Offcanvas Logo

Menu

  • IT Support
  • Cybersecurity
  • IT Compliance
  • AI Services
  • Blog
  • Why Us

Contact us

  • 1 Executive Dr Suite 100 #123 Marlton NJ 08053
  • 856-282-4100
  • info@xitx.com

Menu

  • IT Support
  • Cybersecurity
  • IT Compliance
  • AI Services
  • Blog
  • Why Us

Contact Us

  • 1 Executive Dr Suite 100 #123 Marlton NJ 08053
  • 856-282-4100
  • info@xitx.com

info@xitx.com
856-282-4100
1 Executive Drive Suite 100 Marlton, NJ 08053
+1 856-282-4100
Facebook-f X-twitter Instagram Linkedin-in Youtube
Xact IT Solutions
Let’s Talk
  • IT Support
  • Cybersecurity
  • IT Compliance
  • AI Services
  • Blog
  • Why Us
Xact IT Solutions
  • IT Support
  • Cybersecurity
  • IT Compliance
  • AI Services
  • Blog
  • Why Us
Let’s Talk

Dwell Time: Attackers Spend an Average of 194 Days Inside Small Business Networks Before Anyone Notices

Dwell Time: Attackers Spend an Average of 194 Days Inside Small Business Networks Before Anyone Notices

The most dangerous moment in a cyberattack is not the break-in. It is the silence that follows. Dwell time — the window between when an attacker first gains access to a network and when that intrusion is discovered — determines how much damage actually gets done. According to Mandiant’s M-Trends 2023 report, the global median dwell time was 16 days when organizations detected the breach themselves. When the victim was notified by an outside party — law enforcement, a customer, or a threat researcher — that median stretched to 19 days. For cases that went completely undetected without internal monitoring capability, historical five-year averages from the same report family track closer to 194 days. For a small business running antivirus as its primary line of defense, that number is not a statistic. It is a sentence.

  1. What Dwell Time Actually Means — and Why the Average Hides the Worst Cases
  2. The Antivirus Gap: Why Signature-Based Tools Were Built for a Different Era
  3. What Attackers Do With 194 Days of Quiet Access
  4. Small Businesses Are Not Off the Radar — They Are the Preferred Target
  5. Real-World Examples: When Dwell Time Became the Story
  6. Building a Detection Posture: What Actually Shortens Dwell Time
  7. Questions Every Business Owner Should Ask Their IT Firm Right Now

What Dwell Time Actually Means — and Why the Average Hides the Worst Cases

Dwell time is measured in days. Its consequences are measured in dollars, legal exposure, and lost client trust. Mandiant has tracked this metric globally for over a decade, and the trend is broadly positive: median dwell time has fallen sharply from the 416-day median reported in 2012. That progress is real, driven by serious investment in detection tooling — at the enterprise level.

The problem is that median numbers are population averages, pulled sharply downward by large enterprises with dedicated security teams and continuous monitoring. Strip those out and look at organizations without those resources — the vast majority of businesses under 500 employees — and the picture changes fast. IBM’s Cost of a Data Breach Report 2023 found that organizations took an average of 204 days to identify a breach and another 73 days to contain it. That is 277 days of exposure from identification through containment, and the clock only starts when someone notices.

For a business where the IT team is a single part-time contractor and the primary security tool is a commercial antivirus subscription, the identification phase may never come from internal monitoring. It comes from a ransomware demand on the screen, a call from the bank about fraudulent wire transfers, or a notice from the FBI. Understanding dwell time — and taking it seriously — is the first step toward closing that gap.

The Antivirus Gap: Why Signature-Based Tools Were Built for a Different Era

dwell time — Wide shot of a dimly lit server room with rack-mounted equipment and blinking lights, photographed from a low angle to convey the unseen activity happening within network infrastructure while defenders remain unaware.

Antivirus software was designed to identify known malicious files by comparing them against a database of previously catalogued threats. That model worked reasonably well in the 1990s and early 2000s, when attackers largely distributed the same malicious programs at scale. Signature databases grew, defenses caught up, and the approach held.

Then the offense adapted. Modern attackers — whether nation-state groups, organized criminal enterprises, or ransomware affiliates — use techniques specifically engineered to bypass signature detection. These include:

  • Living-off-the-land techniques, where attackers use legitimate built-in operating system tools (like Windows PowerShell or Windows Management Instrumentation) rather than importing malicious files that might trigger a scan.
  • Fileless malware that runs entirely in memory and never writes a detectable file to disk.
  • Custom or modified malware that has never appeared in any signature database — sometimes called zero-day payloads.
  • Credential theft followed by legitimate remote access using the victim’s own usernames and passwords — activity antivirus has no mechanism to flag as suspicious.

CISA has documented living-off-the-land techniques extensively, including in their joint advisory on People’s Republic of China state-sponsored cyber actors using exactly these methods against U.S. critical infrastructure. These are not exotic nation-state-only techniques. The same methods get packaged into tools that ransomware affiliates rent for a few hundred dollars a month and deploy against dental offices, law firms, and manufacturing shops.

Antivirus sees none of it. The attacker logs in with a valid username and password, moves laterally using tools that ship with Windows, and quietly copies data or stages a ransomware payload over days or weeks. The antivirus dashboard stays green the entire time — and dwell time keeps climbing.

What Attackers Do With 194 Days of Quiet Access

Extended dwell time is not idle time. Professional threat actors use their access methodically, following a recognizable sequence that security researchers call the attack lifecycle.

  • Initial access and persistence: The attacker establishes a foothold and immediately works to make it durable — creating new user accounts, installing remote access tools disguised as legitimate software, and modifying system settings to survive reboots and password changes.
  • Reconnaissance: From inside the network, the attacker maps the environment — identifying file shares, backup systems, cloud credentials, financial accounts, email archives, and anything else with value.
  • Privilege escalation: The attacker moves from a low-level access point to administrator or domain-level control. With the right techniques, this typically happens within days of initial access.
  • Lateral movement: The attacker spreads to additional machines, hunting higher-value targets — the accounting server, the file share with client contracts, the executive’s workstation.
  • Data staging and exfiltration: Sensitive files are quietly copied out over days or weeks in small batches designed to avoid triggering data transfer alerts — assuming any such alerts exist.
  • The final action: Whether it is deploying ransomware, committing financial fraud, or selling stolen data, the attacker acts only after extracting maximum value and establishing maximum leverage.

By the time the business owner sees a ransom demand or notices missing funds, the attacker may have been present for months. Backups have often been compromised. Breach notification obligations under state law and federal regulations may have already been triggered. The damage is done long before discovery — and it compounds with every additional day of dwell time that goes undetected.

Small Businesses Are Not Off the Radar — They Are the Preferred Target

A persistent myth holds that attackers focus on large companies with big payouts, and that a 30-person firm is beneath notice. The data says otherwise.

The FBI’s Internet Crime Complaint Center 2023 Internet Crime Report recorded over 880,000 complaints with losses exceeding $12.5 billion — the highest in the report’s history. Small and medium-sized businesses represented a disproportionate share of ransomware victims. Verizon’s 2024 Data Breach Investigations Report found that small businesses faced a comparable breach rate to large enterprises, but with a fraction of the detection and response capability.

The reason is straightforward: small businesses are softer targets. Fewer controls, less monitoring, no dedicated security staff, and a lower likelihood of fast detection and response. Attackers use automated tools to scan the internet for exposed systems, compromise them in hours, then sort the results by potential value. A 20-person professional services firm holding client financial data or health records is an attractive target — not because of its size, but because of what it holds and how unlikely it is to be well-defended.

The supply chain dimension amplifies this further. Many small businesses hold credentials, data, or access belonging to larger clients. Attackers have learned that compromising a small accounting firm or IT vendor can yield access to dozens of that vendor’s clients. That amplified value makes small businesses worth real effort — and it makes extended dwell time especially damaging, since every additional day means deeper intelligence gathering across a wider blast radius.

Real-World Examples: When Dwell Time Became the Story

The breach disclosures that made headlines over the past several years share a recurring pattern: extended, undetected access. While most involve larger organizations where disclosure is legally required, the underlying techniques are identical to what gets deployed against small businesses every day.

  • The SolarWinds supply chain attack, disclosed in December 2020, involved attackers who had been present inside victim networks for up to 14 months before discovery. The initial intrusion occurred as early as October 2019. Attackers used living-off-the-land techniques and moved slowly and deliberately to avoid triggering alerts.
  • The Okta breach disclosed in 2023 revealed that a threat actor had accessed a support system for roughly five days before Okta’s own investigation identified the activity — and only after a downstream customer noticed anomalies first.
  • Multiple healthcare ransomware incidents disclosed through federal breach notifications describe attackers who were present for 60 to 90 days before encrypting systems, spending that time locating and deleting backup copies to maximize leverage at the moment of the attack.

These are not stories of careless organizations. Some had significant security investments. What made the difference was not whether attackers got in — it was how long they had before anyone noticed. Dwell time was the weapon. Detection speed was the variable that determined outcomes.

Building a Detection Posture: What Actually Shortens Dwell Time

Reducing dwell time requires a mindset shift: from prevention-only to assuming prevention will occasionally fail, and asking — how fast will we know? The tools and practices that accomplish this work fundamentally differently from antivirus.

  • Behavioral monitoring: Instead of matching files against known signatures, behavioral monitoring watches for anomalous actions — a user account that has never accessed a specific server suddenly pulling thousands of files, a process launching in an unusual sequence, a device communicating with an external address at 3 a.m. These are the fingerprints of attacker activity even when the tools they use are entirely legitimate.
  • Log aggregation and analysis: Every device, application, and network component generates logs. Those logs contain the evidence of attacker movement — but only if someone is collecting and reviewing them. Centralizing and analyzing log data is one of the foundational practices recommended in the NIST Cybersecurity Framework under its Detect function.
  • Identity and access monitoring: Since credential theft is the most common attacker entry point, monitoring for impossible login patterns (a user appearing in two geographically distant locations within the same hour), off-hours access, and new privileged account creation is a high-signal detection method.
  • Network traffic analysis: Exfiltration has a signature in network traffic — unusual volumes, connections to unfamiliar destinations, protocols used in unexpected contexts. Watching for these patterns at the network level catches what endpoint tools miss.
  • Regular threat hunting: The most proactive posture involves periodic manual review of the environment by someone specifically looking for indicators of compromise — not waiting for an automated alert, but actively asking whether any known attacker patterns are present right now.

None of these capabilities exist in a standard antivirus subscription. They require a combination of tooling, configuration expertise, and ongoing human attention. For a small business, that does not mean hiring an internal security team — it means choosing an IT firm that provides this capability as part of how they manage your environment. Learn more about how a fully managed approach addresses these gaps on our managed IT services page.

The attacker lifecycle shows how dwell time accumulates silently across reconnaissance, lateral movement, and exfiltration — long before any visible damage occurs.

Questions Every Business Owner Should Ask Their IT Firm Right Now

The gap between “we have antivirus” and “we have detection capability” is exactly where the 194-day dwell time lives. Whether you are evaluating your current IT arrangement or interviewing new providers, these questions will tell you quickly whether they are built for prevention only — or for detection and response.

  • “If an attacker gained access to our network using stolen credentials today, how would you know?” A provider that points to antivirus has answered your question — just not the way you want it answered.
  • “What logs do you collect from our environment, where are they stored, and how often are they reviewed?” If the answer is vague or amounts to “we look when there’s a problem,” that is a detection gap.
  • “What is your average time from attacker entry to detection for clients you manage?” This is a hard question, and not every provider will have a clean answer. Asking it signals that you understand the right metric.
  • “Can you walk me through the last time you detected a threat in a client environment before the client noticed it themselves?” A provider with real detection capability has stories. A prevention-only provider does not.
  • “How do you monitor for credential misuse and account compromise?” Stolen credentials are the leading initial access vector in breach data year after year. If there is no specific answer, there is no specific capability.
  • “What is your incident response process if we discover an active intrusion?” You want to know whether your IT firm has a documented, practiced response — or whether they will be improvising under pressure when it counts most.

The cybersecurity conversation in small business has been dominated too long by the product pitch — antivirus, firewall, a backup drive. Those tools are necessary but not sufficient. The question that determines outcomes is not “are we protected?” but “how fast would we know if protection failed?” That is the dwell time question, and it is the right one to be asking.

Businesses that understand this distinction — and choose their IT firms accordingly — are the ones that stay out of breach headlines. Not because attackers did not try, but because there was not enough quiet time for the damage to compound. If you want to understand your current exposure, our cybersecurity services team can walk you through a detection gap review. Book a Free Cybersecurity Strategy Call to get started.

Get a Second Opinion

Sometimes the best thing you can do for your business is have someone outside your current vendor relationship take a fresh look. That’s what a strategy call gives you — 20 focused minutes with our team and a no-strings-attached read on what we’d recommend.

Talk to an IT Strategist

Recent Posts

  • IT Services Subcontractor Clauses: Who Is Actually Inside Your Systems?
  • AI Proposal Writing for Small Business: Build a Send-Ready Client Proposal in Under 30 Minutes
  • IT Escalation Path: How to Tell a Real Process From a Verbal Promise
  • Session Token Theft: How Attackers Are Walking Past MFA in 2025
  • AI Account Summary: Stop Losing Client Context Between Meetings

Categories

  • AI for Business
  • Backup & Recovery
  • Blog
  • Business
  • Buyer Guides
  • CMMC
  • Compliance
  • Cybersecurity
  • Healthcare
  • Managed IT
  • News & Analysis
  • Threat Intelligence

Share

FRUSTRATED WITH YOUR CURRENT IT PROVIDER? LET’S TALK.

Get a Free IT Consultation
Xact IT Solutions
  • info@xitx.com
  • +1 856-282-4100
  • 1 Executive Drive Suite 100 Marlton NJ 08053

Follow Us

Quick Links
  • Home
  • Partner Program
  • Why Choose Xact IT Solutions | Xact IT Solutions
  • Contact
Services
  • IT Support
  • Cybersecurity Services for SMBs | Xact IT Solutions
  • IT Compliance
Recent Blogs
  • Supply-Chain Ransomware Attack Impacts 60 Credit Unions
  • Comcast Xfinity Data Breach Exposes 36 Million Customers’ Data
  • Crown Equipment’s Cyberattack: Recovery and Lessons Learned
Copyright © 2026. Website Design by Xact IT Solutions
  • Privacy Policy and Terms & Conditions
  • Home
  • Partner Program
  • Why Choose Xact IT Solutions | Xact IT Solutions
  • Contact