Mandiant: Faster attacks and ‘recovery denial’ ransomware reshape threat landscape

Mandiant Report: Cyberattack Tactics Shift Toward Speed, Persistence, and Recovery Denial

Mandiant’s M-Trends 2026 report, released at the RSA Conference, reveals a rapidly evolving cyber threat landscape marked by faster attacks, more sophisticated social engineering, and a focus on undermining recovery capabilities. Based on over 500,000 hours of incident response engagements in 2025, the findings highlight key shifts in attacker behavior and defensive challenges.

Key Trends in Attack Vectors and Tactics
Exploits remain the leading initial infection vector at 32%, but voice phishing has surged to 11%, becoming the second most common entry point. Email phishing, meanwhile, declined to 6% from 14% the prior year, reflecting a broader move toward interactive social engineering. Attackers are increasingly leveraging messaging platforms, social media, and manipulated help desk processes to bypass technical controls.

Ransomware tactics have also evolved. While encryption and data theft persist, operators now prioritize recovery denial: they target backup infrastructure, identity services, and virtualization management planes to cripple an organization’s ability to restore operations. This shift turns ransomware into a "resilience problem," forcing victims to choose between paying and rebuilding from scratch.

Speed vs. Persistence: A Dual Threat
Attack timelines have compressed dramatically. The median time between initial access and handoff to a secondary threat group, often a ransomware operator, collapsed from over 8 hours in 2022 to just 22 seconds in 2025. This specialization within the cybercrime ecosystem has led to a rise in hand-off operations, in which one actor gains access and rapidly transfers it to another.

Yet, median dwell time increased to 14 days (up from 11 days in 2024), driven by espionage operations and North Korean IT worker schemes, where attackers maintained access for a median of 122 days. Incidents detected externally had a median dwell time of 25 days, compared to 9 days for internal detections, underscoring persistent visibility gaps in complex environments.

Identity and SaaS Under Siege
Identity systems have become a central battleground. Attackers exploit SaaS environments, harvesting tokens and credentials to move laterally across organizations and partners. Interactive social engineering such as voice phishing often bypasses multi-factor authentication (MFA), necessitating stricter privilege controls and continuous identity verification.

Defensive Gaps and Recommendations
While internal detection improved (52% of intrusions in 2025, up from 43% the prior year), 34% of incidents were still identified by external notifications, and 14% by the attackers themselves. Visibility remains a critical weakness, with some threats persisting for nearly 400 days due to limited log retention and monitoring of edge devices.

Mandiant’s report emphasizes the need for behavioral detection over static indicators, as attackers increasingly rely on legitimate tools and in-memory malware. Core infrastructure, meaning identity systems, backups, and virtualization platforms, must be treated as Tier-0 assets, isolated and tightly controlled. Alert triage must also adapt, as low-level detections can escalate into full-scale incidents within seconds.
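The triage point above is easier to see in code. The following is an added example, not code from Mandiant, Google Cloud, or the CSO Online article: it contrasts static IOC matching with a small behavioral burst scorer that treats a cluster of low-level, legitimate-tool signals on one host as a sequence, doubles the score when the window touches a Tier-0 asset (identity, backup, hypervisor), and adds a bonus when a second identity acts inside the same window, the shape of an access-broker handoff. The signal names, weights, thresholds, 60-second window, and every event and indicator are assumptions constructed for illustration.

```python
"""Behavioral burst scoring for alert triage (added illustration; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Asset classes the report says to treat as Tier-0.
TIER0_TAGS = frozenset({"identity", "backup", "hypervisor"})

# Low-level signals from legitimate tools; weights are assumed values.
SIGNAL_WEIGHTS = {
    "helpdesk_mfa_reset": 2,   # MFA reset granted after a help-desk call
    "new_remote_tool": 2,      # first install of a remote-management tool
    "credential_access": 3,    # credential store read by a non-standard process
    "tier0_admin_logon": 4,    # interactive admin logon to a Tier-0 asset
    "backup_job_deleted": 5,   # backup job or retention policy removed
    "snapshot_deleted": 5,     # hypervisor snapshot removed
}
SEVERITY_THRESHOLDS = ((10, "critical"), (6, "high"), (3, "medium"))  # assumed


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    signal: str
    asset_tags: frozenset = frozenset()
    indicator: str = ""  # hash or IP carried by the event, if any


def static_match(events, known_bad):
    """Classic IOC matching: fires only if an event carries a listed hash or IP."""
    return any(e.indicator in known_bad for e in events if e.indicator)


def severity_for(score):
    for threshold, label in SEVERITY_THRESHOLDS:
        if score >= threshold:
            return label
    return "low"


def burst_score(events, window=timedelta(seconds=60)):
    """Score the densest window of distinct signals on one host.

    Doubles when any event in the window touches a Tier-0 asset; adds a bonus
    when more than one identity acts in the window (handoff pattern).
    """
    evs = sorted(events, key=lambda e: e.ts)
    best = {"score": 0, "severity": "low", "signals": (), "tier0": False, "handoff": False}
    for i, first in enumerate(evs):
        bucket = [e for e in evs[i:] if e.ts - first.ts <= window]
        signals = tuple(sorted({e.signal for e in bucket}))
        score = sum(SIGNAL_WEIGHTS.get(s, 1) for s in signals)
        tier0 = any(e.asset_tags & TIER0_TAGS for e in bucket)
        handoff = len({e.user for e in bucket}) > 1
        if tier0:
            score *= 2
        if handoff:
            score += 3
        if score > best["score"]:
            best = {"score": score, "severity": severity_for(score),
                    "signals": signals, "tier0": tier0, "handoff": handoff}
    return best


def triage(events):
    """Group events by host and return each host's burst score, worst first."""
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    results = {h: burst_score(evs) for h, evs in by_host.items()}
    return dict(sorted(results.items(), key=lambda kv: -kv[1]["score"]))


T0 = datetime(2025, 6, 3, 10, 0, 0)

# Constructed intrusion: vishing-driven MFA reset, remote tool, then a second
# identity takes over and reaches the backup server within 25 seconds.
INCIDENT_EVENTS = [
    Event(T0, "ws-finance-07", "alice", "helpdesk_mfa_reset"),
    Event(T0 + timedelta(seconds=9), "ws-finance-07", "alice", "new_remote_tool"),
    Event(T0 + timedelta(seconds=15), "ws-finance-07", "svc-remote", "credential_access"),
    Event(T0 + timedelta(seconds=22), "ws-finance-07", "svc-remote", "tier0_admin_logon",
          frozenset({"backup"})),
    Event(T0 + timedelta(seconds=25), "ws-finance-07", "svc-remote", "backup_job_deleted",
          frozenset({"backup"})),
]

# Constructed benign activity: the same low-level signals, spread out, one user.
BENIGN_EVENTS = [
    Event(T0 - timedelta(hours=1), "ws-hr-02", "bob", "new_remote_tool"),
    Event(T0 - timedelta(minutes=15), "ws-hr-02", "bob", "helpdesk_mfa_reset"),
]

# Constructed IOC list (documentation-range IP, dummy hash); nothing above matches it.
KNOWN_BAD = {"203.0.113.9", "sha256:" + "0" * 64}

if __name__ == "__main__":
    print("static IOC hit:", static_match(INCIDENT_EVENTS + BENIGN_EVENTS, KNOWN_BAD))
    for host, result in triage(INCIDENT_EVENTS + BENIGN_EVENTS).items():
        print(host, result)
```

Run as-is: the IOC check never fires, because no event in either host's timeline carries a known hash or IP, while the burst scorer rates the finance workstation critical (five distinct signals, Tier-0 touch, two identities inside one window) and the HR workstation low, even though both hosts saw the same kind of low-level events. The weights and thresholds are placeholders; what matters is that score is a property of the window, not of any single alert.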

AI’s Role: Accelerating, Not Revolutionizing
Artificial intelligence is enhancing early-stage attacks, improving phishing, reconnaissance, and evasion, but it is not yet a primary driver of successful breaches. The report notes that fundamental human and systemic failures remain the root cause of most intrusions.

The findings underscore a threat landscape where speed, collaboration, and recovery denial define modern cybercrime, while nation-state actors prioritize long-term persistence. Defenders must balance rapid response with improved visibility to counter these evolving tactics.

Source: https://www.csoonline.com/article/4148705/faster-attacks-and-recovery-denial-ransomware-reshape-threat-landscape.html

Mandiant (part of Google Cloud) cybersecurity rating report: https://www.rankiteo.com/company/mandiant

"id": "MAN1774283026",
"linkid": "mandiant",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'attack_vector': ['exploits',
                   'voice phishing',
                   'email phishing',
                   'messaging platforms',
                   'social media',
                   'manipulated help desk processes'],
 'data_breach': {'data_encryption': 'yes (in ransomware cases)',
                 'data_exfiltration': 'yes',
                 'personally_identifiable_information': 'yes',
                 'type_of_data_compromised': ['tokens',
                                              'credentials',
                                              'personally identifiable '
                                              'information']},
 'date_publicly_disclosed': '2026',
 'description': 'Mandiant’s M-Trends 2026 report reveals a rapidly evolving '
                'cyber threat landscape marked by faster attacks, more '
                'sophisticated social engineering, and a focus on undermining '
                'recovery capabilities. Based on over 500,000 hours of '
                'incident response engagements in 2025, the findings highlight '
                'key shifts in attacker behavior and defensive challenges.',
 'impact': {'operational_impact': 'crippled ability to restore operations',
            'systems_affected': ['backup infrastructure',
                                 'identity services',
                                 'virtualization management planes',
                                 'SaaS environments']},
 'lessons_learned': 'Attackers are prioritizing speed, persistence, and '
                    'recovery denial. Visibility gaps in complex environments '
                    'remain a critical weakness. Identity systems and SaaS '
                    'environments are under siege, requiring stricter '
                    'privilege controls and continuous identity verification.',
 'motivation': ['financial gain', 'espionage', 'data theft', 'recovery denial'],
 'post_incident_analysis': {'corrective_actions': ['Improve internal detection '
                                                   'capabilities',
                                                   'Enhance monitoring of edge '
                                                   'devices',
                                                   'Isolate and tightly '
                                                   'control Tier-0 assets'],
                            'root_causes': ['fundamental human and systemic '
                                            'failures',
                                            'limited log retention',
                                            'visibility gaps in complex '
                                            'environments']},
 'ransomware': {'data_encryption': 'yes', 'data_exfiltration': 'yes'},
 'recommendations': ['Implement behavioral detection over static indicators',
                     'Treat core infrastructure identity systems, backups, and '
                     'virtualization platforms as Tier-0 assets and isolate '
                     'them',
                     'Enhance alert triage to address low-level detections '
                     'that can escalate rapidly',
                     'Improve log retention and monitoring of edge devices',
                     'Adopt stricter privilege controls and continuous '
                     'identity verification'],
 'references': [{'source': 'Mandiant M-Trends 2026 Report'}],
 'response': {'enhanced_monitoring': 'recommended for behavioral detection',
              'network_segmentation': 'recommended for Tier-0 assets'},
 'threat_actor': ['ransomware operators',
                  'nation-state actors',
                  'North Korean IT workers',
                  'cybercrime ecosystem actors'],
 'title': 'Mandiant Report: Cyberattack Tactics Shift Toward Speed, '
          'Persistence, and Recovery Denial',
 'type': ['ransomware', 'espionage', 'social engineering']}