In the NBA Playoffs, the Shot Clock Is 24 Seconds. In Cybersecurity, You Get 29 Minutes.

Thought Leadership  ·  Credential Risk
May 2026  ·  8 min read

Once an attacker gets a stolen credential, the average time before they've moved through your entire network is now just 29 minutes — down 65% from last year. The NBA shot clock gives teams 24 seconds to act or lose possession. Your business has 29 minutes. Most don't know the clock has started.


Right now, somewhere in the 2026 NBA Playoffs, a coach is drawing up a play with less than 24 seconds on the shot clock. Every team in the league has practiced this moment hundreds of times. The play is already scripted. The roles are already assigned. The decision about who gets the ball and where they go has already been made — because when the clock is running, there is no time to figure it out from scratch.

Now consider what your business does when someone's work credentials get stolen.

In February 2026, CrowdStrike released its annual Global Threat Report — the most comprehensive analysis of real-world cyberattacks drawn from tracking more than 280 named threat groups. The headline finding: the average time for an attacker to move from initial access to full lateral network movement — from the moment they use a stolen credential to the moment they've spread through your systems — is now 29 minutes.

That's the average. The fastest recorded breakout in 2025 took 27 seconds. In one documented case, data exfiltration began within four minutes of initial access.

The shot clock is running. Most businesses don't even know the game has started.

24s: NBA shot clock — time to attempt a shot or lose possession (NBA Official Rules)
29 min: Average attacker breakout time — credential to full lateral movement (CrowdStrike 2026 Global Threat Report)
292 days: Average SMB detection time for stolen credential breach (IBM Cost of a Data Breach 2025)

Read those three numbers again. An NBA team gets 24 seconds to act before they lose possession. An attacker with your stolen credential needs 29 minutes to own your network. And your business, on average, takes 292 days to find out it happened. That's not a shot clock violation. That's playing the entire season without knowing you were down by 30.

"Breakout time is the clearest signal of how intrusion has changed. Adversaries are moving from initial access to lateral movement in minutes." — Adam Meyers, head of counter adversary operations at CrowdStrike, on the 2026 Global Threat Report findings.

Breaking down the 29-minute game — quarter by quarter

In basketball, every team studies film. They know exactly what their opponent will run — how they attack in transition, what they do with the shot clock winding down. The best defensive teams don't react to what they see. They anticipate what they know is coming.

Here's what an attacker does with your stolen credential in 29 minutes.

Q1 · Minutes 0–4: Initial access and reconnaissance

First possession
On the court: The opening minutes are about establishing rhythm — testing the defense, finding mismatches, identifying which rotations break down under pressure. The best teams come in with a specific game plan but adapt within the first few possessions to what the defense is actually giving them.
In your network: The attacker logs in with the stolen credential. It looks like a normal login — recognized device, familiar location, valid username and password. In the first minutes they enumerate what the account can reach: email history, shared drives, connected applications. They're mapping the floor. In one documented 2025 case, data exfiltration had already begun within four minutes of this first login.

Q2 · Minutes 4–15: Privilege escalation and lateral movement

Building the lead
On the court: This is where teams build leads — exploiting the mismatches found in Q1, running set plays against tired defenders. A team that goes into halftime with a comfortable lead has forced the other side to play catch-up, operating under time pressure with fewer options.
In your network: The attacker moves from the initial account to adjacent systems — testing whether the same credential works on your CRM, accounting software, cloud storage. 82% of 2025 intrusions were malware-free, using valid credentials and legitimate tools. No antivirus alert fires. They're playing with your access, using your tools, blending into normal activity.

Q3 · Minutes 15–25: Persistence and data access

Taking control
On the court: Third quarter adjustments. The team that made better halftime adjustments wins Q3 and usually the game. The trailing team is now burning timeouts and running out of clock to mount a comeback.
In your network: The attacker creates persistence — a backup access method so they can return even if the original credential is changed. A new admin account, a forwarding rule on the compromised email, a remote access tool. Now they own a position in your network independent of the credential that got them in. Changing the password no longer evicts them.

Q4 · Minutes 25–29: Exfiltration or ransomware staging

Clock winding down
On the court: Late fourth quarter. The leading team runs clock. Every second matters. The teams that win close games are the ones who practiced specifically for this moment — late game execution, knowing exactly who has the ball and what happens next.
In your network: By minute 29, the average attacker has secured a payday — client data staged for exfiltration, ransomware pre-positioned for deployment, credentials sold to other actors. The fastest 25% of 2025 intrusions reached full data exfiltration in under 72 minutes. By the time your alert fires — if it ever does — the game is already over.

The coaching staff your business doesn't have

Every NBA playoff team has a bench of assistant coaches watching specific matchups, a video coordinator pulling real-time film, and a system that communicates what's happening to everyone simultaneously. The moment a defensive rotation breaks down, someone spots it before it becomes a bucket — not after.

Most small businesses have no equivalent. They have perimeter defenses — a zone defense against a team running pick-and-roll all game. They have antivirus — which caught malware in 18% of 2025 intrusions, meaning it missed 82%. And they have a password policy — which does nothing about the credential that's already been stolen and is already in use.

82% of CrowdStrike's threat detections in 2025 were malware-free. Attackers logged in with valid credentials and used legitimate admin tools — the same ones your IT team uses. Traditional security tools are optimized to catch things that don't look like you. When an attacker is using your own credentials, they look exactly like you. Your defense can't stop what it can't distinguish from normal.
29 min: average breakout time in 2025 — down from 48 minutes in 2024 (CrowdStrike 2026 Global Threat Report)
27 sec: fastest observed breakout ever recorded — credential to full lateral movement (CrowdStrike 2026 Global Threat Report)
65%: faster than the year before — attack speed is accelerating every season (CrowdStrike 2026 Global Threat Report)

What the best defensive teams actually do

The teams that win defensive battles in the NBA playoffs don't react better. They prepare better. The teams that win in 24 seconds are the ones who walk into every possession with a plan already made.

Pre-game

Know which credentials are already exposed

Before the game starts, know which of your employees' credentials have already appeared in breach databases — because if they have, an attacker may already be testing them. Continuous monitoring of your credential exposure is scouting your opponent before tip-off, not scrambling to recognize their plays after they've scored.

Q1 stop

MFA on every account — make the first possession impossible

MFA is the shot clock reset. Even with a valid stolen credential, properly deployed MFA forces the attacker to beat a second layer before they're in. Only 1 in 3 SMBs enforce MFA on all systems. The other two are giving up open layups on every first possession.

Q2 stop

Behavioral anomaly detection — call the mismatch when you see it

A login at 2am from an account that never logs in at 2am. A massive file download from an account that normally reads five documents a day. These are the defensive breakdowns — visible in real time if someone is watching. The teams that win close games call out the rotation before it collapses.
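
The two signals described above (a login at an hour the account never uses, and a read volume far above its norm), as an added example that is not part of the original post: a per-account baseline check run over constructed events. The event tuples, the account name, the one-hour slack and the 10x volume factor are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not real telemetry): (account, ISO timestamp, kind)
HISTORY = [("jdoe", f"2026-04-{d:02d}T09:05:00", "login") for d in range(6, 16)]
HISTORY += [("jdoe", f"2026-04-{d:02d}T10:{m:02d}:00", "file_read")
            for d in range(6, 16) for m in range(5)]          # 5 reads per day
TODAY = [("jdoe", "2026-04-20T09:02:00", "login")]
TODAY += [("jdoe", f"2026-04-20T09:{m:02d}:00", "file_read") for m in range(10, 14)]
TODAY += [("jdoe", "2026-04-21T02:03:00", "login")]            # the 2am login
TODAY += [("jdoe", f"2026-04-21T02:04:{s:02d}", "file_read") for s in range(60)]

def build_baseline(events):
    """Per-account profile: login hours seen and median file reads per day."""
    hours, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for acct, ts, kind in events:
        t = datetime.fromisoformat(ts)
        if kind == "login":
            hours[acct].add(t.hour)
        elif kind == "file_read":
            daily[acct][t.date()] += 1
    return {a: {"hours": hours[a],
                "reads": median(daily[a].values()) if daily[a] else 0}
            for a in set(hours) | set(daily)}

def detect(profile, events, hour_slack=1, volume_factor=10):
    """Return (timestamp, account, reason) alerts in event order."""
    alerts, reads, flagged = [], defaultdict(int), set()
    for acct, ts, kind in events:
        t, base = datetime.fromisoformat(ts), profile.get(acct)
        if base is None:                      # no history: cannot call it normal
            alerts.append((ts, acct, "no_baseline"))
        elif kind == "login":
            # circular distance in hours to the nearest hour seen in the baseline
            gap = min((min((t.hour - h) % 24, (h - t.hour) % 24)
                       for h in base["hours"]), default=24)
            if gap > hour_slack:
                alerts.append((ts, acct, "off_hours_login"))
        elif kind == "file_read":
            key = (acct, t.date())
            reads[key] += 1
            limit = volume_factor * max(base["reads"], 1)
            if reads[key] > limit and key not in flagged:   # alert once per day
                flagged.add(key)
                alerts.append((ts, acct, "bulk_file_access"))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), TODAY):
        print(alert)
```

On the constructed data both alerts carry timestamps within two minutes of the 2am login, which is the margin that matters against a 29-minute breakout.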

Halftime

Incident response plan — scripted plays for every scenario

The 29-minute window demands pre-made decisions, not real-time improvisation. Who gets called when a credential compromise is detected? What gets isolated first? Who authorizes the response? The businesses that survive breaches have their plays written down before the game starts.

Full court

Know your attack surface continuously — not at the start of the season

An NBA team doesn't watch film from last season and call it prepared for this opponent. Your attack surface changes every time you add a tool, update software, or a new credential appears in a breach database. Continuous visibility is the full-court press — it doesn't give attackers room to set up their plays before you've spotted them.

Platforms like Veriti Spottr are built to be your defensive coaching staff — continuous scanning of your attack surface, identification of exposed credentials, and a CyberScore that updates in real time so you know where the mismatches are before the attacker exploits them. The shot clock is 29 minutes. Your incident response plan is your scripted play. You don't draw it up when the buzzer sounds — you run it because you practiced it.

The buzzer-beater nobody wants

Every NBA team in the 2026 playoffs — OKC, Detroit, San Antonio, New York — has a shot clock violation drill. They know exactly what to do when possession is running out. Not because it happens often. Because when it does, every second of confusion is a second the other team uses.

Your credential exposure may already be ticking. A stolen password from a breach your employee wasn't involved in, already being tested against your systems by an automated tool that doesn't sleep. The average business finds out 292 days later. The average attacker is done in 29 minutes.

The shot clock doesn't care whether you know it's running. You get 29 minutes either way. The teams that win are the ones who walked into the arena with a plan already made.

Know your credential exposure before the shot clock starts. Veriti Spottr's beta is free.

Veriti Spottr Team AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
