
In 2014, the median time an attacker spent inside a victim's network before being detected was 205 days. By 2024, Mandiant estimated that number at 11 days. So, it is obvious that our detection capabilities have gotten dramatically better. The problem is that attackers have also become dramatically faster. According to CrowdStrike, the average eCrime breakout time (meaning the time between initial access and lateral movement) dropped to just 29 minutes in 2025. So, not only are threat actors more active, but they are also becoming more effective when they do gain initial access (netguardia).
Now more than ever, the conversations we have with organizations and their leadership come back to the idea that even with the best tools, people, and processes, your organization will likely experience a security incident at some point in the future. That concept is uncomfortable, but it is the foundation every meaningful security program is now built on. The organizations that have come through incidents intact are not the ones that prevented everything. They are the ones that were ready.
Why "When, Not If"
In order to successfully defend against every threat, a defender has to be right every time, across every endpoint, every credential, and every patch cycle. An attacker, on the other hand, needs to be right just once. CrowdStrike now reports that 79% of detections are malware-free, up from 40% in 2019, showing that attackers are trending toward tools that are not obviously malicious to accomplish their goals (CrowdStrike).
Mature security programs with significant budgets are still getting compromised. So, the useful question is not whether your prevention controls are good. It is whether your organization has decided, before anything goes wrong, what it will do when something does.
What Assume Breach Actually Means
Assume breach is the idea that an attacker is either already inside your environment or will be soon, even with the best strategies and tools in place. Historically, security budgets have been weighted heavily toward prevention. This strategy can lead organizations to rely almost exclusively on their security tool stack to prevent an incident from happening, leaving them completely unprepared when it does.
An important thing to point out is that “assume breach” does not mean we should simply give up on trying to prevent attacks. Prevention, detection, and containment are critical aspects of an organization’s cybersecurity strategy that allow recovery to be effective when the time comes. Rather, “assume breach” highlights the new, unfortunate truth that a cybersecurity strategy based solely on prevention has stopped being sufficient on its own.
How Planning Makes the Difference
Picture two organizations hit by the same incident on the same Tuesday morning.
The unprepared organization might find out from a vendor or customer. The first 72 hours are spent trying to understand what happened. Because they do not understand the requirements of their cybersecurity insurance policy, they reach out to an unapproved vendor (or miss the carrier notification window entirely) and trigger a coverage denial. They restore from backups that have not been tested. Communication is reactive and scattered. They come back online in weeks, sometimes months, often with permanent customer attrition and lasting reputational damage.
The prepared organization detects in hours, if not minutes. They execute a documented IR plan with named decision authority. They know who to call first, who is approved, and how to notify their insurance carrier inside the designated window. They restore from immutable backups with known recovery time and recovery point objectives. They communicate with one voice using pre-drafted templates. They come back online in days, often without making the news.
Both organizations got hit, but what happened next made all the difference.
Cultural Ownership
Assume breach fails as a concept when it lives exclusively in the minds of IT leaders or technology professionals. It only truly works when it is shared across the organization, especially in the boardroom. When the organization understands how it will respond to an incident (and that it is more likely than not that one will eventually take place), they will be prepared to recover quickly with minimal lasting impacts.
No security program prevents every attack, especially with the increasing volume and scale at which threat actors are operating. The gap between organizations that recover quickly and organizations that recover painfully is not decided in the middle of the incident. It is decided in the months and years before, by leaders who choose to prepare for the day prevention fails rather than pretend that day will never come.
Assume breach is not pessimism. In fact, it is one of the most optimistic things a security leader can do, because it is the only posture that gets your organization back on its feet.
About the Author:
Sam Reid is a solutions consultant at Expedient Technology Solutions, a managed IT and cybersecurity firm serving organizations across the Dayton, Cincinnati, and Columbus regions. He consults with clients to help them integrate their technology with their business strategy, building a backbone on which they can build their business for years to come.