M-Trends 2026: Data, Insights, and Strategies From the Frontlines

Mandiant's 2025 incident investigations reveal that attackers are becoming more sophisticated and specialized, with two distinct strategies: criminal groups focusing on quick impact and recovery denial, while espionage groups prioritize staying hidden for months using edge devices and native network tools. Key findings show that the time between initial network access and handoff to secondary attackers collapsed from over 8 hours in 2022 to just 22 seconds in 2025, and attackers have shifted from email phishing (6% of intrusions) to voice phishing (11%), suggesting that adversaries are adapting faster than traditional security controls can detect them.