Why faster detection saves money: the cost of dwell time

The time it takes to detect and contain a breach is one of the strongest levers on its cost. IBM's analysis finds that breaches taking more than 200 days to identify and contain cost about $1.88 million more on average than those resolved in under 200 days. The reason is simple: most breach cost accrues while the breach is still active, so every extra day an attacker has access adds records exposed, systems compromised and business disrupted. That makes detection speed unusually high-ROI — money spent shortening the breach lifecycle pays back against a very large avoided cost. This guide explains the dwell-time delta, why it exists, and how to estimate the payoff of faster detection with the cost of detection delay calculator.

What dwell time is

Dwell time is the interval during which a breach is live but unresolved — from an attacker's initial access to the moment the incident is both identified and contained. IBM frames this as the breach lifecycle: the time to identify that something is wrong plus the time to contain it. The two stages are distinct. Identification is the detection problem — noticing the intrusion at all. Containment is the response problem — stopping it once noticed. A breach can sit undetected for months and then be contained in days, or be spotted quickly but take weeks to fully shut down. Both stretches add to dwell time, and both add to cost.

The 200-day threshold and the ~$1.88M delta

The headline finding is stark. When IBM splits breaches by whether their full lifecycle ran over or under 200 days, the long-lifecycle group costs roughly $1.88 million more on average. The 200-day mark is not a magic number — it is a convenient split point in the data — but the direction and the magnitude are consistent year after year: slower breaches are dramatically more expensive than faster ones.
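To track where your own incidents fall, the lifecycle can be computed from three timestamps per incident and split at the same 200-day mark. The sketch below is an added example, not code from IBM or from this site's calculators; the record layout, incident IDs and dates are constructed for illustration, and all timestamps are assumed to share one timezone.

```python
from datetime import datetime
from statistics import median

THRESHOLD_DAYS = 200  # split point cited in the text above
DAY = 86400.0

# Constructed sample records, not real incidents. Tuple layout (an assumption):
# (id, initial_access, identified, contained-or-None), all in one timezone.
INCIDENTS = [
    ("INC-A", "2024-01-10T08:00", "2024-08-02T14:30", "2024-08-09T09:00"),
    ("INC-B", "2024-03-01T00:00", "2024-03-04T12:00", "2024-04-15T12:00"),
    ("INC-C", "2024-05-20T10:00", "2024-05-19T10:00", "2024-06-01T10:00"),  # bad order
    ("INC-D", "2024-06-01T00:00", "2024-06-20T00:00", None),                # still open
]

def lifecycle(rec, as_of):
    """Split one incident into identify and contain stages, in days."""
    inc_id, access, found, ended = rec
    access, found = datetime.fromisoformat(access), datetime.fromisoformat(found)
    ended = datetime.fromisoformat(ended) if ended else None
    if found < access or (ended and ended < found):
        raise ValueError(f"{inc_id}: lifecycle timestamps out of order")
    stop = ended or as_of  # an open incident is still accruing dwell time
    identify = (found - access).total_seconds() / DAY
    contain = (stop - found).total_seconds() / DAY
    return {"id": inc_id, "identify": identify, "contain": contain,
            "total": identify + contain, "open": ended is None}

def summarize(records, as_of):
    """Median stage lengths for closed incidents, plus lists needing attention."""
    rows, rejected = [], []
    for rec in records:
        try:
            rows.append(lifecycle(rec, as_of))
        except ValueError:
            rejected.append(rec[0])  # fix the record, do not guess a duration
    closed = [r for r in rows if not r["open"]]
    return {
        "median_identify": median([r["identify"] for r in closed]),
        "median_contain": median([r["contain"] for r in closed]),
        "over_threshold": [r["id"] for r in rows if r["total"] > THRESHOLD_DAYS],
        "open": [r["id"] for r in rows if r["open"]],
        "rejected": rejected,
    }

if __name__ == "__main__":
    for key, value in summarize(INCIDENTS, datetime(2024, 7, 1)).items():
        print(f"{key}: {value}")
```

Reporting the identify and contain medians separately shows which half of the lifecycle is driving the total, which is what determines whether detection tooling or response rehearsal is the better next investment.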

The figure is an enterprise-scale average, so a small business will not see a $1.88 million swing in absolute terms. But the mechanism scales down perfectly, and the proportional penalty for slowness is similar at any size. For a small firm whose modeled breach costs a few hundred thousand dollars, halving the dwell time can still cut the cost by a meaningful fraction — which is exactly what the detection-delay calculator estimates.

Why cost accrues with time

Dwell time is so expensive because breach cost is not a one-time charge incurred at the moment of discovery — much of it is generated continuously while the breach is open. Walk through the components covered in how data breach cost is calculated and the time dependence is everywhere.

More records and systems are reached

An attacker with access for 250 days can move laterally, escalate privileges and reach far more data than one ejected in 25. More records exposed means a larger variable cost — more notification, more monitoring, more per-record liability — and a wider blast radius across systems.

Lost business compounds

The largest cost component, lost business, grows with the severity and duration of the incident. A breach that quietly drained data for the better part of a year is a worse story for customers and regulators than one caught and contained in a fortnight, and the churn and reputational damage scale accordingly.

Detection and response work expands

The longer the lifecycle, the more forensic ground there is to cover. Investigators must reconstruct a longer timeline across more systems, and crisis management runs for longer. The detection-and-response component swells in direct proportion to how long the attacker was active.

Downtime stretches

If the breach disrupts operations, every additional day of dwell time is potentially another day of degraded or halted business. Size that interruption with the cost of downtime calculator; for many small firms it rivals the direct response cost.

Why detection speed is high-ROI

Put the mechanism together and the investment case writes itself. Most controls reduce either how often you are breached or how much one breach costs. Detection-and-response controls do something distinctive: they cut the cost of breaches that happen anyway, by shortening the window in which cost accrues. Because the avoided cost — the dwell-time delta — is so large, even moderately priced detection capability tends to show a strong return.

The controls most associated with a shorter lifecycle in IBM's data are security analytics (SIEM and EDR), AI-assisted detection and automation, and a tested incident-response plan. The first two shrink the time to identify; the last shrinks the time to contain, because a rehearsed team moves faster than one improvising. To convert that into numbers, take your baseline breach cost and Annual Loss Expectancy, apply each control's mitigation factor, and weigh the avoided loss against the annual cost using the security control ROI calculator — the method is laid out in the ROI of security controls.

Estimating the cost of your detection delay

The cost of detection delay calculator anchors to the IBM finding and lets you see how moving along the lifecycle changes the cost for a breach of your size. The practical takeaway for a small business is not to chase a specific day count but to recognize the shape of the curve: slower is sharply more expensive, the early days of detection capability buy the most, and a tested response plan is one of the cheapest ways to compress the containment half of the lifecycle. Detection speed is not a luxury bought after the obvious controls — for many organizations it is the single highest-return investment available, precisely because it works on the cost that has already started to accrue.

Frequently asked questions

What is dwell time in a data breach?

Dwell time is how long a breach goes unaddressed — the period from when an attacker first gains access to when the incident is identified and contained. It is often measured as the breach lifecycle: time to identify plus time to contain. Longer dwell time means more data accessed, more systems touched and more cost.

How much more does a long-dwell breach cost?

IBM's analysis finds that breaches taking more than 200 days to identify and contain cost about $1.88 million more on average than those resolved in under 200 days. The gap is one of the largest single cost levers an organization can influence.

Why does faster detection save money?

Because most breach cost accrues while the breach is active. The longer an attacker has access, the more records they reach, the more systems they compromise and the longer business is disrupted — all of which inflate every cost component. Detection that shortens the lifecycle cuts the cost before it is incurred.

Which controls reduce dwell time the most?

Security analytics (SIEM/EDR), AI-assisted detection and automation, and a tested incident-response plan are the controls most associated with a shorter breach lifecycle in IBM's data. Estimate their payoff with the security control ROI calculator.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.