For a few years, the industry had a number it liked to point to. Dwell time was falling. Defenders were getting faster. Progress was being made.

That story just reversed.

Median dwell time jumped from 11 days in 2024 to 14 in 2025. Three days sounds like noise. It isn’t. The direction matters. After years of heading the right way, it went backward – and why it reversed is uncomfortable reading for most security teams.

Here’s the twist: internal detection actually got better. When organizations caught breaches themselves, dwell time dropped from 10 days to 9. That’s real improvement. But in externally notified cases, the median jumped from 11 days to 25. More than double.

What’s dragging the average up? Long-running espionage operations and North Korean IT workers sitting inside companies for a median of 122 days before anyone noticed. Four months. Some went undetected for more than a year.

North Korean IT workers aren’t phishing their way in. They’re applying for jobs, passing interviews (sometimes with AI help), and getting hired. No custom malware. No suspicious lateral movement at 3 AM. Just someone using the tools they’re supposed to be using. Standard EDR doesn’t catch that. Most behavioral baselines don’t either.

On the other end of the spectrum, ransomware operators are getting access handed off to them in under 30 seconds. By the time a tier-one analyst pulls up the alert, it may already be over.

Two completely different threats. Two completely different defensive postures required. Most programs are built for one of them.

The honest question every security team should be sitting with: would you even know if someone you hired was the threat?


Read the full breakdown of M-Trends 2026 dwell time data and what it means for your threat model