AI is helping threat actors to accelerate attacks, but it can also empower incident responders to quickly contain threats, ReliaQuest has claimed in a new report.
The firm’s Annual Cyber-Threat Report 2026 is based on an analysis of customer incidents.
It found that breakout time last year took on average just 34 minutes; 29% quicker than in 2024. The fastest ever recorded time taken from access to lateral movement was just four minutes – 85% faster than the year before.
The fastest recorded exfiltration time was just six minutes; down from 4 hours 29 minutes in 2024.
ReliaQuest said these stats can be explained by the growing use of automation and AI, with 80% of ransomware groups using one or both in their attacks last year.
AI is also being used prior to attacks, the report claimed. It can help threat actors with reconnaissance by automating the analysis of social media profiles, corporate websites and public data sources in order to identify high-value targets and draft convincing social engineering scripts.
Elsewhere, the report revealed that a quarter of attacks used social engineering for initial access last year, with ClickFix responsible for delivering most (59%) of the top malware families.
The social engineering technique is also the reason why drive-by-compromise is now the top initial access technique, just ahead of phishing.
Common Security Failures
ReliaQuest also revealed why many incident responders are struggling to match the speed and sophistication of modern threat groups. The most common security control failures it found in 2025 were:
- Insufficient logging which allows attacks to go undetected
- Unmanaged devices without security controls like endpoint protection or monitoring agents
- Insecure VPNs lacking MFA or device-based certificates, which allow attackers to exploit stolen credentials
- External exposure via vulnerabilities in internet-facing devices
- Helpdesk procedural flaws which make organizations easy targets for social engineering attacks
- Poor password policy and controls such as weak, reused, or poorly rotated passwords, and gaps in MFA and local admin password management, enabling quick privileged access and lateral movement
- Overprivileged and misconfigured cloud accounts, enabling access to these environments
Fighting AI with AI
Mike McPherson, SVP of GreyMatter Operations at ReliaQuest, said AI and automation have “changed the game” in cybersecurity – for attackers and defenders.
“Thankfully defenders can outperform adversaries with agentic AI and achieve an average containment time of four minutes. This speed is essential to rival the breakout times observed this year – a race that manual response, at 16 hours on average without automation, cannot win,” he continued.
“Agentic AI enables organizations to move to predictive security – by analyzing vast datasets of rich threat intelligence, agents can adapt this intel to a customer’s unique environment and close gaps before a threat actor may attack.”
ReliaQuest urged network defenders to ensure all devices and access paths are visible to their security operations (SecOps) teams – especially edge devices. It added that they must continuously manage risk across the external attack surface by maintaining a current inventory of assets and remediating any new exposures.
Finally, CISOs should strengthen identity controls, with high-assurance verification for helpdesk resets and identity changes, minimal standing privileges, and phishing-resistant privileged access.
