Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

More Than 60% Of Hackers Can Exfiltrate Data In Less Than Five Hours, Finds Inaugural Hacking Report

New research from Bishop Fox and SANS provides unique adversarial perspective, and offers “best worst-case” defensive scenario


PHOENIX, AZ – September 28, 2022 Bishop Fox, the leading authority in offensive security, today announced the results of a groundbreaking new survey that explores the minds and methodologies of modern attackers. Executed in collaboration with SANS, the research found that more than half of hackers could execute an end-to-end attack – from compromise to data exfiltration – in less than a day. While the statistics in themselves are concerning for security teams, they are likely a “best worst-case” scenario, as they are based on ethical approaches. Nearly half of those surveyed said employing unethical measures would have a high, or extremely high, impact on their success.

The inaugural 2022 SANS survey solicited insights from more than 300 ethical hackers to understand the intricacies of how attackers think, the tools they use, their speed, specialization, and favorite targets, among other elements. In contrast to other surveys that take a defender’s point-of-view and provide more theoretical models of potential threats, attacks, and compromise, this report flips the script to explore how adversaries view specific environments and provides insights into where they find the most success.

“Many SANS surveys and whitepapers focus on a defensive security perspective – often soliciting opinions from organizations defending against attacks. This survey yielded a new, welcome perspective,” said Matt Bromiley, Digital Forensics and Incident Response Instructor at SANS. “We wanted to get an adversary’s point of view as to whether the defenders are successfully detecting attacks, and how easily or quickly they are able to execute those attacks. There are two sides to every story. Understanding how they work together can help build more resilient cyber defenses.”

To put the new survey findings in context, one only has to look at the venerable Verizon Data Breach Report to understand the urgency around metrics like an end-to-end attack taking less than a day. According to the Verizon report, around 70% of detected breaches fall in the “days or less” to detect category, and more than 20% in the “months or more” to detect. Even more worrying is that Verizon also put the top “Discovery Method” for more than half of breaches as “Actor Disclosure,” essentially ransomware notes, or posts offering evidence and/or data for sale in criminal forums.

The SANS research reinforces that most security teams are still struggling mightily with detection and response; nearly three-quarters indicated that organizations have only few or some detection and response capabilities to effectively stop an attack. Meanwhile, hackers can move quickly and decisively, even with less experience. In fact, the largest portion of the survey group has 1-6 years of experience in ethical hacking, with only 16% holding more than 10 years. 

In terms of specific stages of attack and success rates, the data largely followed a trend of five hours or less. The specific findings include:

  • Nearly 40% indicated that they can break into an environment more often than not, if not always
  • When they do break into an environment, nearly 60% report they are able to do so in 5 hours or less
  • More than one third of respondents can escalate or move laterally within 3-5 hours, with one fifth doing so in 2 hours or less
  • Nearly two thirds of respondents need 5 hours or less to collect and potentially exfiltrate data once they have gained access, with more than 40% requiring 2 hours or less

“We hope this report helps security teams make better offensive and defensive decisions by exploring actual attacker thought processes and behavior – and seeing what works and what doesn’t work in real world situations,” said Tom Eston, Bishop Fox AVP of Consulting. “With these insights, we can better understand the ‘cost of doing business’ for attackers, as well as the speed with which they execute. Knowing how adversaries operate, and their preferences in terms of tactics and techniques, can help organizations evaluate their investments, and better understand where they need to double down on controls, policies, testing, and defenses.”

About Bishop Fox

Bishop Fox is the leading authority in offensive security, providing solutions ranging from continuous penetration testing, red teaming, and attack surface management to product, cloud, and application security assessments. We’ve worked with more than 25% of the Fortune 100, half of the Fortune 10, eight of the top 10 global technology companies, and all of the top global media companies to improve their security. Our Cosmos platform, service innovation, and culture of excellence continue to gather accolades from industry award programs including Fast Company, Inc., SC Media, and others, and our offerings are consistently ranked as “world class” in customer experience surveys. We’ve been actively contributing to and supporting the security community for almost two decades and have published more than 16 open-source tools and 50 security advisories in the last five years. Learn more at or follow us on Twitter.

Media Contact:

Kevin Kosh, Senior Director of Communications

[email protected]

Ready to get started? We can help.

Contact Us

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.