Last updated: April 29, 2026
Every attack described in this track passes through a network. In theory, defenders have complete visibility. In practice, defenders miss most attacks until well after the fact. This module closes the Network Mindset track by explaining why network detection underperforms its promise — and what the mature programs actually do.
Why this happens
Network detection is hard for structural reasons:
- Encryption dominates. ~95% of outbound traffic is HTTPS. Inline inspection requires TLS interception, which has collateral costs. Without interception you see only metadata, the destination domain, the traffic volume and the JA3 fingerprint, not content.
- Volume overwhelms. A mid-size enterprise produces 100s of GB of log data daily, and real attacks are 0.01% of that. Finding them requires precise queries and well-tuned detections.
- Baseline drift. “Normal” changes constantly. New SaaS integration, new vendor, new employee traveling — each shifts the distribution.
- False positives exhaust analysts. Generic rules fire on legitimate behavior; analysts disable or ignore. After a few weeks, the detection exists but nobody responds.
- Attackers blend with legitimate tools. Living-off-the-land binaries (LOLBAS) — attackers use tools already on the system. Process + connection look normal; intent is malicious.
- Time-to-detection can run to months. The industry average dwell time (M-Trends, Mandiant) was 10 days in 2023, but it often extends to months for sophisticated attackers who actively avoid detection.
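The first four points above (metadata-only visibility under TLS, baseline drift, and generic rules that fire on legitimate change) can be made concrete with a small detection exercise. The example below is added here and is not code from the original module; it assumes Zeek-style field names (host, SNI domain, outbound bytes, JA3), uses constructed connection records with placeholder JA3 strings rather than real fingerprints, and picks a hypothetical 3x volume threshold. It builds a per-host baseline from three days of traffic, then runs a naive "new domain" rule and a baseline-aware rule over day four, which contains one benign new SaaS integration and one connection that stands out on volume and fingerprint.

```python
"""Metadata-only detection over constructed TLS connection records.

Shows why a generic 'new destination' rule drowns in baseline drift, and how
combining the fields still visible through TLS (domain, volume, JA3) with a
per-host baseline cuts the noise. Added example; field names are assumed to
be Zeek-like and all values are constructed.
"""
from statistics import mean


def _rec(day, host, sni, bytes_out, ja3):
    return {"day": day, "host": host, "sni": sni, "bytes_out": bytes_out, "ja3": ja3}


# Constructed baseline: the same four connections repeat on days 1-3.
# JA3 values are placeholders, not real fingerprints.
BASELINE_DAILY = [
    ("ws-101", "mail.example.com", 40000, "ja3-browser-A"),
    ("ws-101", "crm.example-saas.net", 15000, "ja3-browser-A"),
    ("ws-102", "mail.example.com", 38000, "ja3-browser-A"),
    ("ws-102", "updates.example-vendor.com", 5000, "ja3-updater-B"),
]
SAMPLE_RECORDS = [_rec(d, *r) for d in (1, 2, 3) for r in BASELINE_DAILY] + [
    _rec(4, "ws-101", "mail.example.com", 41000, "ja3-browser-A"),
    # New SaaS integration: benign baseline drift, same browser fingerprint.
    _rec(4, "ws-101", "newchat.example-saas.net", 12000, "ja3-browser-A"),
    _rec(4, "ws-102", "mail.example.com", 39000, "ja3-browser-A"),
    # New domain, ~40x the host's usual outbound volume, JA3 never seen in the org.
    _rec(4, "ws-102", "files.example-unknown.org", 900000, "ja3-unknown-C"),
]


def build_baseline(records, baseline_days):
    """Per-host known destinations and mean outbound bytes per connection,
    plus the set of JA3 fingerprints seen anywhere in the org in the window."""
    per_host = {}
    org_ja3 = set()
    for r in records:
        if r["day"] not in baseline_days:
            continue
        h = per_host.setdefault(r["host"], {"domains": set(), "bytes": []})
        h["domains"].add(r["sni"])
        h["bytes"].append(r["bytes_out"])
        org_ja3.add(r["ja3"])
    baseline = {
        host: {"domains": h["domains"], "mean_bytes": mean(h["bytes"])}
        for host, h in per_host.items()
    }
    return baseline, org_ja3


def generic_new_domain_alerts(records, baseline, day):
    """The generic rule: alert on any destination the host has not contacted
    before. Every legitimate change (new vendor, new SaaS) fires it too."""
    return [
        (r["host"], r["sni"])
        for r in records
        if r["day"] == day
        and r["sni"] not in baseline.get(r["host"], {"domains": set()})["domains"]
    ]


def baseline_aware_alerts(records, baseline, org_ja3, day, volume_factor=3.0):
    """Require a new domain AND a second signal from the metadata that survives
    TLS: an outbound-volume outlier against the host's own baseline, or a JA3
    fingerprint nobody in the org has presented before. Hosts with no baseline
    are skipped here (a design choice; a real program would route them to a
    separate onboarding queue rather than silently ignore them)."""
    alerts = []
    for r in records:
        if r["day"] != day:
            continue
        hb = baseline.get(r["host"])
        if hb is None or r["sni"] in hb["domains"]:
            continue
        reasons = []
        if r["bytes_out"] > volume_factor * hb["mean_bytes"]:
            reasons.append("volume_outlier")
        if r["ja3"] not in org_ja3:
            reasons.append("unseen_ja3")
        if reasons:
            alerts.append({"host": r["host"], "sni": r["sni"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base, seen_ja3 = build_baseline(SAMPLE_RECORDS, {1, 2, 3})
    print("generic rule:", generic_new_domain_alerts(SAMPLE_RECORDS, base, 4))
    print("baseline-aware rule:", baseline_aware_alerts(SAMPLE_RECORDS, base, seen_ja3, 4))
```

On the constructed data the generic rule raises two alerts on day four, one of them the harmless new chat tool, while the baseline-aware rule raises one, on ws-102, with both a volume and a fingerprint reason attached. The point is not the specific threshold but that each signal alone (new domain, big upload, odd JA3) is routine somewhere in the estate, and the baseline has to be rebuilt continuously because the "normal" it encodes drifts as the list above describes.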