
Two reports landed in the past month that deserve more analytical attention than they have received from the security community.
CrowdStrike's 2026 Global Threat Report documents that the average eCrime breakout time, the interval between an attacker's initial access and their first lateral movement, fell to 29 minutes in 2025, a 65% increase in speed over the prior year. The fastest observed breakout occurred in 27 seconds. In one documented intrusion, data exfiltration began within four minutes of initial access (CrowdStrike 2026 Global Threat Report, p. 2).
Mandiant's M-Trends 2026, drawn from more than 500,000 hours of incident response work conducted in 2025, adds a second measurement that is equally significant. In 2022, the median time between an initial access event and the moment a secondary threat group gained access to the same environment was more than eight hours. In 2025, that figure fell to 22 seconds. In many cases this reflects an automated process in which initial access partners deliver the secondary group's preferred malware directly on their behalf, meaning the ransomware operator or espionage cluster is fully equipped to begin operations the moment they first touch the network (Mandiant M-Trends 2026, p. 55).
The industry response to these numbers has been predictable. More detection tooling. Faster SOC triage. Automated response. These are not wrong responses. They are incomplete ones.
What the numbers actually measure
Breakout time and hand-off time are measurements of lateral movement velocity. That distinction matters more than most of the coverage has acknowledged.
Lateral movement is not a single-asset problem. It requires identifying and exploiting adjacent systems, services, credentials, and vulnerabilities beyond the initial foothold. The attacker pivots from the entry point to whatever is reachable, and then from there to whatever is reachable from there. They are conducting real-time offensive security work inside your environment, against your actual attack surface, with no scope constraints and no rules of engagement.
That is where the scope conversation enters, and where it has been absent from the analysis.
Your testing program has a defined scope. The attacker does not. When CrowdStrike documents a 29-minute breakout, they are measuring how long it takes an adversary to traverse an environment they have never seen before, finding exploitable paths through assets that may never have appeared on a findings report, exploiting weaknesses in systems that were never included in an assessment. The fastest recorded breakout took 27 seconds. That attacker did not stumble onto a single unpatched server. They moved through an environment that gave them somewhere to go.
The assets that enable lateral movement are the assets most likely to fall outside a compliance-defined testing scope: the internal services, the development infrastructure, the misconfigured cloud resources, the identity stores, the edge devices, the SaaS integrations. Mandiant notes that exploitation of internet-facing systems has been the leading initial infection vector for six consecutive years, accounting for 32% of cases where an entry point could be identified (Mandiant M-Trends 2026, p. 55). After initial access, the attacker moves inward. That inward path runs through everything a compliance-driven assessment did not cover.
The scope gap is a T-axis problem
ARMOR evaluates offensive security maturity across two independent axes. Technical Practice (the T axis) measures what offensive activities are being executed and how consistently. Governance and Accountability (the G axis) measures how well the organization acts on what testing reveals.
The breakout time data is a direct challenge to where most organizations sit on the Technical axis.
At T2, testing is scheduled, predictable, and compliance-shaped. Scope is defined by regulatory requirements, not by the actual attack surface an adversary would traverse. The program surfaces findings within a predefined boundary. That boundary does not include most of what lateral movement exploits.
An organization at T2 has not tested the assets that enable a 29-minute breakout. Not because of negligence, but because scope has been defined by what auditors require rather than what attackers use. The compliance assessment passed. The environment still has somewhere to go.
T3 is where scope expands meaningfully beyond compliance boundaries. A T3 program covers assets, paths, and scenarios defined by risk rather than regulation. It tests what an attacker would actually reach. That expansion is not cosmetic. It is the structural prerequisite for the breakout time data to be relevant to your defensive posture at all. You cannot remediate exposure you have not assessed. You cannot shorten a breakout window through assets you have never tested.
The remediation SLA is a G-axis problem
Scope determines what you know about. Governance determines what you do about it.
If the average breakout time is 29 minutes and your remediation SLA for critical findings is 30 days, the arithmetic is not favorable. The window an attacker needs to move through your environment is approximately 43,000 times shorter than the window your organization takes to close a finding. Thirty-day SLAs were reasonable when breakout times were measured in days or weeks. The data says the environment has changed.
Shortening a remediation SLA is not a technical decision. It requires an executive sponsor who receives offensive findings on a defined schedule, a prioritization process that distinguishes between findings that matter now and findings that can wait, and organizational authority to mobilize resources when the data demands it. That is a G3 capability. It does not exist at G1 or G2.
At T3/G1, the most operationally dangerous position in this context, the organization has continuous visibility into its attack surface and no organizational infrastructure to act on what it reveals. Findings are real. Exposure is documented. Nobody with authority to act is receiving it on a schedule that reflects the threat velocity the data describes. High signal, zero leverage.
At T3/G2, governance exists but is responsive rather than strategic. Remediation happens without defined SLAs or risk-informed prioritization. Some findings close quickly. Others age. An attacker moving through your environment in 29 minutes does not care which category your open findings fall into.
What T3/G3 actually provides
T3/G3 is not immunity. It is the first coordinate position where both axes are genuinely functional together, and where the organization is structurally equipped to respond at a pace that is at least in the same order of magnitude as the threat.
At T3/G3, scope extends beyond compliance. The program tests what attackers traverse, not just what auditors require. Findings are owned, SLAs are defined and enforced, and an executive sponsor acts on offensive outcomes on a defined schedule. When the breakout time data demands that a specific class of findings be closed faster, there is organizational infrastructure to make that happen.
Mandiant's own operational recommendation from M-Trends 2026 maps directly to this: treat low-impact alerts as critical indicators, because with hand-off times measured in seconds, what appears to be an isolated low-priority event may signal the beginning of a secondary intrusion (Mandiant M-Trends 2026, p. 55). That recommendation presupposes an organization with the governance infrastructure to act on it. It requires someone with authority to reprioritize, resources to deploy, and a program scope that surfaces the relevant signals in the first place. That is a program design problem. It precedes the detection and response conversation entirely.
The question worth asking
CrowdStrike and Mandiant are measuring how fast attackers move. The coverage has focused on how fast defenders need to detect and respond. Both framings are correct and neither is sufficient on its own.
The more productive question for Directors and CISOs is not how fast your SOC can respond. It is whether your offensive security program has tested the assets that would enable a 29-minute breakout in your environment, and whether your governance infrastructure can act on findings at a pace that reflects what the data describes.
If you cannot answer the first question, the problem is on the T axis. If you cannot answer the second, it is on the G axis. Most organizations will find the honest answer involves both.
The ARMOR self-assessment at armormodel.org takes twenty questions and produces a coordinate position that describes where your program actually stands on each axis independently. It is free, vendor-agnostic, and takes about fifteen minutes.

