
One Compromised System and BOOM, Meet Your Blast Radius.

Published February 03, 2026

A single compromised system can reach 85% of the environment in one hop.

Enterprise security risk in 2025 is not driven by rare zero-day exploits or novel attack techniques. It is driven by the routine abuse of normal, trusted access paths that already exist inside enterprise environments.

To understand how real attacks unfold after initial access, Zero Networks analyzed approximately 3.4 trillion activities across 400 enterprise environments over a 12-month period (December 2024 – December 2025).

The findings point to a clear conclusion: the most dangerous activity often looks legitimate, blends into everyday operations, and occurs after initial access – when attackers are expanding impact rather than breaking in.

AI-powered attacks are accelerating initial access. But our data shows that business impact is determined less by how attackers get in, and far more by what they can reach once they do. As AI-driven breaches become inevitable, the only durable advantage defenders have is limiting how far attackers can move after entry.

This has major implications for how organizations think about prevention, resilience, and security investment. Waiting to detect and respond is no longer sufficient when the access paths attackers rely on remain persistently open.

TL;DR

Security outcomes improve fastest when organizations eliminate always-on access, reduce attacker paths, and measure success by time-to-containment and blast-radius reduction, not alert volume.

Background

Modern ransomware and intrusion campaigns have outpaced traditional security models. By systematically evading EDR and XDR controls, abusing legitimate credentials, and rotating techniques, attackers have turned defense into a reactive game of escalation and cleanup.

The failure is structural, not operational.

Most enterprise networks do not expose thousands of ports. They rely on a small, predictable set – typically 20–30 ports – to keep the business running. Within that set, roughly 10 privileged management protocols (including RDP, SMB, WinRM, and RPC) function as high-trust highways for IT operations.

These same highways now account for the majority of breach expansion.

Because they remain open and reachable around the clock, attackers who gain any foothold inherit persistent lateral movement paths. Once inside, they rarely need sophisticated exploits. They reuse the same trusted access paths administrators depend on every day.

True business and cyber resilience requires moving away from a detect-and-respond mindset toward a closed-by-default architecture rooted in least privilege. Eliminating persistent access paths and enforcing identity-based, just-in-time access removes an attacker’s ability to move – often before the first alert ever fires.

From a business risk standpoint, the objective is structural immunity: systems are invisible by default, access is granted only when explicitly required, and blast radius is constrained by design rather than response speed.

Threat Analysis

Most threats look legitimate – until they aren’t

The overwhelming majority of detections in this dataset originated from verified penetration testing activity. This matters because penetration testers behave like real attackers. They use real credentials, rely on legitimate tools, and exploit trusted access paths rather than exotic vulnerabilities.

In practice, this means attackers can:

  • Compromise at least 60% of the environment in less than an hour, once initial access is gained.
  • Remain undetected for extended periods while using legitimate access.

Attackers often retain meaningful access after compromise, even as detection improves. Mandiant’s M-Trends reporting puts the global median dwell time at roughly 10–11 days, down from prior years but still long enough for significant lateral movement and impact. Other studies show that dwell time varies widely by attack type; credential-based intrusions often persist longer because they blend into normal administrative activity. This reinforces that containment, not just detection speed, determines business risk.

For leadership, the implication is clear: if skilled testers can move this easily, real attackers can too. Once access exists, detection alone cannot reliably distinguish good from bad.

A small number of protocols account for most risk

Across environments, detections consistently concentrated on a narrow set of enterprise protocols. SMB, RDP, WinRM, and RPC dominated activity, accounting for 71% of the 3.4 million detected threat activities.

These protocols are foundational to Windows, Active Directory, and IT operations. They are required for business continuity and cannot simply be disabled.

This concentration reveals a critical insight: attackers do not need many techniques to be effective. Once inside, they repeatedly exploit the same trusted pathways enterprises depend on to function.

Most enterprise risk flows through a handful of trusted pathways created for operational convenience – not attacker sophistication.

Lateral movement is the dominant risk pattern

Across protocols and environments, the same behaviors appeared repeatedly:

  • Reuse of valid credentials
  • Movement from one system to another
  • Enumeration of systems, services, and privileges

In practical terms:

  • A single compromised host could reach a median of 85% of internal systems in the first hop and effectively 100% in the second hop
  • The ratio of alerts generated to actual access paths eliminated was 30%, highlighting alert noise versus real risk reduction

The most significant business risk is not the initial breach. It is an uncontrolled internal spread.

Risk exposure varies dramatically by organization

Detection patterns varied widely across customers. Some environments triggered alerts across many protocols, indicating broad internal reachability. Others showed much narrower exposure.

This variance was driven less by industry or attacker sophistication and more by internal access architecture. Two organizations in the same sector can have radically different blast radii.

Security maturity should be measured by:

  • How many systems are reachable by default
  • How quickly access can be revoked
  • How fast lateral movement is stopped – not how many alerts are generated

Low-frequency signals often indicate high-impact risk

Certain systems appeared less frequently in detections, including:

  • Microsoft SQL Server (~3% of detections, ranked 9th)
  • System Center Configuration Manager (2%, ranked 10th)
  • Active Directory Web Services (2%, ranked 11th)

While these systems generate fewer alerts, access to them signals potential control over core databases, endpoint management, or identity infrastructure. Compromise at this layer can rapidly transform a limited incident into a major operational disruption. For executives, fewer alerts do not mean lower risk. Some of the most dangerous access paths are quiet by design.

Impact

Traditional security metrics reward alert volume and detection fidelity. The data shows this is misaligned with actual business risk.

What matters instead:

  • How much of the environment is reachable from a single compromise
  • How quickly attackers can move once inside
  • How fast access can be revoked and paths eliminated

Always-on access creates permanent exposure. Even perfect detection still leaves attackers operating faster than human response cycles.
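As an added illustration (not from the report or Zero Networks’ own tooling), the following Python computes the per-hop blast radius these metrics describe: it runs a breadth-first search over the management-protocol paths allowed between hosts and reports the cumulative fraction of the environment reachable at one and two hops, comparing always-on paths with a closed-by-default policy in which a path is usable only while an explicit grant is active. The eight host names, the RDP/SMB/WinRM/RPC paths, and the active grants are constructed sample data.

```python
# Constructed sample (not the report's data): 8 hosts and the management-protocol
# paths (RDP/SMB/WinRM/RPC) allowed between them as (source, destination, protocol).
HOSTS = ["ws01", "ws02", "jump01", "fs01", "dc01", "sql01", "sccm01", "adws01"]
WORKSTATIONS, SERVERS = ["ws01", "ws02"], ["fs01", "dc01", "sql01", "sccm01"]
ALWAYS_ON = (
    [(ws, srv, "smb") for ws in WORKSTATIONS for srv in SERVERS]   # flat SMB access to servers
    + [(ws, "jump01", "rdp") for ws in WORKSTATIONS]               # admins RDP to a jump host
    + [("jump01", h, "winrm") for h in SERVERS + ["adws01"]]       # jump host manages everything
    + [("jump01", ws, "rdp") for ws in WORKSTATIONS]
    + [("dc01", "adws01", "rpc"), ("sccm01", "ws01", "smb"), ("sccm01", "ws02", "smb")]
)

def reachable_by_hop(paths, start, max_hops=2):
    """Breadth-first search over allowed paths.
    Returns {hop: set of hosts first reached at exactly that hop}."""
    adj = {}
    for src, dst, _proto in paths:
        adj.setdefault(src, set()).add(dst)
    seen, frontier, layers = {start}, {start}, {}
    for hop in range(1, max_hops + 1):
        nxt = {d for s in frontier for d in adj.get(s, ()) if d not in seen}
        if not nxt:
            break
        layers[hop] = nxt
        seen |= nxt
        frontier = nxt
    return layers

def blast_radius(paths, start, hosts=HOSTS, max_hops=2):
    """Cumulative fraction of the *other* hosts reachable within N hops of `start`."""
    others = len(hosts) - 1
    layers = reachable_by_hop(paths, start, max_hops)
    reached, out = 0, {}
    for hop in range(1, max_hops + 1):
        reached += len(layers.get(hop, ()))
        out[hop] = round(reached / others, 2)
    return out

def closed_by_default(paths, active_grants):
    """Model a closed-by-default policy: a path is usable only while an explicit
    (source, destination) grant is active; once revoked, the path no longer exists."""
    return [p for p in paths if (p[0], p[1]) in active_grants]

if __name__ == "__main__":
    print("always-on:", blast_radius(ALWAYS_ON, "ws01"))                        # {1: 0.71, 2: 1.0}
    grants = {("ws01", "jump01"), ("jump01", "dc01")}                           # one admin session open
    print("just-in-time:", blast_radius(closed_by_default(ALWAYS_ON, grants), "ws01"))  # {1: 0.14, 2: 0.29}
    print("revoked:", blast_radius(closed_by_default(ALWAYS_ON, set()), "ws01"))  # {1: 0.0, 2: 0.0}
```

The same function run against an exported firewall or segmentation policy gives the "how much is reachable from a single compromise" figure per host, which is the metric the section above argues should replace alert counts.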

Mitigation

The most effective organizations invert the model.

Instead of leaving infrastructure reachable and relying on reactive alerts, they enforce:

  • Closed-by-default network access
  • Identity verification with MFA before access is granted
  • Automatic revocation when access is no longer required

This approach:

  • Dramatically reduces lateral movement
  • Contains threats at the source, shrinking blast radius by design
  • Lowers operational noise and unnecessary patching
  • Improves resilience without adding tooling complexity

Visibility and automation are now table stakes in the shift to proactive threat containment. The strategic advantage lies in real-time, identity-based enforcement at the network layer, making infrastructure effectively invisible to unauthorized users.

What This Means for Business Leaders

Breaches aren’t the failure – blast radius is.

Enterprises don’t need more alerts; they need fewer paths for attackers to move. For CIOs and CISOs, the reality is that attackers move faster than humans ever will, so stopping spread matters more than stopping entry. Security investment must protect what actually matters to the business – uptime, recovery speed, and continuity – not dashboards or alert volume. And penetration tests should no longer be treated as compliance artifacts; they are early warnings of the next real breach.