M-Trends 2026: Evolving Cyber Threats and Defense Strategies

The cyber threat landscape continues to evolve, compelling defenders to adapt to new tactics, techniques, and procedures (TTPs). In 2025, Mandiant identified a significant divergence in adversary pacing, with cybercriminal groups focusing on immediate impact and sophisticated espionage groups emphasizing extreme persistence.

Today, we present M-Trends 2026, based on over 500,000 hours of incident investigations conducted globally in 2025. This report provides a comprehensive overview of the TTPs currently employed in breaches.

By the Numbers: M-Trends 2026

This year's metrics illustrate how adversaries are evolving their strategies to circumvent modern security measures:

  • Global Median Dwell Time: Increased to 14 days from 11 days, reflecting enhanced sophistication in evading defenses. For cyber espionage and North Korean IT worker incidents, median dwell time reached 122 days.
  • Initial Infection Vectors: Exploits remain the most common vector at 32%. However, voice phishing surged to 11%, becoming the second most observed vector.
  • Detection by Source: Organizations improved internal visibility, with 52% of malicious activity detected internally, up from 43% in 2024.
  • Targeted Industries: Over 16 industries were affected, with the high tech sector (17%) surpassing the financial sector (14.6%) as the most targeted.

The Collapse of the "Hand-Off" Window

A notable trend in 2025 is the increased specialization within the cybercrime ecosystem. Initial access partners are now using low-impact techniques to gain footholds and quickly hand off access to secondary groups for high-impact operations. The median time for this hand-off shrank dramatically from over 8 hours in 2022 to just 22 seconds in 2025.

This shift is evident in breach patterns, with prior compromises becoming the third most common initial infection vector globally (10%) and the leading vector in ransomware operations (30%).

Voice Phishing and the SaaS Identity Crisis

Email phishing has historically been a primary tactic, but its prevalence dropped to 6% in 2025 as adversaries shifted to voice-based social engineering. Groups like UNC3944 have targeted IT help desks to bypass multifactor authentication and access software-as-a-service (SaaS) environments.

M-Trends 2026 highlights how attackers are harvesting long-lived OAuth tokens and session cookies, and compromising third-party vendors, to carry out large-scale data theft.

Ransomware Evolves into Recovery Denial

Ransomware groups are now not only encrypting data but also destroying recovery capabilities. In 2025, operators targeted backup infrastructures and identity services, exploiting misconfigured systems to create admin accounts and delete backup objects.

This trend presents a significant resilience challenge, forcing organizations to choose between paying a ransom and rebuilding their systems from scratch.

Edge Devices and Extreme Persistence

While cybercriminals focus on speed, espionage groups prioritize persistence. Threat clusters target edge devices like VPNs and routers, which often lack standard detection capabilities. The mean time to exploit vulnerabilities has decreased to an estimated -7 days; the negative value indicates that exploitation frequently begins before a patch is available.

Attackers deploy in-memory malware like BRICKSTORM on these devices, establishing persistence that can survive remediation efforts, creating visibility gaps for security teams.

Recommendations for Defenders

To effectively counter modern threats, organizations must adapt swiftly. M-Trends 2026 offers actionable recommendations:

  • Treat Low-Impact Alerts as Critical Indicators: Restructure response playbooks to prioritize routine malware alerts as indicators of potential secondary intrusions.
  • Isolate Critical Control Planes: Treat virtualization and management platforms as Tier-0 assets with strict access controls.
  • Shift to Continuous Identity Verification: Enforce least privilege access and regularly audit SaaS integrations.
  • Transition to Behavioral Anomaly Detection: Implement behavior-based detection models to identify unauthorized access and suspicious activities.
  • Expand Visibility and Extend Log Retention: Enhance threat detection and extend log retention beyond 90 days to close visibility gaps.
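As an added example (not code from the report or from Mandiant), the first recommendation expressed as a small correlation rule: a low-severity commodity-malware alert is escalated when the same host shows a high-impact follow-on action inside a short window, run over a constructed log. The event names, the log format and the 15-minute window are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str       # event type, e.g. "commodity_malware", "backup_deleted"
    severity: str   # "low", "high" or "info"

# Follow-on actions that signal a hand-off to a high-impact operator
# (hypothetical event names chosen for this example, not a product schema)
HIGH_IMPACT_KINDS = {"admin_account_created", "backup_deleted", "new_remote_access"}

def parse_log(text: str) -> list[Event]:
    """Parse constructed 'ISO-timestamp host kind severity' lines, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, severity = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, kind, severity))
    return sorted(events, key=lambda e: e.ts)

def escalate_handoffs(events: list[Event], window: timedelta = timedelta(minutes=15)) -> list[tuple[Event, Event]]:
    """Return (seed, follow_on) pairs: a low-severity malware alert on a host that is
    followed within `window` by a high-impact action on the same host.
    Matching on host alone is a simplification; a real pipeline would also pivot
    on the user and session involved."""
    seeds = [e for e in events if e.kind == "commodity_malware" and e.severity == "low"]
    hits = []
    for seed in seeds:
        for e in events:
            if (e.host == seed.host and e.kind in HIGH_IMPACT_KINDS
                    and seed.ts <= e.ts <= seed.ts + window):
                hits.append((seed, e))
    return hits

# Constructed sample log: ws-17 shows a 22-second hand-off, ws-42 is a lone
# commodity alert, srv-backup has a destructive action with no preceding seed.
SAMPLE_LOG = """\
2025-06-02T09:58:40Z ws-17 commodity_malware low
2025-06-02T09:59:02Z ws-17 admin_account_created high
2025-06-02T10:03:15Z ws-42 commodity_malware low
2025-06-02T10:40:00Z ws-42 scheduled_scan_complete info
2025-06-02T11:10:00Z srv-backup backup_deleted high
"""

if __name__ == "__main__":
    for seed, follow in escalate_handoffs(parse_log(SAMPLE_LOG)):
        gap = (follow.ts - seed.ts).total_seconds()
        print(f"ESCALATE {seed.host}: {seed.kind} -> {follow.kind} after {gap:.0f}s")
```

The backup deletion on srv-backup is not caught by this rule because it has no preceding seed alert; it belongs to a separate detection for destructive actions against backup and identity infrastructure.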

Mandiant's mission is to empower organizations to stay secure against cyber threats. For 17 years, the annual M-Trends report has been instrumental in advancing this mission, providing critical insights to help defenders close visibility gaps.