IBM breach detection time chart showing 2025 drop to 241 days across global enterprise dataIBM says breach detection time hit a 9-year low in 2025, dropping to 241 days on average.
Cybersecurity

Breach Detection Time Falls to 241 Days, Still Slow

A Fortune 500 SOC lead pulls up the board slide: average breach detection time, 277 days. It’s the number every vendor deck has used for three years. It’s also wrong. The current figure, straight from IBM’s own 2025 data, is 241 days, and understanding why the two numbers keep getting confused says more about the state of enterprise security reporting than the stat itself.

Breach detection time is the metric that decides how much a breach actually costs you. Every major 2026 threat report agrees on that much. Where they disagree is on the number itself, and on whether the trend is good news or a warning sign. This piece pulls together IBM’s Cost of a Data Breach Report, Mandiant’s M-Trends, CrowdStrike’s Global Threat Report, and Verizon’s DBIR to give security leaders one clean, correctly sourced picture instead of four conflicting headlines.

The Stale Number Everyone Keeps Quoting

Search “average time to detect a data breach” today and a good chunk of the results still say 277 days. That figure comes from IBM’s 2022 Cost of a Data Breach Report: 207 days to identify plus 70 days to contain. It hasn’t been current since 2023.

Fact check: The current, verified figure is 241 days (181 to identify, 60 to contain), from IBM’s 2025 Cost of a Data Breach Report, released July 30, 2025, and covering breaches investigated between March 2024 and February 2025. It’s the lowest the report has recorded in nine years. Any 2026 article still citing 277 days is quoting data that’s four years stale.

This isn’t a trivial correction. Content that repeats an outdated breach detection time figure signals to readers, and increasingly to AI answer engines, that the source hasn’t checked its own numbers. IBM’s report has run for 20 straight years, giving it the longest trend line in the industry, and the actual year-by-year progression looks like this: 287 days (2021), 277 days (2022), 204 days (2023), 258 days (2024), 241 days (2025). It’s a real, if bumpy, decline, and it deserves to be reported accurately rather than frozen at its worst recent point.

What IBM’s 2025 Report Actually Found

IBM and the Ponemon Institute studied 600 organizations across 17 industries and 16 countries for the 2025 edition, the source of the current breach detection time figure. The headline numbers:

Metric2025 FigureChange
Global breach lifecycle (identify + contain)241 days-17 days YoY, 9-year low
Global average breach cost$4.44 million-9% YoY, first decline in 5 years
US average breach cost$10.22 millionAll-time high, 15th consecutive year as costliest country
Healthcare sector cost$7.42 millionCostliest industry for 14th straight year
Healthcare detection lifecycle279 daysWell above the global average

The dollar impact of speed is the part worth sitting with. Breaches contained in under 200 days averaged $3.61 million; breaches that dragged past 200 days averaged $5.49 million, a gap of nearly $1.9 million. Organizations that used AI and automation extensively in their security operations cut their breach lifecycle by roughly 80 days and saved close to $1.9 million compared to those that didn’t, according to IBM’s report. Detection speed isn’t an abstract KPI. It’s a line item.

Three Reports, Three Different Breach Detection Time Pictures

Here’s where it gets genuinely confusing if you’re reading multiple sources: IBM says breach detection time is improving. Mandiant says dwell time is getting worse. Both are right, and both are measuring different things.

ReportHeadline Metric2025/2026 FigureMethodology
IBM / PonemonMean breach lifecycle241 daysInterview-based reconstruction of studied breaches
Mandiant M-TrendsMedian dwell time14 days (up from 11)Forensic incident-response casework, 500,000+ IR hours
CrowdStrikeeCrime breakout time29 minutes (down from 48)Falcon platform telemetry, 280+ tracked adversaries
Verizon DBIRConfirmed breach analysis22,000+ breaches, 145 countriesPartner-contributed breach records

These numbers aren’t directly comparable, and treating them as if they measure the same thing is how you end up with a misleading headline. IBM’s 241 days is a mean across studied breaches with self-reported timelines. Mandiant’s M-Trends 2026 reports a median dwell time of 14 days, up from 11 in 2024, drawn purely from its own incident-response caseload. That rise is largely compositional: more long-duration cyber-espionage and North Korean fraudulent IT-worker cases, where median dwell hit 122 days, pulled the median up. It doesn’t mean the typical breach across the entire industry got slower to catch.

Meanwhile CrowdStrike’s 2026 Global Threat Report found average eCrime breakout time, the gap between initial access and lateral movement, fell to 29 minutes, a 65% speed increase over 2024. The fastest recorded breakout was 27 seconds. One intrusion saw data exfiltration begin within 4 minutes of initial access.

Why Detection Is Getting Faster and Slower at Once

Put the numbers side by side and a pattern emerges that no single report captures on its own: the front end of an attack has collapsed to minutes, while the tail end, for a specific class of stealthy intrusions, has stretched to months. It’s not one trend. It’s two trends running in opposite directions depending on attacker type.

Fast, loud eCrime and ransomware operators move in under half an hour once they’re in. Slow, patient espionage actors and fraud schemes, like the North Korean IT-worker cases Mandiant tracked, are built to stay invisible for as long as possible. A security program tuned only for one will miss the other.

“This is an AI arms race. Breakout time is the clearest signal of how intrusion has changed. Adversaries are moving from initial access to lateral movement in minutes.” Adam Meyers, Head of Counter Adversary Operations, CrowdStrike, 2026 Global Threat Report launch

Jurgen Kutscher, VP of Mandiant Consulting at Google Cloud, has characterized the M-Trends 2026 findings in a similar vein: most successful intrusions still trace back to basic human and systemic failures, even as the speed of what happens after that failure has fundamentally changed. In other words, the entry points haven’t gotten more sophisticated. What attackers do once they’re through the door has.

Only 52% of organizations detected their own intrusions internally in 2025, up from 43% the year before, per Mandiant. The rest found out from an external party (34%) or from the attacker itself (14%). That’s the uncomfortable baseline underneath every improving headline number: even in a good year, roughly half of breached organizations are still learning about it from someone else.

The Attack Surface Shifted: Vulnerabilities Overtake Credentials

The 2026 Verizon DBIR, built from more than 22,000 confirmed breaches across 145 countries, the largest dataset in the report’s 19-year history, found something that hadn’t happened before: vulnerability exploitation overtook stolen credentials as the top initial access vector. Exploitation rose from 20% to 31% of breaches, a 55% jump, while credential-based attacks fell from 22% to 13%.

At the same time, median time-to-patch rose from 32 to 43 days, a 34% increase, even as attackers weaponize newly disclosed CVEs faster than ever. That gap, slower patching against faster exploitation, is arguably the single most actionable finding in this year’s threat-reporting cycle. Teams that built their detection strategy around credential hygiene and MFA are defending the wrong front door.

Two more data points worth flagging for anyone briefing a board: Verizon’s DBIR found the human element present in 62% of breaches (up from 60%), and third-party or supply-chain involvement in 48% of breaches, a 60% year-over-year jump. Vendor risk isn’t a compliance checkbox anymore. It’s nearly half your breach surface.

Ransomware, one piece of better news

Not every 2026 metric is grim. Verizon found the median ransomware payment fell to $139,875 from $150,000, and 69% of victims didn’t pay at all. Detection and containment speed still lag where it counts most, but the leverage attackers hold once they’re caught in the act appears to be eroding.

What Security Leaders Should Actually Do

If you’re a CISO or SOC lead reporting breach detection time upward to a board, a single “days to detect” number no longer tells the real story. Here’s what actually needs to change in how the metric gets used:

  • Split the metric by attack type. Report eCrime breakout time (minutes) separately from espionage-grade dwell time (months). A blended average hides both problems.
  • Re-rank patch management against the CISA KEV catalog. With exploitation now the top initial access vector, a 43-day median patch window is a bigger liability than most credential policies.
  • Build for two response speeds. Near-real-time automated containment for fast eCrime patterns, and longer-horizon threat hunting for low-and-slow, stealthy intrusions.
  • Audit third-party access. With supply-chain involvement in 48% of breaches, vendor access reviews belong in the same conversation as internal detection tooling.
  • Don’t let the healthcare or credential-heavy numbers hide behind the average. Sector-specific figures (healthcare at 279 days) run well above the 241-day mean.

Where the Hype Outruns the Evidence

Worth saying plainly: IBM sells security software. CrowdStrike and Mandiant sell detection and response services. None of that makes their numbers wrong, but it’s a reason to read the most dramatic stats, a 29-minute breakout time, an $1.9 million AI savings figure, with the knowledge that they come from companies whose product categories directly benefit from those numbers looking urgent.

“Organizations aren’t struggling because they lack tools. They’re struggling because they lack clarity, trust in automation, and unified visibility. Security leaders believe they’re responding quickly, but the data shows attackers spend weeks or months inside environments before anyone knows they’re there. That perception gap is costing billions.” Jeff Collins, CEO, WanAware, WanAware survey, November 2025

Industry practitioners have also raised a fair methodological point: IBM’s interview-based reconstruction and Mandiant’s forensic incident-response casework aren’t measuring the same population of breaches, so a decline in one number and a rise in the other isn’t a contradiction. It’s two different lenses on two different datasets. Treating “241 days” and “14-day dwell time” as competing claims about the same reality misreads what each report is actually built to measure.

Our read: the honest 2026 headline isn’t “detection is improving” or “detection is getting worse.” It’s that the picture has split by attack type, and any report, vendor deck, or article that collapses it back into one number is oversimplifying for a cleaner headline.


Frequently Asked Questions

How long does it take to detect a data breach on average?

Breach detection time, per IBM’s 2025 Cost of a Data Breach Report, averages 241 days globally (181 to identify, 60 to contain), the lowest in nine years. Separate Mandiant data shows median attacker dwell time actually rose to 14 days in 2025, reflecting a different measurement approach.

What is the average cost of a data breach in 2026?

IBM’s most recent report (July 2025) puts the global average at $4.44 million, down 9% year-over-year, the first decline in five years. The US average hit a record $10.22 million, the highest of any country IBM tracks.

What is breakout time in cybersecurity?

Breakout time is the interval between an attacker’s initial access and their first lateral movement inside a network. CrowdStrike’s 2026 Global Threat Report puts the 2025 average at 29 minutes, down from 48 minutes in 2024, with the fastest recorded breakout at 27 seconds.

What is dwell time in a cyberattack?

Dwell time is the number of days an attacker remains inside a network undetected before being found. Mandiant’s M-Trends 2026 report found the global median dwell time rose to 14 days in 2025, up from 11 days the year before, driven largely by long-duration espionage cases.


What This Means Going Forward

Breach detection time in 2026 isn’t one story, it’s two, and the security leaders who understand that split will report better metrics and build better response plans than the ones still chasing a single average. IBM’s 241-day figure is real progress and the accurate number to cite. Mandiant’s 14-day median dwell time is also real, and it’s a warning that a specific, dangerous category of intrusion is getting harder to find, not easier.

Watch three things over the next 6 to 18 months: whether patch-management timelines start closing the gap with faster exploitation, whether AI-assisted detection tools keep pushing IBM’s lifecycle number down further, and whether North Korean IT-worker fraud and long-dwell espionage cases keep pulling Mandiant’s median upward even as the broader industry improves. Those three trends, not one blended average, will tell you where breach detection is actually headed.

Want the next threat report broken down like this before your board meeting? Subscribe to The Neural Loop at neuralwired.com/newsletter.

Leave a Reply

Your email address will not be published. Required fields are marked *