When Your Security Team is the Last to Know: Detection Gaps Attackers Depend On

TLDR: Attackers routinely operate inside networks for days or weeks before detection tools fire. According to Mandiant’s M-Trends 2026 report, median dwell time climbed back to 14 days in 2025, and more than half of compromises are still discovered by someone other than the organization’s own security team. The gap between intrusion and awareness is not primarily a technology problem. Understanding where and why detection breaks down is the first step toward closing it.


The Dwell Time Problem Is Worse Than the Headline Number

Most security conversations about detection start with the wrong question. The question is not “do we have the right tools?” The question is “how long was someone in our environment before we found out?” Those are different questions, and the second one is harder to answer than most organizations want to admit.

Mandiant’s M-Trends reporting has tracked attacker dwell time for over a decade. In 2025, the global median climbed back to 14 days, reversing modest progress from the prior year. That number deserves unpacking, because it understates the real problem. When an organization discovers a breach on its own, median dwell time is around 10 days. When an external entity does the notifying, such as a government agency, a security researcher, or a partner, that median jumps to 26 days. And when the attacker is the one doing the notifying, as in a ransomware deployment, the number drops to five days, because the attacker chose when to reveal themselves.

The uncomfortable takeaway: shorter dwell times in ransomware cases are not a detection success story. They reflect attackers deciding the job is done.

Perhaps more telling than dwell time is who finds the breach. In 2024, 57% of compromises were discovered by external parties, not the organization’s own security team, according to M-Trends 2025. More than half of the time, someone else found the problem first. Being “detected” and being “detected by your own team” are two very different security outcomes, and they carry very different consequences for how fast you can respond.


Where Detection Actually Breaks Down

There is a persistent assumption in security conversations that detection failures are tool failures. Buy a better SIEM. Add another EDR agent. Update the rules. The problem is that many of the most consequential detection gaps are not gaps in tool coverage. They are structural gaps in how attacks unfold relative to what tools are designed to see.

Credential abuse that looks like normal behavior. According to CrowdStrike’s 2025 Global Threat Report, 75% of intrusions were malware-free, relying instead on credential abuse, social engineering, and session hijacking. An attacker logging in with a valid username and password does not look like an attack. It looks like a user. Signature-based detection has nothing to catch. Even behavioral tools struggle when the attacker is patient enough to operate during business hours, move at a pace that mirrors normal administrative activity, and avoid touching anything the rules are written to flag.

Living-off-the-land techniques that your tools are configured to trust. CISA put it plainly in their 2025 joint guidance: attackers use PowerShell, WMI, certutil, and other tools that IT teams run every day. Your antivirus trusts them. Your allowlists approve them. Your SIEM expects them. CrowdStrike found that 62% of their threat detections in 2025 were malware-free attacks using exactly these methods. There is no suspicious file to quarantine because there is no file. The attack runs in memory, through tools your organization considers legitimate, and leaves artifacts that are indistinguishable from routine administration unless someone is specifically hunting for behavioral anomalies.

Alert fatigue that creates cover in the noise. High-volume security environments generate enormous numbers of alerts. Security teams in mature organizations routinely process thousands of alerts per day, with a significant portion being low-fidelity or false positives. The problem is not that the signal was absent. The problem is that the real signal arrived inside a volume of noise that made it effectively invisible. Attackers who understand how detection tools work can time their activity to blend into the alert baseline, moving when the environment is noisy and pausing when it is quiet.

Coverage gaps at the seams between tools. No single tool sees everything, and the handoff points between EDR, SIEM, network monitoring, and cloud security posture management are where visibility routinely drops. One tool flags an anomaly that falls outside the scope of what feeds into the correlation engine. A cloud-based lateral movement goes undetected because the SIEM is tuned for on-premises activity. An alert fires in a system nobody owns. These seams are not theoretical. They are the gaps that experienced operators actively map and exploit during assessments.


What Volt Typhoon Taught Us About Long-Term Undetected Access

The Volt Typhoon campaign is the most extensively documented illustration of what long-term undetected access looks like in practice, and it is worth examining not as an abstract nation-state threat story but as a case study in detection failure.

CISA, NSA, and FBI confirmed in a joint advisory that Volt Typhoon actors maintained access and footholds within some victim IT environments for at least five years. They did this using exclusively living-off-the-land techniques: no custom malware, no exotic tooling, just the native utilities present in every Windows environment. The tradecraft was not sophisticated in the sense of being technically novel. It was sophisticated in the sense of being patient, disciplined, and calibrated to stay below the detection threshold of the tools monitoring those environments.

The Dragos investigation into a small public utility in Massachusetts, the Littleton Electric Light and Water plant, put a number on what that looks like at the operational level. Volt Typhoon remained undetected in that environment for over 300 days. The intrusion was only discovered through targeted threat hunting operations that surfaced anomalous network behavior from OT systems. The utility’s standard monitoring had not caught it.

This is not a story about a large, complex enterprise with a byzantine environment and a hundred different tool vendors. It is a story about a small municipal utility, exactly the kind of organization that has implemented what it considers a reasonable security posture and has no particular reason to suspect it is hosting a foreign adversary.

CISA’s own red teams add an uncomfortable data point to this picture. Their 2025 guidance notes that red teams frequently use publicly known LOTL techniques for execution, persistence, lateral movement, discovery, and credential access, with network defenders rarely finding the activity. When the federal government’s own offensive operators can use documented, publicly known techniques and still go undetected, the detection gap is structural, not incidental.


The Organizational Dimension

Detection failures are not only about tools and techniques. They are also about process, ownership, and organizational structure.

Many security programs have clear ownership for prevention and compliance, and murky ownership for detection and response. An alert fires. The SIEM logs it. Someone may see it. Whether someone investigates it, escalates it, and acts on it depends on processes that are often underdocumented, undertested, and assumed to work because they have not visibly failed yet.

The seam between IT and security is a reliable source of detection gaps. IT sees operational anomalies through a lens of system health and availability. Security sees the same data through a lens of potential threat indicators. Neither may have authority or context to act on what the other is seeing. In the absence of a clear decision threshold and ownership model, real signals get absorbed into the background noise of “things to look at when we have time.”

Tabletop exercises are one of the most underused tools for surfacing these gaps before an attacker does. A well-constructed tabletop does not just test whether your team knows the incident response playbook. It tests whether the right people are in the room, whether the right notifications happen, and whether the escalation chain actually functions under pressure. Organizations that run tabletops regularly often discover that their detection and response processes work in theory and stall in practice, and they discover this when the stakes are low enough to fix it.


What Actually Helps

The remediation path for detection gaps runs through program posture, not product acquisition. A few areas that consistently make a material difference:

Behavioral analytics over signature detection. The shift from “what files are on this system” to “what is this user doing and why” is the relevant detection upgrade for the current threat environment. Behavioral analytics surfaces credential misuse and LOTL activity that signature-based tools miss by design.
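The shift from “which files are present” to “what is this user doing” can be made concrete with a per-user baseline of native tool use. The following is an added example, not code from the article or from Satine Technologies: it builds a baseline of which (host, tool) pairs each account has exercised with the LOTL utilities the article names, then flags a later use that is new for that user even though the tool itself is allowlisted. The event format, accounts and hostnames are constructed for the example.

```python
from collections import defaultdict

# Native Windows utilities the article names as trusted by allowlists and
# antivirus; their presence alone is not a signal, so the question becomes
# whether this user, on this host, has ever used them before.
LOTL_TOOLS = {"powershell.exe", "wmic.exe", "certutil.exe"}


def parse_event(line: str) -> dict:
    """Parse one constructed process-creation record: timestamp|user|host|image."""
    ts, user, host, image = line.strip().split("|")
    return {"ts": ts, "user": user, "host": host, "image": image.lower()}


def build_baseline(events: list[dict]) -> dict[str, set[tuple[str, str]]]:
    """Record which (host, tool) pairs each user exercised during the baseline window."""
    baseline: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for e in events:
        if e["image"] in LOTL_TOOLS:
            baseline[e["user"]].add((e["host"], e["image"]))
    return baseline


def flag_anomalies(baseline: dict[str, set[tuple[str, str]]], events: list[dict]) -> list[str]:
    """Flag LOTL tool use that is new for the user; a repeat of a baseline pair is routine."""
    findings = []
    for e in events:
        if e["image"] not in LOTL_TOOLS:
            continue
        seen = baseline.get(e["user"], set())
        if (e["host"], e["image"]) in seen:
            continue  # same user, host and tool as before: routine administration
        known_tool = any(tool == e["image"] for _, tool in seen)
        reason = "known tool, first time on this host" if known_tool else "first use of this tool by this user"
        findings.append(f"{e['ts']} {e['user']}@{e['host']} ran {e['image']}: {reason}")
    return findings


# Constructed sample telemetry (not real logs): a baseline week, then a review day.
BASELINE_EVENTS = [parse_event(line) for line in """\
2025-03-03T09:12:00|svc-admin|dc01|powershell.exe
2025-03-03T10:40:00|svc-admin|dc01|wmic.exe
2025-03-04T08:05:00|jdoe|ws-fin-07|excel.exe""".splitlines()]

REVIEW_EVENTS = [parse_event(line) for line in """\
2025-03-10T09:30:00|svc-admin|dc01|powershell.exe
2025-03-10T11:02:00|svc-admin|ws-fin-07|powershell.exe
2025-03-10T14:15:00|jdoe|ws-fin-07|certutil.exe""".splitlines()]

if __name__ == "__main__":
    for finding in flag_anomalies(build_baseline(BASELINE_EVENTS), REVIEW_EVENTS):
        print(finding)
```

The same `powershell.exe` execution is routine for `svc-admin` on `dc01` and flagged on a finance workstation; a signature on the binary alone cannot make that distinction.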

Threat hunting as a scheduled function, not a reactive one. Proactive threat hunting, going into the environment looking for adversary TTPs before an alert fires, is what found the Volt Typhoon intrusion in Massachusetts. It is not a capability most organizations have built into their regular security operations cadence, which is exactly why it is effective when it does happen.

Log coverage and retention audits. Many organizations are generating the right logs and not retaining them long enough to reconstruct a timeline, or retaining them in systems that are not being actively monitored. CISA’s guidance on Volt Typhoon specifically recommends reviewing application, security, and system event logs routinely and notes that application event logs may be particularly valuable because they remain on endpoints longer than security event logs. A log coverage audit costs nothing but time and often surfaces significant gaps.
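A log coverage audit can be expressed as a checklist run over an inventory of log sources. The following is an added example, not code from the article, CISA or Satine Technologies: it takes a constructed inventory of Windows event log sources and reports the three gap types the text describes, retention too short for the dwell times quoted above, logs that stay on the endpoint or land in a system nobody watches, and host groups missing one of the application, security and system logs CISA recommends reviewing. The host classes, retention periods and destination names are assumptions for the example.

```python
from dataclasses import dataclass

# Figures quoted in the article, reused here as retention thresholds: the
# 26-day median dwell time when an external party notifies, and the 300-day
# Volt Typhoon intrusion at the Littleton utility.
EXTERNAL_NOTIFY_MEDIAN_DAYS = 26
LONG_DWELL_DAYS = 300
# Windows event logs CISA's Volt Typhoon guidance says to review routinely.
REQUIRED_CHANNELS = {"application", "security", "system"}


@dataclass(frozen=True)
class LogSource:
    host_class: str       # group of Windows hosts, e.g. "domain-controllers"
    channel: str          # event log channel, e.g. "security"
    retention_days: int   # how long events are actually kept, not the written policy
    forwarded_to: str     # central system, or "" if the log stays on the endpoint
    monitored: bool       # is that central system actively reviewed or alerted on


def audit_log_coverage(sources: list[LogSource]) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means no gap was found."""
    findings = []
    channels_by_host: dict[str, set[str]] = {}
    for s in sources:
        channels_by_host.setdefault(s.host_class, set()).add(s.channel)
        where = f"{s.host_class}/{s.channel}"
        if not s.forwarded_to:
            findings.append(("HIGH", f"{where}: stays on the endpoint only, lost when the log wraps or the host is rebuilt"))
        elif not s.monitored:
            findings.append(("HIGH", f"{where}: forwarded to {s.forwarded_to}, but nobody is watching that system"))
        if s.retention_days < EXTERNAL_NOTIFY_MEDIAN_DAYS:
            findings.append(("HIGH", f"{where}: {s.retention_days}-day retention is shorter than the 26-day external-notification median"))
        elif s.retention_days < LONG_DWELL_DAYS:
            findings.append(("MEDIUM", f"{where}: {s.retention_days}-day retention cannot reconstruct a 300-day intrusion"))
    for host_class, channels in sorted(channels_by_host.items()):
        for missing in sorted(REQUIRED_CHANNELS - channels):
            findings.append(("HIGH", f"{host_class}: '{missing}' event log is not collected at all"))
    return findings


# Constructed inventory for a small utility, modelled on the article's scenario.
SAMPLE_INVENTORY = [
    LogSource("domain-controllers", "security", 365, "siem", True),
    LogSource("domain-controllers", "system", 365, "siem", True),
    LogSource("domain-controllers", "application", 90, "", False),
    LogSource("ot-gateways", "security", 14, "syslog-archive", False),
]

if __name__ == "__main__":
    for severity, finding in audit_log_coverage(SAMPLE_INVENTORY):
        print(f"[{severity}] {finding}")
```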

Purple team exercises. Bringing offensive and defensive operators together in the same environment, with the defenders actively trying to catch what the offensive team is doing, produces detection improvements that neither side achieves working independently. It closes the loop between what your tools are designed to catch and what an actual operator can do inside your environment without tripping them.


Actionable Takeaways for Business Leaders

Security executives and technical teams are not the only people who can move on this. Business leaders who are not deeply technical can take concrete steps this week that create real accountability and surface real gaps.

Ask your security team one question: “How would we know if someone had been in our environment for 30 days?” The quality of that answer tells you a great deal about where your detection program actually stands. A strong answer is specific, measurable, and grounded in what your actual tooling and processes can demonstrate. A weak answer involves general statements about having a SOC or good tools. The gap between those two answers is the gap an attacker will find first.

Trace the path from alert to action. Request a walkthrough of what happens when a detection fires, from the moment the alert is generated to the moment a human makes a decision to investigate or close it. Identify where ownership is unclear, where the escalation chain has gaps, and where the process depends on individuals rather than documented procedures. This does not require technical expertise. It requires asking direct questions about a process your organization assumes is working.

Request a log coverage review. Skip the new tool purchase and start with a review of whether the right events are being logged, retained long enough to matter, and stored in a system that is actively monitored. Many organizations are generating telemetry that no one is looking at, or retaining logs for 30 days in environments where a 300-day intrusion is a documented reality. This conversation should happen between security leadership and business leadership, not just inside the security team.


A security program that looks functional from the inside can look wide open from the outside. Organizations that find out which one is true on their own terms get to respond on their own terms. Those that do not find out on their own learn it from a ransom note, an examiner, or a phone call from the FBI.

The 300-day intrusion at a small Massachusetts utility was not discovered because the utility’s standard monitoring improved. It was discovered because someone went looking. Most organizations are not going looking. That gap, between what your tools are watching for and what is actually present in your environment, is exactly where patient, disciplined attackers make their home.


Satine Technologies is a veteran-owned offensive cybersecurity firm founded by former U.S. Cyber Command operators. We help organizations understand their security from an attacker’s perspective. Learn more at satinetech.com.


References

  1. Mandiant. M-Trends 2026: What 450,000 Hours of Incident Response Tells Us. Analysis via Resilient Cyber, March 2026. https://www.resilientcyber.io/p/m-trends-2026-what-450000-hours-of
  2. Google Cloud / Mandiant. M-Trends 2025. Google Cloud Blog, April 2025. https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025
  3. CrowdStrike. 2025 Global Threat Report. Referenced via Proofpoint Threat Reference and Black Hat MEA analysis. https://www.proofpoint.com/us/threat-reference/living-off-the-land-attack
  4. CISA, NSA, FBI. Identifying and Mitigating Living Off the Land Techniques. Joint Cybersecurity Advisory AA23-144A, May 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
  5. CISA, NSA, FBI. PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Joint Advisory AA24-038A, February 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
  6. Dragos / IT Pro. 300 Days Under the Radar: How Volt Typhoon Eluded Detection in the US Electric Grid for Nearly a Year. IT Pro, March 2025. https://www.itpro.com/security/cyber-attacks/volt-typhoon-threat-group-electric-grid