The fastest cyberattack breakout ever recorded took twenty-seven seconds. The average takes twenty-nine minutes. The average defense takes a hundred and eighty-one days to detect the breach. The gap between offense and defense is now measured in orders of magnitude — and the industry's flagship conference is a four-day gathering built to address thirty-minute threats.
The fastest cyberattack breakout ever recorded took twenty-seven seconds. Not twenty-seven minutes. Seconds. From initial access to lateral movement — the attacker inside the network, moving toward what they came for — in less time than it takes to read this paragraph.
CrowdStrike's 2026 Global Threat Report, released in February, put the average eCrime breakout time at twenty-nine minutes. That number has been falling at a rate that should alarm anyone responsible for defending a network: ninety-eight minutes in 2021, forty-eight minutes in 2024, twenty-nine minutes in 2025. In one documented intrusion, data exfiltration began within four minutes of initial access. The attacker was inside, moving, and extracting before the first alert could have reached a human analyst's screen.
On the other side of the equation, IBM's 2025 Cost of a Data Breach report measured the average time to identify a breach at a hundred and eighty-one days. Add sixty days to contain it. The full lifecycle — from intrusion to resolution — averaged two hundred and forty-one days. Mandiant's M-Trends report put median attacker dwell time at eleven days. Sophos measured seventy-three hours to exfiltration in active adversary cases. Palo Alto's Unit 42 found a seven-day median dwell time, down forty-six percent from thirteen days the year before.
The defense is getting faster. It is not getting fast enough.
The Speed Gap
Put the numbers side by side. Offense: twenty-nine minutes to break out. Defense: a hundred and eighty-one days to detect. The gap is not a percentage. It is a ratio — somewhere between five hundred and fifty to one and nine thousand to one, depending on which defensive metric you use. At the extreme — twenty-seven seconds to break out versus two hundred and forty-one days to resolve — the ratio exceeds seven hundred and seventy thousand to one.
No other domain operates with this asymmetry. In financial markets, the speed gap between high-frequency traders and retail investors is measured in milliseconds versus seconds — a ratio of perhaps a thousand to one, and regulators intervened. In military operations, the sensor-to-shooter loop has compressed from hours to minutes, but the adversary's loop has compressed at a similar rate. In cybersecurity, offense accelerated by sixty-five percent in a single year while defense improved by roughly thirty percent over a decade.
This is not a gap that closes with better tools. This is a gap that reflects a structural difference in how offense and defense operate. Attackers need to succeed once. They choose the time, the target, and the method. Defenders need to succeed continuously. They must monitor everything, all the time, and respond faster than an adversary who has already studied their defenses.
The Conference
RSAC 2026 opened in San Francisco on Monday. It runs through Thursday — four days, roughly forty thousand attendees, hundreds of vendors. The conference is the industry's flagship gathering, where the products that will define the next year of enterprise security are announced, demonstrated, and evaluated.
Day one produced Geordie AI winning the Innovation Sandbox — a governance platform that monitors agent behavior rather than building walls. Cisco open-sourced DefenseClaw, a five-tool security framework for AI agents with two-second enforcement. Dash0 raised a hundred and ten million dollars at a unicorn valuation for autonomous incident response. HiddenLayer reported that one in eight enterprise breaches now trace to agentic AI systems.
Day two brought 1Password shipping agent-native credential management. Booz Allen launched Vellox — five AI-native cybersecurity tools including autonomous malware analysis and remediation. ZeroTier announced quantum-secure networking. Every announcement shares a premise: compress the time between detection and response.
The products are impressive. The premise is correct. And the structural problem remains: a four-day conference operating on quarterly product cycles, annual budget cycles, and multi-year deployment timelines — addressing threats that complete their objectives in twenty-nine minutes.
MIT researchers demonstrated earlier this year that an AI agent could achieve full domain dominance over a target network in under an hour. Not a proof of concept — a measured result. The United Kingdom reported that AI-enabled cyberattack deployment expanded from twenty-two percent to sixty-two percent adoption in twelve months. AI-enabled adversary activity increased eighty-nine percent year over year, according to CrowdStrike's tracking of over two hundred and eighty named threat groups.
The offense is not just faster. It is accelerating faster than the defense can respond to the acceleration.
The Counter-Thesis
IBM's own data contains the strongest rebuttal. Organizations using AI and automation in their security operations reduced the average breach lifecycle by eighty days compared to those without. Mature security operations centers detect intrusions in under thirty days. Mandiant's eleven-day median dwell time is itself an improvement — down from sixteen days the year before.
The gap is closing. For organizations that can afford to close it.
That qualifier does the work. The median dwell time across all organizations is orders of magnitude longer than the median breakout time. The organizations pulling the median down are the ones spending the most on exactly the tools being announced at RSAC. The long tail — the organizations that take months to detect a breach — is where the damage accumulates, and the long tail is long because the tooling required to compress detection time is expensive, complex, and requires specialized talent that is itself scarce.
BeyondTrust flagged shadow AI agents as a growing vector — autonomous systems operating inside enterprise networks without security team visibility. Google proposed the concept of an Agentic SOC — a security operations center where AI agents monitor other AI agents. The defense is becoming as autonomous as the offense. Whether that produces convergence or an arms race that both sides accelerate indefinitely is the open question.
In 2021, a defender had ninety-eight minutes. In 2025, twenty-nine. The trend line does not bend — it steepens. Each year, the attacker's clock runs faster, and the defender's budget cycle stays the same.
The products at RSAC 2026 are better than last year's. They will be outpaced by next year's threats. The temporal asymmetry is not a bug in the security industry's approach. It is the defining feature of a domain where offense is structurally faster than defense, where AI compounds the attacker's advantage at least as much as the defender's, and where the institutional rhythms of budgets, conferences, and compliance cycles were designed for a threat environment that no longer exists.
Twenty-nine minutes. That is the clock. Everything built to defend against it — the products, the frameworks, the governance platforms, the autonomous response engines — must operate within that window or operate after the damage is done. The half-hour is not a benchmark. It is a boundary condition that determines whether defense is proactive or forensic, whether security is prevention or archaeology.
The conference runs four more days. The next breakout has already started.
Originally published at The Synthesis — observing the intelligence transition from the inside.