29 Minutes: The Breach Containment Window Is Already Closed
Discover how rapid attacker movement challenges detection and containment strategies, shifting focus from prevention to managing loss outcomes in cybersecurity.
Attackers are getting in faster, and they're converting access into impact faster than most organizations can decide what to do next.
This Isn't a Detection Problem
The industry narrative still centres on detection:
More telemetry
Better alerts
Faster triage
But this assumes detection is a single capability.
It isn't.
Detection only exists when three things happen together:
Evidence is captured, AND
Someone (or something) reviews it, AND
It's correctly recognized as malicious
Break any one of those, and detection doesn't happen.
Now put that into a 29-minute window:
Monitoring cadence is too slow
Analysts are overloaded
Recognition degrades under volume
So what looks like a detection gap is something more fundamental:
Detection is happening too late to matter... or not at all.
And if detection doesn't happen:
Response doesn't happen. And the loss trajectory continues uninterrupted.
Buyers Think They're Buying Detection. They're Actually Buying Time
Vendors still sell:
"We detect faster"
"We improve visibility"
But that's not the decision buyers are making, whether they realize it or not.
The real question is:
What is the probability we can stop attacker movement before it becomes a high-loss event?
That is not a detection question.
It's a time-to-containment question.
And it's a very different buying decision:
Detection influences whether you act
Containment determines whether it still matters
Figure: FAIR-CAM loss exposure over time
Illustrative loss exposure curve derived from FAIR-CAM stage behavior. As attackers progress through stages (initial access → lateral movement → exfiltration), the associated loss magnitude increases non-linearly. Detection and containment timing determine which loss distribution the organization experiences.
The Real Problem: Containment Is Often Too Late
Attacks don't unfold as a smooth curve. They progress through stages:
Initial access
Privilege escalation
Lateral movement
Data access
Exfiltration
Each stage is a fork in the road:
Detect early: low loss
Detect late: high loss
Don't detect: maximum loss
What the 29-minute breakout time tells us is simple:
The gap between "manageable incident" and "material business event" is collapsing.
By the time many organisations detect an attacker, the attacker has already:
Moved laterally
Established persistence
Accessed sensitive systems
Containment still matters, but it often happens only after the damage profile is already set.
The Conversation No One Is Having: Loss Still Happens
This is where vendor narratives stop.
But this is where the buyer's real problem begins.
If:
Breaches are increasingly inevitable
Detection is often late
Containment frequently trails attacker progress
Then the question shifts from:
"How do we stop attacks?"
to: "How much loss do we incur when we don't?"
This is the conversation missing from most boardrooms and most sales cycles.
Risk Is Now About Outcome Shaping, Not Attack Prevention
Stopping attacks is no longer enough. What matters now is controlling how bad the outcome is when they get through.
This is a fundamental shift:
From reducing Loss Event Frequency
To actively shaping Loss Magnitude
And that comes down to three things:
1. Containment (when it works): How quickly can you stop further spread?
2. Resilience (when it doesn't): How quickly can you restore operations?
3. Loss Minimization (always): How much financial and operational damage can you reduce?
These are not secondary capabilities. They are the primary drivers of loss once an attacker is inside.
The Metric That Actually Matters: Outcome Distribution
Between minute 5 and minute 60, something critical happens:
The number of reachable systems expands rapidly
The data exposure surface grows
The cost to recover multiplies
This creates a non-linear effect:
Small delays in response create disproportionately large increases in loss.
Which means:
A 15-minute improvement in containment is not incremental
A 4-hour improvement in recovery is not operational
They are financial decisions with exponential impact.
What buyers need to understand, and what vendors rarely articulate, is:
You are not buying tools. You are buying a distribution of possible outcomes.
What Buyers Should Actually Measure
Very few organisations, and even fewer vendors, frame decisions this way.
But if you want to align with how risk actually behaves, the key questions are:
1. What is the probability of early detection?
The real question: how often does detection happen before lateral movement begins?
2. What is the distribution of time to containment?
Average SLA misses the point. The question is how often containment happens fast enough to change the outcome.
3. How long does recovery take?
Because downtime is often the largest driver of loss.
4. What does loss look like across scenarios?
Early detection: low impact
Late detection: high impact
No detection: full loss
These are business outcome metrics.
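The two ideas above, that loss grows non-linearly with how far the attacker gets, and that the useful metric is the distribution of outcomes rather than an average SLA, can be made concrete with a small simulation. The script below is an added example, not code from the article or from the FAIR Institute: it models an incident as a stage timeline (only the 29-minute breakout to lateral movement comes from the article; the other stage boundaries, the per-stage loss figures, the downtime cost and the lognormal time-to-containment parameters are constructed assumptions), draws a distribution of containment times including a "never detected" share, and reports the probability of containment before lateral movement, the probability of full loss, and the mean, median and 90th-percentile loss. It then re-runs the same incidents with containment 15 minutes faster and recovery 4 hours shorter, so the effect of those two improvements on the outcome distribution can be read directly.

```python
import math
import random
import statistics

# Attacker stage timeline in minutes from initial access. The 29-minute breakout
# (start of lateral movement) is the figure from the article; every other boundary
# is a constructed assumption for illustration.
STAGE_START = [
    ("initial_access", 0.0),
    ("privilege_escalation", 12.0),
    ("lateral_movement", 29.0),
    ("data_access", 60.0),
    ("exfiltration", 120.0),
]
BREAKOUT_MINUTES = 29.0

# Constructed loss magnitude associated with the furthest stage reached (currency
# units). Each stage multiplies the previous loss several times over, which is what
# makes small containment delays produce disproportionately large losses.
STAGE_LOSS = {
    "initial_access": 5_000,
    "privilege_escalation": 25_000,
    "lateral_movement": 150_000,
    "data_access": 800_000,
    "exfiltration": 4_000_000,
}


def stage_reached(dwell_minutes: float) -> str:
    """Furthest stage the attacker reaches before containment at `dwell_minutes`.

    math.inf models the 'no detection' case: the attacker runs the full chain.
    """
    reached = STAGE_START[0][0]
    for name, start in STAGE_START:
        if dwell_minutes >= start:
            reached = name
    return reached


def incident_loss(dwell_minutes: float, recovery_hours: float, cost_per_hour: float) -> float:
    """Loss magnitude for one incident: stage-driven loss plus downtime-driven recovery cost."""
    return STAGE_LOSS[stage_reached(dwell_minutes)] + recovery_hours * cost_per_hour


def sample_containment_times(n: int, median_minutes: float, sigma: float,
                             p_no_detect: float, rng: random.Random) -> list[float]:
    """Draw a time-to-containment distribution (lognormal, constructed parameters).

    With probability `p_no_detect` the incident is never detected, so containment
    time is infinite and the attacker reaches the final stage.
    """
    times = []
    for _ in range(n):
        if rng.random() < p_no_detect:
            times.append(math.inf)
        else:
            times.append(rng.lognormvariate(math.log(median_minutes), sigma))
    return times


def outcome_distribution(times: list[float], recovery_hours: float, cost_per_hour: float) -> dict:
    """Summarise the loss outcome distribution implied by a set of containment times."""
    losses = sorted(incident_loss(t, recovery_hours, cost_per_hour) for t in times)
    n = len(losses)

    def percentile(p: float) -> float:
        return losses[min(n - 1, int(p * n))]

    return {
        "p_before_lateral": sum(1 for t in times if t < BREAKOUT_MINUTES) / n,
        "p_full_loss": sum(1 for t in times if stage_reached(t) == "exfiltration") / n,
        "mean_loss": statistics.fmean(losses),
        "p50_loss": percentile(0.5),
        "p90_loss": percentile(0.9),
    }


def compare_programmes(n: int = 20_000, seed: int = 7) -> dict:
    """Paired comparison: the same incidents, with containment 15 minutes faster
    and recovery 4 hours shorter (the two improvements the article discusses).
    """
    rng = random.Random(seed)
    baseline_times = sample_containment_times(n, median_minutes=45.0, sigma=0.8,
                                              p_no_detect=0.05, rng=rng)
    # Same draws shifted earlier, so the only difference is containment speed.
    faster_times = [max(0.0, t - 15.0) for t in baseline_times]
    cost_per_hour = 10_000  # constructed downtime cost per hour
    return {
        "baseline": outcome_distribution(baseline_times, recovery_hours=24, cost_per_hour=cost_per_hour),
        "improved": outcome_distribution(faster_times, recovery_hours=20, cost_per_hour=cost_per_hour),
    }


if __name__ == "__main__":
    for name, summary in compare_programmes().items():
        print(name, {k: round(v, 3) for k, v in summary.items()})
```

The paired design (same random draws, shifted by 15 minutes) isolates the effect of containment speed from sampling noise, which is the comparison a buyer actually wants: not "what is our average time to contain" but "how much of the probability mass moves from the exfiltration tail to the pre-breakout region". Replacing the constructed stage boundaries and loss figures with an organisation's own FAIR estimates turns the same code into a first-pass outcome-distribution model.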
Why This Matters for Cybersecurity Vendors
This is where many vendors are stuck.
The industry still operates on a supply-side model:
Build features
Push capabilities
Compete on detection claims
Meanwhile, buyers are facing:
Fixed budgets, tool bloat, talent shortages
Increasing attack speed
Rising impact when things go wrong
And they're asking:
"Where do we spend to reduce the most risk?"
Vendors don't answer that question, because they're not framing the problem in terms of loss reduction.
The Vendor Who Reframes the Decision Wins
The first vendor to shift the conversation from:
"Here's what our product does"
to: "Here's how we change your loss profile"
... wins upstream.
Because they're no longer competing on features, alerts, or dashboards.
They're competing on:
Outcome distribution
Financial impact
Risk reduction per dollar spent
Detection tells you something is wrong.
Containment determines how wrong it gets.
That's the decision.
FAIR-CAM is a trademark of the FAIR Institute. It is freely available for non-commercial use; a license is required for commercial use. Contact the FAIR Institute for licensing information.
Mark Gibson
Mar 27, 2025