You Can't Out-React an AI-Powered Attack. Here's What Actually Works.
The fastest cyberattacks today go from initial access to full data exfiltration in under an hour. In some cases, under 25 minutes.
That number changes the math on how a security program should be built. A program designed primarily around reacting to breaches is making a bet that your team can close a 25-minute window consistently, at scale, across every gap in your environment. That's not a bet most teams can win.
The right response isn't to run faster on the reactive side. It's to shrink the attack surface so there's less to exploit in the first place.
Palo Alto Networks' 2026 Unit 42 Global Incident Response Report puts data behind this: the fastest attacks now reach full exfiltration in 72 minutes, four times faster than a year ago. In one in five cases, data is gone in under an hour. In a controlled simulation, Unit 42 researchers compressed that to 25 minutes.
AI changed the economics of exploitation. Not the categories of risk.
The gaps security teams have always managed haven't changed in kind. Dormant accounts, excessive permissions, misconfigured cloud resources, overexposed data, contractors who retained access after offboarding. These aren't new problems. What's changed is how fast and easily an attacker can find them.
The same Unit 42 report found that identity weaknesses played a material role in nearly 90% of investigations, and that in most cases, attackers aren't breaking in. They're logging in, with stolen credentials and tokens, then exploiting fragmented identity estates to move laterally and escalate privileges without triggering traditional defenses.
The 2026 CrowdStrike Global Threat Report adds another dimension: average attacker breakout time, from initial foothold to lateral movement across your environment, fell to just 29 minutes in 2025, a 65% drop from the year before. The fastest recorded breakout took 27 seconds.
These aren't abstract threat trends. They change the calculus on every open issue in your backlog. The dormant account you planned to clean up next quarter. The contractor access nobody got around to revoking. The S3 bucket with permissions that are too broad. Each one is now a faster path to a worse outcome.
The instinct to go faster on detection is understandable. It's also insufficient.
When the threat environment accelerates, the natural move is to invest in faster detection and response. That investment matters. But it can't be the whole answer.
AI-powered attacks don't just move faster; they compress the window in which detection can make a difference. When the fastest attacks reach exfiltration in under an hour, a mean time to detect measured in days isn't just slow; it's structurally insufficient for stopping that specific incident. Detection finds the attacker after they're in. Posture work closes the doors before they arrive.
The programs holding up right now are built on this premise. You don't just want to know when something went wrong. You want fewer things that can go wrong in the first place. You want that list getting shorter every day; a quarterly review is no longer enough.
The fundamentals are now urgent. Most programs aren't built to execute on them continuously.
The average enterprise has thousands of known hygiene issues sitting in queues right now. Dormant accounts that should be disabled. Certificates that will expire unnoticed. Employees with access they no longer need. Contractors whose HR records show they left months ago but whose cloud access is still active. And beyond what's already flagged, an unknown number of issues that no single tool surfaces, because they only become visible when you connect identity data with cloud configurations, with HR records, with IT asset management.
The reason these issues accumulate isn't negligence. Execution at scale is genuinely hard. A dormant account isn't just an identity problem. It's an identity plus HR plus app dependency plus access policy problem, and no single tool holds all four pieces. So you end up with ownership that's unclear, dependencies that aren't documented, and fixes that require three tickets, two Slack threads, and a week of waiting. And in a world where attackers can find and exploit it in under an hour, the backlog is the risk.
The Unit 42 report puts a sharp point on this: 75% of incidents had evidence sitting in logs. The signals were there, but organizational silos prevented teams from connecting them in time. The problem isn't visibility. It's context and execution.
What proactive hygiene execution actually requires
Getting to a program that closes gaps continuously, not just finds them, requires three things working together.
Context that crosses system boundaries.
Who owns this asset? What depends on it? What breaks if we change it? Those answers live across your identity provider, HR system, cloud platform, and ITSM. No single tool sees all of them. And ownership that looked clear six months ago may have shifted when a team reorganized or a key person left. The context has to be live, not a snapshot.
Remediation that goes all the way.
Finding the issue is step one. Tracing it to a real current owner, modeling what breaks if you change it, sequencing the fix across the right systems and teams, and actually closing it: that's the work that reduces risk. Surf's Context Graph connects signals from the tools your team already relies on, like vulnerability scanners, cloud security platforms, and data security tools, so every action is grounded in a full picture of your environment.
Your team in control at every step.
Continuous doesn't mean autonomous. The organizations making the most progress have defined clearly what requires human judgment and what can be handled systematically, with approvals, guardrails, and a full audit trail either way. When Surf closes 200 dormant accounts in a Tuesday morning run, your team can see exactly which accounts were touched, why, what the predicted impact was, who approved it, and what happened after.
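To make the three requirements above concrete (cross-system context, remediation that resolves a live owner, and human control with an audit trail), here is an added example that is not Surf's code and not part of the original post. It joins a constructed identity-provider export with a constructed HR roster and cloud role bindings, flags dormant, orphaned and terminated-but-still-active accounts, walks the HR manager chain to find a currently active owner instead of trusting the stale manager field in the IdP, and produces a remediation plan in which low-risk closures run automatically while anything touching a privileged role or a service account is held for approval and recorded. All field names, role names, thresholds and the data itself are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample exports (not real data). Field names are assumptions:
# a typical IdP user list, an HR roster, and cloud IAM role bindings.
IDP_USERS = [
    {"user": "alice", "last_login": date(2025, 3, 1), "manager": "carol", "type": "employee"},
    {"user": "bob", "last_login": date(2024, 10, 15), "manager": "carol", "type": "employee"},
    {"user": "dave-ctr", "last_login": date(2025, 2, 20), "manager": "erin", "type": "contractor"},
    {"user": "svc-backup", "last_login": date(2024, 11, 1), "manager": None, "type": "service"},
]
HR_RECORDS = {
    "alice": {"status": "active", "manager": "carol"},
    "bob": {"status": "active", "manager": "frank"},  # manager changed after a reorg; IdP still says carol
    "dave-ctr": {"status": "terminated", "end_date": date(2024, 12, 31), "manager": "erin"},
    "carol": {"status": "active", "manager": None},
    "erin": {"status": "terminated", "end_date": date(2025, 1, 15), "manager": "frank"},
    "frank": {"status": "active", "manager": None},
}
CLOUD_BINDINGS = [
    {"principal": "bob", "role": "roles/viewer"},
    {"principal": "dave-ctr", "role": "roles/storage.admin"},
    {"principal": "svc-backup", "role": "roles/storage.objectAdmin"},
]
PRIVILEGED_ROLES = {"roles/storage.admin", "roles/owner"}  # assumed high-impact roles


@dataclass
class Finding:
    user: str
    reason: str
    owner: str                 # accountable person after walking the HR chain
    roles: list = field(default_factory=list)
    needs_approval: bool = False


def resolve_owner(user, hr, fallback="security-oncall"):
    """Walk the HR manager chain until an active person is found.

    HR is treated as the system of record for ownership; the IdP manager
    field is ignored because it is often a stale snapshot. If nobody active
    is found (e.g. a service account with no HR record), escalate to a
    named fallback queue rather than leaving the finding unowned.
    """
    seen = set()
    rec = hr.get(user)
    current = rec["manager"] if rec else None
    while current and current not in seen:
        seen.add(current)
        mrec = hr.get(current)
        if mrec and mrec["status"] == "active":
            return current
        current = mrec["manager"] if mrec else None
    return fallback


def find_dormant(idp_users, hr, bindings, today, inactive_days=90):
    """Correlate IdP, HR and cloud data to produce owned, risk-rated findings."""
    findings = []
    cutoff = today - timedelta(days=inactive_days)
    roles_by_user = {}
    for b in bindings:
        roles_by_user.setdefault(b["principal"], []).append(b["role"])
    for u in idp_users:
        rec = hr.get(u["user"])
        if u["type"] != "service" and rec is None:
            reason = "no_hr_record"                       # human account nobody in HR knows about
        elif rec and rec["status"] == "terminated":
            reason = f"terminated_in_hr_{rec['end_date'].isoformat()}"
        elif u["last_login"] < cutoff:
            reason = f"inactive_over_{inactive_days}d"
        else:
            continue                                      # healthy account, nothing to do
        roles = roles_by_user.get(u["user"], [])
        # Privileged cloud roles and service accounts carry dependency risk:
        # disabling them can break things, so a human signs off first.
        risky = bool(set(roles) & PRIVILEGED_ROLES) or u["type"] == "service"
        findings.append(Finding(u["user"], reason, resolve_owner(u["user"], hr), roles, risky))
    return findings


def plan_remediation(findings, approved_by=None):
    """Turn findings into an ordered, auditable plan of concrete steps.

    Each entry records what will be touched, why, who owns it, and whether
    it runs automatically, runs under a recorded approval, or is held.
    """
    plan = []
    for f in findings:
        steps = ["disable_idp_account"] + [f"remove_binding:{r}" for r in f.roles]
        if not f.needs_approval:
            status = "auto_execute"
        elif approved_by:
            status = "approved"
        else:
            status = "hold_for_approval"
        plan.append({"user": f.user, "reason": f.reason, "owner": f.owner, "steps": steps,
                     "status": status, "approved_by": approved_by if status == "approved" else None})
    return plan


if __name__ == "__main__":
    for entry in plan_remediation(find_dormant(IDP_USERS, HR_RECORDS, CLOUD_BINDINGS, date(2025, 3, 10))):
        print(entry)
```

Run as-is, the plan auto-closes bob's inactive viewer-only account, assigns the terminated contractor's still-active storage.admin binding to frank (erin, the contractor's manager, has herself left), and holds the service account for review because its HR owner cannot be resolved. The point of the structure is that every step in the plan is traceable to the signals that produced it, which is what an audit trail has to be able to show after the run.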
The teams getting ahead of this will look different in 18 months
When the fastest attacks go from access to exfiltration in 72 minutes, and identity weaknesses are involved in nearly 9 out of 10 investigations, the programs that hold up are the ones continuously reducing what there is to exploit, not just watching for when it gets exploited.
Security teams have always known this work mattered. They've always wanted to do it. The question is whether your program is built to execute on it at the pace the environment now demands.
The teams moving now are the ones who will define what good looks like on the other side.
Jared Blistein is VP of Marketing at Surf AI, where he leads go-to-market strategy with 15 years of cybersecurity experience behind him, including time at Datadog and Veza.
