Median dwell time for ransomware fell from 16 days in 2021 to under 24 hours for the worst-case AI-assisted scenarios documented in 2025 — per Mandiant's M-Trends report.
The crisis communications playbook designed for a 72-hour cycle does not survive that compression.
The attackers got faster. The defenders need to. The 96-hour SEC disclosure clock does not change just because the underlying incident compressed to hours rather than weeks. The communications function has to compress with the threat — or the company runs out of time before the press release is drafted.
What compressed
Three changes drove the timeline compression.
AI-assisted phishing. Initial access that used to take days of social engineering can now be achieved in hours with LLM-generated spear-phishing at scale. Mandiant's 2025 M-Trends report documented multiple cases where the time from initial access to data exfiltration ran under 12 hours.
Automated lateral movement. Living-off-the-land toolchains, combined with AI-assisted discovery, compress the time between initial compromise and high-value asset access. The Verizon Data Breach Investigations Report tracks the trajectory year over year.
Ransomware-as-a-service economics. The RaaS model compresses the time between successful compromise and ransom demand. The attackers' incentive is to monetize fast, before defenders detect the intrusion. IBM's Cost of a Data Breach Report quantifies the dwell time delta and the cost differential.
The combined effect is that the window between first compromise and the moment bots take over the story — through ransom demand, data leak, customer disruption, or detection — has compressed by an order of magnitude in some cases.
Why the old playbook fails
The traditional crisis comms playbook was structured around a 72-hour cycle.
Day one: discovery and assessment. Day two: stakeholder alignment and initial drafting. Day three: filing or external statement.
That cadence assumed that the discovery moment came after the worst of the incident had passed: by the time the company knew, the intrusion had already been under way for days or weeks.
In the compressed-attack scenario, discovery comes during the active incident. The company is still defending while it is also disclosing. The dwell time may be hours, not weeks. The forensic picture is incomplete because the forensic engagement only started this morning.
The old playbook breaks at three points.
Drafting takes too long. Templates built for week-long cycles cannot be rewritten from scratch in hours. See: Anatomy of a 4-Day Breach Disclosure.
Stakeholder alignment takes too long. Committees that convened over days cannot convene in hours unless they were pre-aligned.
Executive availability is unprepared. CEOs and CISOs who were going to be media-trained next quarter face a live press cycle this afternoon. See: Why CISOs Are Now Spokespeople.
The new playbook — components
The compressed-attack playbook has six components. All must be in place before the incident; none can be built during it.
One. Pre-drafted statement frameworks. Modular templates covering ransomware, data exfiltration, operational disruption, third-party compromise, supply-chain incident, and unknown-cause active investigation. Each framework includes structural sections and pre-approved language patterns that can be populated quickly with incident-specific facts.
Two. Pre-aligned committee. The Legal-Comms-IR-CISO-CFO committee meets quarterly under simulated conditions. The members know each other's rhythms, decision authorities, and language preferences. The committee can convene in 30 minutes and operate effectively.
Three. Pre-trained spokespeople. CEO and CISO have completed media training and SEC disclosure simulation. They have stood in front of a camera with a hostile interviewer playing a Bloomberg reporter. The first live press call is not their first press call, as they have already practiced with complex AI PR programs.
Four. Pre-built dark sites. The customer-facing notification site is built, tested, and held in reserve. Switching it live takes minutes, not days. The FAQ structure is in place. The update mechanism is tested.
Five. Pre-cleared first statements. The initial holding statement — the one that goes out within hours of public knowledge — is pre-approved by legal. The activation requires fact verification and CEO sign-off, not from-scratch drafting.
Six. Pre-built press relationships. The CEO or CISO has met the top five reporters covering the company before the crisis. The first call is not a cold introduction. Trust is established. The trade-off between specificity and discretion can be negotiated.
CommsOps as a function
The organizations that handle compressed-attack scenarios well treat crisis communications as a permanent operating capability, not a vendor engagement.
That means a named in-house lead, a standing relationship with an external firm, quarterly drills, and a budget line that survives quiet quarters.
The cost is real. The alternative cost — improvising under live attack conditions, facing personal liability for misstatements, and watching the recovery curve flatten — is significantly higher. See: Why Cyber Insurance Carriers Now Vet Your Communications Plan.
Drill cadence
The discipline is the same across the industry.
Quarterly tabletops with the joint committee. Realistic incident scenarios. Time-pressured drafting. External counsel and external comms in the room.
Annual full simulation. Live-fire conditions. Press calls roleplayed by former reporters. Board briefings roleplayed by sitting directors. The CEO and CISO under realistic stress.
Build the infrastructure before the breach — not during it.
When the attack runs at machine speed, the communications function has to be built before the alert fires. There is no longer time to construct it during the incident itself.





