
Why a 19-day defence update cycle no longer works in cybersecurity
Most organisations take around 19 days to update employee-facing defences after a new threat is identified. That period covers the work between recognising a fresh attack tactic and changing how your people respond to it.
That benchmark comes from SoSafe’s survey of security professionals across 9 European markets, with respondents drawn from a wide range of company sizes and sectors including finance, technology, manufacturing, healthcare, professional services, and insurance.
In SoSafe’s State of AI and Social Engineering 2025 Report, 83% of security leaders said they had experienced at least one AI-based social engineering attack in 2025, up from 50% in 2024. The same report found that 79% had encountered AI-generated phishing emails and 57% had seen fake AI-generated business documents such as invoices, contracts, or policies. In practical terms, a 19-day gap means a threat can be recognised internally while employees are still receiving guidance shaped by an earlier version of that attack. It is a bit like updating a weather warning after the storm has already reached the coast.

TL;DR
Cyber resilience now depends on how quickly your organisation can turn a new threat into changed employee behaviour. As AI makes social engineering faster, cheaper, and easier to personalise, a 19-day defence update cycle leaves too much room for attackers. This article explains where that delay builds and how organisations can adapt faster across controls, processes, guidance, reporting, and training.
The hacker’s OODA loop and the CISO’s approval loop
Attackers now work through a fast cycle much like military strategist John Boyd’s decision-making model, the OODA loop: Observe, Orient, Decide, Act. They spot an opening, judge what is likely to work, launch an attack, and adjust quickly based on the response.
Organisations usually move through a slower cycle. A suspicious message is reported. The team validates whether the tactic is relevant. Someone decides whether the pattern is isolated or likely to recur. Security awareness training content or simulations are updated. Internal stakeholders review the change. The update is then rolled out across regions, teams, and tools. That process works, but it takes time.
The risk sits in the gap between those two loops. Attackers learn through speed. Organisations learn through process.
Security teams can often contain a specific technical incident much faster than 19 days. The 19-day figure is not a claim about slow incident response in the SOC sense. It is a benchmark for how long many European organisations take to update the people-facing side of defence, including awareness content, phishing simulations, reporting guidance, and reinforcement in the flow of work.
ENISA notes that emerging technologies such as AI and automation are making phishing easier to produce and more targeted in execution. When the attack changes quickly and the human-facing response changes slowly, defenders end up preparing people for the version they saw last month instead of the one arriving this morning.
The threat has changed shape, speed, and reach
The case against a three-week update cycle rests on more than frequency. Attack campaigns have become far more adaptive.
IBM’s Cost of a Data Breach Report 2025 notes that generative AI has reduced the time needed to craft a convincing phishing email from 16 hours to five minutes, and that AI-generated phishing and deepfake impersonation are already showing up in breach activity.
SoSafe’s survey for the Adaptive Defence Playbook 2026 found that 67% of security professionals reported an increase in the number of AI-engineered attacks over the last 12 months. The same research found that 71% reported an increased scope of attacks, with many pointing to multi-channel strategies, multi-step attacks, deepfakes, emails, and SMS messages.
That combination changes the burden on defenders. A generic phishing lure is no longer the whole story. A request may begin with email, continue in a messaging tool, and then move into a fake invoice, a voice note, or a document request that feels completely ordinary in context. The attack becomes more believable because it follows the same paths that day-to-day work already follows.
A good analogy here is chess played at two different clocks. One side is moving every few seconds. The other is waiting for the next committee slot. Five minutes to generate a plausible lure versus 19 days to update the human layer is not a small mismatch.
What the science says about why training needs to adapt faster
Security professionals already know that social engineering works by exploiting attention, workload, trust, urgency, and familiarity. What matters is how quickly their cybersecurity awareness training programme can respond to those conditions.
A review article on human cognition showed that social engineering succeeds by leaning on cognitive functions that shape how people process information under pressure, especially in environments where decisions have to be made quickly. That has direct implications for programme design. If attacks work by exploiting fast, routine decision-making, then reinforcement also has to reach people close to those routines.
Workload is part of the same picture. Researchers found that self-perceived work overload was positively associated with clicking behaviour. That is not surprising, but it is important. The study supports what security teams see in real life: people make weaker decisions when attention is fragmented and speed is rewarded.
Urgency cues matter too. A real-world study on employees’ susceptibility to phishing attacks found that people were more vulnerable when the phishing email exploited urgency. Again, that fits day-to-day experience. The employee is not sitting in a calm evaluation setting. They are triaging messages between tasks, meetings, approvals, and deadlines.
Memory research shows that retention weakens when learning is left untouched and strengthens when reinforcement is repeated over time. In security terms, awareness training holds up better when it is revisited and tied back to real scenarios. A long delay between a reported threat and the reinforcement designed to address it weakens that learning loop.
A yearlong phishing simulation exercise in a large hospital adds one more useful insight: context-specific phishing emails performed differently from more general phishing content, underlining how much relevance shapes user response.
Why many training programmes still struggle to adapt
The reasons are usually structural.
Large organisations need governance, accuracy, localisation, consistency, and auditability. Security teams hardly have the time to push a new message or training asset live across the workforce without coordination.
The slowdown appears when each stage in the chain depends on a handoff. The threat signal sits with one team. The simulation update sits with another. Local reinforcement depends on managers or regional owners. Measurement lives somewhere else.
The organisation can change. The challenge is that change takes time to pass through the system.
Resilience has become a velocity question. How quickly can the organisation learn from a tactic and make the next attempt less effective?
The confidence gap
In the Adaptive Defence Playbook, 95% of security professionals said their organisation is adaptive across changing threats, organisational shifts, employee differences, and internal behavioural signals.
That sounds encouraging, but it sits uneasily beside the rest of the data. A 19-day update cycle still leaves a long delay between threat change and behavioural response. Many organisations have the intent to adapt and some of the right elements are already in place. The harder part is turning that intent into fast, repeatable execution.
The gap is therefore not only technical or organisational. It is also a gap between how adaptive programmes feel internally and how quickly they actually move in practice.
How can you reduce the 19-day gap
Closing the gap starts with shortening the path between four connected activities: detect, mirror, intervene, and measure.
Detection improves when employee reporting becomes operationally useful. The point is not simply to collect suspicious emails in a shared mailbox. The point is to make those reports visible, classifiable, and actionable quickly enough that they can shape the next defensive move. This is the logic behind SoSafe’s Threat Inbox, a single place to ingest reported emails, investigate them safely, classify them properly, and respond to the employee who raised the flag. It turns reporting into a live detection layer rather than a record of what already happened.
Mirroring matters because static content ages fast. When a real phishing attempt can be turned into a current simulation, reinforcement stays connected to what employees are actually seeing. SoSafe’s Recreate Attack capability is built around that idea: converting a real attack example into a safe, editable simulation within minutes so the workforce can rehearse the pattern while it is still relevant. That helps reduce the 19-day lag by shortening the time between signal and training.
Intervention becomes more effective when it follows risk-bearing workflows instead of being broadcast evenly across everyone. Some roles carry more consequence because they approve payments, delegate access, move data, or trigger operational changes. Tools such as Policy Management, Policy to Lesson, and Learn Anywhere support reinforcement in the places where judgement has the biggest operational effect, including moments where unsafe approvals, weak handoffs, or shadow AI habits can do the most damage.
Measurement closes the loop. Security leaders need to know whether the workforce is becoming harder to exploit, not just whether a campaign was delivered. SoSafe’s Simulation Analytics Dashboard, Risk Signals Integrations, and Human Risk OS™ connect reporting velocity, behavioural trends, and workforce risk signals back into one picture. That is what helps a team judge whether the loop is actually tightening or whether the programme is still treading water.
Put together, these capabilities support a practical rhythm: detect early, mirror quickly, intervene where the consequences are highest, and measure whether the response is improving. Every one of those steps trims part of the delay that sits inside the 19-day benchmark.
“If you see a tactic today, your environment should be harder to exploit tomorrow, not next quarter.”
– Rob Daly, CTO, SoSafe
Why reducing this gap is key for leadership in 2026
Boards and executive teams need a way to judge whether the organisation is reducing exposure at the pace the threat demands. That is why the 19-day benchmark is useful. It gives security leaders a concrete way to discuss adaptation speed.
Once the lag is visible, better questions follow. Where does the delay begin? Which decisions have the highest downstream risk? Which interventions shorten the loop fastest? Which metrics show that behaviour is changing rather than merely being observed?
Those are operational questions. They also create a stronger business case than generic awareness language ever will.
See how 1,000 security leaders are benchmarking attack exposure, adaptation speed, and behavioural readiness in practice.