Organizations are detecting and containing attacks faster as the global median dwell time, defined as the duration between the start of a cyber intrusion and it being identified, was 56 days. This is 28% lower than the 78-day median observed in the previous year, according to FireEye.

Consultants attribute this trend to organizations improving their detection programs, as well as changes in attacker behaviors such as the continued rise in disruptive attacks (e.g. ransomware and cryptocurrency miners) which often have shorter dwell times than other attack types.