Why "Dwell Time" is the Most Dangerous Metric in Your Network
Imagine someone has been living in your house for the last three months undetected…
They haven’t stolen the TV yet, and they haven’t changed the locks. Instead, they’ve been quietly mapping out your floor plan, finding where you keep your most prized possessions, and noting all of your security habits, passwords and behaviours.
In cybersecurity terms, this quiet and undetected invasion is known as “dwell time.”
What is "dwell time"?
Dwell time refers to the amount of time a cyber attacker remains undetected inside a network or system. As we are experiencing first-hand in 2026, the gap between an initial breach and its discovery has become a major headache for Australian businesses.
The longer an attacker lingers, the higher the cost and reputational damage of the breach. In the 2024–2025 financial year alone, the average self-reported cost of cybercrime for Australian businesses jumped by 50%. For large organisations, costs spiked by 219%, bringing the average incident cost to roughly $202,700!
Dwell times differ based on intent and (im)patience
Some reports indicate that the average dwell time for cybersecurity intrusions in Australia sits at approximately 82 days. However, this figure can fluctuate wildly based on the attacker's intended goal.
According to research from the Australian Cyber Security Centre (ACSC) and backed by private sector intelligence, different threats move at different speeds:
Spoofing & Ransomware | “The Sprinters.”
These attackers tend to have the shortest dwell time, averaging 31 days - just shy of the average log report length. Because ransomware is inherently designed to be noticeably loud and disruptive, attackers want to be found so they can demand payment quickly.
General Malware | “The Squatters.”
Commonly, these infiltrators sit undetected for an average of 146 days before making themselves known. These Squatters frequently initiate direct extortion attempts, or in some cases they sell their access to higher-level threat actors to create damage.
Cyber Espionage | “The Phantoms.”
The true “ghosts in the machine”, these malicious entities have been known to maintain access for an average of 404 days, prioritising stealth and “data exfiltration”, e.g. transferring, amending or removing information. With long-term goals in mind, they intend to remain undetected for as long as possible.
The varying length of time between the point of infiltration and an incident being detected is creating a massive detection gap for businesses. Coupled with the speed at which the damage can occur, if your team relies on manual log reviews or weekly audits, chances are the attacker has already caused some damage before you’ve even received an alert.
Why are these cyber threats staying undetected?
Industry research indicates that there are three primary reasons why Australian businesses struggle to pick up and evict these insidious threats until it's too late.
Short Log Retention: Many SMEs only keep 30 days of network logs. If, for example, a threat is detected on day 40, the evidence of how they got in is already gone. Without a historical record, it is much more difficult to identify the initial point of entry or determine the full extent of the lateral movement that occurred before the logs were overwritten, and businesses are left unable to perform effective root-cause analysis.
Alert Fatigue: Many Australian security teams are drowning in notifications, receiving an average of hundreds to thousands of alerts per day. These critical signals of a breach are often buried under a mountain of "low-priority" noise, and an innocuous-looking alert can hide a much bigger, underlying threat.
Living-off-the-Land (LOTL): Attackers who have gained access are often using legitimate administrative tools already in your system, making their movements look like normal employee activity.
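To make the short log retention problem concrete, the following added example (not part of the original article) measures how far back each log source actually reaches and lists the threat profiles whose average entry date would already have been overwritten. The log line format, source names and timestamps are constructed for illustration; the dwell-time figures are the averages quoted in this article.

```python
from datetime import datetime

# Average dwell times in days, as quoted in this article.
DWELL_DAYS = {"ransomware": 31, "overall_average": 82,
              "general_malware": 146, "espionage": 404}

# Constructed sample: "<UTC timestamp> <source> <message>" (hypothetical format).
SAMPLE_LOGS = """\
2026-02-09T00:00:00Z firewall action=allow src=10.0.0.5
2026-03-01T08:15:00Z firewall action=deny src=10.0.0.9
2025-09-12T00:00:00Z identity event=login user=alice
2026-03-10T23:59:00Z identity event=login user=bob
2026-02-24T11:00:00Z endpoint event=process_start host=ws-01
not-a-timestamp endpoint truncated line
"""
DETECTED_AT = datetime(2026, 3, 11)  # constructed detection date

def oldest_per_source(log_text):
    """Return {source: oldest timestamp seen}, skipping malformed lines."""
    oldest = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        src = parts[1]
        if src not in oldest or ts < oldest[src]:
            oldest[src] = ts
    return oldest

def coverage_gaps(log_text, detected_at, dwell_days=DWELL_DAYS):
    """Per source: days of history retained, and the threat profiles whose
    average dwell time reaches back further than that history."""
    gaps = {}
    for src, first in oldest_per_source(log_text).items():
        retained = (detected_at - first).days
        missing = sorted(n for n, d in dwell_days.items() if d > retained)
        gaps[src] = {"retained_days": retained, "entry_not_covered": missing}
    return gaps

if __name__ == "__main__":
    for src, info in coverage_gaps(SAMPLE_LOGS, DETECTED_AT).items():
        print(src, info)
```

A source with 30 days of history cannot show the entry point for any of the profiles above, while the 180-day source still covers everything except the espionage average.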
In cybersecurity, time equals money. The 2024–2025 financial year saw the average self-reported cost of cybercrime for Australian businesses jump by 50%. For large organisations, costs spiked by 219%, bringing the average incident cost to roughly $202,700 (ACSC, 2025).
So, what can we do about these invisible intruders?
To reduce the threat of dwell time, we’re urging all Australian organisations to pivot to multi-pronged defence packages, such as our Triple Threat Defence Stack, instead of a single antivirus or EDR subscription. The goal is not only to equip your workforce to prevent these threats, but also to ensure that if a threat actor gets in, their stay is identified and neutralised in minutes, not months.
24/7 Managed Detection & Remediation (MDR): Continuous monitoring and advanced endpoint detection technology (EDR) ensure that a threat detected, even in the early hours of the morning, is caught, treated and remediated before the breakout window closes.
Managed Identity Threat Detection Response (ITDR): ITDR moves beyond traditional phishing and antivirus tools that monitor behaviour, catching the "stealth" hackers who don't use traditional malware, and monitoring and isolating compromised accounts before they can cause any more damage.
Cyber Security Awareness Training (CSAT): Equips employees to recognise and respond to threats like phishing, scams and social engineering, helping reduce human error and strengthen your organisation’s overall security posture.