The 2025 ExtraHop Global Threat Landscape Report: The Alarming Reality of Threat Actor Dwell Time and Deeper Network Access

October 21, 2025

A sobering reality is emerging and security leaders can’t afford to ignore it. Despite record-level investments in cybersecurity, attackers are still winning. They’re compromising organizations from inside their own networks, operating with chilling levels of impunity and driving financial losses to record highs.

This reality is starkly proven by the just-released 2025 Global Threat Landscape Report. The comprehensive analysis from ExtraHop explores how adversaries are outsmarting defenses, detailing the evolving tactics they’re leveraging to exploit complexity and blind spots.

As attackers increasingly move through organizations' networks undetected, the report highlights the developments that are enabling them to bypass traditional defenses and compromise systems from the inside, confirming the industry's most alarming trends.

The Attacker’s Advantage

Threat actors are capitalizing on today's expanded and more complex attack surfaces. With the rise of cloud, Kubernetes, remote work, and other technologies, organizations are exposed to more vulnerabilities than ever before. This gives attackers an advantage, allowing them to easily bypass defenses, remain undetected, and have devastating impacts.

According to the 2025 Global Threat Landscape Report, security leaders said public cloud environments, third-party services and integrations, and GenAI applications represented the biggest risk to their organizations.

The accelerated adoption of these technologies introduces complexity at scale, fundamentally challenging established security practices. In these expansive environments, gaining visibility often seems impossible, leaving critical assets exposed. These unmonitored gaps represent reliable targets that threat actors actively exploit to establish a foothold and achieve persistent access.

The Dwell Time Factor

Lack of visibility on the defenders’ side gives attackers the one thing that they need the most: time.

The research found that the average organization takes two full weeks to respond to and contain a security alert, from the initial detection to resolution.

Respondents also reported that ransomware actors likely had access to their systems for two weeks prior to a ransomware incident.

Combined, these two data points mean attackers have plenty of time to conduct reconnaissance, move laterally throughout the network to find higher-value assets, and establish a persistent presence, ultimately enabling more damaging data exfiltration and extortion.

The longer an attacker is in the network, the greater the potential for devastating and costly consequences.

The High Price of Undetected Threats

Bad actors' ability to move freely and go undiscovered within networks is directly reflected in the rising cost of ransomware payments.

Over the past year, the average ransom payment has grown by more than a million dollars to $3.6 million — a number that far outpaces the rate of inflation.

Higher ransom demands effectively put a price tag on the value of the assets that attackers are finding. The longer they remain undetected, the more time they have to identify and target organizations’ premium assets. Higher ransom payments likely indicate that ransomware threat actors are leveraging their access to conduct thorough reconnaissance, prioritizing the data that will command the highest price.

The Gaps Holding Organizations Back

The real question is, “how are attackers pulling this off?”

According to the 2025 Global Threat Landscape Report, visibility is the top challenge hindering organizations’ ability to respond to security threats in a timely manner. 

When lacking complete visibility into the network, organizations are missing the opportunity to detect attackers’ most dangerous weapon — lateral movement.

After gaining access to the network, attackers navigate throughout the network’s east-west corridor to locate, identify, and exfiltrate high-value assets or deploy malware for widespread damage. This lateral movement allows them to escalate privileges, map the network's internal topology, compromise additional user accounts and systems, and ultimately achieve their primary objective, often remaining undetected.

One popular vector enabling lateral movement is compromised credentials, which serve as the primary gateway for attackers in more than 10% of cases, according to the report. Once armed with legitimate user credentials, threat actors can blend in with legitimate network traffic, moving through the infrastructure while appearing as trusted users to security systems.

Empower Your Team with Strategic Insights

We’ve said it once, and we’ll say it again. It’s no longer a matter of if your organization will be breached, but when.

This reality is taking a heavy toll. With organizations reporting 37 hours of downtime per cybersecurity incident, the data confirms a critical failure point. The issue isn't attackers getting in; it's the lack of visibility and of the ability to quickly detect and remediate them once they're inside.

Instead of focusing on the perimeter, organizations need the power to see and immediately stop adversaries who are moving laterally inside the network. This ability to spot in-progress infiltration is the only way to shorten dwell time, limit an attacker's reach, and finally put security teams in a position of control.

For a deeper dive into these findings and other key trends, explore the 2025 ExtraHop Global Threat Landscape Report.

ExtraHop is on a mission to arm security teams to confront active threats and stop breaches. Our RevealX™ 360 platform, powered by cloud-scale AI, covertly decrypts and analyzes all cloud and network traffic in real time to eliminate blind spots and detect threats that other tools miss. Sophisticated machine learning models are applied to petabytes of telemetry collected continuously, helping ExtraHop customers to identify suspicious behavior and secure over 15 million IT assets, 2 million POS systems, and 50 million patient records. ExtraHop is a market share leader in network detection and response with 30 recent industry awards including Forbes AI 50, Cybercrime Ransomware 25, and SC Media Security Innovator.
