Under an Hour: CrowdStrike’s 2025 Threat Report Reveals Alarming Speed of Modern Cyberattacks

The average time it takes an eCrime adversary to move laterally within a compromised network has dropped to a startling 48 minutes, with the fastest recorded breakout clocking in at just 51 seconds. Those figures, drawn from CrowdStrike’s newly released 2025 Global Threat Report, paint a picture of an adversary class that is faster, more sophisticated, and increasingly reliant on identity-based attacks rather than traditional malware.
The annual report, which draws on trillions of security events observed across CrowdStrike’s customer base and threat intelligence operations, has become one of the cybersecurity industry’s most closely watched barometers. This year’s edition underscores a fundamental transformation in how threat actors operate — one that should concern every CISO, board director, and IT security professional tasked with defending enterprise networks.
Speed Kills: The Shrinking Window for Defenders
CrowdStrike’s data shows that the average eCrime breakout time, the interval between an attacker’s initial compromise of a host and their first lateral movement to another system within the target network, now stands at 48 minutes, down from 62 minutes in the previous year’s report. But the averages tell only part of the story. The fastest observed breakout in the reporting period was a mere 51 seconds, meaning that in some intrusions defenders had less than a minute to detect, triage, and respond before the attacker had already expanded their foothold.
This acceleration has profound implications for security operations centers (SOCs) and incident response teams. Traditional detection and response workflows — which often involve alert triage, escalation, and manual investigation — were designed for a threat environment where dwell times were measured in days or weeks, not seconds. As CrowdStrike CEO George Kurtz noted in remarks accompanying the report’s release, “The speed and sophistication of today’s cyberattacks are outpacing legacy security approaches.” Organizations that still rely on periodic threat hunting or overnight log analysis are increasingly finding themselves compromised before they even begin looking.
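As an added illustration, not code from CrowdStrike or from the report, the following Python computes breakout time the way the report defines it from authentication telemetry: the elapsed time from a confirmed initial access on a host to the first logon that leaves that host for a different one. The event shape, the sample events and the 15-minute response SLA are constructed for the example; a real pipeline would feed it Windows Security event 4624 network logons, EDR process-network telemetry, or the equivalent, and take the SLA from the SOC's own playbook.

```python
"""Breakout-time calculation over constructed logon telemetry (added example)."""
from datetime import datetime
from statistics import mean

# Constructed sample telemetry, not real data. Each tuple is
# (ISO-8601 timestamp, account, source, destination host, event kind).
# "initial_access" marks the confirmed foothold on the destination host;
# "logon" is a logon on the destination host that originated from source.
SAMPLE_EVENTS = [
    ("2024-11-03T09:00:00", "jdoe",       "203.0.113.7",  "WKS-0142", "initial_access"),
    ("2024-11-03T09:00:51", "jdoe",       "WKS-0142",     "FS-01",    "logon"),
    ("2024-11-03T09:05:12", "jdoe",       "WKS-0142",     "DC-01",    "logon"),
    ("2024-11-03T13:00:00", "svc_backup", "198.51.100.9", "WKS-0208", "initial_access"),
    ("2024-11-03T13:10:00", "svc_backup", "WKS-0208",     "WKS-0208", "logon"),  # local, not lateral
    ("2024-11-03T13:48:00", "svc_backup", "WKS-0208",     "SQL-02",   "logon"),
    ("2024-11-04T08:00:00", "mlee",       "203.0.113.21", "WKS-0311", "initial_access"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def breakout_times(events):
    """Map each foothold (account, host) to its breakout time in seconds.

    Breakout time is the interval between the initial compromise of a host
    and the first logon that leaves that host for a different one. A logon
    back onto the same host is not lateral movement. A foothold with no
    observed lateral movement maps to None.
    """
    ordered = sorted(events, key=lambda e: _ts(e[0]))
    footholds = {}  # (account, host) -> time of initial compromise
    result = {}
    for ts, account, src, dst, kind in ordered:
        if kind == "initial_access":
            footholds[(account, dst)] = _ts(ts)
            result[(account, dst)] = None
        elif kind == "logon":
            key = (account, src)
            if key in footholds and result[key] is None and dst != src:
                result[key] = (_ts(ts) - footholds[key]).total_seconds()
    return result


def summarize(events, response_sla_seconds=15 * 60):
    """Return the average and fastest observed breakout, plus the footholds
    that broke out faster than the SOC's response SLA (assumed 15 minutes)."""
    times = breakout_times(events)
    observed = [t for t in times.values() if t is not None]
    return {
        "average_seconds": mean(observed) if observed else None,
        "fastest_seconds": min(observed) if observed else None,
        "faster_than_sla": sorted(k for k, t in times.items()
                                  if t is not None and t < response_sla_seconds),
    }


if __name__ == "__main__":
    for key, t in breakout_times(SAMPLE_EVENTS).items():
        label = "no lateral movement yet" if t is None else f"{t:.0f}s"
        print(f"{key[0]} on {key[1]}: {label}")
    print(summarize(SAMPLE_EVENTS))
```

The `faster_than_sla` list is the operational output: every foothold in it is an intrusion the team could not have contained by hand even with a perfect alert, which is the argument for automated containment on the first high-confidence signal rather than after triage.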
Identity Is the New Attack Surface
Perhaps the most significant trend highlighted in the 2025 report is the continued shift toward identity-based attacks. CrowdStrike found that 79% of the detections it observed in 2024 were malware-free, up from 40% in 2019; the intrusions behind them relied instead on stolen credentials, social engineering, and abuse of legitimate remote access tools. Attackers have learned that it is far easier, and far less likely to trigger endpoint detection, to log in with valid credentials than to drop a malicious payload on disk: a valid logon leaves no file to scan and no suspicious process to flag, only an authentication event that looks like a user.
The report details how adversaries are increasingly targeting identity infrastructure itself. Attacks against Active Directory, single sign-on (SSO) providers, and cloud identity platforms have surged. Threat actors are using techniques such as SIM swapping, phishing for MFA tokens, and purchasing credentials from access brokers on dark web marketplaces. CrowdStrike observed a 50% year-over-year increase in access broker advertisements, indicating that the market for pre-compromised credentials and network entry points continues to boom. According to the report, access brokers are now one of the fastest-growing segments of the cybercrime economy, providing turnkey entry to networks for ransomware operators and espionage groups alike.
China’s Cyber Operations Surge by 150%
The geopolitical dimension of the threat environment also received significant attention in the report. CrowdStrike documented a 150% increase in China-nexus cyber espionage activity across the board, with certain targeted industries, particularly financial services, media, manufacturing, and technology, experiencing a 200% to 300% spike in intrusions attributed to Chinese state-sponsored groups. The company tracks adversaries under an animal-themed naming convention in which China-nexus groups are Pandas, and the report highlights sustained campaigns by groups such as Aquatic Panda, Liminal Panda, and others.
These Chinese operations are notable not just for their volume but for their sophistication. CrowdStrike analysts observed Chinese groups increasingly using operational relay box (ORB) networks — compromised routers, IoT devices, and virtual private servers chained together to obscure the true origin of attacks. This infrastructure makes attribution more difficult and allows adversaries to maintain persistent access even when individual nodes are taken down. The targeting patterns suggest a strategic alignment with Beijing’s economic and intelligence priorities, including theft of intellectual property, surveillance of dissidents, and pre-positioning within critical infrastructure networks.
Generative AI: A Force Multiplier for Social Engineering
The 2025 report also addresses the growing role of generative artificial intelligence in the threat actor toolkit. CrowdStrike documented multiple campaigns in which adversaries used AI-generated voice and text content to conduct social engineering attacks at scale. Vishing — voice phishing — saw a 442% increase between the first and second halves of 2024, according to the report’s data. Attackers are using AI-generated voice clones and chatbot-style interactions to impersonate IT help desks, executives, and vendors, tricking employees into handing over credentials or granting remote access.
This trend is particularly concerning because it lowers the barrier to entry for sophisticated social engineering. Previously, convincing phone-based social engineering required native-language fluency and cultural knowledge. Generative AI tools have effectively democratized these capabilities, enabling threat actors operating from anywhere in the world to produce convincing, context-appropriate lures in any language. CrowdStrike’s report highlights campaigns by groups such as Curly Spider and Chatty Spider that have incorporated AI-generated content into their operations with measurable success.
Cloud Intrusions Continue Their Upward March
Cloud environments remain a high-priority target. CrowdStrike reported that new and unattributed cloud intrusions increased by 26% year-over-year. Attackers are exploiting misconfigurations, abusing legitimate cloud management tools, and targeting cloud-native identity systems. The report notes that many organizations still lack adequate visibility into their cloud control planes, creating blind spots that adversaries are eager to exploit.
The convergence of identity attacks and cloud targeting is especially dangerous. Once an attacker obtains valid credentials for a cloud environment — whether through phishing, credential stuffing, or purchasing them from an access broker — they can often move laterally across cloud workloads, exfiltrate data, and establish persistence without ever triggering traditional endpoint security tools. CrowdStrike’s data suggests that cloud-conscious threat actors are becoming more adept at living off the land within cloud provider APIs and management consoles, making detection a significant challenge for security teams that have not invested in cloud-specific monitoring.
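The malware-free pattern described in the identity section above and the cloud living-off-the-land pattern described here are the same problem seen from two sides: a valid credential, used through a legitimate API, with nothing for an endpoint agent to flag. The detector below is an added example, not CrowdStrike's or any cloud provider's code, and it works over constructed CloudTrail-style records (real AWS API operation names in `eventName`; every other value is made up). It looks for credentials used from a source address the identity has never used before, performing several discovery calls followed by a persistence call within a short window. The per-identity baseline of known source addresses is assumed to be built from a prior period of logs.

```python
"""Detecting valid-credential abuse in cloud audit logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# API calls that map an environment (discovery) and calls that create a durable
# way back in (persistence). The operation names are real AWS API names as they
# appear in CloudTrail; the grouping is this example's own, not CrowdStrike's.
DISCOVERY = {"GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
             "ListSecrets", "DescribeInstances"}
PERSISTENCE = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
               "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"}

# Assumed baseline: source addresses each identity normally uses, built from an
# earlier period of logs. Values are constructed.
KNOWN_SOURCES = {"alice": {"198.51.100.23"}, "bob": {"198.51.100.44"}}

# Constructed CloudTrail-style records (not real telemetry). Only the fields the
# detector reads are kept; real records carry many more.
SAMPLE_RECORDS = [
    {"eventTime": "2024-10-14T08:02:10Z", "eventName": "ConsoleLogin",
     "userName": "alice", "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2024-10-14T08:40:00Z", "eventName": "ListBuckets",
     "userName": "alice", "sourceIPAddress": "198.51.100.23"},
    # bob enumerates from his usual address and does nothing else: benign
    {"eventTime": "2024-10-14T09:00:00Z", "eventName": "ListRoles",
     "userName": "bob", "sourceIPAddress": "198.51.100.44"},
    {"eventTime": "2024-10-14T09:00:05Z", "eventName": "ListUsers",
     "userName": "bob", "sourceIPAddress": "198.51.100.44"},
    # alice's credentials reused from an address her account has never used:
    # orientation, enumeration, then a new access key as a way back in
    {"eventTime": "2024-10-14T21:15:02Z", "eventName": "GetCallerIdentity",
     "userName": "alice", "sourceIPAddress": "203.0.113.55"},
    {"eventTime": "2024-10-14T21:15:09Z", "eventName": "ListUsers",
     "userName": "alice", "sourceIPAddress": "203.0.113.55"},
    {"eventTime": "2024-10-14T21:15:11Z", "eventName": "ListRoles",
     "userName": "alice", "sourceIPAddress": "203.0.113.55"},
    {"eventTime": "2024-10-14T21:16:40Z", "eventName": "CreateAccessKey",
     "userName": "alice", "sourceIPAddress": "203.0.113.55"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_credential_abuse(records, known_sources,
                          window=timedelta(minutes=30), min_discovery=2):
    """Return alerts for identities whose credentials are used from an
    unfamiliar source address for at least `min_discovery` discovery calls
    followed by a persistence call, all within `window`."""
    # Group only activity from sources the identity has not used before.
    sessions = defaultdict(list)
    for rec in sorted(records, key=lambda r: _ts(r["eventTime"])):
        user, ip = rec["userName"], rec["sourceIPAddress"]
        if ip not in known_sources.get(user, set()):
            sessions[(user, ip)].append(rec)

    alerts = []
    for (user, ip), recs in sessions.items():
        recent = []  # (eventName, time) discovery calls still inside the window
        for rec in recs:
            name, t = rec["eventName"], _ts(rec["eventTime"])
            recent = [d for d in recent if t - d[1] <= window]
            if name in DISCOVERY:
                recent.append((name, t))
            elif name in PERSISTENCE and len(recent) >= min_discovery:
                alerts.append({"user": user, "source": ip,
                               "discovery": [d[0] for d in recent],
                               "persistence": name, "at": rec["eventTime"]})
    return alerts


if __name__ == "__main__":
    for alert in find_credential_abuse(SAMPLE_RECORDS, KNOWN_SOURCES):
        print(f"{alert['user']} from {alert['source']}: "
              f"{' -> '.join(alert['discovery'])} -> {alert['persistence']} at {alert['at']}")
```

Two practical caveats when adapting this: the baseline must handle calls made on an identity's behalf from inside the provider, where CloudTrail records a service name (such as `cloudformation.amazonaws.com`) or an internal address rather than a user's IP; and the persistence step should be treated as the point of no return, since a freshly created access key survives a password reset and a forced sign-out.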
Insider Threats and Nation-State Infiltration
One of the more alarming findings in the report concerns the growing use of insider threat tactics by nation-state actors. CrowdStrike highlighted the activities of a North Korea-nexus group it tracks as Famous Chollima, which has been placing operatives, working under fabricated or stolen identities, in legitimate remote IT contractor and employee roles at target organizations. These insiders then use their authorized access to conduct espionage, steal data, and install backdoors. The report notes a 304% year-over-year increase in activity attributed to this group, suggesting that the tactic is being scaled up significantly.
This blurring of the line between external and insider threats presents a unique challenge for defenders. Traditional perimeter-based security models assume that authenticated users inside the network are trustworthy. The Famous Chollima campaigns demonstrate that this assumption is increasingly dangerous. Organizations are being forced to adopt zero-trust architectures not just as a technical framework but as a philosophical approach to access management — verifying every user, every device, and every session, regardless of where or how they connect.
What the Data Demands of Defenders
The cumulative picture painted by CrowdStrike’s 2025 Global Threat Report is one of an adversary community that is professionalizing, accelerating, and diversifying its methods. The 48-minute average breakout time means that detection and response must happen in near-real-time. The dominance of identity-based attacks means that endpoint protection alone is insufficient. The rise of AI-powered social engineering means that human-layer defenses — training, awareness, and verification protocols — must evolve as fast as the threats they aim to counter.
For security leaders, the report’s findings reinforce several operational imperatives: investing in identity threat detection and response (ITDR) capabilities, extending monitoring to cloud control planes, automating response workflows to compress reaction times, and conducting regular adversary emulation exercises calibrated to the speed and tactics documented in reports like this one. The threat actors are not slowing down. The question for every organization is whether their defenses can keep pace — not in theory, but in the 48 minutes, or 51 seconds, that matter most.