
M-Trends 2026: Frontline Insights on Cyber Adversary Evolution

Last updated: 2026-05-04 08:37:27

In 2025, Mandiant observed a sharp divergence in adversary tactics: criminal groups optimized for quick impact and for denying recovery, while espionage actors and insiders pursued long-term persistence through unmonitored edge devices and native tools. The M-Trends 2026 report, based on more than 500,000 hours of incident response, documents how attackers are getting past modern defenses. Below, the key findings are broken down in Q&A format.

What Is the M-Trends 2026 Report and Why Is It Important?

M-Trends 2026 is Mandiant’s annual report, grounded in more than half a million hours of frontline incident investigations conducted globally in 2025. It gives a data-backed view of the tactics, techniques, and procedures actually used in breaches, and it maps the shifting adversary landscape: cyber criminals optimizing for immediate financial damage on one side, nation-state actors pursuing long-term espionage through unmonitored devices on the other. The report equips defenders with actionable insight into attacker behavior, such as rising dwell times, new initial infection vectors, and detection blind spots, which helps organizations prioritize defenses, improve internal visibility, and keep pace with an accelerating threat landscape.

[Figure: M-Trends 2026: Frontline Insights on Cyber Adversary Evolution. Source: www.mandiant.com]

Why Did Global Median Dwell Time Increase From 11 to 14 Days?

Global median dwell time, the number of days between the first evidence of compromise and its detection, rose from 11 days in 2024 to 14 days in 2025. The increase reflects growing adversary skill at evading modern security controls: attackers are living off the land and gaining access through unmonitored edge devices, which pushes first detection later. In high-profile cyber espionage incidents and North Korean IT worker cases specifically, median dwell time reached 122 days. The contrast is stark: quick-hit ransomware groups move fast, while persistent actors invest heavily in stealth and extend their stay to exfiltrate data or maintain long-term access. For defenders, this makes detecting subtle lateral movement and monitoring the use of native tools and edge devices more important than ever.

Which Initial Infection Vectors Dominated Breaches in 2025?

For the sixth consecutive year, exploitation of vulnerabilities was the most common initial infection vector, accounting for 32% of intrusions. The notable shift was highly interactive voice phishing (vishing), which surged to 11% and became the second most observed vector. Attackers are diversifying beyond email phishing and exploiting human trust over the phone. The rise of vishing fits the pattern of initial access brokers using low-impact techniques such as malicious ads or the ClickFix social engineering ruse to gain a foothold. Organizations should therefore strengthen multi-factor authentication and help-desk identity verification, train employees to recognize and independently verify unexpected calls, and patch known exploited vulnerabilities promptly to close these common entry points.

How Did Internal Detection Rates Improve in 2025?

Organizations are making measurable progress in detecting threats on their own. Across all 2025 investigations, victims first detected evidence of malicious activity internally 52% of the time, up from 43% in 2024. This suggests that investments in endpoint detection, logging, and security operations center (SOC) capabilities are paying off. Still, nearly half of incidents are first identified by an external party, such as law enforcement, an industry partner, or a customer, so there is room to improve. Defenders should keep prioritizing internal detection by adding behavioral analytics, automating alert triage, and ensuring visibility across every network segment, including the edge devices that traditional tooling often overlooks.
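Dwell time and detection source, the two metrics discussed in the last two answers, are ones a defender can track for their own incidents. The following Python is an added example, not code from the report or from Mandiant. The incident records are constructed for illustration, and the metric definitions follow the descriptions above: dwell time is the number of days from the first evidence of compromise to its detection, and an incident counts as internally detected when the victim found it first. The block also computes the mean, which shows why a median is the right headline number: a few long-running espionage intrusions drag the mean far above the typical case.

```python
"""Dwell-time and detection-source metrics over a constructed incident set.

Added example; the records below are invented and are not report figures.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    ident: str
    category: str         # e.g. "ransomware", "espionage", "insider"
    first_evidence: date  # earliest evidence of attacker activity
    detected: date        # date the activity was identified
    source: str           # "internal" (victim found it) or "external"

    def dwell_days(self) -> int:
        """Days from first evidence of compromise to detection."""
        if self.detected < self.first_evidence:
            raise ValueError(f"{self.ident}: detection precedes first evidence")
        return (self.detected - self.first_evidence).days


# Constructed sample incidents (hypothetical data).
INCIDENTS = [
    Incident("inc-01", "ransomware", date(2025, 1, 3),   date(2025, 1, 8),  "internal"),
    Incident("inc-02", "ransomware", date(2025, 2, 10),  date(2025, 2, 21), "external"),
    Incident("inc-03", "ransomware", date(2025, 3, 1),   date(2025, 3, 15), "internal"),
    Incident("inc-04", "espionage",  date(2024, 9, 1),   date(2025, 1, 9),  "external"),
    Incident("inc-05", "espionage",  date(2024, 11, 20), date(2025, 3, 20), "internal"),
    Incident("inc-06", "insider",    date(2024, 6, 1),   date(2025, 1, 1),  "external"),
    Incident("inc-07", "ransomware", date(2025, 4, 2),   date(2025, 4, 12), "internal"),
    Incident("inc-08", "ransomware", date(2025, 5, 5),   date(2025, 5, 18), "external"),
    Incident("inc-09", "espionage",  date(2024, 12, 1),  date(2025, 3, 31), "internal"),
]


def median_dwell(incidents, category=None) -> float:
    """Median dwell time, optionally restricted to one threat category."""
    days = [i.dwell_days() for i in incidents if category in (None, i.category)]
    if not days:
        raise ValueError(f"no incidents in category {category!r}")
    return float(median(days))


def mean_dwell(incidents) -> float:
    """Arithmetic mean dwell time; skewed upward by long espionage cases."""
    return mean(i.dwell_days() for i in incidents)


def dwell_by_category(incidents) -> dict:
    """Median dwell time per threat category, keyed by category name."""
    groups = defaultdict(list)
    for i in incidents:
        groups[i.category].append(i.dwell_days())
    return {cat: float(median(d)) for cat, d in sorted(groups.items())}


def internal_detection_rate(incidents) -> float:
    """Percentage of incidents the victim detected on its own, to 0.1%."""
    internal = sum(1 for i in incidents if i.source == "internal")
    return round(100 * internal / len(incidents), 1)


if __name__ == "__main__":
    print("median dwell (all):", median_dwell(INCIDENTS))
    print("mean dwell (all):  ", round(mean_dwell(INCIDENTS), 1))
    print("median by category:", dwell_by_category(INCIDENTS))
    print("internal detection:", internal_detection_rate(INCIDENTS), "%")
```

On this constructed set the overall median is 14 days while the mean is about 71 days; the three intrusions over 100 days account for the whole gap, which is the same shape the report describes when it contrasts a 14-day global median with a 122-day median for espionage and insider cases.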


Which Industry Was Most Frequently Targeted in 2025?

The high-tech sector overtook financial services as the most targeted vertical for the first time in two years, accounting for 17% of incidents versus 14.6% for financial services. The shift reflects attackers’ priorities: high-tech companies hold intellectual property, source code, and cloud infrastructure that appeal to both cyber criminals and nation-state actors. The report covers more than 16 industry verticals and makes clear that no sector is exempt. Financial services remained a close second, driven by direct monetary incentives. High-tech firms should harden their software supply chain, protect proprietary data with encryption and access controls, and monitor for insider threats; financial institutions should continue hardening transaction systems and customer data.

What Is the “Collapse of the Hand-Off Window” and How Does It Affect Defenders?

A notable 2025 trend is growing specialization and collaboration across the cybercrime ecosystem. Initial access partners, often using low-impact techniques such as malicious ads or ClickFix, gain a foothold and quickly hand that access to other criminal groups for ransomware deployment or data theft. The collapse of this hand-off window means the interval from initial breach to final payload is shrinking, leaving defenders less time to detect and contain an intrusion. Because each stage is run by specialists, efficiency and success rates rise. Defenders therefore need automated detection and response that acts within minutes rather than days, and should monitor for the behaviors that mark a hand-off: a remote access tool appearing on a host where it is not expected, or anomalous outbound traffic shortly after a new foothold.
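The hand-off behaviors named above can be correlated directly from endpoint telemetry. The Python below is an added example, not code from the report or from any Mandiant product. It pairs the first unapproved execution of a remote access tool on a host with the first connection to a destination that host had never contacted before, within a short window; either signal alone is noisy, together they are a strong hand-off indicator. The telemetry is constructed, the event schema is an assumption of this example, and the watch list of tool binaries and the host/tool allowlist are illustrative placeholders that an analyst would replace with what their fleet legitimately runs.

```python
"""Hand-off detection: unexpected remote access tool followed by new outbound traffic.

Added example over constructed telemetry; names and schema are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative watch list of remote access tool binaries (assumption; maintain your own).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "screenconnect.clientservice.exe", "rustdesk.exe"}
# Hosts on which a given tool is expected (constructed allowlist, lowercase names).
APPROVED = {("helpdesk-01", "anydesk.exe")}
# How soon after the tool first runs a new outbound destination counts as suspicious.
WINDOW = timedelta(minutes=30)


def t(hour, minute):
    return datetime(2025, 6, 2, hour, minute)


# Constructed telemetry: (timestamp, host, kind, detail, extra)
#   kind "process": detail = image name, extra = parent image name
#   kind "netconn": detail = "ip:port" of the outbound destination, extra unused
EVENTS = [
    (t(9, 0),  "ws-17", "netconn", "10.0.0.5:443", None),              # baseline traffic
    (t(9, 1),  "ws-17", "process", "chrome.exe", "explorer.exe"),
    (t(9, 5),  "ws-17", "process", "powershell.exe", "explorer.exe"),
    (t(9, 12), "ws-17", "process", "AnyDesk.exe", "powershell.exe"),   # unapproved tool
    (t(9, 14), "ws-17", "netconn", "203.0.113.40:443", None),          # never-seen destination
    (t(9, 20), "helpdesk-01", "process", "AnyDesk.exe", "explorer.exe"),  # approved on this host
    (t(9, 21), "helpdesk-01", "netconn", "198.51.100.10:443", None),
    (t(9, 30), "ws-22", "netconn", "10.0.0.5:443", None),
    (t(10, 0), "ws-22", "process", "rustdesk.exe", "msiexec.exe"),     # unapproved tool ...
    (t(10, 3), "ws-22", "netconn", "10.0.0.5:443", None),              # ... but known destination
    (t(13, 0), "ws-22", "netconn", "192.0.2.77:443", None),            # new, but outside window
]


def detect_handoffs(events, tools=REMOTE_ACCESS_TOOLS, approved=APPROVED, window=WINDOW):
    """Return one alert per new destination contacted within `window` after an
    unapproved remote access tool first ran on the same host."""
    seen_dests = defaultdict(set)  # host -> destinations observed so far
    tool_start = {}                # host -> (time, tool, parent) of first unapproved run
    alerts = []
    for ts, host, kind, detail, extra in sorted(events, key=lambda e: e[0]):
        if kind == "process":
            name = detail.lower()
            if name in tools and (host, name) not in approved and host not in tool_start:
                tool_start[host] = (ts, name, extra)
        elif kind == "netconn":
            started = tool_start.get(host)
            if started and detail not in seen_dests[host] and ts - started[0] <= window:
                alerts.append({
                    "host": host,
                    "tool": started[1],
                    "parent": started[2],
                    "dest": detail,
                    "minutes_after_tool": int((ts - started[0]).total_seconds() // 60),
                })
            seen_dests[host].add(detail)
    return alerts


if __name__ == "__main__":
    for alert in detect_handoffs(EVENTS):
        print(alert)
```

Only ws-17 fires: the tool was launched by powershell.exe, which is the kind of parent a ClickFix-style foothold produces, and a new external destination followed two minutes later. helpdesk-01 is silent because the tool is allowlisted there, and ws-22 is silent because its post-tool traffic went to an already-known destination and the genuinely new destination came hours later; tuning the window and the allowlist is where the real work lies.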