Lateral movement at AI speed: what your perimeter monitoring missed last quarter

Twenty-two seconds. That is the median time, in 2026, between an attacker landing initial access on your network and handing the access off to a specialist for follow-on activity. Four minutes is the fastest observed lateral movement. The numbers come from Mandiant's M-Trends 2026 report, the largest public dataset of incident-response engagements in the industry. Your SOC's hourly batch-correlation pipeline, your weekly threat-hunting cadence, your quarterly red-team exercise — all of them are calibrated for an attacker speed that does not exist anymore. This piece is about what changed, why, and what your perimeter monitoring needs to look like next quarter to be relevant.

This is the fourth piece in our attack-research series. Where the first three walked specific attack patterns (SSRF, JWT, OAuth), this one walks an industry-wide shift: the operational tempo of attackers has stepped up by two to three orders of magnitude in the past four years, while most defensive infrastructure has not. The implications for SOC architecture, for detection-engineering priorities, and for how your team measures its own performance are substantial.

The numbers that should change your roadmap

Three data points from M-Trends 2026 that we believe should be on the wall of every SOC manager's office.

22 sec

Median time, 2026, between initial access and handoff to follow-on activity. In 2022, the same metric was over eight hours.

4 min

Fastest observed lateral movement from initial endpoint to next system — an 85% drop year-over-year. Average is 34 minutes.

−7 days

Mean time-to-exploit. Negative. Attackers routinely weaponise vulnerabilities before vendors issue patches, using AI-assisted binary analysis and patch-diffing.

The third number is the one most people stumble on. Mean time-to-exploit going negative means that, on aggregate across the data Mandiant analysed, the time between a vulnerability being disclosed and the first observed in-the-wild exploitation is shorter than the time between disclosure and the patch being available. Threat actors are reverse-engineering pre-release patches via patch-diffing tooling, fed through AI that synthesises exploit code in hours rather than weeks. The traditional defender model — "the vendor patches first, we patch second, attackers exploit third" — has the order wrong for the high-value vulnerabilities of 2026.

The second number means that the time you have to detect-and-respond, from the moment an attacker enters your environment to the moment they are inside your crown-jewel systems, is now best measured in minutes, not hours. The fastest observed move was four minutes — from initial-access endpoint to lateral target. The 34-minute average is the steady state. Your hourly batch correlation pipeline, your detection-engineering review-cycle, your "we look at the dashboard every morning" model — all of these were built for an attacker who took eight to twenty hours to do what now takes thirty-four minutes.

The first number means that the same person who got initial access is rarely the person who exploits it. Initial-access brokers (IABs) capture credentials, sessions, or footholds and hand them off to specialist operators within seconds. The handoff is automated, often via Telegram bots and API-driven access marketplaces. Our Q1 2026 IAB pricing breakdown walks the economics in detail.

Why the speed jumped

The collapse from eight hours to twenty-two seconds is not gradual. It is the consequence of three specific industrialisations that hit the threat ecosystem in 2024–2026:

AI-assisted reconnaissance and exploitation. Large language models trained or fine-tuned on offensive-security content, plus tooling that wraps them, have collapsed the time between "I have a foothold" and "I have a working privilege-escalation chain on this specific stack." A task that took a mid-level operator forty-five minutes in 2022 takes the same operator under ten in 2026, because the LLM produces working exploit-code suggestions for the local environment in seconds. The 80% of ransomware operations that Mandiant attributes to AI-tool-using actors are not using LLMs as gimmicks; they are using them as throughput-multipliers on the boring middle of every attack chain.
Marketplace specialisation. The model where one operator does recon, exploitation, lateral movement, and exfiltration is dead. The 2026 model has a recon team selling target lists, an IAB selling footholds, an exploitation team selling chains, a ransomware-as-a-service operator running the encryption, and an extortion team running the negotiation. Each team is best-in-class at their slice. Each handoff is automated. The twenty-two-second metric is the marketplace functioning as designed.
Living-off-the-land tooling at scale. Sophisticated attackers no longer drop bespoke malware that triggers EDR signatures. They use the tools that already exist on the host — PowerShell, WMI, scheduled tasks, Active Directory queries via standard APIs, BloodHound for graph traversal, mimikatz variants that get patched faster than they get deployed, and increasingly, the customer's own deployed monitoring and remote-management agents. Our Storm-2603 Velociraptor write-up documents the canonical case — turning the customer's own DFIR fleet into the ransomware delivery mechanism.

The decision tree at AI speed

THE 2026 ATTACK TIMELINE T+0 Initial access lands (phishing click, exploit, IAB handoff) T+22s Handoff to specialist; foothold confirmed in marketplace T+90s Specialist runs LLM-assisted enumeration on foothold T+3-5m First lateral move attempted; fastest observed: 4 minutes T+15m Privileged credential capture (mimikatz / DCSync / kerberoast) T+34m Average lateral target reached T+1h Domain-wide visibility established T+2-4h Backup-system tampering / shadow-copy deletion T+4-12h Exfil staging (cloud bucket pre-staged via MFA-bypass app password) T+24h Ransomware deployment begins, on-clock for negotiator handoff Defender clock (typical mid-market SOC, 2026): T+0 (no signal) T+1h EDR alert hits queue (avg backlog: 3-6h) T+8h Alert triaged, Tier-2 engaged T+24h Lateral activity correlated, IR retainer engaged T+48-72h Containment begins

A composite view of attacker tempo vs defender tempo in 2026. The gap is structural, not procedural.

The gap is the news. It is not that defenders are doing the wrong things. They are doing the right things at the wrong cadence. An EDR alert that hits a queue with a six-hour backlog is functionally useless against an attacker who completed lateral movement in thirty-four minutes. A weekly threat-hunting cadence catches things three to seven days late. A quarterly red-team exercise tests the perimeter against an attacker who has not existed since 2022.

What changed for defenders — the implications

If the attacker tempo is now in minutes, the defender response model has to change in ways that are uncomfortable for most SOCs we engage with. We will list the four implications we believe matter most, then walk what to do about each.

1. Initial-access detection has to be automated end-to-end, with no human in the critical path.

The window between "phishing click" and "lateral move attempt" is now four to thirty-four minutes. That is shorter than the time it takes for a Tier-1 analyst to look at an alert, decide it is real, escalate to Tier-2, and have Tier-2 begin investigation. The implication is that initial-access containment has to be automated — not "alert and escalate," but "alert and act." Endpoint isolation triggered by high-confidence detections, without human approval. Token revocation triggered by high-confidence credential-theft signatures. The "false positive" cost of these automations is a re-enable, which the user can self-serve. The "false negative" cost is what M-Trends 2026 documents.

2. Identity is the new perimeter, and identity telemetry has to feed detection in real time.

The four-minute lateral move is almost always identity-driven. The attacker uses Kerberos tickets, OAuth tokens, session cookies, API keys, or service-account credentials they captured during initial access. The traditional perimeter telemetry — netflow, firewall logs, DNS queries — sees the lateral move as legitimate authenticated traffic. Identity telemetry (sign-in events, MFA-prompt rates, impossible-travel signals, token-issuance anomalies) sees it as the credential being used from an unusual context. Most mid-market SOCs we audit are still ingesting netflow and firewall logs as their primary telemetry. Identity telemetry is on the backlog, behind the next dashboard refresh.

3. The "find the IOC, block the IOC" model is dead because the attacker is using your tools.

Living-off-the-land attacks do not have IOCs in the traditional sense. The tool is PowerShell, which you cannot block; the technique is WMI subscription, which you cannot block; the credential is the user's own session token. Detection has to shift from "match the bad-string" to "model the good behaviour and alert on deviation." Behavioural analytics — this user typically logs in from this geo, this service-account typically queries this AD, this admin typically uses RDP and not WinRM — produces signal where IOC matching produces silence. The deployment cost of behavioural analytics is real. The cost of not having them in 2026 is bigger.

4. Continuous validation has to replace point-in-time pentesting.

If the attacker tempo is in minutes and time-to-exploit is negative, a quarterly pentest tells you what your security posture looked like fourteen weeks ago, against an attacker who used techniques that are no longer current. By the time the report is written and the findings are remediated, the threat landscape has moved. The model that works against the 2026 attacker is continuous — weekly, daily, ideally on-deploy — validation that the controls that should stop the current generation of attacks actually do stop them. This is the thesis we built CelvexGroup on, and we walk it in detail in our companion piece on the thirty-second exploit-and-fix cycle.

What we observe in customer environments

We are honest about what we see and what we do not. CelvexGroup runs continuous external validation against customer-flagged assets; we do not have post-deployment SOC telemetry for most customers unless they connect it. What we do have visibility into is the external attack surface and the response time when we surface a finding. The relevant data points from our last six months of engagements:

Median time from "we publish a Proof Capsule for a verified finding" to "the customer's engineering team applies the fix" is 8.4 days. The fastest customer is at 14 minutes. The slowest customer is at 41 days. The bimodal distribution is striking; the customers who fix in hours have the right tooling and the right authority, the customers who fix in weeks have neither.
Roughly one in three customers have a documented runbook for "an attacker is mid-lateral-move" that includes automated containment. The other two thirds have a runbook that begins with "page the on-call analyst," which by 2026 attacker tempo is too slow.
Roughly one in five customers have identity telemetry in their primary detection pipeline. The rest have it in a separate dashboard, queryable on demand, but not feeding correlations.
Less than one in twenty customers run continuous validation against their own controls at a cadence shorter than monthly. The rest are at quarterly or annually, which means their understanding of "is this control working" is stale before they are halfway through the next cycle.

The pattern is consistent. The customers who survive contact with the 2026 attacker have automation in the response loop, identity in the telemetry stack, and validation on a cadence shorter than the attacker's. The customers who do not are running the 2018 playbook against a 2026 adversary.

What to do about it — the SOC re-architecting checklist

SOC re-architecting for 2026 attacker tempo

Automated containment for high-confidence initial-access detections. Endpoint isolation, session revocation, MFA re-prompt — without human approval in the critical path. The "false positive cost" is a self-service re-enable; the "false negative cost" is the M-Trends 2026 timeline.
Identity telemetry into your primary correlation pipeline. Sign-in events, MFA-prompt anomalies, impossible-travel, service-account behaviour drift. Not a separate dashboard. The same correlation engine that ingests netflow.
Behavioural baselining on privileged accounts and service accounts. User Behaviour Analytics is not new, but the deployment depth is what matters. Every domain admin, every service account with cross-system access, every break-glass account.
Pre-approved auto-response playbooks for the top ten incident classes. "Phishing click + EDR alert + sign-in from new device" should not require a Tier-2 to read three dashboards before action. Pre-decide; automate; review the audit log weekly.
Continuous validation against your own controls at weekly cadence or shorter. If your understanding of "is the SSO bypass blocked" is the report from last quarter's pentest, that understanding is wrong. Run it weekly. Use signed Proof Capsules so engineering trusts the result.
Lateral-movement detection rules that fire on fast moves, not just unusual destinations. A user who logged into three new machines in three minutes is suspicious regardless of which machines they were. Time-of-flight is the signal.
Detection coverage measured against the current MITRE ATT&CK matrix, not the 2022 vendor coverage claim. See our piece on the measured-vs-claimed MITRE coverage gap; the gap is usually 2x to 5x.
Quarterly tabletop exercises calibrated for 2026 attacker tempo. If your tabletop assumes the SOC has six hours to detect lateral movement, your tabletop is rehearsing for an attacker who does not exist. The new tabletop assumes thirty-four minutes.

If your tabletop assumes the SOC has six hours to detect lateral movement, your tabletop is rehearsing for an attacker who does not exist. The new tabletop assumes thirty-four minutes.

How Celvex catches what the SOC misses

Find. Prove. Fix. Verify.

Find

Continuous external validation runs the attacker decision tree against every flagged asset on a sub-weekly cadence. We surface initial-access vectors before the IAB marketplace prices them.

Prove

Each finding ships as a Proof Capsule with a working PoC. The customer's engineer reproduces the exploit in their own environment, in seconds, with their own eyes.

Fix

Capsule remediation is scoped to the affected control and the affected asset. The fix-list is engineering-grade, not policy-grade.

Verify

After the fix lands, the same Capsule's replay primitive runs again. Pass = control held. Fail = re-engage. The cycle is sub-hour.

We are honest that CelvexGroup does not solve the SOC's behavioural-analytics problem, the identity-telemetry problem, or the automated-containment problem. We solve the validation problem — do the controls you think are working actually stop the current generation of attacks — and we solve it at a cadence that matches 2026 attacker tempo. L1.5 today is continuous external validation with signed Proof Capsules; L2 in 90 days extends to chain-validation across multiple connected findings; L3 in twelve months autonomously synthesises new probes against unfamiliar customer infrastructure. The thesis is the cycle: Find. Prove. Fix. Verify. Run it weekly. Run it on every deploy. Run it the way the attacker runs it — continuously, at machine speed, with no human in the critical path.

Bottom line

The Mandiant data is not a forecast. It is a measurement. Twenty-two-second handoffs, four-minute lateral moves, negative time-to-exploit — these are what the threat ecosystem is doing right now, in the customers' environments. Defenders whose architectural assumptions are calibrated for the 2022 attacker are not protecting their organisation; they are documenting the breach for the post-mortem. The rebuild is uncomfortable, expensive, and necessary. The continuous-validation piece is the smallest, fastest, highest-leverage component of it. We can ship that piece this week. The rest of the rebuild is a six-to-twelve-month programme that someone in your organisation has to own.

Verifiable security. That is what we ship. The rest is up to your team.

Sources

How fast does your perimeter actually break?

Free Exposure Check — sixty seconds, no signup. We probe your external attack surface the way an IAB does, and ship a signed Proof Capsule for the highest-confidence finding so your team can verify the timeline themselves.

Run a Free Scan →