Morning Overview

The average network breach goes undetected for months before anyone notices

Attackers who break into corporate and government networks often operate undetected for months, quietly extracting data, installing backdoors, and moving between systems before any defender raises an alarm. Peer-reviewed research published in the journal Computers and Security examined how detection times vary across breach categories, finding that the delay between initial compromise and discovery remains stubbornly long for certain attack types. At the same time, the U.S. Cybersecurity and Infrastructure Security Agency maintains a growing catalog of vulnerabilities already exploited in the wild, complete with dates and remediation deadlines, yet many organizations still fail to act on that information quickly enough to prevent prolonged intrusions.

Why months of silent access change the calculus for defenders

The gap between when an attacker gains a foothold and when a security team spots the intrusion determines how much damage is possible. A breach discovered within days limits the data an adversary can reach. A breach that festers for weeks or months gives intruders time to escalate privileges, map internal systems, and exfiltrate sensitive records at scale. The difference is not academic; it separates a contained incident from a crisis that triggers regulatory investigations, class-action lawsuits, and lasting reputational harm.

One reason detection drags on is that many organizations lack continuous monitoring tied to known threat intelligence. CISA’s vulnerability catalog enumerates flaws that attackers have already weaponized, listing exploitation dates and remediation guidance for each entry. Federal agencies face binding deadlines to patch those flaws, but private-sector adoption of the catalog as a prioritization tool is uneven. When a vulnerability sits on the KEV list for weeks before an organization patches it, the window for undetected exploitation widens.

A testable hypothesis follows from this dynamic: organizations that publish public breach notifications within 30 days of a KEV-listed exploitation date should, over time, show measurably shorter average detection periods than peers that delay disclosure. Rapid notification forces internal teams to compress their investigation timelines, and it creates external accountability that rewards faster detection. Future academic studies could validate this by matching breach notification filings against KEV exploitation dates and comparing dwell times across disclosure speed cohorts.

Peer-reviewed findings on breach detection timing

The strongest available evidence on why detection takes so long comes from a peer-reviewed study in Computers and Security, published by Elsevier. The research focused specifically on the detection stage of data breaches, analyzing how timing varies depending on the type of breach and the assets targeted. Rather than relying on a single vendor’s incident-response data, the study used a survey-based methodology to isolate the structural factors that slow detection across different breach categories.

Breaches involving stolen credentials or insider threats tend to remain hidden the longest because the activity mimics legitimate user behavior. Network monitoring tools tuned to flag anomalous traffic patterns often miss these intrusions entirely. By contrast, breaches that trigger visible disruptions, such as ransomware deployments, are detected faster because the damage itself serves as the alert. The research highlights that the type of asset compromised also matters: breaches targeting payment card data, for instance, may surface through fraud-detection systems at banks, while breaches affecting intellectual property or personal records can go unnoticed until a third party reports the exposure.

CISA’s KEV Catalog adds a second dimension to this problem. The catalog functions as a government-maintained dataset that records when specific vulnerabilities were known to be exploited in the wild. Each entry includes a date and remediation guidance, creating a public timeline that organizations can audit against their own patching records. When an organization discovers months later that it was breached through a vulnerability already listed in the KEV Catalog, the delay becomes measurable and, increasingly, difficult to defend to regulators or courts.

Open questions about detection gaps and disclosure speed

Several gaps in the available evidence limit how precisely anyone can quantify the detection problem across sectors and organization sizes. The peer-reviewed study in Computers and Security provides a rigorous framework for understanding detection timing by breach type, but it does not include matched incident logs that would allow researchers to compare exact dwell periods against specific KEV exploitation dates. That kind of cross-referencing would require access to both internal security logs and public breach notification filings, a dataset that does not yet exist in a standardized, researcher-accessible form.

The KEV Catalog itself, while authoritative on which vulnerabilities have been exploited, does not track whether individual organizations were breached through those flaws or how long each intrusion lasted before discovery. It is a prioritization tool, not a detection metric. Bridging the gap between the catalog’s exploitation dates and real-world detection timelines would require cooperation between federal agencies, state attorneys general who collect breach notifications, and the research community.

No primary dataset in the available sources breaks detection times down by organization size, industry vertical, or geographic region. Secondary reporting from incident-response firms has attempted to fill this gap with annual averages, but those figures are drawn from self-selected samples of companies that hired outside help, skewing the data toward larger or more security-aware organizations. Smaller firms that never engage an incident-response team, and may never discover the breach at all, are absent from those counts.

Direct statements from network operators about their internal detection processes are also missing from the primary research record. Many organizations treat details about monitoring, logging, and incident triage as sensitive operational information. As a result, academic work must infer internal practices from external outcomes, such as detection delays and the nature of reported breaches. This creates uncertainty about which specific investments (whether in tooling, staffing, or training) actually shorten dwell time in practice.

What defenders can do with imperfect data

Even with these limitations, the available evidence points toward several pragmatic steps. First, organizations can treat KEV-listed vulnerabilities as a de facto emergency patch list. When a flaw appears in the catalog, defenders should assume that exploitation is widespread and that any exposed system may already be compromised. Prioritizing remediation for those vulnerabilities, coupled with targeted threat hunting focused on affected assets, can narrow the window during which attackers can operate unseen.
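The audit the article describes, checking an organization's own patching records against the catalog's listing and due dates to measure how long each KEV-listed flaw stayed exposed, can be scripted. The example below is added here and is not code from CISA or from the article; the record keys (cveID, dateAdded, dueDate) follow the public KEV JSON feed, but the entries and patch dates are constructed samples with placeholder identifiers.

```python
from datetime import datetime

# Constructed KEV-style entries with placeholder identifiers (not real CVEs).
# The keys match the public KEV JSON feed's "vulnerabilities" records.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-03-01", "dueDate": "2024-03-22"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-03-05", "dueDate": "2024-03-26"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-02-10", "dueDate": "2024-03-02"},
]}

# Constructed internal patch records: CVE -> date the fix was fully deployed.
PATCH_RECORDS = {
    "CVE-0000-0001": "2024-03-10",  # fixed before the due date
    "CVE-0000-0002": "2024-04-15",  # fixed, but after the due date
    # CVE-0000-0003 has no record: still unpatched
}


def _day(s):
    """Parse an ISO date string (YYYY-MM-DD) as used by the KEV feed."""
    return datetime.strptime(s, "%Y-%m-%d").date()


def audit_kev(kev, patches, today):
    """One finding per KEV entry: how long the flaw stayed unpatched after
    CISA listed it, and whether the remediation deadline was missed."""
    today = _day(today)
    findings = []
    for v in kev["vulnerabilities"]:
        cve, added, due = v["cveID"], _day(v["dateAdded"]), _day(v["dueDate"])
        fixed = _day(patches[cve]) if cve in patches else None
        # Exposure window ends at the fix date, or runs to today if unpatched.
        end = fixed or today
        findings.append({
            "cveID": cve,
            "patched": fixed is not None,
            "days_listed_before_fix": (end - added).days,
            "overdue": end > due,
            "days_past_due": max((end - due).days, 0),
        })
    # Worst first: unpatched entries, then the longest-overdue fixes.
    return sorted(findings, key=lambda f: (f["patched"], -f["days_past_due"]))


if __name__ == "__main__":
    for f in audit_kev(KEV_SAMPLE, PATCH_RECORDS, "2024-05-01"):
        print(f)
```

Entries that are unpatched or past their due date are the natural starting list for the targeted threat hunting the article recommends, since any system exposed to them may already have been reached.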

Second, security teams can align their internal metrics with the detection-focused lens used in the Computers and Security study. Instead of tracking only the number of incidents handled or patches applied, organizations can measure the time from initial alert to confirmed detection and containment. Over time, those metrics can reveal whether new tools or processes are actually reducing dwell time for different breach types, especially those that are historically harder to spot, such as credential abuse and insider activity.

Third, policymakers and regulators can encourage, or in some cases require, more standardized breach reporting that includes detection timelines. If breach notifications consistently captured when an intrusion likely began, when it was discovered, and whether a KEV-listed vulnerability was involved, researchers could build the kind of cross-referenced datasets that are currently missing. That, in turn, would allow more precise benchmarking across sectors and provide clearer evidence on which defensive strategies work best.

The current research and public data do not yet allow a definitive answer to how long attackers remain inside most networks before discovery. However, they do show that certain breach types are systematically harder to detect, that widely exploited vulnerabilities are publicly known through resources like the KEV Catalog, and that the gap between those facts remains a critical weakness. Closing that gap will require not only better tools and faster patching, but also more transparent reporting and cooperative data sharing between organizations, regulators, and researchers. Until then, defenders must assume that the quietest breaches are the ones most likely to be missed, and design their monitoring, response, and disclosure practices accordingly.

*This article was researched with the help of AI, with human editors creating the final content.