Daily NewsCyber Crime & Forensic

M-Trends 2026: Attackers Split Between Speed and Stealth as Cyber Battlefield Rewrites Itself

Forcing a Fundamental Rethink of How Security Operations Are Designed, Measured, and Executed

The modern cyber threat landscape is no longer moving in a single direction. That is the overriding theme of the M-Trends 2026 report recently released by Mandiant.

According to M-Trends 2026, attackers have diverged into two sharply defined camps—those engineered for speed and disruption, and those built for patience and persistence. For defenders, that split is forcing a fundamental rethink of how security operations are designed, measured, and executed.

Grounded in more than 500,000 hours of frontline incident investigations conducted globally in 2025, this year’s Mandiant M-Trends 2026 report offers a sobering view of how adversaries are evolving—not just incrementally, but structurally.

At the highest level, the M-Trends 2026 data reveals a simple truth: attackers are no longer just breaching systems. They are optimising entire operational models.

M-Trends 2026 Discovers a Tale of Two Adversaries

On one side are cybercriminal groups focused on immediate impact. Their playbook is built around speed, coordination, and recovery denial. On the other are espionage actors and insider threats, prioritising long-term access, persistence, and invisibility—often hiding in the least monitored parts of enterprise infrastructure.

This divergence is reflected in one of the report’s most closely watched metrics: dwell time. Globally, median dwell time increased from 11 days to 14 days in 2025, signalling improved attacker sophistication in evading detection. But that headline figure masks a deeper reality. In espionage and North Korean IT worker cases, dwell time stretched to 122 days—evidence of deeply embedded, long-term operations.

The 22-Second Problem

Perhaps the most striking finding in M-Trends 2026 is the collapse of the “hand-off” window between initial access and full-scale attack.

In 2022, attackers typically took more than eight hours to transition from initial compromise to secondary operations such as ransomware deployment. In 2025, that window shrank to just 22 seconds.

This is not merely acceleration—it is premeditation. Initial access brokers are now staging environments in advance, deploying malware or establishing tunnels during the first breach so that secondary actors can act immediately upon entry.

The implications are profound. What was once a window for detection and response has effectively disappeared. Security teams are now racing against automation, not just human operators.

This shift is also reflected in attack pathways. Prior compromise emerged as the third most common initial infection vector globally at 10%, and the leading vector in ransomware incidents at 30%, doubling year on year.

From Phishing Emails to Human Conversations

Traditional phishing is no longer the dominant threat vector it once was. Email-based phishing dropped to just 6% of intrusions in 2025, displaced by more interactive and manipulative techniques.

Voice phishing, or vishing, surged to 11%, making it the second most common initial infection vector. Attackers are increasingly targeting IT help desks, exploiting human trust to bypass multifactor authentication and gain access to SaaS environments.

The downstream impact is significant. By harvesting OAuth tokens, session cookies, and hard-coded credentials from compromised SaaS vendors, attackers are able to pivot seamlessly into customer environments. What begins as a single compromised identity can cascade into large-scale data theft across interconnected systems.

Ransomware’s New Objective: No Recovery

Ransomware is no longer just about encryption—it is about eliminating recovery altogether.

Mandiant, in M-Trends 2026, observed a systemic shift in 2025, with attackers deliberately targeting backup systems, identity infrastructure, and virtualisation layers. Groups leveraging tools such as REDBIKE (Akira) and AGENDA (Qilin) are now destroying the very mechanisms organisations rely on to recover.

This includes deleting cloud backup objects, abusing misconfigured Active Directory Certificate Services to create persistent administrative access, and targeting hypervisors—the “Tier-0” layer of enterprise infrastructure—to render entire fleets of virtual machines inoperable.

The result is a stark binary: pay the ransom or rebuild from scratch.

The Rise of the Invisible Network Threat

While cybercriminals move faster, espionage actors are becoming harder to see.

Edge devices—VPNs, routers, and other network appliances—have become prime targets because they often lack endpoint detection and response telemetry. Attackers are exploiting this blind spot with increasing precision.

M-Trends 2026 highlights a particularly alarming trend: the mean time to exploit vulnerabilities has dropped to an estimated minus seven days. In practical terms, this means exploitation is occurring before patches are even released.

Once inside, adversaries deploy in-memory malware such as the BRICKSTORM backdoor, enabling persistence that can survive reboots and evade conventional forensic analysis. In some cases, these operations persist for nearly 400 days—well beyond standard 90-day log retention policies, leaving organisations blind to both the origin and scope of compromise.

AI: Accelerant, Not Origin

Artificial intelligence is reshaping the threat landscape, but not in the way many expected.

Mandiant’s findings suggest that while attackers are actively integrating AI into their workflows—using it to evade detection, accelerate malware execution, and even query large language models mid-operation—AI is not yet the root cause of most breaches.

Instead, the majority of successful intrusions still stem from fundamental human and systemic failures.

That said, AI is rapidly becoming a force multiplier. Malware families are leveraging AI to adapt in real time, while techniques such as “distillation attacks” threaten to extract proprietary logic from machine learning models. Even credential stealers are now probing for local AI tools to uncover sensitive configurations.

For defenders, the message is clear: the risk is not just AI itself, but how it is integrated into broader systems and workflows.

Defenders Improving—but Not Fast Enough

There are signs of progress. In 2025, organisations detected 52% of intrusions internally, up from 43% the previous year, indicating improved visibility and monitoring.

However, attackers are still outpacing these gains, according to the M-Trends 2026 report.

High-tech organisations were the most targeted sector, accounting for 17% of incidents, overtaking financial services at 14.6%. The breadth of attacks—spanning more than 16 industry verticals—underscores the universal nature of the threat.

From Indicators to Behaviour

If there is a unifying theme in M-Trends 2026, it is that traditional security models are no longer sufficient.

Static indicators of compromise are proving ineffective against adversaries who rapidly rotate infrastructure and deploy custom, in-memory malware. Instead, Mandiant emphasises a shift towards behavioural detection—identifying anomalies in how systems and users operate, rather than relying on known signatures.

This extends to identity security, where continuous verification, strict least privilege, and centralised identity providers are becoming essential in a world where MFA alone can be bypassed.

At the same time, organisations, according to M-Trends 2026, are being urged to treat low-level alerts as potential precursors to major incidents, isolate critical control planes such as hypervisors and backup systems, and extend log retention well beyond traditional limits.

A New Operating Reality

M-Trends 2026 does not present a future scenario—it documents a present reality.

Attackers are faster, more coordinated, and increasingly capable of denying recovery. At the same time, they are more patient, more persistent, and more adept at hiding in the fabric of enterprise networks.

For CISOs and security leaders, the implication is unavoidable: resilience is no longer just about preventing breaches. It is about detecting them earlier, containing them faster, and ensuring the organisation can recover even when core systems are compromised.

In a landscape defined by both speed and stealth, the organisations that succeed will be those that can operate at both extremes—matching the attacker’s pace while closing the gaps they rely on to remain unseen.

Read the full M-Trends 2026 report HERE.

Martin Dale Bolima

Martin has been a Technology Journalist at Asia Online Publishing Group (AOPG) since July 2021, tasked primarily to handle the company’s Disruptive Tech Asia and Disruptive Tech News online portals. He also contributes to Cybersecurity ASEAN and Data&Storage ASEAN, with his main areas of interest being artificial intelligence and machine learning, cloud computing and cybersecurity. A seasoned writer and editor, Martin holds a degree in Journalism from the University of Santo Tomas in the Philippines. He began his professional career back in 2006 as a writer-editor for the University Press of First Asia, one of the premier academic publishers in the Philippines. He next dabbled in digital marketing as an SEO writer while also freelancing as a sports and features writer.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *