Mandiant: initial access now 22 seconds

- Mandiant’s M‑Trends 2026 update reports initial access-to-handoff times collapsed to a median of 22 seconds from previous multi‑hour averages.
- The report also found 28.3% of exploited CVEs are weaponized within 24 hours while average remediation still spans 74 days.
- Those metrics amplify pressure on rapid discovery and automated containment to reduce attack windows in cloud and enterprise fleets. (x.com)

Cloud security teams got a blunt new timing lesson in late March. Mandiant’s M-Trends 2026 report says the median gap between initial access and handoff to a second threat group fell to 22 seconds in 2025, down from more than eight hours in 2022. That is not “attackers finish the whole breach in 22 seconds.” It is narrower, but still ugly — the moment one crew gets in, another crew can be moving almost immediately. (cloud.google.com)

### What actually got faster?

The handoff got faster. That means one group — often an initial access broker or malware distributor — lands the foothold, and a second group takes over for the money phase, the espionage phase, or the destructive phase. Mandiant says this division-of-labor pattern showed up in 9% of 2025 investigations, up from 4% in 2022. Basically, the cybercrime supply chain is getting tighter and more automated. (securityweek.com)

### Why does 22 seconds matter?

Because defenders used to have a little breathing room between “something weird happened” and “the real operator is here.” That buffer is disappearing. Mandiant ties the collapse to closer collaboration between access partners and secondary groups, and in some cases to automation — brokers are not always selling access on a forum later, they are delivering malware directly for the next crew. That turns what used to be a sequence into more of a relay baton pass. (securityweek.com)

### Does this mean every breach is instant?

No — and this is the part people flatten too much. Mandiant’s global median dwell time in 2025 was still 14 days, up from 11 days in 2024. Some espionage and North Korean IT worker cases had median dwell times of 122 days. So the same report is really describing two different tempos at once: smash-and-grab crime that moves in seconds, and stealthy persistence that lasts for months. (cloud.google.com)

### How are attackers getting in?

Exploits stayed the top initial infection vector for the sixth straight year, accounting for 32% of intrusions Mandiant investigated in 2025. Voice phishing jumped to 11%, making it the second most common vector, while email phishing dropped to 6%, down sharply from 22% in 2022. That shift matters — live phone-based social engineering is harder to block with the old email-first playbook. (cloud.google.com)

### What does that look like in practice?

Mandiant highlights campaigns where attackers talked help desks into password resets and MFA changes, or tricked users into approving attacker-controlled SaaS apps. It also describes a case where UNC1543’s FAKEUPDATES infection was followed by UNC2165 activity about 70 minutes later, ending with backup destruction and RansomHub deployment across Windows and virtualization management servers. The point is not the exact malware family. The point is that “low-noise foothold first, heavy damage second” is now a routine operating model. (helpnetsecurity.com)

### Are defenders getting any better?

Somewhat. Organizations first detected malicious activity internally in 52% of 2025 investigations, up from 43% in 2024. But that improvement sits next to a harsher reality — if the dangerous handoff can happen in seconds, human escalation chains are too slow. Detection still matters, but containment has to be pre-wired. (cloud.google.com)

### So what changes now?

The old model was “spot the ransomware operator.” The new model is “break the chain before the operator arrives.” That means better visibility on edge devices, SaaS integrations, identity changes, help-desk workflows, backup systems, and virtualization layers — the places attackers touch before the flashy part starts. Mandiant’s own framing is that passive defense is no longer enough when the intervention window has collapsed from hours to seconds. (cloud.google.com)

### Bottom line?

The scary number is not just 22 seconds. It is what 22 seconds says about the market structure of cybercrime. Access, execution, and extortion are getting modular. When the handoff is that fast, the defender’s job stops being “respond quickly” and starts being “already be in position.” (securityweek.com)
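The “containment has to be pre-wired” point above is easier to reason about with a concrete rule in front of you. The following is an added example, not code from Mandiant, Google Cloud, or this briefing: a toy correlation engine over constructed identity-audit events that chains the two help-desk and SaaS behaviours the report calls out (a help-desk-assisted MFA reset followed by consent to an unsanctioned app for the same user) and decides on the spot whether to contain automatically or hand off to a human. The event schema, field names, the sanctioned-app allow-list, the correlation window and the action names are all assumptions made for this example.

```python
"""Added example (not part of the Mandiant report or this article): a minimal
pre-wired containment rule over constructed identity-audit events.

If the foothold-to-handoff window is seconds, a high-confidence chain cannot
wait on a human escalation path. This engine auto-contains when a help-desk
MFA reset is followed within a short window by consent to an unknown SaaS app
for the same user, and only escalates (lower confidence) for an unknown-app
consent that has no preceding reset. All names and values are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed sample events (not real logs). "ts" is seconds since epoch.
SAMPLE_EVENTS = [
    {"ts": 1000.0, "user": "alice", "type": "mfa_reset", "actor": "helpdesk"},
    {"ts": 1012.5, "user": "alice", "type": "app_consent", "app": "mailsync-helper"},
    {"ts": 1100.0, "user": "bob", "type": "app_consent", "app": "corp-crm"},
    {"ts": 2000.0, "user": "carol", "type": "mfa_reset", "actor": "helpdesk"},
    {"ts": 5000.0, "user": "carol", "type": "app_consent", "app": "mailsync-helper"},
]

KNOWN_APPS = {"corp-crm"}      # assumed allow-list of sanctioned SaaS/OAuth apps
CORRELATION_WINDOW = 600.0     # assumed: reset -> consent within 10 minutes is one chain


@dataclass
class Decision:
    user: str
    action: str      # "contain" (automatic) or "escalate" (human review)
    reason: str
    elapsed: float   # seconds between the chain's first and last event (0 if no chain)


def containment_plan(decision: Decision) -> list[str]:
    """Assumed action vocabulary a SOAR playbook would execute for a decision."""
    if decision.action == "contain":
        # Break the chain now; the human review happens after, not before.
        return ["revoke_user_sessions", "remove_app_consent", "hold_helpdesk_ticket", "page_oncall"]
    return ["open_triage_case"]


def evaluate(events: Iterable[dict]) -> list[Decision]:
    """Stream events in time order and emit one Decision per suspicious consent."""
    last_reset: dict[str, float] = {}
    decisions: list[Decision] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["type"] == "mfa_reset" and ev.get("actor") == "helpdesk":
            # Remember the most recent help-desk-assisted reset per user.
            last_reset[user] = ev["ts"]
        elif ev["type"] == "app_consent" and ev["app"] not in KNOWN_APPS:
            reset_ts = last_reset.get(user)
            if reset_ts is not None and ev["ts"] - reset_ts <= CORRELATION_WINDOW:
                decisions.append(Decision(
                    user, "contain",
                    f"help-desk MFA reset followed by consent to unknown app {ev['app']!r}",
                    ev["ts"] - reset_ts,
                ))
            else:
                decisions.append(Decision(
                    user, "escalate",
                    f"consent to unknown app {ev['app']!r} without a recent reset",
                    0.0,
                ))
    return decisions


if __name__ == "__main__":
    for d in evaluate(SAMPLE_EVENTS):
        print(f"{d.user}: {d.action} ({d.reason}, {d.elapsed:.1f}s) -> {containment_plan(d)}")
```

The design choice worth noting is the asymmetry: the only path that skips the human is the one where two independent signals line up inside a tight window, which is the part of the report’s “low-noise foothold first” model that is both high-confidence and time-critical. The single-signal case still goes to a person, because auto-revoking sessions on every unfamiliar app consent would be its own outage.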
