A third of all cyberattacks remain undetected for months. Experts reveal the tactics that threaten companies.
The current security report “Anatomy of a Cyber World” by Kaspersky provides an analysis of last year’s global cyber incidents. The statistical evaluations make it clear that while the basic structure of hackers’ methods has barely changed, their execution is becoming increasingly complex. A central finding of the investigation is that a considerable portion of attacks remain undetected over a very long period, while roughly half of all incidents unleash their full damage within just a few hours. The distribution of intrusion paths shows a clear concentration on known vulnerabilities and on the exploitation of organizational trust relationships.
Software gaps and stolen accounts as the main gateways
According to Kaspersky’s data, the exploitation of publicly accessible applications remains the most frequently used method for breaking into target networks. In 2025, 44 percent of the investigated incidents were attributable to this vector. Attackers exploit security gaps in web applications or other outward-facing programs for which patches have not yet been installed. In second place, with 25 percent, is the misuse of valid user accounts. In these cases, actors obtain valid usernames and passwords through phishing or by buying access credentials on the dark web. Because they log in with genuine identities, they often remain invisible to simple security solutions for a long time, since their behavior initially resembles normal usage.
Trust in service providers becomes a dangerous trap
A trend that has intensified in recent years is compromise via partner companies or service providers. This vector, which was responsible for 16 percent of attacks in 2025, has displaced classic malicious emails from the top ranks. Hackers specifically target IT integrators or software providers that have access to their customers’ systems. Small service providers are particularly at risk here, as they often do not have the resources to secure their own networks to the highest standards. If attackers manage to take over such a company, they can use existing remote maintenance access to penetrate the networks of the actual target companies undetected.
A third of cyberattacks last more than three months
The duration of an attack provides important clues about the intentions of the perpetrators. The report shows that 33 percent of incidents have a median duration of 108 days. This corresponds to a period of around three and a half months in which the actors were able to move freely through the system. In these cases, the criminals are not interested in quick sabotage, but in long-term goals. They install mechanisms for permanent presence and try to gain control over Active Directory, which manages a company’s entire user administration. During this phase, large amounts of data are often exfiltrated unnoticed before the attack finally becomes visible through encryption or a deletion demand.
Rapid data encryption in less than 24 hours
In contrast to lengthy operations, the majority of attacks have a duration of less than 24 hours. Around 51 percent of the incidents in 2025 fall into this category. The primary goal of these attacks is almost always the rapid encryption of data using ransomware in order to make a ransom demand. After the initial intrusion, the attackers use automated tools to spread through the network as quickly as possible and to render backups as well as production data unusable. This speed poses major challenges for companies, as conventional response times are often not enough to avert the damage in its early stages.
Hybrid tactics deceive internal IT security
In addition to very short and very long attacks, the report also identified a hybrid pattern in 16 percent of cases. These attacks initially appear to be short-term disruptions or simple compromises that seemingly subside after a short time. In fact, these operations stretch over an average of 19 days. The attackers first carry out an offensive action to test the defenses or collect initial data, and return later for deeper manipulations. This tactic serves to lull security staff into a false sense of security or to divert attention from the actual malicious activities running in the background.
Prevention and monitoring stop complex attacks
In view of this complex threat situation, experts recommend a move away from purely reactive security concepts. Since many attacks begin months in advance, real-time monitoring of the entire network traffic is essential. Basic protective measures include the consistent enforcement of multi-factor authentication for all external access, in order to prevent the misuse of stolen passwords. In addition, companies must strictly manage the access rights of third-party providers and service providers according to the principle of least privilege. Regular checks of publicly accessible applications and the timely installation of security patches continue to form the backbone of an effective defense against automated attacks. Only through the combination of technical monitoring and organizational caution can the long dwell times of hackers be effectively shortened.