
90-95% of intrusions will avoid persistence entirely Attacks become session-based & ephemeral Al accelerates attacks to minutes/hours.
82% of detections are malware-free – a new record high eCrime breakout time down to 29 minutes Attackers log in with valid credentials.
82% of 2025 detections were malware-free, up from 79%
29 min average eCrime breakout time – 65% faster than 2024
27 sec fastest observed breakout time in 2025
67% of incidents start with identity compromise, not malware
Strongly on track. Persistence-free, identity-driven “log-in not break-in” intrusions are now the norm and detonate in minutes, not days. Defenders must pivot from malware hunting to identity and session telemetry, and assume attackers are already inside using legitimate tools. Speed of containment now matters more than depth of forensic analysis.

APTS will remain undetected for long periods of time

operators exited 48-72 hours after encrypting data


Custom backdoors fuelled 82% of long-duration intrusions.
~75-80% of detections in the past were malware-free


Automated tools will exploit vulnerabilities in minutes

90-95% of intrusions will avoid persistence entirely

Al tools accelerate attacks to hours.
