by Tim Leogrande, BSIT, MSCP, Ed.S.
5 MARCH 2026 • 6 MIN 20 SEC READ
Cybercriminals now require less time than it takes to watch a TV sitcom to go from initial break-in to moving laterally across a network. A recent CrowdStrike threat analysis found that during 2025 attackers took an average of just 29 minutes to pivot from initial access to other networked systems, a 65% speed increase from 2024.
In one case, an attacker began exfiltrating data, known as a breakout, just 27 seconds after gaining access. For defenders, this means that the amount of time needed to identify and react to an intrusion has drastically decreased and will almost certainly continue to do so. The average breakout time was 62 minutes only a few years ago.
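Breakout time is a metric defenders can compute from their own authentication telemetry, not just read in a vendor report. The following script is an added example written for this article, not code from the original post or from CrowdStrike: it parses a handful of constructed logon events, measures for each account the seconds between the first logon and the first logon to a different host (the definition of breakout used above), and flags any account that broke out faster than a threshold. The log format, the field names, and the 29-minute threshold (taken from the average quoted above) are assumptions for the illustration.

```python
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample telemetry (not real data). One event per line:
# timestamp, user, source host, destination host, event type
SAMPLE_LOG = """\
2025-06-01T09:00:00Z alice vpn-gw   ws-alice     logon
2025-06-01T09:03:10Z alice ws-alice ws-alice     process
2025-06-01T09:45:30Z alice ws-alice fileserver01 logon
2025-06-01T10:00:00Z bob   vpn-gw   ws-bob       logon
2025-06-01T10:00:27Z bob   ws-bob   dc01         logon
2025-06-01T11:00:00Z carol vpn-gw   ws-carol     logon
2025-06-01T11:05:00Z carol ws-carol ws-carol     process
"""

# Assumed threshold: the 29-minute average breakout time cited in the article.
DEFAULT_THRESHOLD_SECONDS = 29 * 60


def parse_log(text: str) -> List[dict]:
    """Parse whitespace-separated event lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, event = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "dst": dst,
            "event": event,
        })
    return events


def breakout_times(events: List[dict]) -> Dict[str, Optional[float]]:
    """Per user: seconds from the first logon to the first logon on a host
    other than the one first landed on. None means no lateral movement seen."""
    by_user: Dict[str, List[dict]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    result: Dict[str, Optional[float]] = {}
    for user, evs in by_user.items():
        first = evs[0]
        landing_host = first["dst"]
        breakout: Optional[float] = None
        for e in evs[1:]:
            # The first logon whose destination differs from the landing host
            # is the pivot to another system.
            if e["event"] == "logon" and e["dst"] != landing_host:
                breakout = (e["ts"] - first["ts"]).total_seconds()
                break
        result[user] = breakout
    return result


def flag_fast_breakouts(times: Dict[str, Optional[float]],
                        threshold_seconds: int = DEFAULT_THRESHOLD_SECONDS) -> List[str]:
    """Accounts that pivoted to a second host within the threshold, sorted by name."""
    return sorted(u for u, t in times.items()
                  if t is not None and t <= threshold_seconds)


if __name__ == "__main__":
    times = breakout_times(parse_log(SAMPLE_LOG))
    for user, secs in times.items():
        print(f"{user}: {'no lateral movement' if secs is None else f'{secs:.0f} s'}")
    print("faster than threshold:", flag_fast_breakouts(times))
```

Run against the constructed sample, alice breaks out after 2730 seconds, bob after 27 seconds, and carol never pivots, so only bob is flagged at the 29-minute threshold. In a real environment the same grouping would be done per session or per source IP rather than per username, since a legitimate user and an attacker holding that user's credentials share the same account name.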
This sharp increase in attack speed appears to have been driven by several factors. The most notable is the pervasive use of stolen, valid credentials, which enabled attackers to slip past several conventional security controls and blend in with regular network traffic. In 35% of the cloud-related attacks CrowdStrike observed, attackers moved freely within targeted systems using legitimate logins without raising any red flags.
<aside> 💡
These threat actors frequently strolled into target environments by posing as trusted individuals, systems, Software-as-a-Service (SaaS) integrations, and software rather than attempting to breach defenses using malware and exploits.
</aside>
Unsurprisingly, a stunning 82% of CrowdStrike threat detections during 2025 were malware-free, indicating these security breaches blended into authorized network activity. Attackers frequently exploited single sign-on (SSO) credentials to obtain initial access in cloud environments.
Attackers also benefitted from unmanaged devices on enterprise networks, the majority of which lacked standard endpoint detection and response (EDR) policies. This category includes virtual machines, webcams, third-party apps, employees' personal devices, VPNs, and firewall appliances. China-backed cybercriminal groups such as Blockade Spider, Punk Spider, and Scattered Spider were especially keen to attack these systems.
Targeting unmanaged devices is something China has been investing in heavily, and has become increasingly adept at. This is largely due to the Chinese military and government attempting to collaborate with academia, security researchers, and the civil sector in order to identify and gather weaknesses in network devices that enterprises are either unable to see or do not have adequate control over. Additionally, Chinese attackers have worked to accelerate the time to exploit known vulnerabilities, with the goal of cutting this period down to two days, in addition to discovering new vulnerabilities.
AI has also been utilized by an increasing number of threat actors, including nation-states and organized crime, to create phishing content, speed up reconnaissance, create exploits, get past defenses, and debug current attack tools and methodologies. According to CrowdStrike, criminal organizations that heavily utilize AI include Russia's Fancy Bear, North Korea's Famous Chollima, and China's Punk Spider ransomware group.
<aside> 💡
On average, the attackers who used AI the most in 2025 carried out an astounding 89% more attacks than the previous year.
</aside>
The use of AI by some threat actors also appeared to be experimental. For example, in mid-2025 Fancy Bear launched malware called LameHug that used a large language model (LLM) for information collection and reconnaissance. CrowdStrike decided that the group was probably experimenting with AI approaches rather than fully operationalizing them because, despite being an innovative use case, the attack was found to be functionally similar to conventional attack tools.
During 2025, AI was not only part of the attacker's toolkit; it was also often part of the attack surface. Multiple threat actors targeted new vulnerabilities brought about by the growing integration of AI platforms and tools into software development pipelines, business workflows, and enterprise operations.
One of the most popular targets was CVE-2025-3248, a flaw in Langflow, a platform for creating and implementing AI-powered applications. This flaw was leveraged by attackers to install ransomware and other malware, steal credentials, and establish persistence in infiltrated environments.
CrowdStrike also saw attackers inserting malicious prompts into reputable generative AI platforms in almost 100 different organizations in order to steal Bitcoin and passwords. In other cases, attackers used flaws in AI-powered software development platforms to install malware, create persistence, and intercept data by posing as authorized services.