Dwell Time Creeps Up
Mandiant’s M-Trends 2026 report is out, and the headline number is a jump in median dwell time—14 days, up from 11. For those keeping score, that’s a 27% increase. This isn’t just a statistical blip; it signals adversaries are getting savvier at evading detection, spending more time inside networks before being noticed. When you isolate the truly persistent threats—state-sponsored espionage groups and those tied to North Korean state actors—that dwell time balloons to a staggering 122 days. That’s four months of unfettered access. This isn’t the digital Wild West; it’s a calculated, drawn-out infiltration.
What’s Driving the Extension?
Several factors seem to be at play here. Adversaries are clearly refining their tactics, techniques and procedures (TTPs) to sidestep the layered defenses most organizations now have in place. The report notes a shift in sophistication, particularly among espionage actors, who are adept at blending in. They’re likely leveraging unmonitored edge devices and those deeply embedded, native network functionalities that security tools often overlook. It’s less about brute force and more about sophisticated camouflage.
Exploits Still King, But Vishing Roars
Exploits, for the sixth year running, remain the top initial infection vector, accounting for a significant 32% of breaches. But the real story this year is the meteoric rise of highly interactive voice phishing, or vishing, which has rocketed to 11% of intrusions. That’s a substantial leap, pushing it firmly into the second spot. This isn’t your grandfather’s dodgy email; this is targeted, human-engineered deception delivered directly to the ear, often impersonating trusted sources to coax credentials or sensitive information out of unsuspecting employees. Email phishing, meanwhile, has receded to a mere 6%, a testament to improved automated defenses against that particular attack vector.
The Collapsing “Hand-Off” Window
The cybercrime ecosystem is showing an alarming level of specialization and, frankly, efficiency. Initial access brokers are no longer just getting a toe in the door; they’re paving the way for ransomware gangs with terrifying speed. In 2022, the median time between an initial access event and the hand-off to a secondary threat group was over eight hours. By 2025, that window had shrunk to just 22 seconds. Twenty-two seconds. That means the secondary group is often pre-staged with malware and configured access, ready to deploy their payload the moment they’re handed the keys. Prior compromise, often facilitated by these initial access brokers, is now the third-most common infection vector globally and the top vector for ransomware attacks, doubling its prevalence from the previous year. This rapid handover is a critical gap that defenders have largely failed to close.
Ransomware Becomes Recovery Denial
Ransomware isn’t just about encrypting data anymore; it’s evolved into a sophisticated strategy of recovery denial. Mandiant observed prolific groups like Akira and Qilin not just locking files but actively targeting and destroying backup infrastructure, identity services, and virtualization management planes. Think about that for a second. They’re not just stealing your valuables; they’re dismantling the vault and melting down the keys. Attackers are weaponizing misconfigurations in Active Directory Certificate Services to create persistent admin accounts and are outright deleting backup objects from cloud storage. This shift from data exfiltration and encryption to outright destruction of recovery capabilities represents a significant escalation in the impact and severity of ransomware attacks.
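Detection logic for the recovery-denial pattern described above, written as an added example (not Mandiant's or the report's code): it runs over constructed, simplified CloudTrail-style records, treats deletion of backup objects, suspension of bucket versioning and removal of recovery points as destructive, and alerts on any principal that performs several such actions. The event and field names are a simplified rendering of real CloudTrail records, and the backup-naming heuristic is an assumption of this example.

```python
from collections import defaultdict

# Constructed, simplified CloudTrail-style records (not real telemetry): the
# "svc-deploy" principal deletes versioned backup objects, suspends bucket
# versioning and removes a recovery point; the ops-admin action is routine.
SAMPLE_EVENTS = [
    {"eventName": "DeleteObject", "principal": "ops-admin",
     "bucketName": "app-logs", "key": "old/2024-01.log"},
    {"eventName": "DeleteObject", "principal": "svc-deploy",
     "bucketName": "corp-db-backups", "key": "db/2025-03-03.bak", "versionId": "v7"},
    {"eventName": "DeleteObject", "principal": "svc-deploy",
     "bucketName": "corp-db-backups", "key": "db/2025-03-02.bak", "versionId": "v6"},
    {"eventName": "PutBucketVersioning", "principal": "svc-deploy",
     "bucketName": "corp-db-backups", "status": "Suspended"},
    {"eventName": "DeleteRecoveryPoint", "principal": "svc-deploy",
     "backupVaultName": "prod-vault"},
]

# API calls that remove or weaken recoverability. "backup-only" calls are
# routine elsewhere and only suspicious when aimed at a backup resource.
DESTRUCTIVE = {
    "DeleteObject": "backup-only", "DeleteObjects": "backup-only",
    "DeleteBucket": "backup-only", "PutBucketVersioning": "backup-only",
    "DeleteRecoveryPoint": "always", "DeleteBackupVault": "always",
}
BACKUP_HINTS = ("backup", "snapshot", "vault", ".bak")  # naming assumption

def targets_backup(event):
    """Name-based heuristic; production rules should use resource tags."""
    fields = ("bucketName", "key", "backupVaultName")
    text = " ".join(str(event.get(f, "")) for f in fields).lower()
    return any(hint in text for hint in BACKUP_HINTS)

def is_recovery_denial(event):
    mode = DESTRUCTIVE.get(event["eventName"])
    if mode is None:
        return False
    if event["eventName"] == "PutBucketVersioning":  # enabling is benign
        return event.get("status") == "Suspended" and targets_backup(event)
    return mode == "always" or targets_backup(event)

def find_recovery_denial(events, threshold=3):
    """Group destructive backup actions per principal and report those at or
    above the threshold, so a single stale-file cleanup does not page."""
    hits = defaultdict(list)
    for event in events:
        if is_recovery_denial(event):
            hits[event["principal"]].append(event["eventName"])
    return {p: names for p, names in hits.items() if len(names) >= threshold}
```

Feeding the same rule the bucket's CloudTrail data events in near real time is what turns "backups were deleted 20 minutes before encryption" from a post-mortem finding into an alert with time to act.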
“The global median dwell time rose to 14 days from 11 days. This shift likely reflects growing sophistication, particularly in evading defenses.”
This quote from the report is the starkest indicator. It’s not that organizations are suddenly worse at detecting threats; it’s that the threats themselves have become inherently harder to detect. The increasing reliance on stolen credentials, coupled with the exploitation of third-party SaaS vendors for access to hard-coded keys and session cookies, means attackers are operating with a level of insider-like privileges. The ease with which they can pivot into downstream customer environments to execute large-scale data theft is a direct consequence of this evolving attack surface.
Internal Detection on the Rise… For Now
There’s a glimmer of good news, however small. Organizations are getting better at detecting malicious activity internally. In 2025, 52% of investigations began with internal detection, a notable increase from 43% in 2024. This suggests that investments in detection and response capabilities are starting to bear fruit. However, this positive trend could be overshadowed by the rising dwell times and the sheer adaptability of the threat actors. It’s a race, and while defenders are gaining ground in some areas, adversaries are advancing rapidly in others, particularly in their ability to sustain operations undetected.
High Tech is the New Financial Sector Target
By industry, the high-tech sector has overtaken the financial sector as the most targeted, accounting for 17% of incidents compared to the financial sector’s 14.6%. This shift out of the top spot, which the financial industry held for the past two years, indicates that adversaries are chasing new avenues of compromise, likely related to intellectual property theft, supply chain attacks, or the ongoing digital transformation efforts within the tech sector itself.
Frequently Asked Questions
What does Mandiant’s M-Trends report analyze?
M-Trends analyzes data from over 500,000 hours of frontline incident investigations conducted globally by Mandiant in the past year to identify emerging cyber threat tactics, techniques, and procedures (TTPs).
Is my organization safe from vishing attacks?
No organization is entirely safe. The rise of vishing necessitates enhanced employee training on social engineering tactics, the implementation of strong call verification protocols, and the use of security solutions that can detect anomalies in communication patterns.
Why is dwell time important in cybersecurity?
Dwell time is the period an attacker remains undetected within a network. A longer dwell time allows attackers more opportunity to escalate privileges, exfiltrate data, deploy malware, and cause greater damage before being discovered and removed.