Cybersecurity Insights
February 2, 2026
In the first part of this series, we asked a simple question:
Who watches the watchmen?
Not as a reference to heroics, but to oversight.
To blind spots.
To what happens when responsibility is assumed rather than actively observed.
In cybersecurity, one of the clearest answers to that question is time.
Specifically, the time between an attacker entering an environment and anyone truly understanding what is happening.
That gap is known as dwell time.
And it is where most real damage occurs.
This second article focuses on why dwell time continues to grow, why it often goes unnoticed, and how attackers take advantage of the moments when the watchmen are present but clarity has not yet arrived.
This is what it means to watch the watchmen in practice.
Not checking effort, but reducing the time spent operating without understanding.
Initial access is often fast. Automated, opportunistic, sometimes trivial.
What follows is not.
Attackers spend time learning the environment.
They observe patterns.
They wait for moments when activity blends into noise.
During this period, nothing looks dramatic.
Alerts trigger. Logs update. Systems appear operational.
The organisation believes it is secure because nothing obvious is broken.
This is the most dangerous phase of an incident.
Dwell time is not rising because teams are careless or underskilled.
It is rising because modern security operations rely on workflows that are slow by design.
When an alert fires, investigation rarely happens in one place.
Analysts leave the platform to search for context.
They compare findings across tools.
They correlate activity manually.
They prioritise based on judgement rather than certainty.
Each step is reasonable in isolation.
Collectively, they introduce delay.
Investigation becomes fragmented.
Understanding takes time to form.
Confidence arrives late.
And attackers benefit from every minute.
Most environments generate more alerts than teams can realistically triage in real time.
Noise forces prioritisation.
Prioritisation creates backlog.
Backlog creates dwell time.
Early indicators are often subtle.
Low confidence.
Easy to dismiss.
By the time activity escalates into something undeniable, the attacker has already moved laterally, established persistence, or accessed sensitive data.
The breach did not fail.
Detection did.
Many organisations rely on outsourced monitoring to manage alert volume.
This can improve coverage, but it does not automatically reduce dwell time.
Detection and understanding are not the same thing.
Alerts may be seen quickly.
But interpretation, context, and decision-making still take time.
When responsibility is shared across organisational boundaries, delays compound.
Clarification requests.
Escalation thresholds.
Communication lag.
Partial visibility.
The clock keeps running.
Security metrics often focus on activity rather than awareness.
Number of alerts processed.
Tickets closed.
Reports delivered.
These metrics describe effort, not understanding.
The question that matters is simpler.
How quickly could we explain what is happening, not just that something happened?
If that answer takes hours or days, dwell time is already working against you.
If dwell time is the risk, oversight becomes the responsibility.
Not oversight as control.
Not oversight as blame.
But oversight as shared visibility.
In the final part of this series, we explore what that actually looks like in practice.