Average breakout time now just 29 minutes, fastest observed 27 seconds

GenAI accelerates intrusions, enabling rapid credential theft, evasion, and data exfiltration

Adversaries also target AI systems with malicious prompts, exploit zero-days, and expand cloud attacks

Hackers have never moved as fast through corporate networks as they do today, new research has claimed, urging businesses to up their game when it comes to online protection.

The latest CrowdStrike 2026 Global Threat Report found the average breakout time is now just 29 minutes, a 65% increase in speed compared to just a year ago. Hackers are able to do this by employing Generative Artificial Intelligence (GenAI), CrowdStrike said.

Based on internal analysis, the researchers found that the fastest observed breakout ever happened in just 27 seconds. In one intrusion, the process of data exfiltration began four minutes after initial access.

AI arms race

“AI-enabled adversaries increased operations by 89% year-over-year, weaponizing AI across reconnaissance, credential theft, and evasion,” CrowdStrike said.

“Intrusions now move through trusted identities, SaaS applications, and cloud infrastructure, blending into normal activity while compressing defenders’ time to respond. AI is both the accelerant and the target.”

AI systems are themselves a target: CrowdStrike found that crooks are injecting malicious prompts into GenAI tools at more than 90 organizations, while also abusing AI dev platforms.

The prompts generate commands that steal login credentials and send out cryptocurrencies, while AI dev platforms are used to establish persistence and deploy ransomware.

Finally, the report said attackers published malicious AI servers to impersonate trusted services and intercept sensitive data.

The report also stressed that AI now plays a pivotal role in zero-day and cloud exploitation. Almost half (42%) of vulnerabilities were exploited before they were publicly disclosed, while cloud-based incursions rose by more than a third (37%).

State-sponsored threat actors are particularly active in that regard: Russia-affiliated Fancy Bear, Punk Spider, and the North Korean groups Famous Chollima and Pressure Chollima are among those singled out.

Activity among Chinese and North Korean hackers increased 38% last year, CrowdStrike added, saying that they primarily targeted the logistics vertical.

“This is an AI arms race,” said Adam Meyers, head of counter adversary operations at CrowdStrike. “Breakout time is the clearest signal of how intrusion has changed. Adversaries are moving from initial access to lateral movement in minutes. AI is compressing the time between intent and execution while turning enterprise AI systems into targets. Security teams must operate faster than the adversary to win.”

