<h1>Mandiant M-Trends 2026: Critical Cybersecurity Insights from the Frontline</h1>
<p>The Mandiant M-Trends 2026 report is out, analyzing over 500,000 hours of incident response from 2025. This year's findings reveal a stark divergence in adversary tactics and key shifts in <a href="#dwell-time">dwell times</a>, <a href="#initial-infection">attack vectors</a>, and <a href="#targeted-industries">industry targeting</a>. Dive into the most pressing questions answered below.</p>
<h2 id="key-findings">What are the top-level findings of the M-Trends 2026 report?</h2>
<p>The report highlights a clear divide in adversary behavior. On one side, cybercriminal groups optimize for <strong>immediate impact</strong> and <strong>deliberate recovery denial</strong>. On the other, sophisticated espionage groups and insider threats focus on <strong>extreme persistence</strong>, leveraging unmonitored edge devices and native network functions to evade detection. The global median dwell time has risen to 14 days, up from 11, reflecting growing sophistication. Exploits remain the top initial infection vector at 32%, but voice phishing has surged to 11%, becoming the second most common vector. Internal detection improved to 52%, and the high-tech sector (17%) overtook the financial sector (14.6%) as the most targeted industry.</p>
<figure style="margin:20px 0"><img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BA.max-2600x2600.png" alt="Mandiant M-Trends 2026: Critical Cybersecurity Insights from the Frontline" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.mandiant.com</figcaption></figure>
<h2 id="dwell-time">How has the global median dwell time changed in 2025?</h2>
<p>Global median dwell time increased from <strong>11 days</strong> in 2024 to <strong>14 days</strong> in 2025. This rise signals that adversaries are becoming more adept at evading detection, particularly in cyber espionage and North Korean IT worker incidents, where median dwell time soared to <strong>122 days</strong>. The extended dwell time allows attackers to maintain access longer, conduct reconnaissance, and exfiltrate data without triggering alarms. For defenders, this underscores the need for <em>continuous monitoring</em> and faster containment strategies to reduce the window of undetected activity.</p>
<h2 id="initial-infection">What are the most common initial infection vectors?</h2>
<p>For the sixth consecutive year, <strong>exploits</strong> are the leading initial infection vector, accounting for <strong>32%</strong> of intrusions. However, a notable shift is the surge in <strong>highly interactive voice phishing</strong>, which rose to <strong>11%</strong>, making it the second most common vector. This technique involves direct phone calls to trick victims into providing credentials or installing malware. Other vectors like malicious ads and the ClickFix social engineering technique are also on the rise, especially among initial access brokers who then hand off access to other threat actors.</p>
<h2 id="internal-detection">How have organizations improved their detection capabilities?</h2>
<p>Organizations are making significant progress in internal threat detection. In 2025, <strong>52%</strong> of breaches were first detected by the victim organization itself, up from <strong>43%</strong> in 2024. This improvement reflects investments in security monitoring tools, <em>security operations centers</em>, and incident response readiness. However, the remaining 48% were still notified by external parties, such as law enforcement or threat intelligence feeds, indicating that there is still room for improvement in proactive detection and visibility across all environments.</p>
<figure style="margin:20px 0"><img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/MT26_Email-Hero-Image_1820x1362.max-600x600.png" alt="Mandiant M-Trends 2026: Critical Cybersecurity Insights from the Frontline" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.mandiant.com</figcaption></figure>
<h2 id="targeted-industries">Which industries are most targeted by attackers?</h2>
<p>The <strong>high-tech sector</strong> became the most targeted industry in 2025, representing <strong>17%</strong> of all incidents and overtaking the financial sector, which had held the top spot in 2023 and 2024 and now accounts for <strong>14.6%</strong>. The report covers more than 16 industry verticals, with other frequently targeted sectors including government, healthcare, and education. The shift to high-tech suggests attackers are increasingly interested in intellectual property, proprietary algorithms, and supply chain access points that can be used to reach downstream victims.</p>
<h2 id="hand-off-window">What is the 'hand-off window' and why is it collapsing?</h2>
<p>The 'hand-off window' refers to the period after initial access is gained by one group (e.g., via low-impact techniques like malicious ads or ClickFix) and before that group transfers the access to a more specialized threat actor. In 2025, this window is collapsing due to <strong>increased specialization and collaboration</strong> within the cybercrime ecosystem. Initial access partners now quickly sell or trade access to ransomware groups or data extortion specialists, bypassing the traditional delay. This accelerates the attack lifecycle and reduces the time defenders have to detect and respond, making rapid incident response even more critical.</p>