Threat Intel - Mandiant's Insights on Evolving Cyber Threats
Basically, Mandiant's report shows how cybercriminals are changing their tactics to evade detection and cause more damage.
Mandiant's M-Trends 2026 report reveals how cyber threats are evolving. Organizations face increased risks from ransomware and voice phishing tactics. Understanding these trends is vital for improving security measures and defending against sophisticated attacks.
The Threat
Mandiant's M-Trends 2026 report offers a deep dive into the evolving cyber threat landscape. In 2025, a noticeable divergence in adversary tactics emerged. On one side, cybercriminals focused on immediate impact and recovery denial. On the other, sophisticated cyber espionage groups optimized for extreme persistence, using unmonitored edge devices to evade detection. This report is grounded in over 500,000 hours of incident investigations, providing a comprehensive look at current tactics, techniques, and procedures (TTPs).
The report highlights that the global median dwell time for intrusions rose to 14 days, up from 11 days. This increase suggests that attackers are becoming more adept at evading defenses. Notably, incidents related to cyber espionage and North Korean IT workers saw median dwell times of 122 days. These figures underscore the growing sophistication of adversaries in the cyber landscape.
Who's Behind It
The report identifies a range of threat actors, from cybercriminal groups to state-sponsored espionage units. Criminal groups have increasingly specialized, collaborating within the cybercrime ecosystem. Initial access partners now use low-impact techniques to gain footholds, handing off access to secondary groups for high-impact operations like ransomware. In 2025, the time between initial access and hand-off collapsed from over 8 hours to just 22 seconds. This rapid transition allows attackers to launch operations almost immediately upon gaining access.
Moreover, voice phishing, or vishing, has surged, becoming a primary method for gaining access to software-as-a-service (SaaS) environments. Attackers are increasingly targeting IT help desks, leveraging social engineering to bypass multi-factor authentication (MFA).
Tactics & Techniques
Ransomware tactics have evolved significantly. Attackers are not just encrypting data; they are actively destroying recovery capabilities. In 2025, ransomware groups targeted backup infrastructures and identity services, exploiting misconfigured systems to create admin accounts that bypass security measures. This shift represents a systemic change in how ransomware is executed, forcing organizations into a difficult choice: pay the ransom or rebuild from scratch.
Additionally, adversaries are leveraging edge devices and zero-day vulnerabilities for extreme persistence. The mean time to exploit vulnerabilities has dropped to an estimated -7 days; the negative value means exploitation often occurs before patches are available. This trend highlights the urgency for organizations to enhance their defenses against these evolving threats.
Defensive Measures
To combat these sophisticated threats, organizations must adapt their security strategies. Mandiant recommends treating low-impact alerts as critical indicators of potential secondary intrusions. Security teams should restructure response playbooks to prioritize these alerts, ensuring proactive remediation before attackers can execute their plans.
Furthermore, isolating critical control planes and implementing continuous identity verification are essential steps. Organizations should decouple backup environments from corporate networks and use immutable storage to protect against destructive attacks. By staying ahead of adversaries and adopting these recommendations, organizations can enhance their operational resilience and better navigate the complex cyber threat landscape.