Speed, Access Reuse, and Limited Visibility Define Recent Cyberattacks

Control slips fast.
Lily Morris
Contributing Writer

Mandiant’s M-Trends 2026 report is based on more than 500,000 hours of incident response work conducted in 2025.

The findings show attacks progressing with minimal delay between entry and execution, while some adversaries remain embedded in environments for months without detection.

Two clear attacker approaches appear in the data.

Some groups carry out tightly coordinated actions designed to cause immediate disruption. Others maintain long-term access by operating through systems that fall outside standard monitoring.

This exposes gaps in how organizations detect activity and maintain control over access.

Why It Matters: When access is operationalized within seconds and recovery paths are deliberately removed, containment can already be out of reach by the time activity is detected. Prior access, identity abuse, and visibility gaps compound quickly, leaving little room to interrupt or regain control once operations begin.

  • Time to Impact Has Nearly Vanished While Dwell Time Remains High: The median dwell time reached 14 days, with espionage cases extending to 122 days. At the same time, the delay between initial access and follow-on activity dropped to 22 seconds. Initial access brokers prepare environments in advance, so secondary actors can act immediately. Prior compromise now plays a major role in new intrusions, especially in ransomware cases.
  • Entry Methods Combine Technical Exploits With Human Interaction: Exploits remain the top initial vector at 32%. Voice phishing rose to 11% and now surpasses email phishing, which fell to 6%. Attackers target help desks and support workflows to bypass authentication controls. Previously stolen access is reused across groups, making earlier breaches a continuing risk.
  • Identity Systems and SaaS Access Drive Lateral Movement: Attackers collect OAuth tokens, session cookies, and API keys to move through cloud services. Compromised vendors allow access into customer environments through trusted connections. Internal detection improved to 52% of cases, yet activity often appears legitimate, which makes identification harder in cloud environments.
  • Ransomware Operations Focus on Disabling Recovery: Attackers target backup systems and virtualization platforms, often working through identity infrastructure to gain control. Techniques include abuse of Active Directory Certificate Services, deletion of cloud backups, and direct attacks on hypervisor storage. When these areas are compromised, entire environments can become unusable, leaving limited recovery options.
  • Persistence Tactics Extend Into Edge Devices and AI-Related Activity: Threat actors target VPNs and network devices that lack endpoint monitoring. Exploitation can occur before patches are available, with a measured window of negative seven days. In-memory malware allows access to persist for long periods, sometimes beyond log retention limits. AI is used within attacks, such as querying models during execution or extracting data from AI systems, though most breaches still begin with common security gaps.

Go Deeper -> M-Trends 2026: Data, Insights, and Strategies From the Frontlines – Google Cloud
