What is dwell time, and how long do attackers typically remain undetected in compromised networks?
Dwell time = how long an attacker is inside a system before being noticed. The industry average dropped from ~416 days (2011) to ~56 days (2019), but real-world cases can be much longer.
The numbers from M-Trends 2020 (median global dwell time):
| Year | Median Dwell Time |
|---|---|
| 2011 | 416 days |
| 2015 | 146 days |
| 2016 | 99 days |
| 2019 | 56 days |
| Recent | ~10-21 days (continuing improvement, but ransomware now shortens artificially) |
A real Swiss example: the Ruag breach (defence contractor) was discovered in January 2016 by Swiss intelligence — but the attack actually started in December 2014, ~13 months earlier. ~20 GB of data was exfiltrated during that time.
Why dwell time matters:
- The longer an attacker is in, the more reconnaissance they do, the more lateral movement, the more data exfiltrated.
- Detection capability is more about logging + monitoring + correlation than about preventive controls — a sophisticated attacker will get in; what matters is how fast they get caught.
- Modern statistics (2023+) show ransomware-driven dwell time drops to days because ransomware is loud and self-announcing — but stealthy espionage attacks (the dangerous kind) still run for many months.
Tip: The MITRE ATT&CK framework + behavioural-detection EDR/XDR is the modern response — assume attackers will get in, focus on detecting their internal movement.