nearly five hours (285 minutes) in 2024.

Meanwhile,

the share of incidents reaching exfiltration in under one hour increased from 19% in 2024 to 22% in 2025.

The gap between attacker speed and defender readiness has never been wider.

76% of organizations cannot match AI attack speed, creating a pivotal period where offensive AI may temporarily outpace defenses.


How AI Is Supercharging the Attacker's Toolkit

Understanding why attacks are faster requires understanding exactly what AI brings to the attacker's arsenal.

AI-enabled tools now automate reconnaissance, generate exploits, and scan thousands of systems simultaneously.

What previously required a team of skilled threat actors working in shifts can now be executed by a single operator with access to the right AI model.

In 2025, adversaries revolutionized their attacks by integrating AI across their operations, incorporating the technology into intrusion tradecraft, social engineering activity, and information operations campaigns.

The phishing landscape is unrecognisable compared to just two years ago.

AI-assisted attacks have increased by 72% since 2024, and phishing has surged 1,265% due to the use of generative tools.

A recent report found that 82.6% of phishing emails analysed between September 2024 and February 2025 exhibited some use of AI.

These aren't the misspelled, obviously fraudulent emails of the past —

phishing campaigns are achieving higher conversion rates as AI helps attackers craft credible, error-free lures that bypass traditional filters and engage users more effectively.

Vulnerability exploitation has also been transformed.

In August–September 2025, the threat actor HexStrike exploited a critical CVE across more than 8,000 endpoints in under 10 minutes, effectively replacing the need for human hackers.


The Rise of Deepfake Social Engineering

Beyond automated network attacks, AI has introduced an entirely new category of threat: synthetic identity manipulation.

Deepfake social engineering is the use of AI-generated synthetic media — cloned audio, face-swapped video, and fabricated images — to manipulate individuals into transferring funds, disclosing credentials, or bypassing security controls.

The real-world consequences are already catastrophic.

A finance employee at the global engineering firm Arup transferred $25.6 million after joining a video call in which every participant, including what appeared to be the company's CFO, was an AI-generated deepfake, with the attacker using publicly available footage to reconstruct convincing likenesses of multiple executives.

AI-powered deepfakes were involved in over 30% of high-impact corporate impersonation attacks in 2025.

And

the FBI's 2025 IC3 report logged a 37% rise in AI-assisted business email compromise and hundreds of deepfake-based scams involving cloned voices of executives and officials.

Synthetic voice, deepfake video, and AI-generated writing make it easier to impersonate executives convincingly

— and

humans are remarkably bad at spotting AI-generated content, with only 0.1% able to reliably identify a deepfake.


Why Traditional Incident Response Is Failing

The incident response model that most organisations rely on today was designed for a different threat era.

Analysts review alerts, teams escalate incidents, and leaders weigh operational risk before approving containment actions — a process that can take hours or days, because it was designed for threats that unfold slowly and allow time for investigation.

AI-enabled attackers move in minutes. When attackers move faster than defenders, they control the fight.

Compounding the problem is the volume of noise that security operations centres (SOCs) must process.

Roughly 40% of enterprise alerts never get looked at. SOAR's real-world automation rate lands around 25%, and every novel threat needs a new playbook.

You cannot author your way out of a 48-minute attack with a flowchart somebody wrote six weeks ago.

The use of AI has further added to this trend, with cybercriminals accelerating malware development and creating more realistic synthetic content, enhancing the efficiency of phishing and ransomware attacks.

The average cost of an AI-powered breach is now $5.72 million.


The Case for AI-Powered Defence

The good news is that AI is not exclusively an attacker's weapon. Defenders who deploy AI-driven security tools are seeing measurable, significant improvements in detection and response outcomes.

Organisations using AI and automation extensively save approximately $1.9 million per breach and shorten the breach lifecycle by 80 days, per the Ponemon Institute Cost of a Data Breach study.

Organisations using AI-driven security platforms detect threats 60% faster than those using traditional methods.

Modern AI incident response goes well beyond faster playbooks.

AI reduces alert fatigue by automatically triaging alerts based on context, behaviour, and historical patterns — filtering out noise, deduplicating alerts, and prioritising high-risk incidents.

It can also correlate data from multiple sources, reconstruct attack timelines, and identify relationships between events, providing a clearer understanding of how an incident occurred and what systems were affected.

The next evolution is agentic AI:

automated incident response that lets an AI agent investigate every alert end to end, acting on what it can handle autonomously and paging a human for the rest.


Practical Tips: What to Do Right Now

The threat is real, the timeline is compressed, and waiting is not an option. Here's where to focus immediately:

Implement instant response automation that can isolate compromised systems, block malicious IPs, or revoke credentials in seconds to match AI's speed.

Manual approval chains for containment are now a liability.

Monitor Indicators of Attack (IOAs) — behavioural signals of an ongoing attack — which are critical for early detection in a compressed timeframe,

rather than waiting for known malware signatures to trigger alerts.

Normalise verification procedures for sensitive actions. Verification should not be treated as distrust — it should be treated as a standard control in an environment where identity signals are easier to fake.

Organisations that successfully defend against deepfake attacks combine procedural verification protocols with employee training tailored to the specific channels and psychological tactics these attacks exploit.

Generic security awareness training is no longer sufficient.

Identity is becoming the primary automation surface. With identity weaknesses implicated in nearly 90% of modern intrusions, automated IAM response — session revocation, credential rotation, step-up authentication — is now among the most valuable defensive capabilities.

When your vulnerability scanner detects a CVE that appears in the CISA KEV catalog, auto-escalate to P1, auto-assign a SOAR playbook, and trigger a patch verification workflow within the same business day.


Conclusion: Speed Is Now a Strategic Imperative

The era of slow-moving threats that give defenders time to deliberate is over.

As adversaries move faster than ever, the window for detection and response continues to shrink, demanding real-time visibility and automated response capabilities.

The organisations that survive and thrive in this environment will be those that treat incident response speed as a board-level strategic priority — not merely a technical concern buried in the SOC.

Organisational leaders must treat cybersecurity as a core strategic priority — not just an IT issue — and build resilience into their technology and operations from the ground up.

The data is clear, the trends are accelerating, and the cost of inaction is measured in millions of dollars and irreparable reputational damage.

Is your incident response programme built for 29-minute breaches — or 29-minute deliberations? If you're not sure, now is the time to find out. Conduct an IR speed audit, assess your automation maturity, and identify the gaps before a threat actor does it for you. The incident response window is shrinking. Start closing it today.