M-Trends 2026: Attacker Handoff Times Shrink to 22 Seconds as Cyber Threats Industrialize

Google’s Mandiant has released its annual M-Trends report for 2026, and the findings paint a stark picture of an increasingly industrialized threat landscape. The headline stat: the median time between an initial compromise and handoff to a secondary threat group has collapsed from over eight hours in 2022 to just 22 seconds in 2025.

That’s not a typo. Twenty-two seconds from initial access broker compromise to a secondary actor pre-staging malware. The report, based on over 500,000 hours of incident investigations, reveals that exploits remain the #1 initial infection vector (32% of intrusions) for the sixth consecutive year, while voice phishing (vishing) has surged to 11% globally—now the second most common vector. Email phishing, meanwhile, continues its steady decline.

Other key findings: ransomware gangs are shifting to “recovery denial” tactics—actively destroying backups, identity services, and virtualization management planes before detonating payloads. Global median dwell time rose to 14 days (up from 11), driven by sophisticated espionage campaigns. And adversaries are now integrating LLMs into their attack chains for social engineering and detection evasion.

Source

Google Cloud Blog – M-Trends 2026 | SecurityWeek

Why This Matters

The 22-second handoff stat should terrify every security team still relying on manual triage workflows. When access brokers and ransomware operators are coordinating with the efficiency of a relay race, traditional detection-and-response timelines are simply outmatched. The shift from “dwell time” to “dwell seconds” fundamentally changes what incident response needs to look like.

The report’s emphasis on recovery denial is equally alarming. It’s no longer enough to have backups—you need to ensure your recovery infrastructure is as hardened and segmented as your production environment. If your backup admin credentials live in the same Active Directory as everything else, you’re one compromise away from a total loss scenario.
