NEWS 22 seconds is how long it takes hackers to take over an entire network.

pinkman

System owners are left to watch someone else's scenario.
Mandiant has published its latest M-Trends 2026 report, and the cyberthreat landscape for the past year is alarming. Attacks have become faster, stealthier, and more destructive, and the lines between different types of attackers are gradually blurring. Some act with lightning speed, while others establish themselves in infrastructure for months, remaining undetected.

The document is based on over 500,000 hours of incident investigations worldwide through 2025. The average time attackers remain undetected on a network has increased to 14 days, up from 11 the previous year. For cyberespionage operations, this figure reaches 122 days, indicating an increase in attack sophistication and the ability to bypass defenses.

Vulnerability exploitation remains the primary penetration method, accounting for 32 percent of incidents. However, the share of voice phishing has risen sharply to 11 percent. Email, on the other hand, is losing ground: such attacks have fallen to 6 percent of cases. Attackers are increasingly targeting employees directly, simulating support calls and bypassing multi-factor authentication.

Another noticeable shift is the near-instantaneous handoff of access between groups. While in 2022, more than eight hours elapsed between the hack and the start of the active phase, in 2025, this gap has shrunk to 22 seconds. The first group prepares the infrastructure, while the second immediately launches malicious operations, including ransomware.

Meanwhile, ransomware itself has changed its tactics. Now, the goal is not only to encrypt data but also to deprive the company of the ability to recover. Attackers are targeting backups, virtualization management systems, and identity services. As a result, organizations are faced with a choice: pay or rebuild their infrastructure.

The report pays special attention to attacks on network devices, such as routers and VPNs. Such systems are often unmonitored by standard security tools. Attackers exploit vulnerabilities even before updates are released and inject malicious code that persists even after reboots. In some cases, their presence on the network lasts up to 400 days, and standard event logs simply make it impossible to reconstruct the attack chain.

The report's authors also document the growing use of artificial intelligence. Some malware uses language models during execution to modify its behavior and evade detection. However, the key to successful attacks remains fundamental flaws—weak access controls, vulnerable services, and insufficient monitoring.

Against this backdrop, companies are increasingly detecting attacks themselves—52 percent of cases, up from 43 percent the year before. Technology companies have become the primary targets, surpassing the financial sector.

Mandiant believes that defenses must evolve alongside attacks. This includes constantly checking accounts, expanding logging, and moving from static indicators to behavioral analysis. Without these steps, the gap between attackers and cybercriminals will only widen.
 