The 24/7 Problem: Why Attackers Don’t Wait for Business Hours
Attackers operate on their own schedule, and that schedule is continuous. They probe, exploit, and escalate at whatever hour gives them the greatest advantage, and every hour of delay on the defender's side is costly: IBM attributes the largest reductions in breach cost to faster detection and containment, underscoring the danger of limited-hours monitoring. For defenders who still rely on “business-hours security” thinking, that reality is a strategic mismatch. What matters most is not how sophisticated your tools are but how quickly your organisation detects and responds. Time-to-detect and time-to-respond determine the difference between a contained incident and prolonged operational, financial, and regulatory pain.
Understanding attacker dwell time
Dwell time is the period between an attacker gaining an initial foothold and when the intrusion is detected and contained. During dwell, attackers do reconnaissance, escalate privileges, move laterally, and prepare exfiltration or encryption. Mandiant’s M-Trends analyses consistently highlight that adversaries use this window to assess value and expand access. The longer an intrusion goes unnoticed, the more options the attacker builds for impact.
Importantly, dwell time is an amplifier. A short, successful intrusion contained within hours may produce minimal business impact. The same initial access, if unnoticed for days, can become a full-scale data theft or destructive attack. This dynamic is why measurement of dwell time is central to any security conversation: it ties directly to severity and recovery effort.
Why detection delays translate to business impact
Detection delays increase cost in three connected ways. First, they increase the technical complexity of remediation as attackers create persistence and obfuscate traces. Second, they widen the scope of affected systems because lateral movement reaches more assets. Third, they increase business disruption as critical systems are taken offline for containment and investigation.
Microsoft’s Digital Defense reporting emphasises that response speed is a primary determinant of breach impact. Automated containment actions such as isolating hosts, revoking compromised credentials, and blocking malicious infrastructure can stop an attack before it escalates. Where automation is absent or slow, manual escalation creates windows attackers exploit. That operational lag is where the majority of measurable damage occurs.
Business-hours security is a dangerous fiction
Many organisations staff monitoring and remediation capability during daytime hours and reduce coverage overnight and on weekends. This pattern assumes attacks will surface when people are present to handle them. In truth, attackers often prefer off-hours activity because it maximises delay to detection and response. Batch jobs, overnight integrations, and reduced staffing make nights and weekends ideal for a rapid, noisy impact such as ransomware encryption or the exfiltration of consolidated data stores.
Even when alerts are generated outside normal hours, the absence of on-call procedures or clear playbooks means alerts may not be triaged until morning. That gap is effectively a guaranteed increase in dwell time. The operational effect is clear: an outage or data loss that begins on Friday night can turn into a Monday crisis that affects customers, regulatory obligations, and revenue. The difference is measurable. Organisations using AI-powered detection reduce per-record breach costs by nearly 45%, according to TotalAssure’s 2025 breach cost analysis.
Why tool sophistication alone will not solve the problem
Advanced EDR, XDR, and analytics platforms are valuable, but they do not automatically shorten detection or response times. Tools produce telemetry and alerts. Someone must tune alerts, triage signals, decide on containment actions, and execute them. Without tested playbooks and 24/7 operational readiness, sophisticated tooling becomes a source of noise or delayed action rather than speed.
Microsoft’s guidance and incident response research underline this point. Telemetry is only as useful as the workflows that act upon it. Automation is the multiplier: when well-designed automation executes containment steps immediately, the organisation reduces the window attackers can exploit. Where automation is absent, human decision-making under stress becomes the bottleneck. Meanwhile, staffing models lag reality. With 37% of security budgets tied up in personnel, per IANS Research, most mid-market teams simply cannot sustain round-the-clock internal coverage.
Operational practices that reduce dwell and impact
Reducing dwell time is an operational challenge with tactical and strategic levers. Tactically, organisations must prioritise detection coverage for internet-facing assets, identity services, and data exfiltration channels. Instrumentation and centralized logging across cloud and on-premise assets enable correlation that often reveals early-stage activity.
Strategically, organisations should design response playbooks that are executable 24/7. These playbooks must include automatic containment for high-confidence detections, pre-authorised escalation paths, and verified rollback and recovery procedures. Regular exercises and incident simulations ensure that handoffs work and that on-call responders can act decisively when alerts fire outside normal hours.
Practical options for continuous coverage
Not every organisation can staff a 24/7 SOC internally. Practical options include using an MSSP or managed detection and response partner, implementing staged automation for containment, and defining clear on-call rotations with documented escalation criteria. The objective is the same: close the window between detection and response so that attackers have less time to expand their options.
When engaging partners or building automation, focus on playbook clarity and integration. Ensure partners have access to the right telemetry, and that automated actions are reversible and audited. A responsive combination of detection, automation, and human decision-making is the most effective posture for reducing dwell time and business impact.
Measuring success: MTTD and MTTR
Two operational metrics matter above all: mean time to detect and mean time to respond. Track these metrics by incident class and by priority asset. Improvements in detection that are not coupled with faster response do not materially reduce risk. Likewise, fast response that lacks confident detection may cause unnecessary disruption. The goal is to reduce both measures in tandem so incidents are both discovered early and contained cleanly.
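As an added illustration (not from the original article), the following Python computes time-to-detect and time-to-respond per incident, then averages them by incident class and by whether initial access happened during business hours, which makes the off-hours dwell penalty described above visible in the numbers. The incident records and the 08:00–18:00 Monday-to-Friday definition of business hours are constructed assumptions; open incidents are kept out of MTTR and counted separately so the averages do not hide them.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incidents (not real data); ISO 8601 timestamps in the SOC's local time.
INCIDENTS = [
    {"id": "INC-1", "class": "ransomware", "initial_access": "2025-03-03T10:15:00",
     "detected": "2025-03-03T11:05:00", "contained": "2025-03-03T13:30:00"},
    {"id": "INC-2", "class": "ransomware", "initial_access": "2025-03-07T22:40:00",
     "detected": "2025-03-08T01:10:00", "contained": "2025-03-10T09:45:00"},  # Friday night
    {"id": "INC-3", "class": "credential", "initial_access": "2025-03-11T14:00:00",
     "detected": "2025-03-11T14:20:00", "contained": "2025-03-11T15:00:00"},
    {"id": "INC-4", "class": "credential", "initial_access": "2025-03-15T03:30:00",
     "detected": "2025-03-17T08:30:00", "contained": None},  # weekend start, still open
]

def is_business_hours(ts):
    """Assumed staffing window: Monday to Friday, 08:00 to 17:59."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18

def hours_between(start, end):
    return (end - start).total_seconds() / 3600

def dwell_metrics(incidents):
    """MTTD (initial access -> detection) and MTTR (detection -> containment), in hours,
    grouped by incident class and by business-hours vs off-hours initial access.
    Incidents with no containment time count toward MTTD only and are tallied in 'open'."""
    by_class, by_shift = {}, {}
    open_count = 0
    for inc in incidents:
        t0 = datetime.fromisoformat(inc["initial_access"])
        td = datetime.fromisoformat(inc["detected"])
        ttd = hours_between(t0, td)
        ttr = None
        if inc["contained"] is None:
            open_count += 1
        else:
            ttr = hours_between(td, datetime.fromisoformat(inc["contained"]))
        shift = "business_hours" if is_business_hours(t0) else "off_hours"
        for bucket, key in ((by_class, inc["class"]), (by_shift, shift)):
            b = bucket.setdefault(key, {"ttd": [], "ttr": []})
            b["ttd"].append(ttd)
            if ttr is not None:
                b["ttr"].append(ttr)
    def summarise(b):
        return {k: {"mttd_h": round(mean(v["ttd"]), 2),
                    "mttr_h": round(mean(v["ttr"]), 2) if v["ttr"] else None,
                    "n": len(v["ttd"])} for k, v in b.items()}
    return {"by_class": summarise(by_class), "by_shift": summarise(by_shift), "open": open_count}
```

Run `dwell_metrics(INCIDENTS)` to see that the two off-hours intrusions average roughly 28 hours to detect against under one hour for the business-hours pair, the kind of split worth tracking per priority asset.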
Conclusion: design for continuous threat speed
Attackers do not wait for business hours. Organisations that treat security as an elective daytime function expose themselves to longer dwell times and greater damage. The remedy is operational: improve detection coverage for critical assets, design automation-backed containment, codify clear playbooks for off-hours response, and measure both detection and response times. Microsoft’s incident research and Mandiant’s operational analyses both point to the same conclusion: speed reduces impact. Investment in 24/7 readiness and repeatable response produces outsized reductions in business risk compared with chasing the most advanced point solutions alone.
If your organisation needs to translate this into practical steps, start with a short review of your detection coverage for internet-facing apps and identity stores, a validation of your highest-confidence automated responses, and a simple table-top rehearsal of off-hours incident handling. Those modest actions materially shorten dwell time and make the difference between a contained incident and a business crisis.