In his talk at Zero Trust World 2026, cybersecurity researcher Marcus Hutchins explored a major change in how cyberattacks are unfolding: the collapse of “dwell time.” Dwell time is the period between an attacker gaining access to a system and launching a major attack like ransomware. For years, defenders relied on this delay to detect and remove malware before attackers could escalate privileges or spread across a network.
Hutchins, known online as MalwareTech and widely recognized for discovering the kill switch that halted the global WannaCry ransomware outbreak in 2017, argues that this defensive window is quickly shrinking.
Attackers use credential-stealing malware and direct access techniques that allow them to move from initial compromise to widespread network control far faster than traditional security workflows can respond.
Why It Matters: Many security operations processes still assume defenders have time to investigate alerts before taking action. But attackers can now move across networks far faster than traditional investigation workflows allow, making speed one of the most critical factors in cyber defense.
- Older ransomware attacks included a long observation phase: In earlier attack models, a system might be infected by malware that quietly communicated with a botnet for days, weeks, or longer. During this period, attackers evaluated whether the organization was a profitable target and sometimes sold access to ransomware groups. This delay gave defenders time to detect suspicious activity and remove the infection.
- That “dwell time” window is disappearing: Attackers increasingly bypass the botnet phase by gaining direct access through exploits, targeted phishing, or supply-chain compromises. Without the waiting period between infection and attack, defenders have far less time to detect suspicious activity before attackers begin moving laterally and escalating privileges.
- Infostealers now play a central role in initial access: Hutchins describes infostealer malware as one of the dominant tools in cybercrime. These programs quickly collect stored credentials from infected systems and send them to attacker infrastructure, often in under a second, making it nearly impossible for defenders to intervene before the data is stolen.
- Security operations workflows often slow down response: Many organizations rely on endpoint detection alerts that must be reviewed by SOC analysts before any action occurs. Because alerts can produce false positives, teams hesitate to automatically isolate systems. This multi-step triage process can take hours, giving attackers time to expand their foothold inside a network.
- Immediate containment may be necessary to keep up with attackers: Hutchins suggests reversing the typical response process: temporarily isolate systems as soon as serious alerts appear, then investigate afterward. If the alert is benign, the restrictions can be removed. Combined with better alert quality and zero-trust architecture, this approach could reduce the time attackers have to move within a network.
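The contain-first workflow in the last two points is easy to state and easy to get wrong in practice, so here is an added, runnable sketch of it (illustrative code written for this page, not Hutchins' or The National CIO Review's): a small policy that isolates a host immediately when an alert clears both a severity and a detector-confidence threshold, queues everything else for analyst review, records how many seconds passed between the detector seeing the activity and the host being cut off, and lifts the isolation when the later investigation returns a benign verdict. The alert names, hosts, thresholds and timestamps are constructed for the demo; the `ContainFirstPolicy` class and its methods are hypothetical and do not model any particular EDR product.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Alert:
    alert_id: str
    host: str
    rule: str            # hypothetical detection rule name
    severity: Severity
    confidence: float    # detector's own confidence, 0.0..1.0
    observed_at: datetime


@dataclass
class Containment:
    host: str
    alert_id: str
    observed_at: datetime
    isolated_at: datetime
    released_at: Optional[datetime] = None
    verdict: Optional[str] = None

    def delay_seconds(self) -> float:
        """Seconds from the detector seeing the activity to the host being isolated."""
        return (self.isolated_at - self.observed_at).total_seconds()


class ContainFirstPolicy:
    """Isolate first on high-severity, high-confidence alerts; queue the rest for review.

    Isolation is reversible: a benign verdict lifts it. Every decision is recorded so the
    after-the-fact investigation has a timeline to work from.
    """

    def __init__(self, min_severity: Severity = Severity.HIGH, min_confidence: float = 0.8):
        self.min_severity = min_severity
        self.min_confidence = min_confidence
        self.isolated: Dict[str, Containment] = {}
        self.review_queue: List[Alert] = []
        self.history: List[Containment] = []

    def should_isolate(self, alert: Alert) -> bool:
        # Both gates must hold: alert quality is what makes automatic action tolerable.
        return (alert.severity.value >= self.min_severity.value
                and alert.confidence >= self.min_confidence)

    def handle(self, alert: Alert, now: datetime) -> str:
        """Return the decision taken for this alert: isolated, queued, or already-isolated."""
        if alert.host in self.isolated:
            return "already-isolated"
        if self.should_isolate(alert):
            self.isolated[alert.host] = Containment(alert.host, alert.alert_id, alert.observed_at, now)
            return "isolated"
        self.review_queue.append(alert)
        return "queued"

    def resolve(self, host: str, verdict: str, now: datetime) -> Containment:
        """Apply the analyst's verdict. 'benign' releases the host; any other verdict keeps it isolated."""
        containment = self.isolated[host]
        containment.verdict = verdict
        if verdict == "benign":
            containment.released_at = now
            del self.isolated[host]
        self.history.append(containment)
        return containment


def run_demo() -> dict:
    """Run the policy over three constructed alerts (not real telemetry) and summarise the outcome."""
    t0 = datetime(2026, 1, 15, 9, 0, 0, tzinfo=timezone.utc)
    policy = ContainFirstPolicy()
    alerts = [
        Alert("a-1", "ws-01", "credential-store-read", Severity.CRITICAL, 0.95, t0),
        Alert("a-2", "ws-02", "unusual-script-interpreter", Severity.MEDIUM, 0.55, t0 + timedelta(seconds=5)),
        Alert("a-3", "ws-01", "outbound-to-rare-domain", Severity.HIGH, 0.90, t0 + timedelta(seconds=8)),
    ]
    # Assume the automation acts two seconds after each alert is observed.
    decisions = [policy.handle(a, a.observed_at + timedelta(seconds=2)) for a in alerts]
    # Twenty minutes later the analyst finds a-1 was a sanctioned password-manager sync.
    released = policy.resolve("ws-01", "benign", t0 + timedelta(minutes=20))
    return {
        "decisions": decisions,                          # ["isolated", "queued", "already-isolated"]
        "contain_delay_s": released.delay_seconds(),     # 2.0
        "released": released.released_at is not None,    # True
        "queued": len(policy.review_queue),              # 1
        "still_isolated": sorted(policy.isolated),       # []
    }


if __name__ == "__main__":
    print(run_demo())
```

The two thresholds in `should_isolate` are the knob the talk points at: lowering them shortens the attacker's window but raises the number of benign hosts briefly taken offline, so the `history` list is worth keeping as the record for tuning them.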