One number caught my attention in the May 2026 threat-intel reporting. According to incident-response data shared by Palo Alto Networks and echoed by other major IR firms, the median time between an initial access broker landing a foothold and handing that foothold off to a secondary threat actor has dropped from roughly eight hours three years ago to 22 seconds today. Three orders of magnitude in three years. That is not a refinement. It is a different shape of problem.
I want to unpack what that number actually measures, why it has fallen so fast, and what a 15-to-100-person small business on the Central Coast should do about it. Most of what I say below is the same advice I have been giving for two years; the new data just makes the case sharper.
What the 22-second number is, and is not
The figure is a median handoff time across recent incident-response cases. It measures the gap between two events that both happen on the attacker side:
- An initial access broker (IAB) lands access. That access is usually a valid credential to a Microsoft 365 tenant, a VPN, or a remote-access tool, captured by infostealer malware or phishing.
- A second actor — a ransomware affiliate, a business-email-compromise crew, or a data-exfiltration group — takes possession of that access and starts using it.
In 2023, that handoff took most of a business day. There was a marketplace, a listing, a negotiation, and a sale. Defenders had hours to notice the original credential theft and act.
In 2026, the entire pipeline is automated. AI-assisted attacker tooling does the qualification step (what tenant does this credential belong to, what permissions does it have, what does the org's revenue look like, is it worth ransoming) within seconds of credential capture, prices the access, lists it on a private feed, and routes the sale to a pre-arranged buyer. The 22-second figure is the median time from "credential lands in the broker's inbox" to "buyer is logged in."
What the figure is not:
- It is not the time from initial compromise to ransomware encryption. That is still typically hours to days, depending on the buyer's playbook.
- It is not the time from a phishing click to detection. Phishing-to-foothold is its own variable.
- It is not a claim that every attack is fully automated. Plenty of intrusions still involve hands-on-keyboard humans. The change is that the handoff between stages no longer requires a human-paced negotiation.
The practical takeaway is simpler than the data. The attacker pipeline now moves faster than any human defender can intervene at the handoff stage, so there are only two places left to win: prevent the credential theft in the first place, or detect and contain the buyer's access after the handoff and before they reach their objective.
Why this is harder on small business than on the enterprise
The instinct is to assume that 22 seconds is a problem for the Fortune 500, not for a 25-person property management firm in Salinas or a 60-person ag operation outside Watsonville. The opposite is closer to true.
The brokers do not pre-filter for company size. They harvest credentials at scale and qualify everything that lands. A small business's Microsoft 365 tenant is a fine target: easy to map, often missing Conditional Access, often shares an admin account with a vendor, and frequently has a backup story that is more vulnerable than its production. The 22-second handoff applies whether the captured credential belongs to a 30,000-employee bank or a 30-employee dental group.
What differs is the response side. The bank has a 24/7 security operations center watching its tenant. The dental group has an MSP that checks email in the morning. The attacker doesn't care which one they hit; the math just works out better against the smaller one. Most of the small-business compromises I have walked into over the past 18 months had detection signal somewhere in the environment — an Entra ID risky sign-in, a Defender alert, an unusual OAuth grant — that nobody read until the ransomware note showed up.
What the realistic 2026 minimum looks like
The control set that actually moves the needle against an attacker pipeline this fast is shorter than people expect. It is four layers, and they only work as a stack.
1. Close the preventable gaps first
Before spending a dollar on monitoring, close the gaps the attacker doesn't even need 22 seconds for:
- Phishing-resistant MFA for every admin and any account that can change the tenant: FIDO2 security keys or passkeys, because an Authenticator push with number matching can still be relayed through an adversary-in-the-middle phishing kit. For everyone else, Microsoft Authenticator with number matching is the floor. SMS codes are no longer adequate anywhere.
- No standing admin rights. Global admin should be a role you elevate into for a bounded window (Entra Privileged Identity Management does this, but it needs an Entra ID P2 license on top of Business Premium; without it, the fallback is a separate cloud-only admin account used only for admin work), not the role your daily account sits in.
- Conditional Access that blocks legacy auth, requires compliant devices for sensitive apps, and at least geo-restricts admin sign-in.
- Patch cadence that closes critical CVEs within seven days on workstations and the same day on internet-exposed servers. The patch-cadence post covers why this is non-negotiable in 2026.
Most of this lives in the identity hardening post in more detail. If you are not at that baseline, MDR will just give you faster notification of the same preventable breach.
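Here is what that baseline looks like as a script. This is an added example, not code from the original post or from any of the products it mentions. It assumes the Microsoft Graph PowerShell SDK, Security Defaults turned off (Conditional Access cannot coexist with them), Entra ID P1 from Business Premium for the policies, an existing group named "BreakGlass-Exclusions" holding your emergency-access accounts, and, for the PIM activation at the end, an Entra ID P2 license with an eligible Global Administrator assignment already in place. Policy names, the group name and the justification text are placeholders.

```powershell
# Added example, not code from the original post: the identity baseline as Microsoft
# Graph PowerShell. Assumptions: Microsoft.Graph SDK installed, Security Defaults off,
# Entra ID P1 for the policies, a group "BreakGlass-Exclusions" with the emergency-access
# accounts, and Entra ID P2 plus an eligible assignment for the PIM activation at the end.
Connect-MgGraph -NoWelcome -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All",
    "RoleAssignmentSchedule.ReadWrite.Directory", "User.Read"

# Every policy excludes the break-glass group so a bad policy cannot lock the tenant.
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Exclusions'"
if (-not $breakGlass) { throw "Create and test the BreakGlass-Exclusions group before deploying policies." }

# Well-known directory IDs. These are Microsoft's fixed values; confirm them in your own tenant.
$GlobalAdminRole      = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template
$PhishingResistantMfa = "00000000-0000-0000-0000-000000000004"   # built-in "Phishing-resistant MFA" strength
$StandardMfa          = "00000000-0000-0000-0000-000000000002"   # built-in "Multifactor authentication" strength

$policies = @(
    @{  # Legacy protocols cannot do MFA at all; "other" covers basic-auth clients (IMAP, POP, SMTP AUTH).
        displayName   = "CA001 - Block legacy authentication"
        state         = "enabledForReportingButNotEnforced"   # review sign-in logs, then switch to "enabled"
        conditions    = @{
            clientAppTypes = @("exchangeActiveSync", "other")
            applications   = @{ includeApplications = @("All") }
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{  # Admins: FIDO2/passkey only. Authenticator push with number matching is not phishing-resistant.
        displayName   = "CA002 - Phishing-resistant MFA for Global Administrators"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            clientAppTypes = @("all")
            applications   = @{ includeApplications = @("All") }
            users          = @{ includeRoles = @($GlobalAdminRole); excludeGroups = @($breakGlass.Id) }
        }
        grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $PhishingResistantMfa } }
    },
    @{  # Everyone else: the built-in MFA strength. Note it still permits SMS; to retire SMS, remove it
        # from the authentication methods policy or define a custom strength that excludes it.
        displayName   = "CA003 - Require MFA for all users"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            clientAppTypes = @("all")
            applications   = @{ includeApplications = @("All") }
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        }
        grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $StandardMfa } }
    }
)

$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    if ($existing.DisplayName -contains $p.displayName) { Write-Host "Already present: $($p.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created in report-only mode: $($created.DisplayName) [$($created.Id)]"
}

# No standing admin: with PIM (Entra ID P2) the daily account is only eligible for Global Administrator
# and activates it for a bounded window with a justification. This self-activates for four hours.
$me = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"
$activation = @{
    action           = "selfActivate"
    principalId      = $me.id
    roleDefinitionId = $GlobalAdminRole      # built-in role definition IDs match the template IDs
    directoryScopeId = "/"
    justification    = "CA policy rollout, approved change window"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
```

Everything is created in report-only mode on purpose: run it, read the "report-only" column in the sign-in logs for a week, then flip the state to "enabled" once you know which service accounts and scanners still ride on legacy auth. The geo-restriction of admin sign-in mentioned above needs a named location in your tenant first, so it is left out here.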
2. EDR on every endpoint, configured and tuned
Endpoint Detection and Response replaces traditional antivirus. The difference is meaningful: AV blocks files it recognizes as bad. EDR watches process behavior, catches living-off-the-land techniques (PowerShell, scheduled tasks, WMI), can isolate a machine from the network on demand, and in some products can roll back the file changes a ransomware process made on a single machine.
For most small businesses on Microsoft 365, the right entry point is Microsoft Defender for Business, included with M365 Business Premium. It is not the most powerful EDR on the market, but it is the right blend of price, fit, and integration for a 15-to-100-person business. The bigger names (SentinelOne, CrowdStrike, Huntress, Sophos Intercept X) are reasonable next steps as the org grows or compliance demands it. The wrong answer is to keep running stand-alone consumer antivirus and hope.
Worth saying out loud: an EDR product that nobody is watching is half the value. Which gets us to the next layer.
3. A 24/7 MDR layer on top of the EDR
Managed Detection and Response is the service tier where a 24/7 team (your MSP's security operations team, a SOC partner, or a vendor-provided service) watches the alerts your EDR and Microsoft 365 throw off, investigates them, and takes containment actions. The good MDR providers cover both endpoint and identity signals, because in 2026 a meaningful share of intrusions skip the endpoint entirely and ride in on a stolen session token.
The economics for an SMB: a credible MDR layer runs $20 to $45 per user per month in 2026, all-in, so a 25-person business is looking at roughly $500 to $1,125 a month. That is real money, but the monthly total is in the same range as the cost of a single hour of post-breach IR work. The pricing model is shifting from "premium add-on" to "table stakes."
What to look for in an MDR partner:
- 24/7/365 coverage by humans, not just on-call. The 22-second number is the reason. An on-call rotation that wakes someone up at 3 a.m. is not the same as a SOC analyst who saw the alert at 3:00:04.
- Coverage of identity, not only endpoints. Ask explicitly how they handle Entra ID risky sign-ins, OAuth consent grants, and impossible-travel alerts.
- Documented playbooks for automated containment. What do they automatically isolate, what do they automatically revoke, what requires a human approval. You want a thoughtful answer here, not "we call you."
- Reporting that a non-technical owner can read. Monthly executive summary, quarterly trend review, ad-hoc incident write-ups.
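To make "coverage of identity" concrete, here are the three checks from that list as working logic. This is an added example, not the post's code and not any MDR vendor's detection content. It runs offline against constructed sample records so the logic can be read and tried without a tenant; in a live tenant the two sample arrays would come from Get-MgAuditLogSignIn and Get-MgAuditLogDirectoryAudit (Microsoft.Graph.Reports). The record fields used are a subset of those objects, the consent-grant NewValue string is an approximation of the real audit payload, and the users, IPs and app name are made up.

```powershell
# Added example, not code from the original post: impossible travel, risky sign-ins that still
# completed, and high-risk OAuth consent grants, run over constructed sample records.

function Get-DistanceKm {
    # Great-circle (haversine) distance; precise enough to judge whether a human could have made the trip.
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    $toRad = [math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $toRad
    $dLon = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Pow([math]::Sin($dLat / 2), 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) * [math]::Pow([math]::Sin($dLon / 2), 2)
    return 2 * 6371.0 * [math]::Asin([math]::Sqrt($a))
}

function Find-ImpossibleTravel {
    # Consecutive sign-ins by one user that would need faster-than-airliner travel.
    param($SignIns, [double]$MaxKmh = 900)
    foreach ($group in ($SignIns | Group-Object UserPrincipalName)) {
        $ordered = @($group.Group | Sort-Object CreatedDateTime)
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]; $cur = $ordered[$i]
            $km = Get-DistanceKm $prev.Location.GeoCoordinates.Latitude $prev.Location.GeoCoordinates.Longitude `
                                 $cur.Location.GeoCoordinates.Latitude  $cur.Location.GeoCoordinates.Longitude
            $seconds = ($cur.CreatedDateTime - $prev.CreatedDateTime).TotalSeconds
            $hours   = [math]::Max($seconds, 1) / 3600   # floor at one second so same-second sign-ins do not divide by zero
            if ($km / $hours -gt $MaxKmh) {
                [pscustomobject]@{
                    Signal = "ImpossibleTravel"; User = $group.Name
                    Detail = ("{0} ({1}) -> {2} ({3}): {4:N0} km in {5:N0} s, second sign-in was {6}" -f $prev.IpAddress,
                              $prev.Location.CountryOrRegion, $cur.IpAddress, $cur.Location.CountryOrRegion,
                              $km, $seconds, $cur.AuthenticationRequirement)
                }
            }
        }
    }
}

function Find-RiskySignInWithoutMfa {
    # Identity Protection scored the sign-in as risky and it still completed with one factor:
    # that is what a working stolen credential looks like in the logs.
    param($SignIns)
    $SignIns |
        Where-Object { $_.RiskLevelDuringSignIn -in @("low", "medium", "high") -and
                       $_.AuthenticationRequirement -eq "singleFactorAuthentication" } |
        ForEach-Object {
            [pscustomobject]@{ Signal = "RiskySignInNoMfa"; User = $_.UserPrincipalName
                               Detail = "$($_.RiskLevelDuringSignIn) risk from $($_.IpAddress) ($($_.Location.CountryOrRegion))" }
        }
}

# Scopes that let an app read or send mail, touch files, or keep a refresh token after the user logs out.
$HighRiskScopes = @("Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "MailboxSettings.ReadWrite",
                    "Directory.AccessAsUser.All", "offline_access")

function Find-RiskyConsentGrant {
    # A user-consented app holding mail/file scopes plus offline_access survives a password reset.
    param($AuditRecords)
    foreach ($rec in ($AuditRecords | Where-Object { $_.ActivityDisplayName -eq "Consent to application" })) {
        $target = $rec.TargetResources[0]
        $raw    = ($target.ModifiedProperties | Where-Object { $_.DisplayName -eq "ConsentAction.Permissions" }).NewValue
        $scopes = $raw -split '[\s,"\[\]]+' | Where-Object { $_ }
        $hits   = @($scopes | Where-Object { $_ -in $HighRiskScopes })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Signal = "RiskyOAuthConsent"; User = $rec.InitiatedBy.User.UserPrincipalName
                               Detail = "app '$($target.DisplayName)' granted $($hits -join ', ')" }
        }
    }
}

# Constructed sample records (not real tenant logs). jdoe's second sign-in lands 22 seconds after the
# first, from another continent, single-factor, scored medium risk: the post-handoff buyer logging in.
$signIns = @(
    [pscustomobject]@{ UserPrincipalName = "jdoe@contoso.example";   CreatedDateTime = [datetime]"2026-05-14T16:02:00Z"
                       IpAddress = "203.0.113.10"; RiskLevelDuringSignIn = "none";   AuthenticationRequirement = "multiFactorAuthentication"
                       Location  = @{ CountryOrRegion = "US"; GeoCoordinates = @{ Latitude = 36.68; Longitude = -121.66 } } }
    [pscustomobject]@{ UserPrincipalName = "jdoe@contoso.example";   CreatedDateTime = [datetime]"2026-05-14T16:02:22Z"
                       IpAddress = "198.51.100.7"; RiskLevelDuringSignIn = "medium"; AuthenticationRequirement = "singleFactorAuthentication"
                       Location  = @{ CountryOrRegion = "NL"; GeoCoordinates = @{ Latitude = 52.37; Longitude = 4.90 } } }
    [pscustomobject]@{ UserPrincipalName = "asmith@contoso.example"; CreatedDateTime = [datetime]"2026-05-14T15:00:00Z"
                       IpAddress = "203.0.113.11"; RiskLevelDuringSignIn = "none";   AuthenticationRequirement = "multiFactorAuthentication"
                       Location  = @{ CountryOrRegion = "US"; GeoCoordinates = @{ Latitude = 36.68; Longitude = -121.66 } } }
    [pscustomobject]@{ UserPrincipalName = "asmith@contoso.example"; CreatedDateTime = [datetime]"2026-05-14T17:30:00Z"
                       IpAddress = "203.0.113.12"; RiskLevelDuringSignIn = "none";   AuthenticationRequirement = "multiFactorAuthentication"
                       Location  = @{ CountryOrRegion = "US"; GeoCoordinates = @{ Latitude = 37.77; Longitude = -122.42 } } }
)
$auditRecords = @(
    [pscustomobject]@{
        ActivityDisplayName = "Consent to application"
        InitiatedBy         = @{ User = @{ UserPrincipalName = "jdoe@contoso.example" } }
        TargetResources     = @(@{ DisplayName = "Mailbox Sync Helper"; ModifiedProperties = @(
                                  @{ DisplayName = "ConsentAction.Permissions"
                                     NewValue    = '[["Scope: Mail.ReadWrite Mail.Send offline_access User.Read"]]' }) })
    }
)

$alerts = @(Find-ImpossibleTravel $signIns) + @(Find-RiskySignInWithoutMfa $signIns) + @(Find-RiskyConsentGrant $auditRecords)
$alerts | Format-Table Signal, User, Detail -AutoSize -Wrap
```

The point of running the three checks together is correlation: one of these signals on a user is something to look at in the morning; all three on the same user inside a minute is the handoff described at the top of this post, and it is the case an MDR partner should be able to show you they catch and act on automatically, not just log.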
4. Automated containment with a thoughtful scope
The final layer is the one that closes the timing gap. When the EDR alert fires and the MDR analyst confirms a real incident, the response cannot wait for a manual approval chain. Automated containment lets the platform isolate the endpoint, revoke the user's active sessions, and block the offending OAuth app within seconds. One detail worth knowing: session revocation in Entra ID invalidates refresh tokens and browser sessions, but an access token the attacker already holds keeps working until it expires (typically about an hour), which is why the device isolation and the app block are done together with the revocation rather than instead of it.
The pushback I hear is "what if it shuts something down by mistake." It is a fair concern, and the answer is to scope the automation tightly. Containment in 2026 is narrow: one device off the network, one session revoked, one app blocked. The blast radius of a false positive is one user briefly inconvenienced. The blast radius of doing nothing while ransomware stages is the whole business. For SMBs the ratio is overwhelmingly in favor of automated containment.
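Here is what a narrowly scoped containment step looks like when the scope is enforced in code rather than by policy wording. This is an added example, not the post's runbook and not any MDR vendor's playbook. It assumes a Graph PowerShell session already connected with User.ReadWrite.All, Application.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All, a Defender for Endpoint/Business API bearer token with the Machine.Isolate permission already stored in $DefenderToken (how you obtain that token is out of scope here), and that the break-glass UPNs, machine ID, app ID and incident number below are placeholders.

```powershell
# Added example, not the post's own runbook: one user, at most one device, at most one OAuth app,
# never a break-glass account. Assumes Connect-MgGraph is done with the scopes named in the lead-in
# and a Defender API token (Machine.Isolate) in $DefenderToken, obtained out of band.
function Invoke-NarrowContainment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # exactly one user
        [string]                        $MachineId,           # Defender machine ID, at most one device
        [string]                        $AppId,               # application (client) ID of the OAuth app, at most one
        [Parameter(Mandatory)] [string] $IncidentId,
        [string[]]                      $BreakGlass = @("emergency1@contoso.example", "emergency2@contoso.example")
    )

    # Guard: emergency-access accounts are contained by a human decision, never by automation.
    if ($BreakGlass -contains $UserPrincipalName) {
        throw "Refusing automated containment of break-glass account $UserPrincipalName (incident $IncidentId)"
    }
    $actions = [System.Collections.Generic.List[string]]::new()

    # 1. Kill the identity's tokens. revokeSignInSessions invalidates refresh tokens and browser session
    #    cookies; access tokens already issued survive until they expire, which is why steps 2 and 3
    #    run alongside this rather than instead of it.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Revoke all sign-in sessions")) {
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
        $actions.Add("sessions-revoked:$UserPrincipalName")
    }

    # 2. Take the one device off the network. "Full" isolation keeps the Defender channel open, so the
    #    analyst keeps telemetry and can release the machine when the investigation is done.
    if ($MachineId -and $PSCmdlet.ShouldProcess($MachineId, "Isolate device (Full)")) {
        $body = @{ Comment = "Incident $IncidentId automated containment"; IsolationType = "Full" } | ConvertTo-Json
        Invoke-RestMethod -Method Post -ContentType "application/json" -Body $body `
            -Uri "https://api.securitycenter.microsoft.com/api/machines/$MachineId/isolate" `
            -Headers @{ Authorization = "Bearer $DefenderToken" } | Out-Null
        $actions.Add("device-isolated:$MachineId")
    }

    # 3. Block the one malicious OAuth app: disable its service principal and delete its delegated
    #    grants so the refresh token it holds cannot be renewed. A password reset alone does not do this.
    if ($AppId) {
        $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
        if ($sp -and $PSCmdlet.ShouldProcess($sp.DisplayName, "Disable service principal and remove OAuth2 grants")) {
            Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
            Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
                ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
            $actions.Add("app-blocked:$AppId")
        }
    }
    return $actions   # the audit trail the incident write-up should quote
}

# Dry run with constructed identifiers; the MDR playbook drops -WhatIf once the scope has been signed off.
Invoke-NarrowContainment -UserPrincipalName "jdoe@contoso.example" `
    -MachineId "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678" `
    -AppId "11111111-2222-3333-4444-555555555555" `
    -IncidentId "INC-2026-0514" -WhatIf
```

Two design choices matter here. The blast radius is bounded by the parameter list itself: there is no way to hand the function a list of users or an "all devices" switch, so a false positive costs one person one session and, at worst, one laptop until an analyst releases it. And the break-glass check is the one thing that is never automated, because the scenario where automation revokes the only accounts that can undo a bad policy is the one outage worse than a false positive.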
What this looks like in dollars for a Central Coast small business
For a representative 25-user professional services firm in Salinas, Monterey, or Santa Cruz running on Microsoft 365 Business Premium, the 2026 minimum stack lands somewhere in this range, per month, all-in:
- M365 Business Premium (includes Defender for Business, Entra ID P1, Intune): roughly $22 per user.
- MDR service covering endpoint and identity: roughly $20 to $45 per user, depending on provider and depth.
- Managed IT wrapping patching, identity hardening, backup, and the human relationship: roughly $125 to $185 per user, depending on scope. See our managed IT pricing post.
The all-in number for a 25-person firm typically lands between $170 and $250 per user per month for a credible 2026 program. The headline you do not want to read is the one where a six-figure ransomware payout, business interruption, and notification costs make that number look like a bargain in retrospect.
Where this fits with the rest of the week
This post pairs with several other pieces in the cybersecurity cluster:
- The Exchange zero-day post from May 15: an example of the kind of disclosure that, in 2023, you had hours to respond to. In 2026, the brokered access exists before the patch ships.
- The ransomware-how-it-gets-in post: the same pipeline this article describes, viewed from the victim's side.
- The identity hardening post: the prevention layer below MDR.
- The cyber-insurance renewal checklist: underwriters now ask about MDR by name. If you do not have it, your premium reflects that.
The honest read is that 2026 is the year MDR moves from "nice to have for the cautious SMB" to "the realistic minimum for any business that runs on Microsoft 365." Twenty-two seconds is the reason. Human-paced operations cannot beat that clock; automated detection plus a real responder on the other end can.
FAQs about AI attack speed and MDR for small business
What does the 22-second number actually mean?
It is the median time, as measured across recent incident-response data, between an initial access broker landing a foothold and handing that foothold off to a secondary threat actor (typically a ransomware affiliate or a data-exfiltration crew). Three years ago that handoff took around eight hours. In 2026 the median is 22 seconds. The compression is driven by AI-assisted attacker tooling that automates the qualification, packaging, and sale of accesses.
Does this affect a small business or only large enterprises?
It affects small business more, not less. The 22-second figure is a median across all targets, including SMBs. Initial access brokers do not skip small businesses. They harvest credentials, qualify the environment with a quick automated scan, and put the access up for sale. A 20-person firm with a Microsoft 365 tenant looks the same to the broker pipeline as a 2,000-person firm. The smaller you are, the less likely it is that any human will see the alert in time.
Can we just patch faster instead of paying for monitoring?
Patching closes the door before the attacker arrives, which is essential. Monitoring catches the attacker after they get in through a door you did not know was open, including stolen credentials, malicious OAuth grants, and zero-days. The two are complementary controls, not substitutes. The Central Coast small businesses I see compromised in 2026 almost always have a patching gap and no detection layer. Closing one of those without the other still leaves the gap open.
What is MDR and how is it different from antivirus?
MDR stands for Managed Detection and Response. It is a service where a 24/7 team watches alerts from your endpoint and identity tooling (typically EDR plus Microsoft 365 sign-in logs), investigates anomalies, and takes containment actions like isolating an endpoint or revoking a session token. Antivirus blocks known-bad files. EDR watches behaviors, can isolate a machine, and in some products can roll back ransomware changes on a single machine. MDR is the human and automation layer on top that decides what to do when those tools fire alerts at 2 a.m.
Is automated containment safe? Can it shut down our business by mistake?
Modern MDR platforms scope containment narrowly: isolate one endpoint from the network, revoke one user's sessions, block one OAuth app. The blast radius of a false positive is one user being briefly inconvenienced, not the business going down. The blast radius of doing nothing when ransomware is staging is the whole business. The ratio is heavily in favor of automated containment for SMBs, which is why even our most cost-sensitive clients are running it now.
We are a 10-person firm. Is MDR really realistic for us?
Yes, and the math is better at 10 users than at 100. Per-user MDR pricing is roughly flat, so the total monthly spend for a 10-person firm is in the low hundreds. The breach economics do not scale down the same way; a ransomware event at a 10-person firm can still cost $50,000 to $150,000 between recovery, lost revenue, and notification. The smaller the firm, the less margin it has to absorb that hit, which is the argument for spending modestly on prevention.
Want a read on whether your current setup can keep up with 22 seconds?
30 minutes with a DoD-cleared engineer. We will walk through your Microsoft 365 tenant, EDR coverage, and current monitoring posture, and give you a written read on the gaps and the realistic 2026 minimum for a business your size.
Book your free assessment.
Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.