
Announcing M-Trends 2026: Data, insights, and strategies from the frontlines

  • March 23, 2026
  • 6 replies
  • 1460 views

ilantz
Staff

Building true operational resilience requires moving faster than the threats you face. That starts with understanding exactly how adversaries are finding success, so you can use that intelligence to stop them.

Today, we are proud to announce the release of the M-Trends 2026 report! Distilling insights from over 500k hours of incident investigations executed by Mandiant in 2025, and supporting Google Threat Intelligence Group (GTIG) research, this year’s edition reveals the critical shifts defining today's threat landscape. 

This post provides a quick preview of the themes from this year's report. Download the M-Trends 2026 report now for a comprehensive dive into our frontline data, and review the supporting resources below for more.

The collapse of the "hand-off" window

One of the most notable trends identified in Mandiant investigations is the increased specialization within the cybercrime ecosystem. In 2022, the median time between an initial access event and the hand-off to a secondary threat group was more than 8 hours. In 2025, that window collapsed to a median of just 22 seconds. 

Threat groups focused on initial access are bypassing underground markets to partner directly with secondary groups. By pre-staging their preferred malware during the initial infection, the secondary group can launch high-impact operations the moment they first interact with the network.

Ransomware evolves into recovery denial

Ransomware groups are no longer just encrypting data; they are actively destroying the ability to recover by systematically targeting backup infrastructure, identity services, and virtualization—to create a "recovery deadlock" that maximizes the pressure to negotiate.

Furthermore, attackers are exploiting the "Tier-0" nature of hypervisors to bypass guest-level defenses, targeting the virtualization storage layer directly for data theft and encrypting entire hypervisor datastores that can render all associated virtual machines inoperable simultaneously.

Voice phishing and the SaaS identity crisis

While exploits remained the most common initial infection vector for the sixth consecutive year (accounting for 32% of intrusions), highly interactive voice phishing saw a significant surge to 11%, becoming the second most commonly observed vector globally. For cloud-related compromises specifically, voice phishing was the number one initial infection vector at 23%. 

M-Trends 2026 reveals the cascading impact of these techniques. Threat actors are bypassing standard defenses by harvesting long-lived OAuth tokens and session cookies. By compromising third-party SaaS vendors, attackers steal hard-coded keys and personal access tokens, using those secrets to seamlessly pivot into downstream customer environments to execute large-scale data theft.

Edge devices, zero-days, and extreme persistence

While cyber criminals optimize for speed, espionage groups are optimizing for extreme persistence. Sophisticated threat clusters deliberately target edge and core network devices, exploiting their lack of support for traditional security tooling. M-Trends 2026 reveals that the mean time to exploit vulnerabilities dropped to an estimated -7 days, meaning exploitation is routinely occurring before a patch is even released. 

By deploying custom, in-memory malware like the BRICKSTORM backdoor directly, attackers can turn these critical gateways into persistent, invisible vantage points for monitoring corporate traffic and lateral movement. With threats like BRICKSTORM achieving dwell times of nearly 400 days, standard 90-day log retention policies leave organizations completely blind to the initial access vector and the full scope of the intrusion.

AI threat landscape

A comprehensive overview of the 2025 threat landscape requires addressing adversary use of AI. Ongoing GTIG threat research confirms that threat actors are increasingly leveraging AI, especially during the early phases of the attack lifecycle. 

M-Trends 2026 confirms that attackers are abusing AI within compromised environments; however, we do not consider 2025 to be the year in which breaches were the direct result of AI. The vast majority of successful intrusions still stem from fundamental human and systemic failures. Our Mandiant special report on AI risk and resilience highlights the adversarial use of AI, key trends and learnings from Mandiant AI red teaming and consulting engagements, and how AI-powered defense is already being used as a force multiplier for security operations.

Be ready to respond

The Mandiant mission is to help keep every organization secure from cyber threats and confident in their readiness. For 17 years, our annual M-Trends report has been a core component of advancing that mission, sharing frontline knowledge to help defenders close critical visibility gaps.

To learn about the cyber threat landscape, and how we recommend organizations adapt to its ongoing changes, explore our M-Trends 2026 resources:

6 replies

Ian Grace Baja

Good


Ian Grace Baja

Nice 


hakim007
  • New Member
  • March 26, 2026

count me in

zainkhan23
  • New Member
  • April 1, 2026

One, I’m proud of myself for getting through the entire article without relying on AI to synthesize the info, but as a newbie to GCloud Security, what I am taking away is that bad guys & girls are getting much faster at breaking into computers and trying to lock people out of their own files. It’s a great report that explains how we can watch for their sneaky tricks so we can stop them and keep everyone's information safe. Thanks for the great points @ilantz


windi
  • Bronze 1
  • April 21, 2026

Huge thanks to the team for the M-Trends 2026 report!

It was a fascinating read. One thing that really stuck with me from the Executive Edition is the emphasis on » systemic failures «  and the fact that most intrusions still stem from fundamental gaps rather than just high-end AI hacks.

This insight perfectly highlights the issue I’ve been observing: SEO Hijacking/Poisoning.

As organizations harden their "front doors" (Cloud, Identity, Virtualization), attackers are getting creative with the "sidewalks"—specifically our search results.

By poisoning SEO data, they can redirect legitimate users before they even reach a secure environment. Never forget the simple gaps; sometimes they are much easier to infiltrate. A small loophole in search integrity can quickly become a massive, disruptive issue for users.

Since Google owns the most powerful search and security platforms on the planet, I’m super motivated to see how we can lead the way in squashing these SEO-based tactics. You guys have the best threat intelligence in the world, as this report shows!

And closing this specific gap would be a massive win for the entire ecosystem.

Let’s make the user’s journey from the search bar to the cloud as secure and clean as possible^^ 

Keep up the amazing work, team!


__

We often talk about hardening » impenetrable «  websites, but as these perimeters get tougher to breach directly, attackers are increasingly targeting the traffic pathways instead.

» If they can’t break through the front door, they poison the search results leading to it.

I’ve attached a screenshot showing a classic example of this on Google Search.

It’s a "simple" yet highly effective technique where attackers hijack SEO data to:

  • Redirect users to malicious clones.

  • Siphon off legitimate traffic from secure domains.

  • Execute credential harvesting before the user even reaches the intended site.

The M-Trends report highlights how the "hand-off" window has collapsed to seconds, and this type of SEO poisoning is the perfect "initial access" catalyst for that. It’s a reminder that security isn't just about the server; it's about the entire journey the user takes to find you.

Xoxo, 
~W.iP 🐬 

lalroshan590

Awesome information