The average dwell time — the period between a breach and its detection — is 77 days. That number comes from the Mandiant M-Trends report, and it has been stubbornly consistent for years.
77 days. Eleven weeks. Nearly a quarter of the year. In that time, an attacker has mapped your network, identified your high-value assets, and — in most cases — either exfiltrated data or planted persistence mechanisms they'll use later.
This post is about what 77 days actually looks like, why most organizations don't catch it, and what changes when you do.
What an attacker does in 77 days
The popular image of a cyberattack is a dramatic intrusion — someone crashing through your defenses, alarms going off, a race against time. The reality is much quieter and much worse.
Here's what a typical 77-day timeline looks like:
- Days 1–3: Initial access — usually a phishing email, a stolen credential, or an unpatched vulnerability. No alarms. The attacker is in, and they're quiet.
- Days 3–14: Reconnaissance — the attacker maps the environment. Which systems are connected to what. Where the backups live. Who the domain admins are. What data exists and where it's stored.
- Days 14–30: Privilege escalation — the attacker moves from a low-privilege account to a high-privilege one. This is where credential-theft tools like Mimikatz, used to enable lateral movement, enter the picture.
- Days 30–60: Persistence — the attacker installs backdoors, creates new admin accounts, modifies scheduled tasks. Even if you find and remove them, they can get back in.
- Days 60–77: Exfiltration or staging — data moves out, or ransomware is staged for deployment. The attacker chooses their moment.
None of this looks like a movie. It looks like normal network traffic, because the attacker is using legitimate tools and valid credentials. That's why you don't see it.
Why most organizations don't catch it
The honest answer is that most organizations are running reactive security. They have a firewall. They have antivirus. They have a SIEM that generates 10,000 alerts a day, and a team that has learned to ignore most of them because 99% are false positives.
The detection gap isn't a technology problem — it's a signal-to-noise problem. Attacker behavior is deliberately designed to look like normal behavior. Catching it requires behavioral baselines, correlation across multiple data sources, and the analytical capacity to investigate anomalies before they escalate.
That's expensive and operationally difficult to do in-house. Most mid-market IT teams are fully occupied with keeping the lights on. Security operations — real security operations — is a different discipline.
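To make the signal-to-noise point concrete, here is an added example (not code from the original post or from Tech CRG) of the two ingredients named above: a behavioral baseline of which hosts each account normally logs on to, and correlation across identity, endpoint and authentication sources so that weak signals, each of which would be ignored alone, become a single alert only when they cluster for one actor. The event records, host and account names, and the one-hour window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources (not real telemetry), as
# (timestamp, source, actor, detail). The first two weeks form the baseline.
EVENTS = [
    ("2024-03-01T09:00", "auth", "alice", "WS-ALICE"),
    ("2024-03-03T09:10", "auth", "alice", "FILESRV1"),
    ("2024-03-04T08:00", "auth", "bob", "WS-BOB"),
    ("2024-03-18T02:13", "auth", "alice", "DC01"),  # host alice never used before
    ("2024-03-18T02:20", "identity", "alice", "created account svc_backup2"),
    ("2024-03-18T02:25", "endpoint", "alice", "schtasks /create Updater"),
    ("2024-03-18T10:00", "auth", "bob", "WS-BOB"),
    ("2024-03-18T10:30", "endpoint", "bob", "schtasks /create Sync"),  # lone signal
]
BASELINE_END = datetime(2024, 3, 15)

def build_baseline(events, baseline_end=BASELINE_END):
    """Hosts each actor logged on to during the quiet baseline window."""
    hosts = defaultdict(set)
    for ts, src, actor, detail in events:
        if src == "auth" and datetime.fromisoformat(ts) < baseline_end:
            hosts[actor].add(detail)
    return hosts

def weak_signals(events, baseline, baseline_end=BASELINE_END):
    """Per-source observations; each would be noise if alerted on alone."""
    out = []
    for ts, src, actor, detail in events:
        t = datetime.fromisoformat(ts)
        if src == "auth" and t >= baseline_end and detail not in baseline[actor]:
            out.append((t, actor, "logon_from_new_host"))
        elif src == "identity" and detail.startswith("created account"):
            out.append((t, actor, "account_created"))
        elif src == "endpoint" and "schtasks /create" in detail:
            out.append((t, actor, "scheduled_task_created"))
    return out

def correlate(signals, window=timedelta(hours=1), min_distinct=3):
    """One alert per actor whose distinct signal types cluster within `window`."""
    by_actor = defaultdict(list)
    for t, actor, sig in signals:
        by_actor[actor].append((t, sig))
    alerts = []
    for actor, items in sorted(by_actor.items()):
        items.sort()
        for i, (t0, _) in enumerate(items):
            kinds = {s for t, s in items[i:] if t - t0 <= window}
            if len(kinds) >= min_distinct:
                alerts.append({"actor": actor, "start": t0, "signals": sorted(kinds)})
                break
    return alerts
```

Run as `correlate(weak_signals(EVENTS, build_baseline(EVENTS)))`: four weak signals are produced, but only alice's three, all within an hour, become an alert; bob's single scheduled-task event stays below the threshold.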
What changes with AI-powered detection
The promise of AI in cybersecurity is not that it replaces analysts. It's that it compresses the detection timeline by doing at machine speed what analysts do at human speed.
An AI-native SOC correlates behavior across endpoints, identity systems, network traffic, and cloud logs simultaneously — and surfaces the patterns that indicate threat actor behavior, not just signature matches. The result is a mean time to detect measured in minutes, not weeks.
At Tech CRG, our TOTAL tier includes 24/7 AI-powered SOC monitoring with human analyst escalation. The AI does the correlation. The analyst does the judgment. The client gets an alert when something real is happening — not 10,000 alerts about things that aren't.
The question worth asking
If an attacker got into your network today, when would you know? If the honest answer is "days" or "I'm not sure," that's the gap worth closing.
Juan M. Delgado is CEO of Tech CRG, an AI-native technology company headquartered in the US with operations across the Americas. Tech CRG's cybersecurity practice includes CORE, PLUS, and TOTAL managed security tiers — all powered by AI and delivered by CCIE Security-certified engineers.