How fast does a contained breach become an enterprise-wide loss event?
In 2026, the answer is: faster than your operating model can respond.
The 2026 CrowdStrike Global Threat Report indicates that average adversary breakout time has dropped to 29 minutes. Five years ago, it was 98. The Unit 42 2025 Global Incident Response Report shows the fastest quartile of attacks achieving data exfiltration in ~72 minutes.
Attackers are getting in faster, and they're converting access into impact faster than most organizations can decide what to do next.
The industry narrative still centres on detection:
But this assumes detection is a single capability.
It isn't.
Detection only exists when three things happen together:
Break any one of those, and detection doesn't happen.
Now put that into a 29-minute window:
So what looks like a detection gap is something more fundamental:
Detection is happening too late to matter... or not at all.
And if detection doesn't happen:
Response doesn't happen. And the loss trajectory continues uninterrupted.
Vendors still sell:
But that's not the decision buyers are making, whether they realize it or not.
The real question is:
What is the probability we can stop attacker movement before it becomes a high-loss event?
That is not a detection question.
It's a time-to-containment question.
And it's a very different buying decision:
Illustrative loss exposure curve derived from FAIR-CAM stage behavior. As attackers progress through stages (initial access → lateral movement → exfiltration), the associated loss magnitude increases non-linearly. Detection and containment timing determine which loss distribution the organization experiences.
Attacks don't unfold as a smooth curve. They progress through stages:
Each stage is a fork in the road:
What the 29-minute breakout time tells us is simple:
The gap between "manageable incident" and "material business event" is collapsing.
By the time many organisations detect an attacker, the attacker has already:
Containment still matters, but it's often happening after the damage profile is already set.
This is where vendor narratives stop.
But this is where the buyer's real problem begins.
If:
Then the question shifts from:
"How do we stop attacks?"
to: "How much loss do we incur when we don't?"
This is the conversation missing from most boardrooms and most sales cycles.
Stopping attacks is no longer enough. What matters now is controlling how bad the outcome is when they get through.
This is a fundamental shift:
And that comes down to three things:
1. Containment (when it works): How quickly can you stop further spread?
2. Resilience (when it doesn't): How quickly can you restore operations?
3. Loss Minimization (always): How much financial and operational damage can you reduce?
These are not secondary capabilities. They are the primary drivers of loss once an attacker is inside.
Between minute 5 and minute 60, something critical happens:
This creates a non-linear effect:
Small delays in response create disproportionately large increases in loss.
Which means:
They are financial decisions with exponential impact.
What buyers need to understand, and what vendors rarely articulate, is:
You are not buying tools. You are buying a distribution of possible outcomes.
Very few organisations, and even fewer vendors, frame decisions this way.
But if you want to align with how risk actually behaves, the key questions are:
1. What is the probability of early detection?
The real question: how often does detection happen before lateral movement begins?
2. What is the distribution of time to containment?
Average SLA misses the point. The question is how often containment happens fast enough to change the outcome.
3. How long does recovery take?
Because downtime is often the largest driver of loss.
4. What does loss look like across scenarios?
These are business outcome metrics.
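The first two questions can be answered directly from incident timelines. The following is an added example, not part of the original article: the incident records are constructed, all times are assumed to be minutes since initial access, and the function and field names are hypothetical.

```python
import math
from statistics import mean, median

BREAKOUT_MIN = 29  # average breakout time cited in the article

# Constructed incident timelines (not real data). Assumption: all times are
# minutes since initial access; lateral_at is None when the intruder was
# contained before any lateral movement.
# (id, detected_at, contained_at, lateral_at)
INCIDENTS = [
    ("INC-01", 3, 10, None), ("INC-02", 5, 12, None),
    ("INC-03", 6, 15, None), ("INC-04", 9, 18, None),
    ("INC-05", 8, 20, 16), ("INC-06", 14, 22, 12),
    ("INC-07", 11, 25, None), ("INC-08", 30, 40, 24),
    ("INC-09", 70, 95, 29), ("INC-10", 180, 243, 35),
]


def percentile(values, p):
    """Nearest-rank percentile: smallest value with at least p% at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def containment_profile(incidents, breakout_min=BREAKOUT_MIN):
    """Summarise detection and containment timing as a distribution."""
    if not incidents:
        raise ValueError("no incidents to profile")
    n = len(incidents)
    ttc = [contained for _, _, contained, _ in incidents]
    # Question 1: detection happened before lateral movement began.
    early = sum(1 for _, det, _, lat in incidents if lat is None or det < lat)
    # Containment that cut the attack off before any lateral movement.
    pre_lateral = sum(1 for _, _, _, lat in incidents if lat is None)
    return {
        "p_early_detection": early / n,
        "p_contained_before_lateral": pre_lateral / n,
        "p_contained_within_breakout": sum(t <= breakout_min for t in ttc) / n,
        "mean_ttc": mean(ttc),      # the single number an SLA report shows
        "median_ttc": median(ttc),
        "p90_ttc": percentile(ttc, 90),
        "max_ttc": max(ttc),
    }


if __name__ == "__main__":
    for name, value in containment_profile(INCIDENTS).items():
        print(f"{name:30} {value}")
```

On this sample the mean of 50 minutes describes no actual incident: seven of ten were contained within 29 minutes, while the slowest took 243.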
This is where many vendors are stuck.
The industry still operates on a supply-side model:
Meanwhile, buyers are facing:
And they're asking:
"Where do we spend to reduce the most risk?"
Vendors don't answer that question. Because they're not framing the problem in terms of loss reduction.
The first vendor to shift the conversation from:
to: "Here's how we change your loss profile"
... wins upstream.
Because they're no longer competing on features, alerts, or dashboards.
They're competing on:
Detection tells you something is wrong.
Containment determines how wrong it gets.
That's the decision.
FAIR-CAM is a trademark of the FAIR Institute. It is freely available for non-commercial use; a license is required for commercial use. Contact the FAIR Institute for licensing information.