What is breakout time in the context of an intrusion?

Prepare for the SANS FOR508 Exam. Use flashcards and multiple-choice questions, each with hints and explanations. Maximize your readiness for the test!

Multiple Choice

What is breakout time in the context of an intrusion?

Explanation:
Breakout time is the interval between an attacker establishing an initial foothold on one host and beginning to move laterally to other systems in the network. It reflects how quickly the intruder expands access after the first compromise, which is a critical window for defenders to detect and contain the intrusion before broader access is gained. This period can vary from minutes to hours depending on network segmentation, detection capabilities, and attacker methods.

The other options describe different concepts: the time to detect an intrusion after the initial compromise is about detection dwell time, not expansion; escalating privileges locally is a separate step focused on gaining higher rights on a single host; and revoking access after an incident relates to remediation and containment, not the attack’s spread through the network.
