If an attacker breached your network today, how long would it take you to know? A day? A week? A month?
For many organizations, the real answer is closer to six months. According to IBM’s 2025 Cost of a Data Breach Report, attackers still enjoy an average of 207 days to move undetected across environments — long enough to identify critical assets, escalate privileges, and prepare a devastating strike. In operational technology (OT) environments, that dwell time often stretches even longer, thanks to poor visibility and detection tools that simply don’t work the same way.
Cybersecurity isn’t just about stopping threats at the gate. It’s about knowing which threats have made it through the gate and are now inside, and detecting them when they arrive, before they launch and before they do anything malicious.
Let’s take a closer look at what dwell time is and why traditional cybersecurity tools so often fail in OT environments.
What Is Dwell Time?
Dwell time is the length of time a threat actor is present in your network before being detected. That can include days of quiet observation, weeks of lateral movement, or even months of establishing persistence.
And here’s why it matters: the longer a threat actor lurks, the more catastrophic the breach becomes. During this critical period, threat actors meticulously map your infrastructure, escalate privileges, steal credentials, read communications, implant additional payloads, exfiltrate data, or even poison your backups — all without setting off a single alarm. By the time your system finally raises an alert, usually after a catastrophic attack has been launched, it's already too late.
In critical infrastructure and OT networks — like power grids, water systems, and manufacturing lines — long dwell times aren’t just costly; they're outright dangerous. If the attacker is skilled enough, you might not grasp the full extent of the damage until weeks or even months after the initial compromise. Detection rarely comes from cybersecurity tools suddenly waking up. If an attack isn’t caught early, chances are it won’t be caught at all — until a devastating strike makes itself known.
Why Traditional Cybersecurity Tools Keep Falling Short
When your team talks about security key performance indicators (KPIs), dwell time shouldn’t be a footnote. It should be a warning flare.
Long dwell times mean one of two things:
- You’re not detecting early-stage threats.
- You’re not looking where it counts.
Most cybersecurity tools are built on a reactive model. They wait for previously documented malware, for an attack to execute, or for something to behave abnormally. For example:
- EDR/XDR (Endpoint Detection and Response or Extended Detection and Response): These tools monitor endpoint activity and flag suspicious behavior based on predefined rules, heuristics, or machine learning models. But they are mostly reactive by nature. They often kick in only after an attacker does something abnormal — like encrypting files or reaching out to a command-and-control server. By that point, the adversary has already embedded itself deep into your systems. Worse, EDR agents often consume too much memory to fit onto small OT devices, or too many system resources to run effectively in OT environments.
- SIEM (Security Information and Event Management): SIEMs pull together logs from across the network to help security teams spot anomalies and correlate events. The problem? Logs only reveal what’s been captured — and if logging isn’t perfectly configured, or systems aren’t reporting the right data, threats slip through. Sophisticated malware can even generate “reasonable” logs that look legitimate to the SIEM. On top of that, SIEMs are slow to respond and notoriously noisy, flooded with false positives that lead straight to alert fatigue.
- NDR (Network Detection and Response): These cybersecurity tools monitor network traffic to detect lateral movement, unusual connections, or unauthorized data transfers. But if an attacker injects malware that lies dormant, or operates entirely within the endpoint without talking over the network, NDR doesn’t see it. In a world where AI can write reasonable essays and passable music, AI-powered malware can easily produce “acceptable” network traffic.
- AV (Signature-Based Antivirus): AV tools rely on known malware signatures. They work reasonably well against commodity threats and older, well-documented malware, but today’s adversaries don’t play by those rules. They use polymorphic code that constantly shifts its signature, or entirely new malware. Traditional signature-based engines simply can’t keep up.
Most of these cybersecurity tools are heavy, centralized, and built for well-connected, cloud-native IT environments — not for the resource-constrained realities of OT. In many OT settings, systems are semi-isolated by design. They are running decades-old hardware and proprietary software, often on endpoints that were never intended to be connected, let alone secured.
You cannot just deploy a standard hundred-megabyte EDR agent into a programmable logic controller with only 8 MB of memory. You also cannot rely on streaming telemetry when bandwidth is throttled.
Visibility in these environments is fragmented at best, and attackers know it. They exploit the soft spots: outdated firmware, legacy protocols, unmanaged assets, new and previously undocumented malware, and the lack of internal detection. They don’t need to brute-force your firewall. Instead, they can quietly step around your security stack, knowing no one is monitoring what’s happening inside the device itself.
The Crytica Approach: Shrink Dwell Time to Minutes
Crytica was built around a different philosophy: detect threats upon injection, before execution.
While most cybersecurity tools react after the fact, Crytica’s Rapid Detection & Alert (RDA) system can continuously scan systems, providing detection in near real time — before execution, not after.
- RDA detects at injection, not detonation. That means RDA identifies malicious code when it is written into a system — not after it runs, not after it exfiltrates data, and not after it damages your system. RDA sees it before it activates. We focus on presence, not behavior.
- RDA scans the device itself, in seconds. Not just logs. Not just traffic. Not just known indicators. RDA performs comprehensive scans of what is inside a device, identifying early-stage threats that most cybersecurity tools miss. Even in resource-limited environments, full coverage takes seconds, not hours.
- RDA is ultralight. Crytica’s detection probe’s code is under 100KB, which means it can run on devices with severe resource constraints: programmable logic controllers, human-machine interfaces, and embedded control systems in industrial environments. It requires minimal CPU and minimal system overhead.
- RDA is resilient. If an RDA probe is deactivated, disconnected, or even compromised, it automatically redeploys — without manual intervention, remote access, or reliance on a central command system. This makes it ideal for decentralized architectures and OT environments where devices are often geographically dispersed or intermittently connected.
- RDA adds to your stack. Crytica’s RDA layers seamlessly with your existing defenses, providing endpoint visibility in places your SIEM, NDR, and EDR can’t reach. Especially in OT environments where legacy systems and low-bandwidth links dominate, RDA brings lightweight, full-scope detection to the edge — without disrupting operations.
Crytica’s Rapid Detection & Alert system is built specifically for OT and critical infrastructure. By detecting threats at injection, scanning entire systems in seconds, and operating with near-zero overhead, RDA closes the visibility gaps others leave open. It delivers rapid, resilient detection — before execution, before damage, and before it’s too late.
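To make the presence-versus-behavior distinction concrete, here is an added illustration (not Crytica’s RDA code, and not a description of how RDA works internally) of the principle the bullets above describe: a small, low-memory scanner that hashes what is on a device against a known-good baseline, so a file that has been written but never executed still shows up. The directory layout, file names, and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # small read buffer keeps memory use flat on constrained devices


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed in chunks rather than read whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> tuple:
    """Return (added, modified, removed) paths; presence changes, not behavior."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed


def demo() -> tuple:
    """Constructed scenario: baseline a device image, then simulate an injection."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "firmware").mkdir()
        (root / "firmware" / "ctrl.bin").write_bytes(b"constructed baseline image")
        (root / "config.ini").write_text("mode=run\n")
        baseline = snapshot(root)
        # Injection: a new file is dropped (never run) and an existing binary is
        # altered in place. Neither produces network traffic or a process event,
        # yet both are visible to a content scan of the device itself.
        (root / "firmware" / "update.bin").write_bytes(b"constructed dropped file")
        (root / "firmware" / "ctrl.bin").write_bytes(b"constructed tampered image")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```

A real deployment would store the baseline somewhere the device cannot silently rewrite it and rescan on a short, fixed interval; the point here is only that detection keys on what is present, not on what has executed.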
What’s Lurking in Your Network?
Here’s the reality: you don’t know what’s lurking in your network.
Not because you haven’t invested in security, but because most cybersecurity tools were never designed for the OT world. Most depend on bulky, resource-intensive agents, rely on false-positive-prone probabilistic or AI detection algorithms, require cloud connectivity, and depend on armies of cybersecurity “experts” to filter the noise. OT systems often cannot — and should not — be forced to suffer through all of that.
Attackers count on dwell time — the unconscionable gap that gives them weeks or months of freedom. And OT delivers exactly what they want: unpatched systems, outdated firmware, limited visibility, and endpoints no one’s watching from the inside.
While your dashboards stay quiet, they’re already inside: mapping your control systems, escalating privileges, staging persistence, and preparing to strike. And in OT, the fallout isn’t just financial. It's operational, and sometimes even life-critical.
At Crytica, we close the visibility gap in places others cannot reach. We detect malware before execution, even on devices with just a few megabytes of memory. We scan from inside the device, not just network traffic. We work in semi-isolated, resource-constrained systems — where traditional cybersecurity tools fail.
If you want to protect what matters, the best way to reduce risk isn’t more alerts. It’s less dwell time. And we’re ready to help you get there. Reach out to the Crytica team for a demo today!