Defenders Need Superior Software and Algorithms to Win in 2026

The OODA Loop, a military decision-making mental model, was developed by US Air Force Colonel John Boyd in the mid-1950s to apply to decision-making in high-stress situations. The fundamental components are to observe, orient, decide, and act, then restart the cycle until the conflict is resolved.
The need to make quick, confident decisions isn’t limited to the cockpit. In the emergency room, doctors must act within seconds to save patients in critical condition. Through training and real-life experience, doctors recognize how certain vital signs trigger the need for immediate treatment, such as an airway failure determining the need for immediate intubation. The entire loop is compressed to an almost reflexive response. With AI-accelerated cyber attackers, IT and security teams are being asked to move just as fast when deciding whether to escalate, investigate, or dismiss thousands of incoming alerts every day. Decisions need to be made in seconds, not minutes.
The longer it takes to observe and orient, the more opportunity a threat actor has to gain a foothold in the environment. How can you skip straight to action without burning out your entire team?
The answer is pre-planning security decisions and letting automation perform the observation and orientation of threats within milliseconds. In 2026 and beyond, the future of attack and defense in cyber will be defined by who has the better algorithms and software.
Attackers are getting faster and harder to detect
Stealth
Most cyber attacks begin quietly. An attacker slips into a business’ network through a single compromised user account, unpatched system, or a convincing phishing email.
The duration a threat actor remains inside the network before they’re detected is known as dwell time. Dwell time has dramatically fallen over the past decade, from an average of 243 days in 2012 to 11 days in 2024. At first glance, this looks like good news. We’re catching the bad guys faster.
Between 2012 and 2016, as attacks increasingly made headlines, several endpoint detection & response (EDR) solutions entered the market and gained adoption, especially among large enterprises. More businesses were able to flag and prevent the extended unauthorized access that led to attacks.
By 2018, the average dwell time was down to 78 days. However, the rapid decline between then and now can’t be attributed solely to the adoption of EDR technologies, largely because attackers changed tactics from espionage to ransomware, allowing them to profit faster. On closer inspection, it’s ransom notes that stop the stopwatch and radically reduce the average dwell time (which is no help to defenders).
Speed
Fast forward to now: Ransomware actors view their actions as a “business” and want to get paid as soon as possible. With wider adoption of EDR and other detection controls, threat actors are prioritizing speed over stealth. It’s less about getting detected and more about quickly locking businesses out and selling their systems back to the victims.
If the current trend continues at the same rate, we expect to see ransom notes appear even faster, resulting in an average dwell time of 1 day by 2027.
Once inside a business’ network, attackers race to move laterally, exfiltrate data, or deploy ransomware. This is known as breakout time — and it’s measured in minutes, not weeks. In 2024, the average breakout time dropped to 48 minutes, meaning the critical window for defenders to catch and stop a breach is under an hour.
The quickest breakout time we observed was just 47 seconds. The threat actor compromised the victim through an adversary-in-the-middle attack, chose an internal colleague from the victim’s sent email history, and then sent a phishing email from the first compromised user to the internal colleague. Due to the speed, this had to be an automated attack. It’s impossible to do all of that in 47 seconds manually.
Some of the largest businesses, with extraordinary security budgets, have adopted the 1-10-60 rule as a goal:
Detect an intrusion in 1 minute
Investigate within 10 minutes
Remediate the problem in 60 minutes
Given the trajectory of attackers now, even the 1-10-60 rule isn't quick enough. Businesses need a solution that is faster, yet accessible to organizations of all sizes, budgets, and sophistication.
AI alone won’t solve the speed gap
The modern adversary is rapidly outpacing human defenders.
Employees attend meetings, take calls, get engrossed in tasks, and go on bathroom breaks. In that time, attackers can enter an organization and move laterally through its network, and outpace even the most attentive human employee.
This speed gap is a major stressor for resource-restrained teams, so it’s understandable that the hype around AI continues to build. Could it be the answer to outsmarting hackers for good?
Right now, the short answer is no.
How AI should be used to defend against attackers
AI excels at helping with research, generating code (for human review), and distilling or recognizing patterns in large swaths of data. AI is probabilistic (read that as “unpredictable”) on its own, but security decisions must be repeatable and predictable to be effective.
Automation can truly empower security teams
Automation is necessary for addressing and containing modern threats before they become a crisis. Unlike AI, rule-based automation can act fast and decisively — and human teams can easily review and understand why certain decisions took place. This enables security teams to focus on higher-impact work instead of spending their time triaging alerts.
Better algorithms and software in action
If you accidentally touch a hot stove, your hand pulls away immediately before you can think about it. When it comes to AI-enabled threat actors, there’s no room for thinking. Hostile behavior needs to be flagged or contained immediately, much like our own involuntary reflexes.
Below, we’ll show a real-life example of how Wirespeed successfully observed, oriented, decided, and acted in 5 seconds.
Observe
Wirespeed saw that a client’s employee had multiple logins from suspicious IP addresses. The employee had entered their credentials on a spoofed Microsoft365 page and the threat actor was able to steal their session, avoid multi-factor authentication, and login through a privacy VPN.
Orient
The employee normally worked from Kentucky but appeared to be attempting to access their account from California. Even more alarming, their IP address was associated with a Romanian hosting provider.
Decide
In just 321 milliseconds, a verdict was made. Because Wirespeed remembers user behavior, including work behavior, all signs pointed to a compromise.
Act
The user account was contained in 5 seconds. Within that time period, the account was locked, limiting the attacker’s ability to move throughout the network. Then, the impacted employee was notified via email (their organization’s preferred contact method).
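The following is an added example, not Wirespeed’s code, showing how the pre-planned, rule-based automation described earlier can be wired as an observe → orient → decide → act loop over sign-in events like the ones in this case. Everything here is constructed: the per-user baseline (home region and known networks), the ASN enrichment table with hypothetical labels such as `AS_HOSTING_RO`, the scoring weights and the containment threshold, and the three log lines using RFC 5737 documentation addresses. A real deployment would feed the baseline from historical sign-ins and the enrichment from an IP/ASN data source, and the `act` step would call the identity provider’s API instead of returning action names.

```python
"""Rule-based triage of sign-in events, structured as an OODA loop.

Added example (not Wirespeed's code). Baseline, ASN table, weights and log
lines are constructed; a real deployment would source them from the identity
provider's sign-in log and an IP/ASN enrichment feed.
"""
import re
import time
from dataclasses import dataclass

# Constructed per-user baseline (assumed to be learned from prior sign-ins).
USER_BASELINE = {
    "alice@example.com": {"home_region": "US-KY", "known_asns": {"AS_CORP_ISP"}},
}

# Constructed ASN enrichment table; the labels are hypothetical, not real ASNs.
ASN_INFO = {
    "AS_CORP_ISP":   {"region": "US-KY", "type": "isp"},
    "AS_HOSTING_RO": {"region": "RO-B",  "type": "hosting"},
    "AS_VPN_CA":     {"region": "US-CA", "type": "vpn"},
}

# Pre-planned decision: a score at or above this contains the account.
CONTAIN_THRESHOLD = 4

# Constructed sign-in log: one normal login, then two from foreign networks
# that reuse a session token rather than completing interactive MFA.
SAMPLE_LOG = """\
2026-01-05T14:02:11Z user=alice@example.com ip=203.0.113.7 asn=AS_CORP_ISP auth=interactive_mfa
2026-01-05T14:03:40Z user=alice@example.com ip=198.51.100.22 asn=AS_HOSTING_RO auth=session_token
2026-01-05T14:03:52Z user=alice@example.com ip=192.0.2.9 asn=AS_VPN_CA auth=session_token
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) asn=(?P<asn>\S+) auth=(?P<auth>\S+)$"
)


@dataclass
class SignIn:
    ts: str
    user: str
    ip: str
    asn: str
    auth: str


@dataclass
class Verdict:
    user: str
    ip: str
    score: int
    reasons: list
    contain: bool
    decide_ms: float


def observe(log_text):
    """Observe: parse raw sign-in lines into events; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(SignIn(**m.groupdict()))
    return events


def orient(event):
    """Orient: compare the event with the user's baseline and the IP enrichment.

    Returns (score, reasons). The weights are the pre-planned policy, so every
    verdict is explainable by listing the rules that fired.
    """
    base = USER_BASELINE.get(event.user, {"home_region": None, "known_asns": set()})
    info = ASN_INFO.get(event.asn, {"region": "unknown", "type": "unknown"})
    new_network = event.asn not in base["known_asns"]
    score, reasons = 0, []
    if base["home_region"] and info["region"] != base["home_region"]:
        score += 2
        reasons.append(f"region {info['region']} differs from home region {base['home_region']}")
    if info["type"] == "hosting":
        score += 3
        reasons.append("source ASN is a hosting provider")
    elif info["type"] == "vpn":
        score += 2
        reasons.append("source ASN is a privacy VPN")
    if new_network:
        score += 1
        reasons.append("ASN never seen for this user")
    if event.auth == "session_token" and new_network:
        score += 1
        reasons.append("session token reused from a new network (possible token theft)")
    return score, reasons


def decide(event):
    """Decide: apply the fixed threshold and record how long the verdict took."""
    t0 = time.perf_counter()
    score, reasons = orient(event)
    elapsed_ms = (time.perf_counter() - t0) * 1000
    return Verdict(event.user, event.ip, score, reasons, score >= CONTAIN_THRESHOLD, elapsed_ms)


def act(verdict, contained):
    """Act: emit containment actions once per user; later hits add nothing new."""
    if not verdict.contain:
        return []
    if verdict.user in contained:
        return ["already_contained"]
    contained.add(verdict.user)
    return ["revoke_sessions", "lock_account", "notify_user_by_email"]


def run_loop(log_text):
    """Run the full loop over a log; returns a list of (verdict, actions) pairs."""
    contained = set()
    results = []
    for event in observe(log_text):
        verdict = decide(event)
        results.append((verdict, act(verdict, contained)))
    return results


if __name__ == "__main__":
    for verdict, actions in run_loop(SAMPLE_LOG):
        print(f"{verdict.user} from {verdict.ip}: score={verdict.score} "
              f"contain={verdict.contain} ({verdict.decide_ms:.3f} ms) actions={actions}")
        for reason in verdict.reasons:
            print("   -", reason)
```

The first event scores 0 and produces no action; the hosting-provider login scores 7 and triggers containment; the VPN login scores 6 but only reports that the user is already contained, so a burst of suspicious logins does not generate a burst of duplicate actions. The point of the fixed weights and threshold is the one made above about repeatability: the same input always yields the same verdict, and the `reasons` list is the audit trail a human reviews afterwards.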
Fighting fire with fire
AI models are getting better at performing offensive cyber tasks. According to Irregular Labs, models that struggled with “basic logic” just 18 months ago are now capable of reverse engineering and exploit construction. This is good news for threat actors looking to accelerate and scale their attacks.
But with the right tools, defenders aren't at a total disadvantage. With a median time to verdict (MTTV) of 1801 milliseconds (or under 2 seconds), Wirespeed provides businesses with the capability to close the speed gap and compete against AI-enabled adversaries — turning good security into a reflex.