THE ECHO

One story. Gone deep.

Your Board Thinks You Have Hours. You Don't.

CrowdStrike dropped their 2026 Global Threat Report this week. The headline number: average eCrime breakout time — the window between initial access and lateral movement — fell to 29 minutes. The fastest they observed? 27 seconds. In one case, data exfiltration started four minutes after the attacker got in.

Twenty-nine minutes.

Now picture this conversation. A board member asks the CISO: "How quickly can we respond to an incident?" The CISO says something about detection, triage, escalation, containment. The board member nods. Everyone feels good about the answer.

Nobody in that room is thinking in minutes.

Incident response plans are written in hours. Tabletop exercises run in hours. Escalation chains — the time it takes to wake up the right person, convene the right call, make the right decision — are measured in hours. The muscle memory around "responding to a breach" assumes a timeline that no longer exists.

Here's the other number that should keep you up: 82% of detections last year were malware-free. No malicious files. No payloads for your antivirus to catch. Attackers used valid credentials, legitimate tools, and approved SaaS integrations to move through networks. They looked like employees. They looked like normal.

This is the translation problem. Security teams talk about breakout times, MITRE ATT&CK techniques, and identity-based attacks. Boards hear "we have tools and a plan." The gap between what the technical team knows and what leadership understands is where risk lives — and right now, that gap is about 29 minutes wide.

Your security program was designed for a world where you had time to think. That world is gone. The organizations that survive this shift won't be the ones with the best tools. They'll be the ones where the person explaining the risk can make the board feel the difference between 29 minutes and "we'll get back to you."

That's not a technology problem. That's a translation problem.

SIGNAL CHECK

What else matters this week.

Cisco SD-WAN: Three Years Inside, Nobody Noticed — CVE-2026-20127, CVSS 10.0. Authentication bypass exploited since 2023. No malware, no C2 — the attacker used the system exactly as designed. Five Eyes published a 41-page joint hunting guide. CISA's Emergency Directive deadline was Friday. If you run Cisco SD-WAN, assume compromise and hunt. via CISA, Cisco Talos

AI-Augmented Hacker Breaches 600 Firewalls in 5 Weeks — Amazon's CISO published a case study of a low-skill attacker who built a custom MCP server to pipe stolen network topologies into Claude Code. The AI ran Metasploit and hashcat autonomously. No zero-days — just exposed management interfaces and weak passwords. The skill floor for offensive operations just collapsed. via AWS Security Blog

ClickFix Is Now the #1 Malware Delivery Method — Huntress Labs confirmed the copy-paste social engineering technique was responsible for 53% of all malware infections they tracked. In 18 months it went from novel to dominant. No exploit needed when the user is the exploit. via Huntress Labs

100+ Kernel Zero-Days Found in 30 Days for $600 — Researchers built an AI agent swarm to reverse-engineer and audit Windows kernel drivers at scale. Total cost: roughly the price of a nice dinner. The era of affordable zero-day discovery is here. via Yaron Dinkin

THE NOISE

Not every signal needs action.

"AI Is an Arms Race" — CrowdStrike's own press release calls it an "AI arms race." It's a vendor report timed to sell you a platform. The data is real — the framing is marketing. Read the findings. Ignore the call to action. The 29-minute stat doesn't need CrowdStrike's sales team to be terrifying on its own.

ONE QUESTION

No answer. Just the question.

If your incident response plan assumes you have hours, and attackers break out in minutes — what exactly is the plan for?

Michael Faas is a fractional CTO/CISO helping growth-stage companies navigate complexity without building bloated security programs. More at echocyber.io.
