How long does it take to know you have been breached — and how different are today’s intruders from the ones defenders chased a year ago? Mandiant’s new M‑Trends 2026 report, built on more than 500,000 hours of frontline incident investigations in 2025, frames a stark answer: adversaries are splitting into two very different playbooks, and that split is reshaping detection, response and risk.
What M‑Trends 2026 measured
The report documents a measurable shift in attacker behavior. Two headline metrics stand out:
- Global median dwell time increased to 14 days, up from 11 days the prior year.
- For categories identified in the report as "the high quantity of cyber espionage and North Korean IT worker incidents," the median dwell time was 122 days.
Mandiant also tracked how intruders gained their initial footholds. Exploits remained the top initial infection vector for the sixth consecutive year, accounting for 32% of intrusions. Separately, the report notes a significant surge in highly interactive voice phishing, which rose to 11% during the period of study.
The divergent adversary pacing Mandiant observed
Mandiant describes a clear split in adversary pacing and objectives. On one end are cyber criminal groups that favor immediate impact and deliberate efforts to deny recovery. On the opposite end are sophisticated cyber espionage groups and insider threats that prioritize extreme persistence. According to the report, these persistent actors leverage unmonitored edge devices and native network functionalities to evade detection and remain inside environments for long periods.
Why these findings matter — perspectives to consider
Technologists
- Longer median dwell times and incidents of extreme persistence increase the window in which adversaries can move, escalate privileges, and harvest data — challenges compounded when unmonitored edge devices and native network features are used to evade controls.
- The persistence of exploits as the most common initial vector (32% of intrusions) underscores the continuing importance of vulnerability management and patching programs, while the rise in interactive voice phishing to 11% highlights a social‑engineering vector that technical controls alone may not address.
Policymakers and enterprise leaders
- Rising median dwell time—from 11 to 14 days globally—and extremely long medians in certain espionage‑related categories (122 days) suggest that detection and response capabilities are under growing strain and that strategic decisions about investments in monitoring and incident response will shape exposure over time.
- Because attackers can either aim for rapid impact or for long concealment, policy and procurement choices must account for both fast, destructive events and slow, stealthy intrusions that exploit network-native functionalities and peripheral devices.
Users and operators
- The growth of highly interactive voice phishing to 11% indicates an attack vector that directly targets people as much as systems; awareness and operational safeguards remain relevant complements to technical defenses.
- Unmonitored edge devices are specifically called out as a tool of persistence; inventory, visibility and segmentation of those devices are practical considerations raised by the findings.
Adversaries
- The report shows adversaries optimizing along two clear axes: speed and denial of recovery, or stealth and persistence. That bifurcation affects defender choices and creates different operational tradeoffs for attackers as well.
Implications and closing thought
M‑Trends 2026 paints a cybersecurity landscape in which defenders must be prepared for both sprint attacks that seek rapid damage and marathon campaigns that aim to hide for months. The data — including a global median dwell time that ticked upward to 14 days and sector‑specific medians that reached 122 days — makes plain that detection windows are widening for many kinds of intrusions, even as certain initial vectors such as exploits remain dominant.
Is it possible to build programs that shrink both the window for a sprinting criminal and the runway for a patient espionage actor? The report’s findings amount to a practical challenge: adapt visibility, prioritize the right controls for the threat model at hand, and treat unmonitored devices and human‑targeted vectors as central pieces of the defense puzzle.
https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/




