www.securityweek.com 3/23/2026, 3:10:54 PM · via preferred

M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 Seconds


According to Google, the M-Trends 2026 report is based on information from its Threat Intelligence Group and more than 500,000 hours of Mandiant incident investigations conducted in 2025. One of the standout findings is that the time from initial access to handoff to a secondary threat group dropped from hours to 22 seconds in 2025, continuing a downward trend since 2022, when the median was over eight hours.

Mandiant researchers say this suggests closer collaboration between initial access partners and secondary groups, and note that in many cases the short window results from automated processes in which initial access brokers deliver malware on behalf of secondary groups. The most common initial infection vector was exploits (32%), followed by phishing (11%), prior compromise (10%), and stolen credentials (9%). Email phishing stood at 6%, continuing its decline.

The three most exploited vulnerabilities were SAP NetWeaver CVE-2025-31324, Oracle EBS CVE-2025-61882, and SharePoint CVE-2025-53770 (ToolShell). Breaches were detected internally in 52% of cases, and in 34% of cases the intrusion was learned of from an external entity. The median dwell time in 2025 was 14 days. North Korean IT workers and other actors are noted as contributing to undetected incidents.


Article by CyberSIXT
