M-Trends 2026: What businesses need to know about the latest cyber threats

Tim Bixley
Chief Information Security Officer
15/4/2026

Mandiant, Google’s frontline cyber incident response and threat intelligence team, has released its M-Trends 2026 report, drawing on more than 500,000 hours of incident investigations conducted globally in 2025. It remains one of the more useful indicators of where cyber threats are heading because it is grounded in real-world response work rather than theory.

The message from this year’s report is clear: attackers are getting faster, quieter, and more deliberate. Increasingly, they are not just targeting user devices. They are going after the systems that control identity, access, recovery, and visibility.

For business leaders, that matters because the risk is no longer limited to whether someone clicks a bad email. The bigger issue is whether your team can detect suspicious activity early, contain it quickly, and recover without major disruption.

Attackers are still getting in through known weaknesses

Software exploits remained the most common initial intrusion method in 2025, accounting for 32% of intrusions. In other words, unpatched vulnerabilities in deployed software are still giving attackers a way in.

That reinforces a familiar point: patching, vulnerability management, and reducing exposure still matter. Many compromises are not the result of highly exotic tactics. They happen because weaknesses remain open for too long, especially on internet-facing systems, where an attacker can reach them without first needing a foothold on the network.
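One way to make "open for too long" measurable is to compare each finding's age against a remediation window that tightens for internet-facing systems and for weaknesses already being exploited. The script below is an added example for this article, not Mandiant's or IT Partners' code; the inventory, the CVE identifiers (fictional placeholders), the SLA thresholds and the dates are all assumed.

```python
"""Rank open vulnerability findings by how far past an exposure-based SLA they are.

Added example for this article. The SLA table, asset names, CVE placeholders
and dates are hypothetical; adjust them to your own policy and scanner output.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical remediation window in days, keyed by (exposure, known exploited).
# Internet-facing systems get the shortest window; known exploitation shortens it further.
SLA_DAYS = {
    ("internet", True): 2,
    ("internet", False): 14,
    ("internal", True): 14,
    ("internal", False): 30,
}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str          # fictional placeholder id, not a real CVE
    exposure: str     # "internet", "internal", or anything else if unknown
    exploited: bool   # weakness is known to be exploited in the wild
    first_seen: date  # date the scanner first reported it


def sla_for(f: Finding) -> int:
    """Look up the SLA; an unknown exposure is treated as internet-facing (fail closed)."""
    exposure = f.exposure if f.exposure in ("internet", "internal") else "internet"
    return SLA_DAYS[(exposure, f.exploited)]


def days_open(f: Finding, today: date) -> int:
    return (today - f.first_seen).days


def overdue(findings, today):
    """Return (asset, cve, days past SLA) for every finding past its window, most overdue first."""
    out = []
    for f in findings:
        excess = days_open(f, today) - sla_for(f)
        if excess > 0:
            out.append((f.asset, f.cve, excess))
    return sorted(out, key=lambda row: row[2], reverse=True)


# Constructed sample inventory (hypothetical assets and placeholder CVE ids).
SAMPLE = [
    Finding("vpn-01", "CVE-0000-0001", "internet", True, date(2025, 6, 20)),
    Finding("web-03", "CVE-0000-0002", "internet", False, date(2025, 6, 10)),
    Finding("db-02", "CVE-0000-0003", "internal", False, date(2025, 6, 5)),
    Finding("hr-app", "CVE-0000-0004", "unknown", False, date(2025, 6, 12)),
]
TODAY = date(2025, 6, 30)

if __name__ == "__main__":
    for asset, cve, excess in overdue(SAMPLE, TODAY):
        print(f"{asset:8} {cve}  {excess} days past SLA")
```

The ordering is the point: the internet-facing appliance with a known-exploited weakness sits at the top even though an internal database has been open longer, and an asset whose exposure nobody has classified is not allowed to drop to the bottom of the list by default.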

Voice phishing is becoming a bigger problem

One of the more notable shifts in the report is the rise of voice phishing, which accounted for 11% of intrusions, making it the second most common initial access method observed by Mandiant in 2025. Traditional email phishing fell to 6%.

This is important because many businesses have spent years building controls around email-based threats. Attackers are now leaning more heavily into techniques that target people directly through phone calls, service desk impersonation, and identity workflows (for example, persuading a service desk to reset a password or enrol a new MFA device). Email filtering and email-focused awareness training never see a phone call, so those methods bypass the controls most organisations have invested in.

For businesses, that means awareness training and verification processes need to evolve. Staff need to be prepared not just for suspicious emails, but for convincing phone-based social engineering as well. Practical controls include calling the requester back on a number held in the staff directory rather than one supplied on the call, and refusing to reset passwords or enrol MFA devices on the strength of an inbound call alone.

The time between access and damage has collapsed

One of the most striking findings in the report is how little time now exists between an initial compromise and a more serious attack phase.

Mandiant found that in 2022, the median time between initial access and hand-off to a secondary threat group was more than eight hours. In 2025, that dropped to just 22 seconds.

That is a significant shift. It means a minor foothold can rapidly become something much worse, including ransomware or data theft, before many teams have time to respond manually.

Some attackers are also staying hidden for longer

While some attacks are moving faster, others are becoming more persistent. Mandiant reports that global median dwell time rose from 11 days to 14 days, and for some cyber espionage and North Korean IT worker cases, median dwell time reached 122 days.

That tells us two things at once. Some attackers are optimised for speed and impact. Others are focused on persistence, stealth, and long-term access.

Detection is improving, but the challenge is still speed

There is some encouraging news in the report. Organisations detected malicious activity internally in 52% of investigations, up from 43% in 2024.

That suggests internal monitoring is improving. But when attackers can move from foothold to hand-off in seconds, detection on its own is not enough. Security teams also need effective triage, clear escalation paths, and the ability to act quickly on lower-level signals before they become larger incidents. In practice that means correlating weak signals (a login from a new location, a new MFA device) with what follows them, and being prepared to contain automatically, for instance by disabling the account or isolating the host, when the combination is high confidence.

Edge infrastructure is under more pressure

Mandiant also highlights that some vulnerabilities in edge infrastructure are being exploited before a patch is available, pointing to systematic zero-day exploitation of edge devices and network appliances.

That is especially relevant for public-facing infrastructure such as firewalls, VPN appliances, and other edge devices. These systems are attractive targets because they sit at the boundary of the network, hold credentials and session data for everything behind them, and may not always receive the same level of monitoring coverage as endpoints or servers. Most appliances cannot run an endpoint agent, so visibility depends on forwarding their logs and watching for unexpected administrative sessions, configuration changes, and new outbound connections. When a patch does not yet exist, that early visibility, together with keeping management interfaces off the internet, is the main control available.

What this means for your business

Cyber resilience now comes down to readiness, speed, and trust. Attackers are moving faster, using quieter methods, and increasingly targeting identity, access, and recovery systems, not just endpoints.

For businesses, that means strengthening the fundamentals: improving visibility, tightening privileged access, and making sure response processes can keep pace.

If you’d like a clearer view of where your risks sit and how prepared your environment is, IT Partners can help you assess your current controls and strengthen your cyber resilience.