Adversary Tactics Diverge as Dwell Time Hits 14 Days, Mandiant Report Warns

<article> <h2 id="breaking">Breaking: Mandiant's M-Trends 2026 Report Uncovers Critical Shifts in Cyber Threat Landscape</h2> <p>Global median dwell time has risen to 14 days, up from 11 days in the previous year, according to the newly released <strong>M-Trends 2026</strong> report. The increase signals growing adversary sophistication, particularly in evading detection. For cyber espionage and North Korean IT worker incidents, median dwell time soared to 122 days.</p><figure style="margin:20px 0"><img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BA.max-2600x2600.png" alt="Adversary Tactics Diverge as Dwell Time Hits 14 Days, Mandiant Report Warns" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.mandiant.com</figcaption></figure> <p>“This year's data highlights a clear divergence in adversary strategies,” said <em>John Hultquist</em>, Chief Analyst at Mandiant, part of Google Cloud. “Criminal groups are optimizing for speed and impact, while espionage actors prioritize extreme persistence, often leveraging unmonitored edge devices.”</p> <h3 id="background">Background</h3> <p>M-Trends is Mandiant's annual report based on frontline incident investigations. This edition draws from over 500,000 hours of global response work in 2025. The report provides a definitive look at the tactics, techniques, and procedures (TTPs) actively used in breaches today.</p> <p>Mandiant has observed adversaries splitting into two distinct camps: one optimized for immediate impact and deliberate recovery denial, and the other for extreme persistence using native network functionalities and unmonitored edge devices.</p> <h3 id="key-findings">By the Numbers: Key Findings from M-Trends 2026</h3> <ul> <li><strong>Global Median Dwell Time:</strong> 14 days (up from 11). 
For cyber espionage and North Korean IT worker incidents: 122 days.</li> <li><strong>Initial Infection Vectors:</strong> Exploits remained the most common vector for the sixth consecutive year (32% of intrusions). Highly interactive voice phishing surged to 11%, becoming the second-most observed vector.</li> <li><strong>Detection by Source:</strong> Organizations improved internal visibility – 52% of detections were internal, up from 43% in 2024.</li> <li><strong>Targeted Industries:</strong> The high-tech sector (17%) overtook the financial sector (14.6%) as the most targeted, ending the financial sector's two-year run as the top target.</li> </ul> <p>“The collapse of the traditional hand-off window is a critical trend,” said <em>Sandra Joyce</em>, VP of Global Intelligence at Mandiant. “Criminal initial access brokers now use low-impact techniques like malicious ads or ClickFix to gain footholds, then quickly pass access to specialized groups for large-scale ransomware operations.”</p><figure style="margin:20px 0"><img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/MT26_Email-Hero-Image_1820x1362.max-600x600.png" alt="Adversary Tactics Diverge as Dwell Time Hits 14 Days, Mandiant Report Warns" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.mandiant.com</figcaption></figure> <h3 id="what-this-means">What This Means</h3> <p>Defenders must now prepare for two fundamentally different adversary behaviors. Against criminal groups, rapid detection and response are critical to prevent encryption and extortion. Against espionage actors, long-term visibility into edge devices and native tools is required to uncover persistent threats.</p> <p>The report also underscores the growing role of <a href="#key-findings">voice phishing</a> and <a href="#background">exploit-based attacks</a>. 
Organizations should invest in voice security training and patch management while maintaining robust internal monitoring.</p> <p>“The data confirms that the threat landscape is not just evolving—it's bifurcating,” added Hultquist. “Security teams need to adopt a dual-speed defense strategy to cover both criminal and espionage threats effectively.”</p> <p>Full details are available in the <strong>M-Trends 2026</strong> report, which provides actionable insights for security leaders worldwide.</p> </article>