M‑Trends 2026 report: attacks evolve, but the root causes remain the same

📊 Analytics | 2026-04-15, 10:34
Mandiant has released its M‑Trends 2026 report, based on more than 500,000 hours of incident investigations conducted worldwide in 2025. The full report can be read via the provided link (or by downloading the attached file); below are the most noteworthy findings.
To begin, here are some key statistics:
📌 The median dwell time within compromised infrastructure increased from 11 to 14 days; for cyber‑espionage cases, it can reach up to four months.
📌 The estimated average time‑to‑exploit dropped to -7 days: vulnerabilities are routinely exploited before a patch or public disclosure.
📌 The most common initial access vector is vulnerability exploitation (32%), followed by voice phishing (17%).
📌 In 52% of cases, organizations detected malicious activity on their own (up from 43%), indicating improved internal monitoring.
📌 The most targeted industries are high tech (17%) and finance (14.6%).
Key trends observed in 2025:
🔹 Role specialization within the cybercriminal ecosystem. Some groups focus on obtaining initial access, while others expand the intrusion and inflict the main damage (for example, deploying ransomware). The time to transfer access from the first groups to the second has dropped from more than eight hours (2022) to 22 seconds (2025). This is often due to brokers automatically delivering malware from another group into the victim's infrastructure instead of selling access on forums.
🔹 Shift from email attacks to voice‑based fraud. Email phishing has declined to 6% thanks to improved automated mail filtering. Attackers increasingly rely on voice phishing (or vishing), which enables more interactive attacks.
🔹 Attacks on backup infrastructure. In addition to exfiltration for extortion — previously discussed in earlier posts — ransomware operators now more frequently compromise virtualization systems, target identity services, and delete backups to prevent recovery.
🔹 Diverging strategies: speed vs. persistence. Common cybercriminals are accelerating their operations, while APT groups are focusing on persistence: they infect network devices with malware that survives reboots and other standard remediation measures.
🔹 AI as an attack multiplier. Both state‑affiliated and financially motivated threat actors are using large language models (LLMs) to accelerate attacks and enable hyper‑personalized social engineering.
Researchers note that despite technological advances and the active use of AI, most incidents still stem from systematic configuration errors and the human factor. This means that while adapting to new conditions (such as the shrinking time‑to‑exploit window), organizations must not neglect fundamental measures such as secure development, monitoring, and employee training — these remain key determinants of resilience against attacks.
Vendors: Mandiant
Products: M‑Trends 2026 Report