2026-05-03
Cybersecurity

M-Trends 2026: Key Findings and Frontline Insights from Global Cyber Incident Response

Mandiant's M-Trends 2026 report reveals a surge in dwell time to 14 days, exploits as top vector, and a rise in voice phishing. High-tech sector most targeted. Internal detection improves to 52%.

Introduction: The Shifting Cyber Threat Landscape

Every year, cybersecurity defenders must adapt to the ever-evolving tactics and techniques of adversaries. Mandiant's M-Trends 2026 report, based on over 500,000 hours of frontline incident investigations conducted globally in 2025, offers a definitive look at the current threat environment. The report highlights a clear divergence in adversary behavior: cybercriminal groups are optimizing for immediate impact and deliberate recovery denial, while sophisticated cyber espionage groups and insider threats focus on extreme persistence, often exploiting unmonitored edge devices and native network functionalities to evade detection.

[Image: M-Trends 2026: Key Findings and Frontline Insights from Global Cyber Incident Response. Source: www.mandiant.com]

By the Numbers: Key Metrics from M-Trends 2026

The metrics in this year's report reveal how adversaries are shifting their approaches to bypass modern security controls. Below are the most striking statistics.

Global Median Dwell Time Rises to 14 Days

The global median dwell time—the time between a compromise and its detection—increased from 11 days in 2024 to 14 days in 2025. This rise likely reflects growing attacker sophistication, particularly in evading defenses. When examining specific categories, such as cyber espionage and North Korean IT worker incidents, the median dwell time soared to 122 days, underscoring the stealthy nature of these advanced threats.

Initial Infection Vectors: Exploits Dominate, Voice Phishing Surges

For the sixth consecutive year, exploits remain the most common initial infection vector, accounting for 32% of intrusions. However, a significant surge in highly interactive voice phishing pushed it to 11%, making it the second most commonly observed vector. This shift indicates that adversaries are increasingly using social engineering tactics that bypass traditional email-based defenses.

Internal Detection Improves to 52%

Organizations are making strides in internal visibility. Across all 2025 investigations, 52% of breaches were first detected internally, up from 43% in 2024. This improvement suggests that investments in monitoring, threat hunting, and security operations are paying off, though there is still room for growth.
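The two headline metrics above, median dwell time and the share of breaches detected internally, computed over a small constructed incident set; this is an added illustration, not code or data from the M-Trends report. The Incident fields, the category labels and the sample dates are assumptions chosen to show why the report uses a median: a handful of long espionage cases would pull the mean far above what most victims experience.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    compromise: date           # earliest evidence of adversary activity
    detection: date            # date the intrusion was identified
    category: str              # hypothetical label, e.g. "ransomware", "espionage"
    detected_internally: bool  # True if the victim's own team found it first


def dwell_days(inc: Incident) -> int:
    """Dwell time: days between compromise and detection."""
    return (inc.detection - inc.compromise).days


def median_dwell(incidents, category=None):
    """Median dwell time, optionally restricted to one incident category."""
    days = [dwell_days(i) for i in incidents
            if category is None or i.category == category]
    return median(days) if days else None


def mean_dwell(incidents):
    """Mean dwell time, for comparison with the median (skewed by long cases)."""
    return mean(dwell_days(i) for i in incidents)


def internal_detection_rate(incidents):
    """Percentage of incidents first detected by the victim organization."""
    if not incidents:
        return 0.0
    found = sum(1 for i in incidents if i.detected_internally)
    return round(100 * found / len(incidents), 1)


# Constructed sample investigations; illustrative only, not real cases.
SAMPLE = [
    Incident(date(2025, 1, 10), date(2025, 1, 13), "ransomware", True),
    Incident(date(2025, 2, 1), date(2025, 2, 8), "ransomware", False),
    Incident(date(2025, 3, 5), date(2025, 3, 17), "ransomware", True),
    Incident(date(2025, 5, 6), date(2025, 5, 15), "ransomware", False),
    Incident(date(2025, 4, 2), date(2025, 4, 20), "extortion", True),
    Incident(date(2025, 1, 1), date(2025, 5, 1), "espionage", False),
    Incident(date(2025, 2, 10), date(2025, 6, 14), "espionage", True),
    Incident(date(2024, 12, 1), date(2025, 4, 30), "espionage", True),
]

if __name__ == "__main__":
    print("overall median dwell (days):", median_dwell(SAMPLE))
    print("mean dwell (days):", round(mean_dwell(SAMPLE), 1))
    for cat in ("ransomware", "espionage"):
        print(f"{cat} median dwell (days):", median_dwell(SAMPLE, cat))
    print("internally detected (%):", internal_detection_rate(SAMPLE))
```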

High-Tech Sector Overtakes Financial as Most Targeted

Incidents investigated in 2025 spanned more than 16 industry verticals. The high-tech sector (17%) surpassed the financial sector (14.6%) as the most frequently targeted industry, ending the financial sector's two-year reign at the top. This shift highlights the high value of the intellectual property and sensitive data held by technology firms.

The Collapse of the 'Hand-Off' Window: Specialization in Cyber Crime

One of the most notable trends in 2025 is the increased specialization and collaboration within the cyber crime ecosystem. Initial access partners are using low-impact techniques—such as malicious advertisements or the ClickFix social engineering technique—to gain a foothold. They then hand off access to specialized ransomware groups or data extortionists, collapsing the traditional 'hand-off' window. This model enables attackers to move faster and avoid detection by distributing tasks among different actors, each focused on a specific phase of the attack lifecycle.


Implications for Defenders

This collaborative model means that defenders must prepare for multi-stage attacks where each stage may be executed by a different group. Organizations should prioritize:

  • Monitoring for initial access techniques like malicious ads and voice phishing.
  • Implementing robust internal detection mechanisms to catch early signs of compromise.
  • Segmenting networks and applying zero-trust principles to limit lateral movement.

Persistence and Espionage: The Long Game

On the other end of the spectrum, advanced persistent threat (APT) groups and insider threats are showing extreme persistence. The median dwell time of 122 days for espionage incidents indicates that these adversaries are willing to invest time to achieve long-term strategic objectives. They often leverage unmonitored edge devices and abuse native network functionalities to blend in with legitimate traffic.

Detecting the Stealthy Adversary

To counter these threats, security teams must extend visibility beyond traditional endpoints and focus on:

  1. Monitoring edge devices and cloud environments for anomalous behavior.
  2. Using behavioral analytics to detect subtle deviations from normal patterns.
  3. Conducting regular threat hunting exercises focused on persistence mechanisms.

Strategies for the Frontlines

The data from M-Trends 2026 underscores the need for a proactive, intelligence-driven security posture. Key recommendations include:

  • Reduce dwell time by accelerating detection capabilities through improved logging and automated triage.
  • Strengthen defenses against voice phishing with employee training and verification protocols.
  • Focus on high-tech sector risks if operating in that industry, but apply lessons to all verticals.
  • Adopt threat intelligence feeds to stay ahead of evolving TTPs.

For a complete analysis and additional strategic guidance, download the full M-Trends 2026 report.