M‑Trends 2026: cyberattacks accelerate

Mandiant’s M‑Trends 2026 is anchored in more than 500,000 hours of incident‑response investigations conducted in 2025, forming the report’s primary dataset. (services.google.com) The median time between an initial access event and hand‑off to a secondary actor collapsed from hours in prior years to just 22 seconds in 2025, reflecting extreme operational specialization among adversary roles. (securityweek.com) Global median attacker dwell time increased to 14 days in 2025, up from 11 days in 2024, while the high‑tech sector accounted for 17% of incidents versus finance at 14.6%, marking a sectoral shift in targeting. (cloud.google.com) Exploits remained the single largest initial infection vector at 32% in 2025, voice‑based social engineering (vishing) rose to 11%, and email phishing fell to 6%, demonstrating a pivot from mass phishing to interactive compromise methods. (services.google.com) Ransomware operators focused on “recovery denial” by targeting backups, virtualization layers and identity systems to impede restore processes, a tactic observed across multiple high‑impact incidents in 2025. (csoonline.com) Organizations detected malicious activity internally 52% of the time in 2025, up from 43% in 2024, even as voice phishing became the top initial vector for cloud compromises (23%), highlighting identity and telemetry gaps in SaaS environments. (cloud.google.com)