Lateral Movement

Cybersecurity statistics about lateral movement

80% of enterprise servers are reachable from anywhere inside the network, creating greenfield conditions for ransomware, operational disruption, and full-environment compromise.

Zero Networks, 6/15/2026
Network Security, Ransomware

6.5% of the 832 malicious accounts banned between March 2025 and March 2026 used AI to assist with lateral movement.

Anthropic, 6/6/2026
AI in Cybercrime

57% of healthcare and manufacturing security leaders rank microsegmentation as their top initiative to stop lateral movement.

Elisity & Omdia, 5/27/2026
Microsegmentation, Healthcare

Nearly half of healthcare and manufacturing security leaders experienced a lateral movement attack in the past year.

Elisity & Omdia, 5/27/2026
Healthcare, Manufacturing

52% of healthcare leaders cite lack of continuous monitoring for lateral movement and segmentation failures as a critical or significant limitation.

Elisity, 5/27/2026
Healthcare, Network Monitoring

37.5% of organizations report Lateral Movement

Lumos, 5/27/2026
Internal Vulnerabilities

Threat actors utilizing AI and automation tools can achieve lateral movement within an organization in as little as 4 minutes, 85% faster than the previous year.

ReliaQuest, 5/27/2026
AI in Cybercrime, Automation

On average, lateral movement within an organization takes 34 minutes, 29% quicker than the 48 minutes recorded in 2024.

ReliaQuest, 5/27/2026
Threat Actor Tactics

96% of incidents involving lateral movement end with the release of ransomware.

Barracuda, 2/22/2026
Ransomware

67% of security leaders lack visibility into access behaviour and lateral movement.

Gurucul, 8/21/2025
Access behavior, Lateral movement

76% of organizations have at least one public-facing asset that enables lateral movement.

Orca Security, 6/5/2025
Cloud, Lateral movement

47% say that a challenge in securing and managing hybrid cloud is the lack of comprehensive insight and visibility across their environments, including lateral movement in East-West traffic.

Gigamon, 5/21/2025
Cloud, Hybrid cloud

DirectDefense mapped alerts to the MITRE ATT&CK® framework to identify the top five tactics. The top five tactics identified are: Initial Access, Persistence, Lateral Movement, Execution, and Credential Access.

DirectDefense, 4/15/2025
MITRE ATT&CK, Initial access

For Lateral Movement, the most observed technique by DirectDefense is Valid Accounts, using stolen credentials to escalate privileges. Alerts triggered for Lateral Movement include: Lateral Movement – Local Credentials.

DirectDefense, 4/15/2025
MITRE ATT&CK, Lateral movement

96% of attackers targeting the energy and utilities sector relied on remote services to move laterally.

Trustwave, 1/1/2025
Energy, Utilities