Josh ThomsonReady For Anything: Do You Meet The 1-10-60 Rule?

When you are the victim of a cyberattack, the time it takes you to identify and resolve a breach is critical.

Experts recommend aiming to meet the 1-10-60 rule: 1 minute to detect, 10 minutes to investigate and 60 minutes to remediate.

This doesn’t give you a lot of time to catch and neutralise a threat. But a criminal doesn’t need a lot of time to cause catastrophic damage to your business once they’ve managed to get past your defences and gained access to your sensitive information.

A survey by CrowdStrike published last year found that, far from meeting this goal, the average company would need a total of 162 hours to reach a resolution following a compromise – that’s close to a full week of round-the-clock work.


Identifying that you have been compromised is the first step to securing your business against it. The sooner you detect a breach, the more effectively you can contain the level of damage it can do. The more time a criminal is lurking in your system, the more data they can gain access to and use to exploit you.

On average it takes a matter of weeks, at least, to discover a breach. Estimates vary from 13.21 days to 197 days – that’s more than six months.

44% of businesses surveyed by CrowdStrike identified slow detection as a key factor in the severity of the compromises they suffered. This makes real time threat detection crucial to surviving should you end up the victim of an attack.


The more information you have about a breach, the easier it will be to contain and neutralise. Investigating the source of the threat, its target and the actor behind it needs to be as efficient as possible. Experts recommend that this information needs to be gathered in no more than ten minutes.

However, CrowdStrike found that investigating a breach in fact often takes more than six hours and that only 53% of victims even discover the attacker responsible for their breach at all.

Without this critical information, it can be difficult if not impossible to respond appropriately to the attack, in a way that will minimise damage to your business as much as possible. This requires a comprehensive knowledge of your entire infrastructure, where your sensitive data exists within it and what security measures are in place across your network.

It also highlights the urgent need for companies to be able to track cyber activity in the digital environment surrounding their network. The footprints left by outside actors can contain valuable clues to the methods and motives of cybercriminals.


CrowdStrike found that on average it takes organisations 31 hours of continuous work to contain the threat once they have detected and investigated a compromise. This means that, rather than shutting down the attacker and preventing further damage within a day as recommend, companies are likely to need up to a full working week to contain the breach.

Stalling business for this amount of time can have huge repercussions for an organisation, outside of any fines, losses or theft of money or data.

The best way to cut down the amount of time it takes to respond to an incident is to have an effective plan in place for whenever an emergency occurs. Taking a proactive approach to your cybersecurity puts you in the best possible position to survive when you are under attack.

Ready to protect all your assets?

Leveraging its proprietary timeline-matching technology, ThreatAware ensures you have a complete, accurate, and non-duplicated asset inventory in real-time. No more guesswork – spot and fix deficiencies across your entire IT estate instantly.

Onboard in less than 30 minutes.

Request a Trial
App screenshot