TL;DR
- Attackers now transfer access between different threat groups in under 30 seconds
- Global median dwell time climbed to 14 days — attackers are staying hidden longer
- Exploits are the #1 infection vector (32%), targeting internet-facing servers
- Ransomware operators now deliberately attack backup infrastructure to prevent recovery
- 52% of organizations detected breaches internally in 2025, up from 43%
The Speed Collapse: 22 Seconds to Total Compromise
Mandiant's M-Trends 2026 report reveals a terrifying reality: cyberattackers have industrialized their operations to the point where they can hand off access between different threat groups in under 30 seconds [1]. This isn't about faster malware — it's about attackers coordinating like legitimate businesses, with specialists handling initial access, escalation, data theft, and ransomware deployment as a synchronized operation.
Free Resource
Get Our Weekly Cybersecurity Digest
Every Thursday: the threats that matter, what they mean for your business, and exactly what to do. Trusted by SMB owners across Australia.
No spam. No tracking. Unsubscribe anytime. Privacy
Get the Free Cybersecurity Checklist
A practical, no-jargon security checklist for Australian businesses. Download free — no spam, unsubscribe anytime.
Send Me the Checklist →For SMBs, this means the traditional "detect and respond" model is broken. By the time your security team investigates an alert, attackers have already moved through multiple stages of their attack chain. The report documents cases where initial access brokers compromise a network, hand off to ransomware operators, and exfiltration specialists — all within minutes [1].
Why this matters: The window between initial compromise and operational disruption has collapsed. Organizations that rely on manual investigation workflows are now operating at a speed disadvantage that cannot be fixed with more analysts.
Related: AI-Powered Cyberattacks Nearly Doubled in 2025: Here's How SMBs Can Fight Back
Dwell Time is Rising: The Hidden Threat
While attack speed has accelerated, something counterintuitive is happening: attackers are staying hidden longer. Global median dwell time climbed to 14 days in 2025, up from 11 days in 2024 [1]. This increase is driven by:
- Long-term espionage operations by state-sponsored actors
- DPRK-linked IT worker schemes where attackers maintain persistent access for months
- Quiet compromise of legitimate credentials and tools to avoid detection
Longer dwell time means more expensive remediation. Every day an attacker remains undetected increases the complexity of removing them, as they embed themselves in legitimate systems, create backdoors, and establish redundant access paths [1].
The business impact: A 14-day undetected presence gives attackers time to:
- Map your entire network infrastructure
- Exfiltrate sensitive data slowly to avoid detection
- Identify and compromise backup systems
- Establish persistent access that survives basic remediation
The New Ransomware Playbook: Attack Recovery, Not Just Data
Ransomware tactics have evolved dramatically. Operators are no longer focused primarily on data theft for extortion. Instead, they are deliberately targeting recovery infrastructure [1]. This means:
- Attacking backup servers directly to delete or encrypt backups
- Compromising identity services like Active Directory to prevent account recovery
- Targeting virtualization management (VMware vCenter, Hyper-V) to clone and control VMs
- Disabling recovery tools before deploying ransomware
Mandiant documented incidents where threat clusters cloned virtual machines containing single sign-on (SSO) identity providers, secret vaults, and domain controllers. By accessing these powered-off clones, attackers could extract credentials and secrets without triggering security alerts on live systems [1].
The business reality: This shift means ransomware payments are more likely because organizations literally cannot recover. When backups are destroyed and identity systems are compromised, the choice isn't about data protection — it's about business survival.
Related: Ransomware Prevention: A Complete Guide for SMBs
The Infection Vector Breakdown: What's Actually Working
Exploits remain the leading initial infection vector, accounting for 32% of attacks in 2025 [1]. But the breakdown reveals important nuances:
- Exploits: 32% — primarily zero-days affecting internet-facing web application servers
- Voice phishing: 11% — interactive attacks where live operators steer targets in real-time
- Prior compromise: 10% — attackers returning through previously established access
- Stolen credentials: 9% — legitimate credentials bought or stolen on the dark web
- Web compromise: 8% — supply chain attacks and website hijacking
- Insider threat: 6% — malicious or negligent employees
- Email phishing: 6% — traditional mass email campaigns (declining significantly)
- Third-party compromise: 5% — attacks through vendors and partners
The critical insight: Email phishing is no longer a top-observed intrusion vector. Attackers have shifted toward more sophisticated, interactive methods like voice phishing and exploitation of vulnerabilities in public-facing applications [1].
For SMBs, this means investing heavily in email security is addressing yesterday's threat. The real vulnerabilities are:
- Unpatched web-facing applications (SharePoint, SAP, Oracle E-Business Suite)
- Phone-based social engineering (voice phishing)
- Third-party vendor access
- Poor credential hygiene
Industry Breakdown: Who's Being Targeted
The M-Trends 2026 data reveals which industries faced the most investigations [1]:
- High tech: 17% — software and technology companies
- Financial services: 14.6% — banks, insurance, investment firms
- Business and professional services: 13.3% — consulting, legal, accounting
- Healthcare: 11.9% — hospitals, clinics, medical providers
- Retail and hospitality: 7.3% — e-commerce, restaurants, hotels
- Government: 5.8% — federal, state, and local agencies
- Education: 4.6% — schools and universities
- Telecommunications: 4.6% — ISPs and telecom providers
What's missing: Manufacturing, construction, transportation, and other "traditional" industries still face significant risk, but they may be underrepresented because they lack incident response capabilities or don't report breaches publicly.
The lesson for SMBs: industry doesn't protect you. While high-tech and financial services face more attacks, every sector with valuable data or operational technology is a target.
ISO 27001 SMB Starter Pack — $97
Everything you need to start your ISO 27001 journey: gap assessment templates, policy frameworks, and implementation roadmap built for Australian SMBs.
Get the Starter Pack →The Detection Gap: 52% Internal Detection is Progress, But Not Enough
Here's a rare positive finding: 52% of organizations detected breaches internally in 2025, up from 43% in 2024 [1]. External notifications (from law enforcement, CERTs, or cybersecurity companies) dropped from 43% to 34%.
This improvement suggests organizations are getting better at detecting malicious activity themselves. But it also means:
- 48% of organizations still rely on outsiders to tell them they've been breached
- 14% of breaches are discovered only when attackers send ransom notes
- Internal detection doesn't mean fast detection — dwell times are still increasing
The SMB challenge: Smaller organizations rarely have 24/7 security monitoring or dedicated incident response teams. This makes internal detection difficult, often relying on lucky discoveries or obvious symptoms like ransomware messages.
Malware Diversity: 714 New Families in 2025
The threat ecosystem is becoming more diverse. Mandiant tracked 714 new malware families in 2025, up from 632 in 2024, bringing the total to over 6,000 families [1]. Key findings:
- 72% of new malware targets Windows — consistent with previous years
- 12% targets Linux exclusively — stable from 2024
- Backdoors remain the most common category at 36% of observed malware
- Ransomware declined to 10% of observed malware, down from 14% in 2024
- Credential stealers increased to 9% — reflecting the focus on identity attacks
What this means: Signature-based detection is increasingly ineffective. With over 6,000 malware families and hundreds added yearly, defenders cannot rely on known-bad lists. Behavioral detection and anomaly monitoring are now essential.
Related: Identity Attacks Surge: 67% of SMBs Are Unprepared — Here's How to Defend
How SMBs Can Build Resilience Against Industrialized Attacks
The M-Trends 2026 report makes it clear: speed is now the primary defense. Here's how SMBs can respond without enterprise budgets:
1. Prioritize Detection Speed Over Tool Count
- Treat every security alert as a potential indicator of deeper intrusion
- Establish clear escalation paths: who investigates, how fast, and what authority they have
- Consider managed detection and response (MDR) services for 24/7 monitoring
- Reduce alert noise by tuning detection rules and focusing on high-fidelity signals
2. Protect Recovery Infrastructure
- Isolate backups from corporate networks — air-gap critical backups or use immutable storage
- Secure virtualization management — treat VMware vCenter and Hyper-V as Tier-0 assets
- Implement identity protection — enforce MFA, least privilege, and continuous authentication
- Test restoration regularly — verify that backups actually work before you need them
3. Patch What Matters Most
- Internet-facing applications are the #1 entry point — prioritize patching SharePoint, SAP, Oracle, and web servers
- Focus on zero-day vulnerabilities in widely used enterprise platforms
- Establish a patch SLA for critical infrastructure: 48-72 hours maximum
- Monitor vendor security advisories for CVEs in your software stack
4. Harden Identity and Access
- Eliminate shared accounts — every user needs unique credentials
- Enforce MFA everywhere — especially for remote access and admin accounts
- Implement just-in-time access — grant permissions only when needed
- Monitor for unusual activity — impossible travel, anomalous logins, bulk data access
5. Prepare for Faster Incident Response
- Develop and test an incident response plan — tabletop exercises quarterly
- Establish relationships with incident response providers before you need them
- Document your critical systems and recovery priorities
- Consider cyberinsurance to transfer residual risk
The Reality Check: You Can't Out-Spend Attackers, But You Can Out-Smart Them
Mandiant's message is clear: the threat landscape has shifted toward faster, coordinated, and industrialized attacks [1]. Defenders adding more tools to monitor the same telemetry won't close the speed gap.
What works:
- Focus on the attack pathways that actually succeed — exploits, voice phishing, credential theft
- Prioritize what attackers are targeting — backups, identity, virtualization
- Detect and respond faster — treat every alert as a potential early warning
- Assume compromise — design security around detection, not prevention
The organizations that will thrive in this new threat landscape aren't those with the biggest security budgets — they're the ones that accept that attacks are inevitable, downtime is optional, and resilience is about recovery speed, not perfect prevention [2].
FAQ
Mandiant's M-Trends 2026 report documents attackers transferring access between different threat groups in under 30 seconds [1]. This handoff allows initial access brokers, ransomware operators, and data exfiltration specialists to coordinate attacks like legitimate business operations, dramatically compressing the window for defenders to detect and respond.
Global median dwell time climbed to 14 days in 2025, up from 11 days in 2024 [1]. This increase is driven by long-term espionage operations and DPRK-linked IT worker schemes. Longer dwell time means more expensive remediation and gives attackers more time to embed themselves in systems, steal data, and compromise recovery infrastructure.
Exploits are the #1 infection vector at 32%, primarily zero-days affecting internet-facing web application servers [1]. Voice phishing accounts for 11%, prior compromise 10%, stolen credentials 9%, web compromise 8%, insider threat 6%, and email phishing only 6%. Notably, email phishing is no longer a top-observed intrusion vector.
Ransomware operators have shifted from data theft to attacking recovery infrastructure [1]. They deliberately target backup servers, identity services (Active Directory), and virtualization management platforms (VMware vCenter, Hyper-V) to prevent organizations from recovering. This increases pressure to pay because organizations literally cannot restore operations even if they have backups.
52% of organizations detected breaches internally in 2025, up from 43% in 2024 [1]. While this is progress, it means 48% still rely on external notifications from law enforcement, CERTs, or cybersecurity companies, and 14% only discover breaches when attackers send ransom notes.
References
[1] Mandiant Google Cloud, "M-Trends 2026: A Report on Threat Landscape and Tactics," Mandiant, March 2026. [Online]. Available: https://cloud.google.com/security/resources/m-trends
[2] C. Wyatt, "2026 Resilience Risk Index," Absolute Security, March 2026. [Online]. Available: https://www.absolute.com
[3] Kaspersky Security Services, "Anatomy of a Cyber World Global Report 2026," Kaspersky Securelist, March 2026. [Online]. Available: https://securelist.com/global-report-security-services-2026/119233/
[4] PwC, "Annual Threat Dynamics 2026," PwC, March 2026. [Online]. Available: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/annual-threat-dynamics.html
[5] Cybersecurity Insiders, "2026 Cybersecurity Excellence Awards Winners Announced during RSA Conference," Cybersecurity Insiders, March 2026. [Online]. Available: https://cybersecurity-excellence-awards.com/
[6] Industrial Cyber, "M-Trends 2026 reveals threat landscape shaped by faster, coordinated, and industrialized cyberattacks," Industrial Cyber, March 2026. [Online]. Available: https://industrialcyber.co/reports/m-trends-2026-reveals-threat-landscape-shaped-by-faster-coordinated-and-industrialized-cyberattacks/
[7] Infosecurity Magazine, "Enterprise Cybersecurity Software Fails 20% of the Time, Warns Absolute Security," Infosecurity Magazine, March 2026. [Online]. Available: https://www.infosecurity-magazine.com/news/cybersecurity-software-failure-20/
[8] N-able, "State of the SOC Report 2026," N-able, March 2026. [Online]. Available: https://www.n-able.com/resources/state-of-the-soc-report-2026
Your business doesn't need a enterprise security budget to build resilience. You need smart prioritization, fast detection, and a recovery plan that actually works. At lil.business, we help SMBs implement practical cybersecurity that protects what you've built. Get a free consultation and close your resilience gap.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →TL;DR
- Hackers can now take over systems in under 30 seconds — faster than you can send an email
- They stay hidden for 14 days on average before you notice anything
- They don't just steal data anymore — they break your backup systems so you can't recover
- 52% of businesses found hackers themselves in 2025, but 48% needed someone else to tell them
The Relay Race: How Hackers Work Together
Imagine a relay race where runners pass a baton. Hackers now do the same thing, but super fast. One hacker breaks in, then within 30 seconds, they pass access to another hacker who specializes in stealing data. Then they pass it to a third hacker who locks your files and demands money [1].
This is like a professional sports team, but for breaking into computers. Each hacker is an expert at one thing:
- The scout: Finds weak spots in your computer systems
- The thief: Steals your important files and customer information
- The locksmith: Locks your files and demands payment to unlock them
The problem: They're so fast that by the time you notice something's wrong, they've already finished their whole plan.
The Ninja Problem: Hiding for Two Weeks
Here's something scary: hackers usually stay hidden in your systems for 14 days before you catch them [1]. That's two full weeks!
Think of it this way: An intruder breaks into your house, lives there for two weeks, watches everything you do, learns your passwords, and steals your stuff — and you don't even know they're there.
During those 14 days, hackers can:
- Learn exactly how your business works
- Find your most important information
- Discover where you keep your backup files
- Copy your keys so they can come back anytime
The New Trick: Breaking Your Spare Key
Here's the new scary thing hackers are doing: They're not just stealing your files anymore. They're breaking your backup systems [1].
Imagine this: You keep a spare key to your house hidden in a fake rock outside. Hackers used to just steal your stuff. Now they're finding that fake rock, taking the spare key, and throwing it away.
In computer terms, this means:
- They find your backup files and delete them
- They break the systems that help you recover your data
- They attack the programs that manage your computer network
Why this matters: If your backups are broken too, you have no choice but to pay the hackers to get your files back.
How They're Getting In: The Open Window
Hackers have favorite ways to break in, just like burglars check for unlocked windows. Here are the most common ways hackers got into businesses in 2025 [1]:
- Finding cracks in your website (32%) — Like finding an unlocked window
- Calling and tricking people (11%) — Pretending to be tech support on the phone
- Using stolen passwords (9%) — Passwords they bought or stole from other places
- Breaking through your business partners (5%) — Hacking your vendors to get to you
What's surprising: Fake emails (phishing) aren't working as well anymore. Only 6% of hacks came from fake emails in 2025. Hackers have moved to smarter tricks like voice phishing — where a real person calls you and tricks you into giving them access [1].
Who's Getting Attacked? It's Not Just Big Companies
You might think only huge companies get hacked. But Mandiant's report shows attacks across all types of businesses [1]:
- Tech companies: 17% of attacks
- Banks and financial companies: 15% of attacks
- Professional services (lawyers, accountants): 13% of attacks
- Hospitals and doctors: 12% of attacks
- Stores and restaurants: 7% of attacks
The important part: If your business has valuable information or money, hackers are interested. Size doesn't protect you anymore.
Some Good News: We're Getting Better at Catching Them
Here's some positive news: 52% of businesses caught hackers themselves in 2025, up from 43% in 2024 [1]. That means more businesses are finding hackers on their own, instead of waiting for police or security companies to tell them.
But there's still a problem:
- 48% of businesses still needed outsiders to tell them they were hacked
- 14% only found out when hackers sent a ransom note saying "Pay us or your files are gone"
The lesson: More businesses are watching for hackers, but almost half still don't know they've been attacked until it's too late.
The Speed Problem: Why Traditional Security Doesn't Work
Here's why old-fashioned security doesn't work anymore: Hackers are faster than your security team.
Imagine you're playing a game of tag, but the other person can run 100 times faster than you. That's what's happening in cybersecurity right now. By the time your security team looks at an alert and says "that looks suspicious," the hackers have already:
- Broken in
- Stolen your data
- Broken your backups
- Moved on to the next victim
The new approach: Instead of trying to build walls that hackers can't climb over, smart businesses focus on:
- Detecting hackers fast — within minutes, not days
- Having good backups that hackers can't break
- Practicing recovery so you can get back to work quickly
What Your Business Can Do: Simple Steps That Work
You don't need a million-dollar security budget. Here are practical steps that actually help:
1. Protect Your Backups (The Most Important Thing)
Think of backups like your spare key. Keep them safe:
- Keep backups separate from your main computer network
- Test your backups regularly — make sure they actually work
- Keep multiple copies — one nearby for quick recovery, one far away for safety
Simple analogy: Don't hide your spare key in the same fake rock as your front door key. Keep it somewhere completely different.
2. Fix the Holes Hackers Use Most
Remember: 32% of attacks come from unpatched software [1]. That means hackers are getting in through known cracks in your systems.
What to do:
- Update your website software and servers regularly
- Prioritize updates for systems that face the internet
- Set a schedule: check for updates every week, not every year
Simple analogy: Lock your windows and doors before you leave the house, not after you've been robbed.
3. Protect Your Passwords
9% of attacks use stolen passwords [1]. But here's the thing: once hackers have a password, they don't just use it once. They try it everywhere:
- Your email
- Your bank accounts
- Your business software
- Your cloud storage
What to do:
- Use different passwords for every account
- Turn on two-factor authentication (2FA) everywhere possible
- Use a password manager so you don't have to remember everything
Simple analogy: Don't use the same key for your house, your car, your office, and your safety deposit box.
4. Watch for the Phone Trick
Remember: 11% of attacks come from voice phishing [1]. This is when someone calls you pretending to be tech support, your bank, or another trusted source.
How it works:
- Caller: "Hi, this is Microsoft support. We detected a virus on your computer. Can you download this program so we can fix it?"
- You download the program
- You just installed the virus yourself.
What to do:
- Hang up and call back through the official phone number
- Never download software someone on the phone tells you to
- Real tech support won't call you — you have to call them
5. Have a Plan Before You Need One
Here's a scary statistic: 14% of businesses only discover they've been hacked when the hackers send a ransom note [1].
That's like discovering your house is on fire only when the roof collapses.
What to do:
- Write down what you'll do if you get hacked
- Know who to call (your IT person, a security company, your lawyer)
- Practice your response — just like a fire drill
- Keep important phone numbers written down (not just on your computer)
The Reality: You Can't Be Perfect, But You Can Be Prepared
Here's the most important thing to understand: You cannot stop every hacker. Even the biggest companies with the biggest security budgets get hacked.
But here's what you CAN do:
- Detect them fast — within hours instead of weeks
- Have good backups so you can recover without paying
- Have a plan so you know what to do when it happens
Think of it like car accidents. You can't prevent every accident, but you wear a seatbelt, you buy insurance, and you drive carefully. Cybersecurity is the same: you can't stop every attack, but you can protect your business so you survive when (not if) something happens.
The New Mindset: Resilience Over Perfection
The old way of thinking about cybersecurity was: "Build a wall that's so high no one can climb over."
The new way of thinking is: "Build a system that can recover quickly when someone gets through."
This means:
- Accept that attacks will happen
- Focus on detecting them fast
- Have reliable backups
- Practice recovery regularly
- Learn from each incident
This is called cyber resilience, and it's what separates businesses that survive attacks from businesses that go under.
FAQ
According to Mandiant's 2026 report, hackers can now pass access between different hacking groups in under 30 seconds [1]. One hacker breaks in, then immediately hands control to specialists who steal data or deploy ransomware. This is so fast that traditional security teams often can't react in time.
Hackers realized that if you have good backups, you won't pay their ransom. So now they attack your backup systems first [1]. They delete or encrypt your backups, then demand payment to restore your files. This forces more businesses to pay because they literally cannot recover otherwise.
Voice phishing is when a real person calls you pretending to be someone trustworthy (like tech support or your bank) and tricks you into giving them access [1]. It works better than fake emails because there's a real person steering the conversation, answering your questions, and building trust before stealing from you.
52% of businesses detected breaches internally in 2025, which is up from 43% in 2024 [1]. This is good news — more businesses are finding hackers on their own. But it still means 48% rely on outsiders to tell them they've been hacked, and 14% only find out when hackers send ransom notes.
References
[1] Mandiant Google Cloud, "M-Trends 2026: A Report on Threat Landscape and Tactics," Mandiant, March 2026. [Online]. Available: https://cloud.google.com/security/resources/m-trends
[2] Industrial Cyber, "M-Trends 2026 reveals threat landscape shaped by faster, coordinated, and industrialized cyberattacks," Industrial Cyber, March 2026. [Online]. Available: https://industrialcyber.co/reports/m-trends-2026-reveals-threat-landscape-shaped-by-faster-coordinated-and-industrialized-cyberattacks/
[3] Infosecurity Magazine, "Enterprise Cybersecurity Software Fails 20% of the Time, Warns Absolute Security," Infosecurity Magazine, March 2026. [Online]. Available: https://www.infosecurity-magazine.com/news/cybersecurity-software-failure-20/
[4] Kaspersky Security Services, "Anatomy of a Cyber World Global Report 2026," Kaspersky Securelist, March 2026. [Online]. Available: https://securelist.com/global-report-security-services-2026/119233/
[5] PwC, "Annual Threat Dynamics 2026," PwC, March 2026. [Online]. Available: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/annual-threat-dynamics.html
[6] Cybersecurity Insiders, "2026 Cybersecurity Excellence Awards Winners Announced during RSA Conference," Cybersecurity Insiders, March 2026. [Online]. Available: https://cybersecurity-excellence-awards.com/
[7] N-able, "State of the SOC Report 2026," N-able, March 2026. [Online]. Available: https://www.n-able.com/resources/state-of-the-soc-report-2026
[8] Absolute Security, "2026 Resilience Risk Index," Absolute Security, March 2026. [Online]. Available: https://www.absolute.com
Cybersecurity doesn't have to be complicated or expensive. At lil.business, we help small businesses implement practical security that works. Get a free consultation and protect what you've built.
lilMONSTER Newsletter
Weekly cybersecurity insights, practical tips, no spam. Unsubscribe anytime.