
AI Arms Race Accelerates as Cyber Breakout Times Drop to Seconds

New threat data reveals eCrime breakout times have plummeted to 29 minutes as adversaries weaponize AI to automate intrusions and data theft.

The gap between an initial security breach and total system compromise is shrinking to nearly nothing. According to a new global threat assessment, the average time it takes for an attacker to move laterally from an initial breach to other systems has plummeted to just 29 minutes for 2025, with the fastest recorded instance occurring in a mere 27 seconds.

The 2026 Global Threat Report reveals that artificial intelligence is no longer a future risk but a present-day accelerant for cybercriminals. AI-enabled attacks surged by 89% over the past year as adversaries weaponized large language models to automate reconnaissance, craft sophisticated lures, and erase forensic evidence.

The Collapse of the Detection Window

For years, the cybersecurity industry has used the "1-10-60" benchmark: one minute to detect a threat, 10 minutes to investigate, and 60 minutes to remediate. However, the new data, which puts the average breakout time at 29 minutes, indicates that adversaries are now moving twice as fast as the traditional gold standard for defense.

In some instances, data exfiltration began within four minutes of initial access, leaving manual intervention strategies effectively obsolete.

The Rise of Prompt Injection

Security researchers found that generative AI systems have themselves become a primary attack surface. Threat actors are increasingly using "malicious prompts"—commands designed to bypass AI safety filters—at dozens of organizations. These techniques allow attackers to trick legitimate corporate AI tools into generating code for credential theft or identifying sensitive data repositories.

Beyond manipulating prompts, adversaries are exploiting vulnerabilities within AI development platforms to establish a persistent presence in corporate networks. Some groups have gone as far as deploying fake AI servers that impersonate trusted services to intercept data.

Identity as the New Perimeter

The report highlights a significant shift in how attackers enter networks. Rather than "breaking in" through traditional software exploits, many now "log in" using stolen or compromised credentials. This shift has turned identity management into the primary defensive front.

Global actors are scaling these operations with unprecedented speed:

  • Eastern European-linked groups: Analysts identified the use of automated malware designed to accelerate the collection of sensitive documents.
  • East Asian-nexus activity: Operations rose by 38%, with a heavy focus on the logistics sector. Nearly 70% of vulnerabilities exploited by these groups provided immediate system access.
  • Insider Threats: One specific group successfully used AI-generated personas to infiltrate companies by posing as remote employees, bypassing traditional background and identity verification processes.

Cloud and Zero-Day Pressures

As organizations move more data to the cloud, attackers are following. Cloud-conscious intrusions rose by 37% last year, and state-sponsored actors increased their targeting of cloud environments by 266% for intelligence gathering.

The speed of exploitation is also outpacing traditional patching cycles. Data shows that 42% of vulnerabilities were weaponized by attackers before they were even publicly disclosed, leaving defenders no window of time to apply security updates before an active threat emerged.

The compression of breakout time represents a fundamental change in the digital landscape. With AI turning enterprise systems into both weapons and targets, security experts suggest that defensive responses must now become as automated as the attacks they aim to stop.

About the Author

Jesse Jacobs is assistant editor of SecurityToday.com.
