TL;DR: Dwell time is the span between first successful credential use and detection, and Unosecur argues it determines how far a breach spreads, how much gets exfiltrated, and how large the legal and reputational bill becomes, using Yahoo and Mandiant data as proof. Shortening that window is now an identity governance problem, not just a SOC metric.
NHIMG editorial — based on content published by Unosecur: Cut your dwell time before it cuts your bottom line
By the numbers:
- Verizon lost $350 million after the Yahoo breach became public.
- Mandiant reported that in 2023, organizations detected intrusions within a median of 10 days, down from 16 days in 2022.
Questions worth separating out
Q: How should security teams reduce attacker dwell time in identity environments?
A: Focus on three levers: high-fidelity logging, real-time alerting, and automated containment.
Q: Why does dwell time matter so much for service accounts and privileged identities?
A: Because privileged identities let attackers do more in less time.
Q: What breaks when organisations rely on periodic log reviews instead of live telemetry?
A: Periodic reviews leave attackers operating unseen between review cycles.
Practitioner guidance
- Centralise identity telemetry: pull cloud, directory, and workload logs into one searchable pipeline so credential misuse can be correlated across systems before an attacker blends in.
- Automate first-response containment: disable suspicious tokens, quarantine workloads, and trigger alert enrichment automatically so analysts are not waiting on manual escalation while access remains live.
- Right-size privileged access: reduce standing admin rights, segment high-value systems, and use just-in-time elevation so a compromised identity cannot move as freely through the environment.
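As an added example (not from this NHIMG post or from Unosecur's article), the following makes the dwell-time definition, the "periodic review vs live telemetry" question, and the centralised-telemetry guidance concrete: constructed events from three sources are merged, correlated per identity, and the resulting dwell time is computed under a weekly-review model and a streaming model. The event schema, baseline addresses and review calendar are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources (not real logs). Each tuple is
# (source, ISO timestamp, principal, action, client IP). The sources use their own
# action names, so they are mapped onto one "successful credential use" notion.
RAW_EVENTS = [
    ("cloud",     "2024-03-01T08:02:00", "svc-backup", "AssumeRole",   "203.0.113.7"),
    ("directory", "2024-03-01T08:05:00", "svc-backup", "LogonSuccess", "203.0.113.7"),
    ("workload",  "2024-03-01T08:40:00", "svc-backup", "ExecCommand",  "203.0.113.7"),
    ("directory", "2024-03-01T09:10:00", "alice",      "LogonSuccess", "10.0.0.5"),
]
SUCCESS_ACTIONS = {"AssumeRole", "LogonSuccess", "ExecCommand"}
# Assumed baseline: the client addresses each identity normally authenticates from.
KNOWN_SOURCES = {"svc-backup": {"10.0.0.12"}, "alice": {"10.0.0.5"}}
# Assumed weekly review calendar for the "periodic log review" detection model.
REVIEW_SCHEDULE = [datetime(2024, 3, 4, 9), datetime(2024, 3, 11, 9)]

def correlate(events=RAW_EVENTS, known=KNOWN_SOURCES):
    """Merge all sources, then flag each principal whose credentials succeed from an
    address outside its baseline. Returns {principal: (first_use, sources_seen)}."""
    first_use, sources = {}, defaultdict(set)
    for source, ts, principal, action, ip in sorted(events, key=lambda e: e[1]):
        if action not in SUCCESS_ACTIONS or ip in known.get(principal, set()):
            continue
        first_use.setdefault(principal, datetime.fromisoformat(ts))
        sources[principal].add(source)
    return {p: (first_use[p], sources[p]) for p in first_use}

def detection_time(first_use, mode, reviews=REVIEW_SCHEDULE, stream_lag=timedelta(minutes=5)):
    """Live telemetry surfaces the misuse after pipeline lag; a periodic review only
    surfaces it at the next scheduled review, however early the misuse began."""
    if mode == "realtime":
        return first_use + stream_lag
    return next(r for r in reviews if r >= first_use)

def dwell_minutes(first_use, detected_at):
    """Dwell time as defined above: first successful credential use to detection."""
    return int((detected_at - first_use).total_seconds() // 60)

def report(events=RAW_EVENTS):
    """Dwell time per flagged principal under both detection models, in minutes."""
    return {
        principal: {mode: dwell_minutes(first, detection_time(first, mode))
                    for mode in ("periodic", "realtime")}
        for principal, (first, _sources) in correlate(events).items()
    }

if __name__ == "__main__":
    print(report())  # {'svc-backup': {'periodic': 4378, 'realtime': 5}}
```

The same identity is correlated across all three sources once the logs sit in one pipeline, and the weekly review leaves roughly three days of live attacker access that the streaming model cuts to minutes.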
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step breakdown of the ten dwell-time levers and how each one affects detection speed
- The Yahoo breach timeline and the specific monitoring mistakes that let attacker activity blend in
- Business impact examples covering acquisition value, litigation, and reputation loss
- Practical logging, alerting, and response tactics for teams that want to reduce dwell time