Eleven days. That is the figure we keep landing on. Mandiant's 2025 M-Trends Report places the global median dwell time at ten days. When we compared our own engagement notes from the past 18 months across Manila, Cebu, and Davao, the equivalent figure for Filipino SMBs sits closer to eleven. Some businesses we worked with had been compromised for over a month before our team flagged it during scoping calls.

For an SMB owner reading this in a coffee shop right now, the implication is simple. There is roughly a one in three chance that someone you do not know has access to at least one system in your business at this moment. They are reading email. They are mapping who pays whom. They are waiting for the right wire transfer to redirect.

This article explains why detection takes that long in the Philippines specifically, what an attacker does with eleven days of unsupervised access, and the three structural changes that bring detection time down from days to hours.

Why detection takes longer in the Philippines

Filipino SMBs share a security profile that almost guarantees slow detection. Most rely on a single outsourced IT provider whose service contract covers helpdesk and infrastructure. Threat detection sits outside that contract. The MSP installs antivirus on endpoints, configures the firewall, and considers the job done. None of that catches an attacker who is already inside.

Business communication is the second blind spot. In the Philippines, internal coordination runs heavily through Facebook Messenger group chats and Viber. Neither leaves a business-grade audit trail. When an attacker compromises an employee account and uses Messenger to extract internal information, there is no SIEM rule that fires. Microsoft Defender does not see it. The CISO does not exist. The owner finds out when the wire transfer has already cleared.

Third, the tools that would catch lateral movement quickly are priced for enterprises. A proper Endpoint Detection and Response platform with 24/7 monitoring runs between PHP 250,000 and PHP 600,000 per year for a small organisation. Most SMB owners assume their existing antivirus does the job. According to Verizon's 2024 DBIR, antivirus alone catches less than 7% of modern intrusions.

The combined effect is straightforward. Filipino SMBs run on tools that were never designed to detect a present-day attacker, communicate over channels with no logging, and trust an MSP whose contract does not cover the threat.

What an attacker does with 11 days inside your business

Eleven days is a long time for a competent operator. It is also remarkably consistent across the engagements we run. Day one is rarely loud. Most initial access happens through phishing, and the first few hours are spent confirming the foothold and identifying the user's role inside the business.

By day three, a real attacker has done what we do during reconnaissance: pulled the organisational chart from the email signature graph, mapped who reports to whom, and identified the two or three people who can authorise wire transfers. They have read the last 90 days of email between the CEO and the CFO. They know the cadence of payments to suppliers in Hong Kong, Singapore, and Shenzhen.

By day five, lateral movement is usually done. The attacker has pivoted from the initially phished account into the accounting workstation, often by reusing a legitimate password (the bookkeeper kept the same password for Outlook and the local QuickBooks login). At this stage they have read-write access to invoice templates, banking instructions, and the customer master file.

Days eight to eleven are the patient phase. The attacker waits for the right moment. A supplier invoice arrives. The attacker intercepts it, edits the bank account details (one digit changed, or a Hong Kong account swapped for a Mauritius one), and re-sends it from a domain visually identical to the supplier's. The CFO approves it because the email thread looks legitimate, the amount matches an expected payment, and the supplier has been billing for years. Days later the supplier asks where their payment is. That is the moment of detection.

Anything earlier is luck.

What changes when you cut detection from 11 days to 11 hours

Three structural shifts move detection from weeks to hours, and none of them requires enterprise budgets.

The first is logging. Microsoft 365 Business Premium includes audit log retention and Defender for Office 365 alerts. Most Filipino SMBs we audit have these features available in their licence and never turned them on. Switching them on takes one administrator a Saturday afternoon. After that, anomalous mailbox forwarding rules (a classic BEC pre-attack signal) generate visible alerts within minutes of being created.
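The forwarding-rule signal described above can also be checked directly against exported audit records. The following is an added example, not code from the original article: it assumes records in the Exchange audit layout (Operation, UserId, Parameters), the sample records are constructed, and OWN_DOMAINS is a placeholder for the tenant's own mail domains.

```python
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                  "ForwardingSmtpAddress"}
# Actions that keep the mailbox owner from noticing the forwarded mail.
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
OWN_DOMAINS = {"example-smb.ph"}  # assumption: the tenant's accepted domains

def external_targets(value, own_domains):
    """Addresses in a parameter value whose domain is not one of ours."""
    addrs = (p.strip().lower().removeprefix("smtp:")
             for p in value.replace(",", ";").split(";"))
    return [a for a in addrs if "@" in a and a.rsplit("@", 1)[1] not in own_domains]

def review(records, own_domains=OWN_DOMAINS):
    """Return one finding per record that forwards mail outside the tenant."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPS:
            continue
        params = {p["Name"]: str(p.get("Value", ""))
                  for p in rec.get("Parameters", [])}
        targets = sorted(a for n in FORWARD_PARAMS & params.keys()
                         for a in external_targets(params[n], own_domains))
        if not targets:
            continue
        hides = sorted(n for n in HIDING_PARAMS & params.keys()
                       if params[n] not in ("", "False"))
        findings.append({"user": rec.get("UserId"), "time": rec.get("CreationTime"),
                         "operation": rec["Operation"], "targets": targets,
                         "severity": "high" if hides else "medium", "hides_with": hides})
    return findings

def rec(op, user, when, **params):  # builds one constructed audit record
    return {"Operation": op, "UserId": user, "CreationTime": when,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}

SAMPLE = [  # constructed records, not from a real tenant
    rec("New-InboxRule", "bookkeeper@example-smb.ph", "2025-03-04T02:17:09",
        SubjectOrBodyContainsWords="invoice;payment",
        ForwardTo="ap-archive@mail-example.net", DeleteMessage="True"),
    rec("Set-Mailbox", "owner@example-smb.ph", "2025-03-05T09:40:00",
        ForwardingSmtpAddress="smtp:assistant@example-smb.ph"),
    rec("Set-InboxRule", "sales@example-smb.ph", "2025-03-06T11:02:31",
        RedirectTo="sales.backup@mail-example.net"),
    rec("New-InboxRule", "hr@example-smb.ph", "2025-03-06T13:00:00",
        MoveToFolder="Newsletters"),
]

for finding in review(SAMPLE):
    print(finding)
```

A rule that forwards externally and also deletes or hides the original message is ranked high because the mailbox owner never sees the mail being copied out.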

The second is segmentation. The accounting workstation should not share a flat network with the receptionist's laptop. A basic VLAN configuration on a small business firewall (Fortinet, Sophos, or Mikrotik) breaks the easy lateral path. We see this missing in roughly 8 of 10 SMB engagements.

The third is a 30-minute monthly conversation. We call it the security standup. The MSP, the owner, and one operator in the business review three things together: who has access to what, which alerts fired in the past 30 days, and which payments above PHP 100,000 went to a new bank account. That last question alone catches most BEC fraud before the wire clears.
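The third standup question can be answered from a payment export rather than from memory. The following is an added example, not code from the original article: the ledger layout and rows are constructed, and it goes one step beyond the text by also reporting when the new account differs from a known one by a single character, the "one digit changed" edit described earlier.

```python
from datetime import date, timedelta

THRESHOLD_PHP = 100_000  # the standup's payment threshold
WINDOW_DAYS = 30         # the standup's review period

def one_char_apart(a, b):
    """True if two account numbers differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def standup_review(payments, today, threshold=THRESHOLD_PHP, window=WINDOW_DAYS):
    """Payments in the window, above threshold, to an account this supplier
    has never been paid on before."""
    start = today - timedelta(days=window)
    known, flagged = {}, []  # known: supplier -> accounts already paid
    for p in sorted(payments, key=lambda p: p["date"]):
        seen = known.setdefault(p["supplier"], set())
        if (p["account"] not in seen and p["amount_php"] > threshold
                and start <= p["date"] <= today):
            flagged.append({**p,
                            "new_supplier": not seen,
                            "near_match_of": sorted(
                                a for a in seen if one_char_apart(a, p["account"]))})
        seen.add(p["account"])
    return flagged

def row(day, supplier, account, amount_php):  # builds one constructed ledger row
    return {"date": date.fromisoformat(day), "supplier": supplier,
            "account": account, "amount_php": amount_php}

LEDGER = [  # constructed rows; suppliers and account numbers are invented
    row("2025-01-14", "HK Components", "012345678901", 610_000),
    row("2025-02-12", "HK Components", "012345678901", 598_000),
    row("2025-03-03", "Metro Couriers", "778800112233", 80_000),
    row("2025-03-05", "Cebu Packaging", "556677889900", 150_000),
    row("2025-03-11", "HK Components", "012345678911", 640_000),
    row("2025-03-12", "HK Components", "012345678901", 120_000),
]

for hit in standup_review(LEDGER, today=date(2025, 3, 20)):
    print(hit["date"], hit["supplier"], hit["account"], hit["near_match_of"])
```

A flagged row with a non-empty near-match list is the one to confirm with the supplier by phone, using a number already on file, before the next payment goes out.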

None of this is glamorous. None of it costs more than a few thousand pesos a month if the licences are already in place. The 11-day-to-11-hour shift comes from operational discipline, not new spend.

What a red team actually shows you

A red team engagement is the cleanest way to get a real number for your business. We start where an attacker would start: an open-source view of your organisation, your domain's mail records, your employees' LinkedIn presence, and any of your credentials that have already leaked in past breaches (we check every Filipino SMB against HaveIBeenPwned and the dark-web equivalents). From there we attempt initial access using the same tradecraft a real adversary would use.

The deliverable is a written report with three numbers that matter. How many ways an attacker can get in. How long they can stay before any of your existing tools fire. What they can reach once they are inside. The report includes recommended controls ranked by cost-to-impact, and our team is available for a working session with your MSP to implement them.

For Filipino SMBs we offer the engagement at USD 5,000, which works out to about PHP 280,000 at current rates. Two weeks from kickoff to delivered report. We have run this exact scope for businesses ranging from a 12-person logistics firm in Pasig to a 70-person BPO in Cebu. The findings differ. The structural pattern is uncomfortably consistent.

The honest math

The IBM 2024 Cost of a Data Breach Report puts the global average breach cost at USD 4.88 million. For a Filipino SMB that figure compresses to a smaller absolute number, but a much larger relative number. We have worked with businesses where a successful BEC attack consumed three months of net profit in a single morning. One bookkeeping firm we know in Manila lost the equivalent of 18 months of operating margin to a single fraudulent wire and only avoided closing because the owner had personal savings to inject.

Compared to that, USD 5,000 for an honest map of your attack surface is a rounding error. The decision is not really about price. It is about whether you would rather find out from a controlled engagement how your business looks to an attacker, or from a phone call from your bank asking why you wired PHP 6 million to an account in Mauritius last Tuesday.

If you have read this far, you already know which of those two phone calls is more likely.

Recommended next step

If you run a Philippine business with more than five employees and you have not done a security assessment in the past 12 months, the realistic question is not whether you have an exposure. It is which one. Book a 15-minute scoping call with your industry and rough employee count. We will tell you within 15 minutes whether a paid engagement makes sense for your size, and if it does not, we will tell you that too.

The 11 days an attacker has been waiting are not coming back. The 11-hour version of your business starts the day you decide to look.

