By NHI Mgmt Group Editorial Team | Published 2026-06-04 | Domain: Governance & Risk | Source: Unosecur

TL;DR: Dwell time is the span between first successful credential use and detection, and Unosecur argues it determines how far a breach spreads, how much gets exfiltrated, and how large the legal and reputational bill becomes, using Yahoo and Mandiant data as proof. Shortening that window is now an identity governance problem, not just a SOC metric.


At a glance

What this is: An analysis of attacker dwell time and how delayed detection turns identity compromise into larger financial, legal, and reputational damage.

Why it matters: IAM, NHI, and human identity teams all influence how quickly misuse is seen, contained, and reduced to a limited blast radius.


👉 Read Unosecur's analysis of how dwell time drives breach cost


Context

Attacker dwell time is the period between first successful credential use and detection. In practice, it is the window in which identity controls either contain misuse quickly or allow an intruder to blend into ordinary access patterns. For IAM, NHI, and PAM teams, dwell time is a measurable sign of whether identity telemetry is actually working.

The article frames dwell time as a business cost multiplier because every extra hour increases the chance of privilege escalation, lateral movement, exfiltration, and audit-log tampering. That makes it relevant to identity programmes across human accounts, service accounts, and privileged non-human identities, especially where access is granted faster than it is reviewed.

The Yahoo example is treated as the cautionary extreme: long-lived, poorly observed access turned a breach into a years-long compromise. That starting position is atypical, but the governance lesson is common across modern environments.


Key questions

Q: How should security teams reduce attacker dwell time in identity environments?

A: Focus on three levers: high-fidelity logging, real-time alerting, and automated containment. Centralise identity and cloud telemetry, tune detections for credential misuse, and disable suspicious sessions or tokens without waiting for manual approval. The goal is to shrink the window between first successful access and containment so attackers have less time to escalate or exfiltrate data.

Q: Why does dwell time matter so much for service accounts and privileged identities?

A: Because privileged identities let attackers do more in less time. A compromised service account, admin token, or root credential can reach sensitive systems immediately and often looks legitimate in logs. That makes detection harder and increases blast radius. Short dwell time matters most where access is broad, persistent, or poorly segmented.

Q: What breaks when organisations rely on periodic log reviews instead of live telemetry?

A: Periodic reviews leave attackers operating unseen between review cycles. Forged cookies, stolen secrets, and abnormal admin actions can blend into normal traffic long enough to enable lateral movement and exfiltration. Live telemetry gives defenders a chance to contain abuse while the attacker is still active, rather than after damage has accumulated.

Q: Who is accountable when prolonged identity misuse leads to a breach?

A: Accountability usually sits with the teams that own identity governance, telemetry coverage, and incident response. NIST CSF and similar frameworks expect organisations to monitor access, detect anomalies, and contain incidents quickly. If review cycles, privilege design, or response ownership are unclear, prolonged misuse becomes a governance failure as well as a security one.


Technical breakdown

What dwell time measures in identity security

Dwell time measures the interval between an attacker’s first successful use of stolen or misused credentials and the point at which defenders detect and contain that activity. It is not the same as total breach duration, because the clock starts after access is already working. In identity-centric environments, the attacker often looks like a legitimate user or workload, which is why logging quality, correlation, and response speed matter more than perimeter controls. The shorter the interval, the less time an intruder has to pivot through trusted access paths.

Practical implication: measure dwell time alongside detection latency so identity teams can see where visibility breaks down.

Why telemetry gaps extend attacker stay

Telemetry gaps let intruders hide inside ordinary identity activity. If key services are not logged, or logs are reviewed only periodically, forged cookies, stolen API keys, and over-privileged admin actions can blend into normal traffic for days or longer. Real-time analytics changes the defender’s position by turning raw events into actionable alerts while the attacker is still active. This is especially important for non-human identities, where machine-to-machine access can produce a high volume of legitimate-looking events with little human review.

Practical implication: centralise high-fidelity identity and cloud logs, then alert on misuse as it happens.
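The two measurements above, dwell time and detection latency, are easy to state and easy to lose in practice. The following Python script is an added example written for this summary (it is not Unosecur's or NHI Mgmt Group's tooling) showing how to derive both from centralised identity telemetry. It builds a per-credential baseline of source addresses and actions from a known-good window, flags later successful use that departs from that baseline, then reports dwell time (first flagged use to the containment event) and detection latency under two models: live alerting, where the alert fires on the event itself, and a daily periodic review. The JSON event lines, the field names, the baseline cutoff and the 09:00 UTC review schedule are all constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed identity telemetry (not from the article): one JSON event per line,
# as a centralised pipeline might emit after normalising cloud and workload logs.
# key-7a1 is a service-account API key that is later used from an unfamiliar
# address and for actions it has never performed; sess-42 is the analyst session
# that eventually revokes it.
SAMPLE_EVENTS = """
{"ts": "2026-05-01T08:00:00Z", "principal": "svc-billing", "cred_id": "key-7a1", "src_ip": "10.20.0.5", "action": "ReadInvoice", "outcome": "success"}
{"ts": "2026-05-01T08:05:00Z", "principal": "svc-billing", "cred_id": "key-7a1", "src_ip": "10.20.0.5", "action": "ReadInvoice", "outcome": "success"}
{"ts": "2026-05-02T10:00:00Z", "principal": "svc-billing", "cred_id": "key-7a1", "src_ip": "10.20.0.5", "action": "ReadInvoice", "outcome": "success"}
{"ts": "2026-05-03T03:00:00Z", "principal": "svc-billing", "cred_id": "key-7a1", "src_ip": "203.0.113.9", "action": "ReadInvoice", "outcome": "success"}
{"ts": "2026-05-03T03:30:00Z", "principal": "svc-billing", "cred_id": "key-7a1", "src_ip": "203.0.113.9", "action": "ListSecrets", "outcome": "success"}
{"ts": "2026-05-03T04:10:00Z", "principal": "svc-billing", "cred_id": "key-7a1", "src_ip": "203.0.113.9", "action": "AttachAdminPolicy", "outcome": "success"}
{"ts": "2026-05-04T03:00:00Z", "principal": "analyst.j", "cred_id": "sess-42", "src_ip": "10.20.0.77", "action": "RevokeCredential", "target_cred": "key-7a1", "outcome": "success"}
"""

# Assumption: everything before this cutoff is treated as known-good baseline.
BASELINE_CUTOFF = datetime.fromisoformat("2026-05-02T12:00:00+00:00")


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with timezone-aware timestamps, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Per credential: the source addresses and actions seen during the baseline window."""
    baseline = {}
    for ev in events:
        if ev["ts"] < cutoff and ev["outcome"] == "success":
            entry = baseline.setdefault(ev["cred_id"], {"ips": set(), "actions": set()})
            entry["ips"].add(ev["src_ip"])
            entry["actions"].add(ev["action"])
    return baseline


def flag_misuse(events, baseline, cutoff):
    """Return (event, reasons) for successful post-baseline use that departs from the baseline."""
    flagged = []
    for ev in events:
        if ev["ts"] < cutoff or ev["outcome"] != "success":
            continue
        known = baseline.get(ev["cred_id"])
        if known is None:
            continue  # never seen in the baseline window; a real pipeline would treat this as its own alert
        reasons = []
        if ev["src_ip"] not in known["ips"]:
            reasons.append("new source " + ev["src_ip"])
        if ev["action"] not in known["actions"]:
            reasons.append("new action " + ev["action"])
        if reasons:
            flagged.append((ev, reasons))
    return flagged


def next_periodic_review(ts, review_hour_utc=9):
    """When a once-a-day log review would first look at an event that happened at ts."""
    candidate = ts.replace(hour=review_hour_utc, minute=0, second=0, microsecond=0)
    if candidate <= ts:
        candidate += timedelta(days=1)
    return candidate


def containment_time(events, cred_id):
    """Timestamp of the successful revocation of cred_id, or None if it was never contained."""
    for ev in events:
        if ev["action"] == "RevokeCredential" and ev.get("target_cred") == cred_id and ev["outcome"] == "success":
            return ev["ts"]
    return None


def dwell_metrics(events, cutoff, review_hour_utc=9):
    """Per flagged credential: dwell time to containment and detection latency under live vs periodic review."""
    flagged = flag_misuse(events, build_baseline(events, cutoff), cutoff)
    metrics = {}
    for ev, reasons in flagged:  # flagged is time-ordered, so the first hit per credential is the first misuse
        cred = ev["cred_id"]
        if cred in metrics:
            metrics[cred]["flagged_events"] += 1
            continue
        first = ev["ts"]
        contained = containment_time(events, cred)
        metrics[cred] = {
            "first_misuse": first,
            "contained_at": contained,
            "first_reasons": reasons,
            "flagged_events": 1,
            "dwell_hours": None if contained is None else (contained - first).total_seconds() / 3600,
            "detection_latency_hours": {
                "live": 0.0,  # the alert fires on the first anomalous event itself
                "periodic_review": (next_periodic_review(first, review_hour_utc) - first).total_seconds() / 3600,
            },
        }
    return metrics


if __name__ == "__main__":
    for cred, m in dwell_metrics(parse_events(SAMPLE_EVENTS), BASELINE_CUTOFF).items():
        print(cred, m)
```

In the constructed data the key is misused at 03:00 UTC and revoked exactly a day later, so dwell time is 24 hours regardless of the detection model; what changes is detection latency, zero for live alerting against six hours for a 09:00 daily review, and in a real environment every hour of that latency is added to dwell time because containment cannot start until someone sees the alert.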

How privilege level changes blast radius

Privilege level determines how much damage an intruder can do before detection. A root credential, domain-admin token, or over-scoped service account compresses the attacker’s work because it opens more systems with fewer steps. Lower-privilege access may still be abused, but it usually creates more friction and more observable control points. Least privilege, segmentation, and just-in-time elevation reduce the number of silent paths an attacker can take, which makes abnormal behaviour easier to see and contain.

Practical implication: right-size privileged access and use just-in-time elevation to shrink the attacker’s reach.


Threat narrative

Attacker objective: The attacker aims to stay invisible long enough to extract data, expand access, and convert a single foothold into a costly enterprise breach.

  1. Entry occurs when an attacker successfully uses stolen or misused credentials, such as forged cookies or exposed admin access, to operate as a trusted identity.
  2. Escalation follows when the intruder abuses privileged utilities, over-privileged roles, or weak telemetry to expand reach without triggering obvious alarms.
  3. Impact arrives when the long undetected window enables data siphoning, log tampering, lateral movement, and larger legal or financial losses.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Dwell time is an identity governance failure, not just a detection metric. Once attackers are using valid credentials, the question becomes how quickly identity controls expose the misuse before it compounds. That makes logging depth, review cadence, and containment speed central governance issues rather than backend SOC details. The practitioner conclusion is simple: if identity activity cannot be observed in time, it cannot be governed in time.

Standing privilege is the real accelerant behind long dwell time. The article’s Yahoo example shows that trusted admin access can let adversaries move quietly inside normal traffic for extended periods. This is exactly where the NHI problem becomes visible, because over-privileged service accounts and unmonitored admin utilities give attackers durable reach. Practitioners should treat privilege persistence as a blast-radius amplifier.

Identity blast radius is the named concept this article sharpens. The longer misuse goes undetected, the more systems, logs, and records an attacker can touch before containment. That concept connects human admin access, NHI credentials, and privileged automation under one governance lens. The practitioner takeaway is to manage not only who has access, but how much damage any single identity can do before discovery.

Periodic review models are too slow for machine-speed abuse. The article contrasts periodic log review with live telemetry, and that gap matters because attackers do not wait for review cycles. In NHI-heavy environments, the same delay allows secrets, tokens, and service accounts to remain exploitable while teams think access is under control. The practitioner conclusion is that governance must assume continuous misuse detection, not scheduled inspection.

Shorter dwell time changes valuation, liability, and recovery cost. The Yahoo case shows that the financial impact of identity compromise grows with each undetected hour. That links IAM discipline directly to business resilience, not just technical hygiene. For practitioners, the implication is that identity telemetry and response speed should be measured as enterprise risk controls.

From our research:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
  • If dwell time is your control gap, the 52 NHI breaches Report helps you map how compromised identities turn into repeatable breach patterns.

What this signals

Identity blast radius should become a standard programme metric, because the question is no longer whether access can be granted, but how much damage a compromised identity can do before containment. With 72% of organisations having experienced or suspecting a breach of non-human identities, per The 2024 ESG Report: Managing Non-Human Identities, the governance gap is already operational.

Teams should expect board-level scrutiny to shift from preventive controls alone toward detection speed, containment speed, and privilege scope. That is especially true where machine identities and human admin paths intersect, because dwell time exposes whether the environment is governed as a live system or a periodic review exercise.

The next maturity jump is not more logs, but better decisioning on identity events. Pair telemetry with automated response, and use the 52 NHI breaches Report to compare your assumptions against real compromise patterns.


For practitioners

  • Centralise identity telemetry: Pull cloud, directory, and workload logs into one searchable pipeline so credential misuse can be correlated across systems before an attacker blends in.
  • Automate first-response containment: Disable suspicious tokens, quarantine workloads, and trigger alert enrichment automatically so analysts are not waiting on manual escalation while access remains live.
  • Right-size privileged access: Reduce standing admin rights, segment high-value systems, and use just-in-time elevation so a compromised identity cannot move as freely through the environment.
  • Shorten session and key lifetimes: Use brief token lifetimes, frequent key rotation, and re-authentication checkpoints to force attackers to re-compromise access before they can keep using it.
  • Measure detection against real misuse paths: Test how quickly your team spots forged cookies, stolen API keys, and over-privileged service accounts so you know whether dwell time is shrinking in practice.
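The lifetime, rotation and just-in-time points in the list above can be turned into a check that runs against a credential inventory. The Python below is an added example written for this summary (not Unosecur's or NHI Mgmt Group's tooling): it evaluates each API key and session against a lifetime policy, lists the action that is due (rotate, revoke, reauth, or a standing-admin finding), and reports the reuse window, meaning how many hours a holder of that credential could keep using it before policy forces a new authorisation event. The policy values, the credential records, the scope naming and the `elevation` field are all constructed assumptions.

```python
from datetime import datetime, timedelta


def _ts(s):
    """Parse an ISO 8601 UTC timestamp ending in Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed lifetime policy (an assumption for this example, not the article's values).
POLICY = {
    "api_key_max_age_days": 30,          # keys older than this must be rotated
    "session_max_lifetime_hours": 8,     # sessions end here regardless of activity
    "session_reauth_interval_hours": 1,  # re-authentication checkpoint
    "admin_scopes_require_jit": True,    # admin scope only through just-in-time elevation
}

# Constructed credential inventory: two service-account API keys and two admin sessions.
CREDENTIALS = [
    {"id": "key-7a1", "kind": "api_key", "principal": "svc-billing", "last_rotated": "2026-03-01T00:00:00Z",
     "scopes": ["billing:read"], "elevation": "standing", "expires": None},
    {"id": "key-9c2", "kind": "api_key", "principal": "svc-reports", "last_rotated": "2026-05-20T00:00:00Z",
     "scopes": ["reports:read"], "elevation": "standing", "expires": None},
    {"id": "sess-42", "kind": "session", "principal": "analyst.j", "issued": "2026-06-01T07:00:00Z",
     "last_reauth": "2026-06-01T07:00:00Z", "scopes": ["iam:admin"], "elevation": "standing", "expires": None},
    {"id": "sess-77", "kind": "session", "principal": "oncall.k", "issued": "2026-06-01T11:30:00Z",
     "last_reauth": "2026-06-01T11:30:00Z", "scopes": ["iam:admin"], "elevation": "jit",
     "expires": "2026-06-01T12:30:00Z"},
]
NOW = _ts("2026-06-01T12:00:00Z")  # constructed evaluation time


def is_admin_scope(scopes):
    """Scope convention assumed here: '*' or anything ending in ':admin' is administrative."""
    return any(s == "*" or s.endswith(":admin") for s in scopes)


def hours_until(deadline, now):
    """Hours before policy forces a new authorisation event; 0 if that point has already passed."""
    return max(0.0, (deadline - now).total_seconds() / 3600)


def evaluate_credential(cred, policy, now):
    """Return the actions due for one credential and its remaining reuse window in hours."""
    actions = []
    deadlines = []
    if cred["kind"] == "api_key":
        rotate_by = _ts(cred["last_rotated"]) + timedelta(days=policy["api_key_max_age_days"])
        deadlines.append(rotate_by)
        if now >= rotate_by:
            actions.append("rotate")
    elif cred["kind"] == "session":
        end_by = _ts(cred["issued"]) + timedelta(hours=policy["session_max_lifetime_hours"])
        reauth_by = _ts(cred["last_reauth"]) + timedelta(hours=policy["session_reauth_interval_hours"])
        deadlines += [end_by, reauth_by]
        if now >= end_by:
            actions.append("revoke")
        elif now >= reauth_by:
            actions.append("reauth")
    if cred.get("expires"):  # just-in-time grants carry their own expiry
        deadlines.append(_ts(cred["expires"]))
    if policy["admin_scopes_require_jit"] and is_admin_scope(cred["scopes"]) and cred["elevation"] != "jit":
        actions.append("standing_admin")
    return {"actions": actions, "reuse_window_hours": hours_until(min(deadlines), now)}


def evaluate_credentials(creds, policy, now):
    """Evaluate a whole inventory, keyed by credential id."""
    return {c["id"]: evaluate_credential(c, policy, now) for c in creds}


if __name__ == "__main__":
    for cred_id, result in evaluate_credentials(CREDENTIALS, POLICY, NOW).items():
        print(cred_id, result)
```

The reuse window is the number to watch: a key that is 92 days old against a 30-day policy, or a standing admin session four hours past its re-authentication checkpoint, both report a window of zero because policy should already have forced a fresh authorisation, while the just-in-time session reports 30 minutes because its grant expires then. Any credential with a long or unbounded window is one an attacker could keep reusing without tripping a new authorisation event, which is the standing-privilege condition this post describes.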

Key takeaways

  • Dwell time is the period in which valid access becomes breach impact, so identity governance determines how far attackers can go before containment.
  • Yahoo shows how years of undetected access can translate into massive financial and reputational damage, while modern detection still leaves days for abuse.
  • Practitioners should reduce standing privilege, improve telemetry, and automate containment so identity misuse is caught before it becomes enterprise-scale loss.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is central to reducing dwell time and spotting identity misuse early.
OWASP Non-Human Identity Top 10 | NHI-01 | Stolen or over-privileged NHI credentials are the main foothold in prolonged dwell-time breaches.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least privilege and segmentation reduce the reach of compromised identities.

Apply least-privilege enforcement and segmentation to limit what one compromised identity can reach.


Key terms

  • Dwell Time: The length of time an attacker remains active in an environment after first successful access and before detection or containment. In identity-heavy environments, it reflects how well logs, analytics, and response processes can expose misuse before the intruder can expand access.
  • Identity Blast Radius: The amount of damage a single compromised identity can cause before defenders stop it. It is shaped by privilege scope, segmentation, session lifetime, and response speed. Smaller blast radius means fewer systems, records, and controls are exposed during a breach.
  • Standing Privilege: Persistent access that remains available even when it is not actively needed. For service accounts, admin roles, and other non-human identities, standing privilege creates a wider window for misuse because attackers can reuse access without first forcing a new authorisation event.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step breakdown of the ten dwell-time levers and how each one affects detection speed
  • The Yahoo breach timeline and the specific monitoring mistakes that let attacker activity blend in
  • Business impact examples covering acquisition value, litigation, and reputation loss
  • Practical logging, alerting, and response tactics for teams that want to reduce dwell time

👉 The full Unosecur article covers the Yahoo case, dwell-time levers, and the cost of delayed detection.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org