Attackers can now move from initial access to lateral movement in as little as four minutes, with data exfiltration starting in under 10 minutes in some cases, according to research cited by ReliaQuest and reported by Infosecurity Magazine. The finding points to a sharp reduction in the time defenders have to detect and contain intrusions before attackers spread through an environment or begin stealing data.
The report does not tie the trend to a single malware family or vulnerability. Instead, it describes a broader shift toward AI-assisted and automated workflows that speed up familiar attack steps: phishing, credential theft, reconnaissance, privilege discovery, lateral movement and exfiltration. In practice, that means attackers are not necessarily using new techniques so much as executing old ones faster and at lower cost.
That distinction matters. A four-minute breakout time often suggests attackers already have valid credentials, are abusing identity systems, or are operating in poorly segmented environments. It also reflects the growing use of automation after initial compromise, especially in cloud and SaaS-heavy networks where discovery and data access can happen quickly. Security teams relying on manual triage may simply not have enough time to respond.
The wider industry has been warning about the same pattern. Microsoft’s recent threat reporting has highlighted how AI is improving phishing quality, scaling social engineering and accelerating attacker workflows, especially around identity compromise. ReliaQuest’s figures add urgency to that trend by showing how little time may exist between a successful login and meaningful damage.
For defenders, the takeaway is less about AI hype and more about operational speed. Organizations with exposed remote access, weak MFA, poor visibility, or flat networks face the highest risk when attackers can move in minutes. Faster containment, stronger identity controls, phishing-resistant authentication and tighter segmentation are likely to matter more than any single tool, including a VPN, if attackers are already inside.
ReliaQuest’s claim is based on observed threat activity rather than a named victim case, and the figures may not apply equally across all sectors. Still, the direction is clear: the window between compromise and impact is getting smaller.