LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is dwell time, and how long do attackers typically remain undetected in compromised networks?

Dwell time = how long an attacker is inside a system before being noticed. The industry average dropped from ~416 days (2011) to ~56 days (2019), but real-world cases can be much longer.

The numbers from M-Trends 2020 (median global dwell time):

Year Median Dwell Time
2011 416 days
2015 146 days
2016 99 days
2019 56 days
Recent ~10-21 days (continuing improvement, but ransomware now shortens artificially)

A real Swiss example: the Ruag breach (defence contractor) was discovered in January 2016 by Swiss intelligence — but the attack actually started in December 2014, ~13 months earlier. ~20 GB of data was exfiltrated during that time.

Why dwell time matters:

  • The longer an attacker is in, the more reconnaissance they do, the more lateral movement, the more data exfiltrated.
  • Detection capability is more about logging + monitoring + correlation than about preventive controls — a sophisticated attacker will get in; what matters is how fast they get caught.
  • Modern statistics (2023+) show ransomware-driven dwell time drops to days because ransomware is loud and self-announcing — but stealthy espionage attacks (the dangerous kind) still run for many months.

Tip: The MITRE ATT&CK framework + behavioural-detection EDR/XDR is the modern response — assume attackers will get in, focus on detecting their internal movement.

From Quiz: ISF / Access Control | Updated: Jul 14, 2026