The 29-minute Breakout: Why monthly vulnerability scanning no longer works

TLDR: We attended Cyber Security 2026: Kritisk infrastruktur in Stockholm, and the reality check was simple: “breakout time” has hit a record low of 29 minutes. If you’re still scanning monthly, you’re defending a version of your infrastructure that doesn’t exist anymore.

---

The time it takes for an attacker to move after a breach has dropped to just 29 minutes. 

In 2021, we talked about a “breakout time” of 100 minutes. Today? It’s less time than it takes to order a pizza. This isn’t just a minor improvement for hackers; it’s a fundamental shift. The defensive window hasn’t just shrunk: it’s disappearing.

Rather than a gradual improvement, this marks a fundamental shift in how quickly cyberattacks unfold. The traditional defensive window isn’t just shrinking, it’s disappearing. 

For security teams, the implications are significant. Vulnerability management, attack surface monitoring, and continuous security testing all need to operate at a completely different pace.

This acceleration is a recurring theme in conversations with cybersecurity leaders and it was reinforced during a recent conference in Stockholm (Cyber Security 2026: Kritisk infrastruktur).

AI in security: Why attacks are getting faster, not just smarter 

As Daniel Gillblad Chief of AI at Recorded Future puts it: AI isn’t necessarily inventing new vulnerabilities, it’s dramatically accelerating how quickly existing weaknesses are discovered and exploited.

What once required days of manual effort (reconnaissance, vulnerability discovery, and exploit development) can now be executed in minutes. Today, large language models (LLMs) can even generate exploit code almost instantly.

At the same time, attack workflows are becoming increasingly automated:

• Exposed assets are identified
• Known vulnerabilities are detected
• Exploit code is generated and executed

In some cases, fully automated attack programs can move from discovery to exploitation in just a few hours, without the attacker writing a single line of code.

This is the rise of the agentic hacker: autonomous systems that continuously scan, adapt, and exploit weaknesses at scale. The old model of slow, manual hacking is being replaced by machine-speed, autonomous attacks.

Attackers are no longer operating in bursts, but continuously, through automated systems that scan and act in real time.

Why traditional network security models are failing

For years, cybersecurity strategies relied on a “castle and moat” approach: protect the perimeter, keep attackers out, and monitor internal activity.

But as Pontus Johnson, Professor at KTH,  points out, this model breaks down when attackers are no longer slow and predictable, but automated and persistent. 

AI-driven attackers don’t sleep, slow down, or rely on manual workflows. Instead, they continuously probe for weaknesses and exploit them in real time.

Static defenses can’t keep up with dynamic threats. Security can no longer function as a static wall. It needs to behave more like an immune system, continuously running, constantly adapting, and capable of responding in real time.

This shift isn’t just theoretical, it’s driving new approaches to how security is built and operated, moving away from checklist-driven models toward continuous, adaptive systems.
It’s also reflected in emerging solutions and companies focused on keeping pace with this new reality, including initiatives led by researchers in the field.

As Per Gustavsson, CISO at Stratsys, puts it:

“Compliance is a checklist. Security is a street fight.”

Frameworks like NIS2 (the EU directive aimed at strengthening cybersecurity across critical infrastructure and essential services), help drive investment in cybersecurity, but compliance alone does not equate to real-world security.

Why monthly vulnerability scanning is no longer enough

If attackers can identify and exploit vulnerabilities in minutes, scanning your systems once a month creates a dangerous gap. This mismatch between attacker speed and defensive cadence is one of the biggest risks in modern vulnerability management.

If an AI-driven attacker can find your vulnerabilities in minutes, scanning once a month is like checking if your front door is locked on the first day of the month and leaving it wide open until the last one. 

To illustrate:

09:00 — A new asset is exposed online

09:05 — An automated agent discovers it

09:12 — A vulnerability is identified

09:30 — Exploit code is generated and executed

In less than 30 minutes, the entire attack lifecycle is complete. By the time your next scheduled vulnerability scan runs, the breach has already happened.

To close that gap, organizations need to start thinking like attackers. That means understanding how their environment looks from the outside. This isn’t just about improving existing processes, it requires a different approach to how security is run.

Industry data shows the impact clearly. Research from IBM puts the average cost of a data breach at around $4 million globally, with most organizations experiencing significant operational disruption as a result. For smaller organizations, the impact is often more severe. The Verizon Data Breach Investigations Report shows that common attack paths, such as credential theft and misconfigurations, remain dominant, with stolen credentials alone involved in nearly 50% of breaches.

In practice, that means a single successful attack isn’t just a security incident, it’s a business risk.

Continuous Security Testing: What organizations need to do instead 

If attackers are operating continuously, defense must do the same. That means moving away from periodic, snapshot-based security and toward real-time, continuous security testing.

Three principles stand out: 

• Continuous Discovery: You can’t secure what you don’t know exists. Unknown and unmanaged assets are often the easiest entry points and the first things automated attackers will find.

• Automated Vulnerability Scanning: Vulnerabilities need to be identified before attackers exploit them. Continuous, automated scanning helps surface issues as they appear, rather than weeks later.

• Attacker-Centric Testing: Security teams need to understand how their environment looks from the outside. What is exposed, reachable, and exploitable should be continuously assessed from an attacker’s perspective.

The Future of Cybersecurity: Real-time defense

Cybersecurity isn’t slowing down and neither are attackers. What used to be measured in hours is now measured in minutes.

For many organizations, especially SMEs, the consequences are real. A single successful attack can lead to significant financial damage, and in some cases, bankruptcy. As Carl-Oskar Bohlin, Minister of Civil Defence in Sweden, has noted in discussions around civil defence and resilience, the current threat landscape can feel overwhelming.

At the same time, the shift toward automation cuts both ways. The same technologies accelerating attacks, AI and automation, can also be used to improve how defenses operate.

In practice, that means changing how security is run:

• From periodic checks to continuous monitoring
• From reactive fixes to earlier detection
• From static defenses to systems that adapt over time

This isn’t about adding more tools. It’s about reducing the gap between when something becomes exposed and when it’s detected.

In a world where breakout times are measured in minutes, that gap is what matters. Curious about continuous security? Book a demo to talk to our experts or start a 2-week free trial to see it in action.