Adversary Tactics Diverge as Dwell Time Hits 14 Days, Mandiant Report Warns
Breaking: Mandiant's M-Trends 2026 Report Uncovers Critical Shifts in Cyber Threat Landscape
Global median dwell time has risen to 14 days, up from 11 days in the previous year, according to the newly released M-Trends 2026 report. The increase signals growing adversary sophistication, particularly in evading detection. For cyber espionage and North Korean IT worker incidents, median dwell time soared to 122 days.

“This year's data highlights a clear divergence in adversary strategies,” said John Hultquist, Chief Analyst at Mandiant, part of Google Cloud. “Criminal groups are optimizing for speed and impact, while espionage actors prioritize extreme persistence, often leveraging unmonitored edge devices.”
Background
M-Trends is Mandiant's annual report based on frontline incident investigations. This edition draws from over 500,000 hours of global response work in 2025. The report provides a definitive look at the tactics, techniques, and procedures (TTPs) actively used in breaches today.
Mandiant has observed adversaries splitting into two distinct camps: one optimized for immediate impact and deliberate recovery denial, and the other for extreme persistence using native network functionalities and unmonitored edge devices.
By the Numbers: Key Findings from M-Trends 2026
- Global Median Dwell Time: 14 days (up from 11). For cyber espionage and North Korean IT worker incidents: 122 days.
- Initial Infection Vectors: Exploits remained the most common vector for the sixth consecutive year (32% of intrusions). Highly interactive voice phishing surged to 11%, becoming the second-most observed vector.
- Detection by Source: Organizations improved internal visibility – 52% of detections were internal, up from 43% in 2024.
- Targeted Industries: The high-tech sector (17%) overtook financial (14.6%) as the most targeted industry, ending the financial sector's two-year run as the top target.
“The collapse of the traditional hand-off window is a critical trend,” said Sandra Joyce, VP of Global Intelligence at Mandiant. “Criminal initial access brokers now use low-impact techniques like malicious ads or ClickFix to gain footholds, then quickly pass access to specialized groups for large-scale ransomware operations.”

What This Means
Defenders must now prepare for two fundamentally different adversary behaviors. Against criminal groups, rapid detection and response are critical to prevent encryption and extortion. Against espionage actors, long-term visibility into edge devices and native tools is required to uncover persistent threats.
The report also underscores the growing role of voice phishing and exploit-based attacks. Organizations should invest in voice security training and patch management while maintaining robust internal monitoring.
“The data confirms that the threat landscape is not just evolving—it's bifurcating,” added Hultquist. “Security teams need to adopt a dual-speed defense strategy to cover both criminal and espionage threats effectively.”
Full details are available in the M-Trends 2026 report, which provides actionable insights for security leaders worldwide.