The dangerous myth isn’t “we’re too small to be a target.” It’s “we have a tool for that.” Most small businesses own an email filter, an endpoint antivirus, and an MFA prompt — each watching its own lane. But attackers don’t stay in one lane. A modern intrusion is a relay race across email, identity, and the endpoint, and the hand-offs between those surfaces are precisely where single-product tools go blind.

Attacks move faster than a human can switch consoles

Once an attacker lands on a machine, the clock is brutal:

  • The average eCrime “breakout time” — from the first compromised host to moving laterally — is just 48 minutes, and the fastest observed was 51 seconds. (CrowdStrike 2025 Global Threat Report, 2024 data)
  • Median time from initial access to reaching the Active Directory server is roughly 11 hours; median time from the start of an attack to data exfiltration is about 3 days. (Sophos Active Adversary Report 2025)
  • 83% of ransomware binaries are deployed outside the target’s local business hours (Sophos, 2024 data) — i.e. at 2 a.m. on a Sunday, when nobody is watching a dashboard.

If your defense is a person checking separate tools during business hours, the attacker has already finished by the time anyone logs in.

And there’s often no malware to catch

The old model — a malicious file your antivirus can flag — is fading:

  • 79% of CrowdStrike’s detections in 2024 were malware-free, reflecting hands-on-keyboard, “living-off-the-land” activity rather than a file on disk. (CrowdStrike 2025 Global Threat Report)
  • 52% of the vulnerabilities CrowdStrike observed in 2024 were related to initial access (CrowdStrike 2025) — the foothold, not the payload, is the event that matters.

A tool that waits for a virus signature never sees a hands-on-keyboard intruder using your own admin tools against you.

The way in is almost always an identity

Across the major datasets, the front door is a login, not malware:

  • Stolen credentials are the single most common breach action at 22%, with vulnerability exploitation close behind at 20% (up 34% year over year) and phishing around 15%. (Verizon 2025 DBIR)
  • In incident-response engagements specifically, exploits were the #1 initial vector at 33%, and for the first time stolen credentials rose to #2 at 16%, driven by infostealer malware. (Mandiant M-Trends 2025, 2024 investigations)

Email gets the attacker your credentials. Identity gets them in. The endpoint is where they do the damage. No single one of those tools sees the other two.

Anatomy of one chain

Here’s how a real intrusion actually crosses your surfaces:

  1. Email. An AI-written lure or a fake-CFO wire request lands — clean enough to clear a standard filter, because there’s no malware to scan.
  2. Identity. A harvested or infostealer-sourced credential logs in. MFA-fatigue push spam or a stolen session token gets past the prompt.
  3. Endpoint. Hands-on-keyboard activity begins. Within the hour, the attacker moves laterally (breakout) and starts hunting for the domain controller.
  4. Exfiltration and extortion. Data is staged and stolen, then ransomware deploys — off-hours, on purpose.

Each step is a quiet, individually plausible event. The attack only becomes obvious when you see the steps connected.

Why disconnected tools miss it — and why dwell time is so long

When every tool watches one lane, each step looks like noise, so nobody connects them. The result shows up in detection time:

  • Global median dwell time was 11 days in 2024. When an outside party (or the attacker’s own ransom note) is what tips off the victim, the median stretches to 26 days. (Mandiant M-Trends 2025)

Eleven days of an attacker in your environment isn’t a detection problem with any one tool. It’s a correlation problem between all of them.
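As an added illustration (not Centeye's code or any vendor's detection logic), here is a minimal cross-surface correlation rule in Python run over constructed events: it stitches the lure, the suspicious sign-in, the hands-on-keyboard process and the DNS beacon for one user into a single incident and flags the off-hours timing, while the same events seen one lane at a time never clear the bar. The source names, usernames, host names and business-hours window are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Event:
    ts: datetime            # observation time (UTC, assumed)
    source: str             # console that saw it: email, identity, endpoint, dns
    user: str               # identity the event is tied to
    host: Optional[str]     # endpoint involved, if any
    detail: str

# Constructed sample telemetry (not real data): four consoles, one user, each event plausible alone.
SAMPLE_EVENTS = [
    Event(datetime(2025, 3, 2, 1, 40), "email", "jdoe", None, "external wire-request lure delivered"),
    Event(datetime(2025, 3, 2, 1, 55), "identity", "jdoe", None, "new-country sign-in after repeated MFA pushes"),
    Event(datetime(2025, 3, 2, 2, 10), "endpoint", "jdoe", "WS-014", "powershell.exe spawned by outlook.exe"),
    Event(datetime(2025, 3, 2, 2, 25), "dns", "jdoe", "WS-014", "periodic lookups to a newly registered domain"),
    Event(datetime(2025, 3, 3, 14, 0), "identity", "asmith", None, "new-country sign-in"),
]

BUSINESS_HOURS = range(8, 18)   # assumed local 08:00-18:00, Monday to Friday

def off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def correlate(events, window=timedelta(hours=2), min_surfaces=3):
    """Stitch one user's events inside a sliding window into an incident when they span min_surfaces consoles."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)
    incidents = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            run = [e for e in evs[i:] if e.ts - first.ts <= window]
            surfaces = {e.source for e in run}
            if len(surfaces) < min_surfaces:
                continue            # a single lane on its own stays below the bar
            incidents.append({
                "user": user,
                "surfaces": sorted(surfaces),
                "hosts": sorted({e.host for e in run if e.host}),
                "start": first.ts, "end": run[-1].ts,
                "off_hours": any(off_hours(e.ts) for e in run),
                "timeline": [f"{e.ts:%H:%M} {e.source}: {e.detail}" for e in run],
            })
            break                   # one incident per user per window
    return incidents
```

Raising `min_surfaces` to the number of consoles you actually feed in is the equivalent of demanding the whole chain before alerting; lowering it trades noise for earlier detection.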

How Centeye sees the whole chain

Centeye watches email, identity, endpoints, web, DNS, and AI tools — and correlates them into one incident. A lure, a suspicious sign-in, a hands-on-keyboard process, and a DNS beacon stop being four ignored blips in four consoles and become one story: this is the attack that’s actually happening. Kavach, your AI SOC, investigates and contains it around the clock — at the 2 a.m. moment a human can’t — while you set how far it acts on its own, from “just alert me” to “auto-contain,” with a human in the loop on what matters.

You don’t have a malware problem or an email problem or an identity problem. You have an attack-chain problem — and the only way to see a chain is to watch every link at once.

See how it works, or read how a stolen login becomes a full takeover. Ready to see it on your environment? Get a demo.
Figures cited from the CrowdStrike 2025 Global Threat Report (2024 data), the Sophos 2025 Active Adversary Report, the Verizon 2025 Data Breach Investigations Report, and Mandiant M-Trends 2025. CrowdStrike’s malware-free figure measures Falcon detections; Mandiant’s vector percentages reflect its incident-response engagements.