Released Monday at RSAC 2026, Mandiant’s M-Trends 2026 report found the median time between an initial access event and a handoff to a second threat group collapsed from more than eight hours in 2022 to just 22 seconds in 2025. The report draws on more than 500,000 hours of Mandiant incident response work last year.
The report (Gated PDF) also points to a tactical shift in ransomware. Attackers are no longer stopping at data encryption. They are increasingly targeting backup infrastructure, identity services and virtualization management planes in what Mandiant describes as recovery denial – a strategy designed to make restoration harder even when backups exist. Exploits remained the top initial intrusion vector, while voice phishing surged to become the second most common.
Interestingly, high tech overtook financial services as the most-targeted sector in Mandiant investigations, accounting for 17% of cases in 2025.
Image Courtesy of Google
