Mandiant’s M-Trends 2026 report, released today at the RSA Conference, shows that attackers are moving faster, operating more collaboratively, and increasingly focusing on the systems organizations rely on to recover from breaches.

The report, based on more than 500,000 hours of incident response engagements in 2025, finds that attackers are compressing key phases of the attack lifecycle, even as median dwell time increased to 14 days, up from 11 days the previous year.

In addition, it reveals a change in tactics. Voice phishing accounted for 11% of initial infection vectors, making it the second most common entry point after exploits, which led at 32%. Email phishing declined to 6%, down from 14% the year before, reflecting a move toward more interactive social engineering. Together, the trends point to a shift in both how quickly attacks unfold and what attackers are trying to achieve once inside.

It also highlights a growing imbalance between speed and persistence. While some attack phases now unfold in seconds, others are becoming more prolonged. Incidents identified through external notification had a median dwell time of 25 days, compared with nine days for those detected internally, pointing to improved internal detection but continued gaps in visibility, particularly in complex environments.

At the same time, attackers are refining their objectives. Ransomware-related intrusions accounted for 13% of investigations, while extortion activity appeared in 23% of cases. Data theft was observed in 40% of incidents, up slightly from 37% the previous year.

As Jurgen Kutscher, vice president at Mandiant Consulting, Google Cloud, writes in a blog post accompanying the report, financially motivated groups are “optimized for immediate impact and deliberate recovery denial,” while other threat actors such as nation-states focus on long-term persistence.

Attack timelines compress as threat actors specialize

One of the most consequential developments is the rise of hand-off operations, in which one threat actor gains initial access and rapidly transfers it to another, often a ransomware group. A major driver of this shift is what Mandiant describes as “increased specialization and collaboration within the cybercrime ecosystem.”

The speed of that transition has changed dramatically. “In 2022, the median time between an initial access event and the hand-off to a secondary threat group was more than 8 hours. In 2025, that window collapsed to just 22 seconds,” Kutscher writes.

Prior compromise, in which access is inherited from another threat actor, accounted for roughly 10%–13% of initial infection vectors globally and as much as 30% in ransomware operations. For defenders, alerts that once seemed low priority can now escalate into full-scale incidents almost immediately.

Social engineering becomes more interactive

While exploits remain the leading initial infection vector at 32%, the report underscores a shift toward more adaptive social engineering. Voice phishing has risen sharply, while email phishing continues to decline, signaling a move away from high-volume campaigns toward real-time interaction.

Mandiant’s data shows that email phishing dropped to just 6% of intrusions in 2025. In its place, adversaries have pivoted to highly interactive, voice-based social engineering.

Attackers are also using messaging platforms and social media to engage targets directly, often bypassing technical controls by manipulating help desk processes or identity verification workflows. The report highlights how attackers are exploiting SaaS environments, harvesting tokens and credentials to move laterally across organizations and their partners.

AI accelerates early-stage attacks, not outcomes

Artificial intelligence is contributing to these changes, but not as a primary driver of successful breaches. The report indicates that attackers are using large language models to improve phishing, reconnaissance, and evasion, increasing the efficiency of early-stage operations.

At the same time, the underlying causes of successful intrusions remain unchanged. “The vast majority of successful intrusions still stem from fundamental human and systemic failures,” Kutscher writes.

AI is accelerating existing attack methods rather than replacing them, reinforcing the need for CISOs to address persistent gaps in patching, identity security, and visibility.

Ransomware shifts toward recovery denial

Ransomware tactics are evolving. While encryption and data theft remain central, attackers are increasingly focused on undermining an organization’s ability to recover. In 2025, Mandiant observed a systemic shift in which ransomware operators actively targeted backup infrastructure, identity services, and virtualization management planes.

This shift toward recovery denial changes the dynamics of extortion. By compromising or destroying recovery capabilities, attackers increase the likelihood that victims will pay, even when backups exist. “Modern ransomware is now a fundamental resilience problem, forcing organizations into a choice: pay or rebuild,” Kutscher writes.

Dwell time increases as persistence improves

The increase in median dwell time reflects a broader trend toward persistence, particularly in espionage operations and activity linked to North Korean IT worker schemes. In those cases, median dwell time reached 122 days, illustrating how some attackers are optimizing for long-term access rather than immediate impact.

Attackers are also exploiting gaps in monitoring infrastructure. The report notes that some threats achieve dwell times of nearly 400 days, highlighting persistent visibility challenges tied to limited log retention and monitoring of edge devices.

Detection improves, but gaps remain

Mandiant’s research indicates that 52% of organizations detected intrusions internally in 2025, up from 43% the previous year. External notifications accounted for 34% of detections, while the attacker first disclosed 14% of incidents.

Although internal detection is improving, reliance on external parties and adversary disclosure highlights ongoing visibility gaps, particularly in hybrid and cloud environments.

What CISOs should prioritize

Mandiant’s recommendations reflect a shift away from static defenses toward faster, more adaptive response models.

One key recommendation is that security teams need to rethink alert triage. With hand-off times now measured in seconds, low-level detections can no longer be treated as routine noise. What appears to be an isolated alert may signal the start of a secondary intrusion, requiring immediate action before attackers move to hands-on-keyboard activity.

Organizations also need to treat core infrastructure—identity systems, backup environments, and virtualization platforms—as critical control planes. These are now primary targets for attackers seeking to undermine recovery and must be isolated, tightly controlled, and protected as Tier-0 assets.

Identity is becoming a central battleground. As interactive social engineering bypasses traditional MFA, organizations need continuous identity verification, stricter privilege controls, and tighter governance over SaaS integrations.

Detection strategies must also evolve as attackers rely more on legitimate tools and in-memory malware. Static indicators are less effective, requiring a shift to behavioral detection that flags anomalies such as unusual access patterns, suspicious API activity, or misuse of authentication tokens.
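As an added illustration of the two recommendations above (escalating low-level alerts now that hand-offs happen in seconds, and behavioral detection of token misuse), the following Python example runs over constructed SaaS audit-log records; it is not Mandiant's code, and the event fields, addresses and thresholds are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed SaaS audit-log records (sample data for this example, not real telemetry).
# A session token minted from one address is later used from a second address,
# followed quickly by further actions from that second address.
EVENTS = [
    {"ts": "2025-06-01T09:00:00", "token": "tok-A1", "src": "198.51.100.10", "action": "login"},
    {"ts": "2025-06-01T09:00:15", "token": "tok-A1", "src": "198.51.100.10", "action": "read_mail"},
    {"ts": "2025-06-01T09:00:20", "token": "tok-A1", "src": "203.0.113.77", "action": "list_files"},
    {"ts": "2025-06-01T09:00:35", "token": "tok-A1", "src": "203.0.113.77", "action": "download"},
    {"ts": "2025-06-01T09:00:40", "token": "tok-A1", "src": "203.0.113.77", "action": "share_external"},
    {"ts": "2025-06-01T10:00:00", "token": "tok-B9", "src": "198.51.100.22", "action": "login"},
    {"ts": "2025-06-01T10:05:00", "token": "tok-B9", "src": "198.51.100.22", "action": "read_mail"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def detect_token_misuse(events):
    """Behavioral rule: flag each time a token is presented from a source address
    it has not been seen from before. No static indicator is involved; neither
    the token nor either address is known-bad on its own."""
    seen = {}          # token -> set of source addresses observed so far
    findings = []
    for e in sorted(events, key=_ts):
        srcs = seen.setdefault(e["token"], set())
        if srcs and e["src"] not in srcs:
            findings.append({"token": e["token"], "origin": sorted(srcs)[0],
                             "new_src": e["src"], "ts": e["ts"]})
        srcs.add(e["src"])
    return findings

def triage(events, findings, window_s=30, min_actions=2):
    """Triage rule: a token-misuse finding is escalated to 'critical' when the new
    source performs min_actions further actions within window_s seconds, since a
    single low-level alert can precede hands-on-keyboard activity almost at once.
    Otherwise it stays 'medium' for analyst review."""
    out = []
    for f in findings:
        start = datetime.fromisoformat(f["ts"])
        follow = [e["action"] for e in sorted(events, key=_ts)
                  if e["token"] == f["token"] and e["src"] == f["new_src"]
                  and start < _ts(e) <= start + timedelta(seconds=window_s)]
        severity = "critical" if len(follow) >= min_actions else "medium"
        out.append({**f, "severity": severity, "follow_on": follow})
    return out

if __name__ == "__main__":
    for t in triage(EVENTS, detect_token_misuse(EVENTS)):
        print(t)
```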

Finally, visibility gaps remain a persistent problem. Extending log retention and centralizing telemetry across network, cloud, and virtualization environments are critical to detecting long-running intrusions and understanding their full scope.
