Tags: NDR, breach, lateral movement

The Most Dangerous Hour of a Breach: What Happens After Attackers Get In

Port0 Team
March 10, 2026 · 9 min read

Security teams spend enormous effort trying to prevent the initial breach.

They deploy endpoint protection, identity controls, firewalls, vulnerability management, and threat intelligence. Every layer is designed to stop attackers from getting inside the network.

But modern attackers plan for something different.

They assume they will eventually get in.

The real objective is not the first system they compromise. The real objective is what they can reach from it.

Once inside an environment, attackers begin expanding their access. They move between systems, escalate privileges, and search for the assets that matter most. That phase of an attack is known as lateral movement, and it has become one of the defining characteristics of modern breaches.

Research suggests this stage of an attack now begins much sooner than most organizations expect.

According to the CrowdStrike Global Threat Report 2025, the average eCrime breakout time, the interval between an initial compromise and the first lateral movement, was 48 minutes. The fastest breakout observed in that reporting period was 51 seconds.

That means the most important phase of a breach may begin before anyone realizes the first compromise occurred.

The first system is rarely the real target

When an attacker compromises a machine, that machine is usually not the ultimate objective.

Instead, it is a foothold.

Initial access often comes from common attack vectors. Phishing emails, stolen credentials, exposed services, and vulnerabilities in internet-facing systems are frequent entry points. The compromised system might be a workstation, a development server, or a misconfigured cloud workload.

But attackers rarely stop there.

From the initial foothold they begin learning about the environment. They collect credentials, inspect configurations, query directory services, and identify other reachable systems.

The goal is simple. Find a path to something more valuable.

That could be a database containing sensitive data, an identity system such as Active Directory, or cloud workloads that store critical information.

Reaching those targets almost always requires moving through other systems first.

This is where lateral movement becomes central to the attack.

How attackers move through networks

Lateral movement does not always involve obvious malicious software.

In many cases attackers rely on tools that already exist inside the environment.

Common techniques include:

  • Remote Desktop Protocol connections between internal machines

  • Windows Management Instrumentation used for remote command execution

  • PowerShell remoting (over WinRM) used to run commands on other hosts

  • SSH connections between servers

  • Internal API calls between services

These are legitimate administrative tools.

System administrators use them every day to manage infrastructure. When attackers use the same tools, their activity can look very similar to normal operations.

Attackers also frequently rely on stolen credentials. Once they obtain valid accounts, their actions may appear indistinguishable from those of legitimate users.

This is one reason many breaches remain undetected for long periods.

According to the IBM Cost of a Data Breach Report 2024, the average breach lifecycle, the time to identify a breach plus the time to contain it, is 258 days.

Attackers often have months to explore the environment.
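Because the tools and the credentials are legitimate, a signature on the tool itself rarely fires; what does stand out is an account reaching hosts it has never touched, several of them in a short span. The following is an added example for this article, not Port0 code, of that behavioural check over Windows Security event 4624 fields (account, source address, destination host, logon type) as a SIEM would export them. The pipe-delimited layout, the host names and the events are constructed; the 60-minute window is chosen to sit just over the 48-minute breakout figure quoted above.

```python
"""Flag an account that fans out to unfamiliar hosts over remote-admin logons.

Added example for this article, not Port0 code. The 4624 summaries below are
constructed; in practice they would come from a SIEM or Windows Event Forwarding.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# 4624 logon types that mean "came in from another machine":
# 3 = Network (SMB, WMI, PsExec, WinRM), 10 = RemoteInteractive (RDP).
# Type 2 (Interactive, someone at the console) is ignored.
REMOTE_LOGON_TYPES = {3, 10}

# Constructed sample: ts | account | source IP | destination host | logon type
SAMPLE_4624 = """
2026-03-02T09:00 | svc_backup | 10.0.1.20 | FS01     | 3
2026-03-03T09:00 | svc_backup | 10.0.1.20 | FS02     | 3
2026-03-04T10:15 | jdoe       | 10.0.5.41 | WS-JDOE  | 2
2026-03-05T11:00 | admin.ops  | 10.0.1.10 | DC01     | 10
2026-03-10T09:02 | jdoe       | 10.0.5.41 | WS-JDOE  | 2
2026-03-10T09:14 | jdoe       | 10.0.5.41 | FS01     | 3
2026-03-10T09:21 | jdoe       | 10.0.5.41 | WS-FIN02 | 10
2026-03-10T09:33 | jdoe       | 10.0.5.41 | SQL01    | 3
2026-03-10T09:40 | svc_backup | 10.0.1.20 | FS01     | 3
2026-03-10T09:45 | admin.ops  | 10.0.1.10 | DC01     | 10
2026-03-10T10:02 | admin.ops  | 10.0.1.10 | DC02     | 10
"""
BREACH_DAY = datetime(2026, 3, 10)   # events before this train the baseline


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    account: str
    src_ip: str
    dst_host: str
    logon_type: int


def parse_events(text):
    """Parse the pipe-delimited 4624 summaries into LogonEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, account, src_ip, dst_host, logon_type = [f.strip() for f in line.split("|")]
        events.append(LogonEvent(datetime.fromisoformat(ts), account, src_ip, dst_host, int(logon_type)))
    return events


def baseline_hosts(events, before):
    """Per account, the hosts it reached by remote logon before `before`: its normal footprint."""
    seen = defaultdict(set)
    for e in events:
        if e.ts < before and e.logon_type in REMOTE_LOGON_TYPES:
            seen[e.account].add(e.dst_host)
    return seen


def detect_fanout(events, baseline, since, window=timedelta(minutes=60), threshold=3):
    """Alert when one account, from one source IP, reaches `threshold` or more hosts
    outside its baseline within `window`. Returns (account, src_ip, new_hosts) tuples."""
    unfamiliar = defaultdict(list)   # (account, src_ip) -> remote logons to hosts not in baseline
    for e in sorted(events, key=lambda e: e.ts):
        if e.ts >= since and e.logon_type in REMOTE_LOGON_TYPES \
                and e.dst_host not in baseline.get(e.account, set()):
            unfamiliar[(e.account, e.src_ip)].append(e)
    alerts = []
    for (account, src_ip), evs in unfamiliar.items():
        for i, start in enumerate(evs):          # slide the window over each candidate start
            hosts = {e.dst_host for e in evs[i:] if e.ts - start.ts <= window}
            if len(hosts) >= threshold:
                alerts.append((account, src_ip, tuple(sorted(hosts))))
                break                             # one alert per account/source is enough
    return alerts


def run_example():
    events = parse_events(SAMPLE_4624)
    baseline = baseline_hosts(events, before=BREACH_DAY)
    return detect_fanout(events, baseline, since=BREACH_DAY)


if __name__ == "__main__":
    for account, src, hosts in run_example():
        print(f"ALERT {account} from {src} reached new hosts: {', '.join(hosts)}")
```

In the constructed sample, svc_backup and admin.ops stay inside their usual footprint (admin.ops touches one new domain controller, below the threshold), while jdoe, whose history holds only console logons, reaches a file server, a finance workstation and a SQL host within twenty minutes and is the only alert. The check never looks at which tool was used, only at who reached what, which is why it still works when the attacker uses RDP, WMI and valid credentials.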

Lateral movement is present in most modern attacks

Security research shows how widespread this pattern has become.

A 2025 Illumio study surveying more than 1,100 cybersecurity leaders found that nearly 90 percent of organizations experienced a cyberattack involving lateral movement in the previous year.

In many incidents, the attacker enters through one system but causes damage across many others.

Ransomware operators often spend time mapping the network before launching encryption. Data theft campaigns involve identifying systems that store valuable information. Espionage operations may establish persistence across multiple machines to maintain long term access.

In each case, the attack spreads through the environment.

The breach is not a single moment. It is a process.

Why traditional security monitoring struggles to see it

Most organizations have invested heavily in security monitoring.

Endpoint detection tools analyze device activity. Identity platforms monitor authentication events. SIEM systems collect logs from across the infrastructure.

Yet lateral movement still remains difficult to detect.

One reason is that many security tools focus on individual systems rather than interactions between systems.

Endpoint tools monitor processes on a device. Identity platforms track login events. Application logs capture activity inside services.

But attackers often move through network connections between systems.

A server connecting to another server is normal. An administrator accessing a machine remotely may also be expected behavior.

The challenge is understanding whether those connections make sense in context.

Without visibility into how systems normally communicate across the network, identifying abnormal behavior becomes difficult.

Modern infrastructure created new blind spots

The architecture of modern environments makes this problem more complicated.

Applications no longer run in a small number of well defined servers.

Today infrastructure often includes:

  • on-premises systems

  • public cloud workloads

  • containers and microservices

  • distributed APIs

  • automation platforms

These components constantly communicate with each other.

This communication generates large volumes of internal network traffic, often referred to as east-west traffic.

Historically, security tools focused on north-south traffic, meaning data entering or leaving the network. Firewalls and perimeter defenses were designed for that model.

But modern attacks often unfold inside the environment.

If east west traffic is not visible, attackers can move across systems without triggering alarms.

A typical breach scenario

Consider a common attack path.

An employee enters credentials on a phishing page. The attacker now has valid login access.

Using those credentials, the attacker connects to a workstation through a remote access system.

From there they begin collecting information. They inspect processes, search for credentials, and query directory services to identify other machines.

Eventually they find a privileged account or an accessible server.

They connect to that system.

From there they continue exploring the network. They move to additional machines, gain higher privileges, and identify sensitive assets.

Each step looks small on its own.

But together these actions form the path that allows the attacker to reach critical systems.

Without visibility into the broader pattern of connections, these activities can appear normal.

The shrinking detection window

The speed of modern attacks has increased dramatically.

The CrowdStrike breakout time statistic highlights how quickly attackers begin moving after gaining access.

If lateral movement begins within 48 minutes, security teams have a very small window to detect suspicious activity before the attack progresses.

Early visibility becomes critical.

If lateral movement is detected quickly, compromised systems can be isolated before attackers reach sensitive assets.

If it is missed, attackers may already control multiple machines by the time the incident is discovered.

Understanding internal network behavior

Detecting lateral movement requires understanding how systems interact within the environment.

Security teams need to answer questions such as:

  • Which systems normally communicate with each other

  • What services a machine should access

  • Which connections are unusual or unexpected

  • How traffic patterns change over time

Without that context, suspicious activity can appear legitimate.

Security teams may see isolated alerts but struggle to understand the broader attack.

Understanding network behavior across systems is therefore becoming a critical part of modern security operations.

What real internal visibility looks like

Detecting lateral movement requires more than logs from individual machines.

Security teams need visibility into how systems communicate across the entire environment.

This includes understanding patterns such as:

  • which workloads normally communicate with each other

  • how services interact across hybrid environments

  • whether new or unexpected connections appear between systems

  • how internal traffic patterns evolve over time

This type of visibility is difficult to achieve with traditional network monitoring tools.

Many existing solutions rely on sensors, agents, or complex deployments that were originally designed for traditional network architectures.

Modern environments are far more distributed. Infrastructure spans multiple cloud platforms, containers, and on-premises systems.

As a result, many security teams lack a unified view of internal communication across their environment.

New approaches to network detection and response are emerging to address this gap, focusing specifically on providing visibility into east west traffic across hybrid infrastructure without requiring complex architectural changes.
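The questions above (which systems normally talk, which connections are new, how the pattern changes) and the breach scenario described earlier are both answerable from flow records alone, without an agent on the endpoint. The following is an added example for this article, not Port0 code: it learns a baseline of internal connections on remote-admin ports from a learning period, flags the never-before-seen pairs after a cut-off, and then stitches those pairs into time-ordered chains so the workstation-to-server-to-domain-controller path becomes visible as one object rather than three unrelated connections. The flow layout (ts,src,dst,dport), the hosts and the service-port table are assumptions for the example; real input would be NetFlow, VPC flow logs or a switch span.

```python
"""Baseline east-west flows, flag new remote-admin connections, reconstruct the path.

Added example for this article, not Port0 code. The flow records below are a
constructed sample in a simplified layout (ts,src,dst,dport).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Ports of the tools the article lists: SSH, RPC/WMI, SMB, RDP, WinRM (assumed table).
ADMIN_PORTS = {22: "ssh", 135: "rpc/wmi", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CUTOFF = datetime(2026, 3, 10)   # flows before this train the baseline, flows after are inspected

SAMPLE_FLOWS = """
# learning period (constructed): routine admin and backup traffic
2026-03-03T08:10,10.0.1.20,10.0.2.10,445    # backup server -> file server
2026-03-03T08:12,10.0.1.20,10.0.2.11,445
2026-03-04T09:00,10.0.1.10,10.0.0.5,3389    # jump host -> DC01
2026-03-05T14:00,10.0.5.41,10.0.2.10,445    # workstation -> file share
# breach day
2026-03-10T09:14,10.0.5.41,10.0.2.10,445    # known pair, no alert
2026-03-10T09:21,10.0.5.41,10.0.2.20,3389   # workstation -> finance server (new)
2026-03-10T09:33,10.0.5.41,10.0.3.30,135    # workstation -> SQL host over WMI (new)
2026-03-10T09:40,10.0.5.41,203.0.113.8,22   # external SSH, out of scope for east-west
2026-03-10T09:52,10.0.2.20,10.0.0.5,5985    # finance server -> DC01 over WinRM (new)
2026-03-10T10:05,10.0.1.20,10.0.2.10,445    # backup again, baseline
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse 'ts,src,dst,dport' lines; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, dport = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def in_scope(src, dst, dport):
    """Only internal-to-internal traffic on a remote-admin port counts as east-west admin."""
    return dport in ADMIN_PORTS and is_internal(src) and is_internal(dst)


def learn_baseline(flows, before=CUTOFF):
    """Every in-scope (src, dst, port) triple seen during the learning period."""
    return {(s, d, p) for t, s, d, p in flows if t < before and in_scope(s, d, p)}


def new_admin_edges(flows, baseline, since=CUTOFF):
    """First occurrence of each in-scope triple after `since` that the baseline never saw."""
    edges, seen = [], set()
    for t, s, d, p in sorted(flows):
        if t >= since and in_scope(s, d, p) and (s, d, p) not in baseline and (s, d, p) not in seen:
            seen.add((s, d, p))
            edges.append((t, s, d, p))
    return edges


def fanout_sources(edges, threshold=2):
    """Hosts that opened new admin connections to at least `threshold` distinct destinations."""
    dsts = defaultdict(set)
    for _, s, d, _ in edges:
        dsts[s].add(d)
    return sorted(s for s, ds in dsts.items() if len(ds) >= threshold)


def lateral_paths(edges, start):
    """Chains of new edges from `start` in which every hop happens after the previous one.
    Each path is a list of (src, dst, service): the small steps that together form the route."""
    out = defaultdict(list)
    for t, s, d, p in edges:
        out[s].append((t, d, ADMIN_PORTS[p]))
    paths = []

    def walk(node, t_prev, path, visited):
        extended = False
        for t, d, svc in out[node]:
            if t >= t_prev and d not in visited:
                extended = True
                walk(d, t, path + [(node, d, svc)], visited | {d})
        if path and not extended:
            paths.append(path)

    walk(start, datetime.min, [], {start})
    return paths


def run_example():
    flows = parse_flows(SAMPLE_FLOWS)
    edges = new_admin_edges(flows, learn_baseline(flows))
    return {src: lateral_paths(edges, src) for src in fanout_sources(edges)}


if __name__ == "__main__":
    for src, paths in run_example().items():
        for path in paths:
            print(src, "->", " -> ".join(f"{d} ({svc})" for _, d, svc in path))
```

On the sample, the backup and jump-host traffic never surfaces because it was in the baseline, and the only source that fans out is the workstation 10.0.5.41. Its chains are 10.0.5.41 → 10.0.2.20 (RDP) → 10.0.0.5 (WinRM) and 10.0.5.41 → 10.0.3.30 (WMI): each individual flow is unremarkable, but the ordered chain ending on a domain controller is the path the scenario section describes. The baseline should be re-learned on a rolling window so legitimate new pairs (a new server, a reassigned administrator) age into it rather than alerting forever.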

The most important hour of a breach

The early stages of a breach are often the most critical.

If attackers begin moving laterally within the first hour, that hour becomes the moment when the outcome of the attack is often decided.

Detect suspicious internal activity early and the attack may be contained.

Miss it, and attackers may already have access to multiple systems by the time the breach is discovered.

In many modern incidents, the difference between a contained security event and a major breach comes down to how quickly organizations can understand what is happening inside their own network.

Platforms such as Port0 focus on this challenge, helping security teams understand internal traffic patterns and detect lateral movement across hybrid environments without the operational complexity of traditional network monitoring.

Frequently Asked Questions

What is lateral movement in a cyberattack?

Lateral movement is what happens after an attacker gains initial access. Rather than stopping at the first compromised system, attackers use it as a foothold to navigate through the environment, escalate privileges, and reach high-value targets like databases or identity systems.

How quickly do attackers begin moving laterally after a breach?

According to the CrowdStrike Global Threat Report 2025, the average eCrime breakout time, the interval between initial compromise and the first lateral movement, was 48 minutes, and the fastest observed was 51 seconds.

Why is lateral movement so hard to detect?

Attackers frequently use legitimate tools already present in the environment, such as RDP, PowerShell, and SSH, combined with stolen credentials. Their activity can look indistinguishable from normal administrative behavior, especially without visibility into how systems communicate with each other.

What is east-west traffic and why does it matter for security?

East-west traffic is communication between systems inside the network, as opposed to traffic entering or leaving the perimeter. Most modern attacks unfold through east-west movement. Without visibility into those internal connections, attackers can move freely without triggering alerts.

How long do attackers typically go undetected inside a network?

According to the IBM Cost of a Data Breach Report 2024, the average breach lifecycle, meaning the time to identify a breach plus the time to contain it, is 258 days, which gives attackers months to explore the environment before being discovered.

How widespread is lateral movement in real-world attacks?

A 2025 Illumio study found that nearly 90 percent of organizations experienced a cyberattack involving lateral movement in the previous year.

What can security teams do to detect lateral movement faster?

Teams need visibility into internal communication patterns across the entire environment, not just individual endpoint or identity alerts. Understanding which systems normally talk to each other makes unexpected connections easier to spot before the attack progresses.

How does agentless NDR help detect lateral movement?

Agentless NDR platforms like Port0 provide real-time visibility into east-west traffic across hybrid environments without requiring new sensors, agents, or hardware. By mapping normal internal communication patterns, Port0 surfaces unexpected connections and behavioral anomalies that indicate lateral movement, often before attackers reach their intended targets.

Why is the first hour after a breach so critical?

If lateral movement begins within 48 minutes of initial access, the first hour is often when the outcome of the attack is decided. Early detection allows teams to isolate compromised systems before the attacker reaches sensitive assets. Miss that window, and the attack may already span multiple systems by the time it is discovered.
