While attackers can compromise a domain in two hours, they typically wait an average of 180 days before deploying ransomware or revealing their presence. This extended dwell time means organizations need sufficient log history to investigate the full attack chain and identify the initial breach point, which may have occurred months before detection.