M-Trends 2026: Data, Insights, and Strategies From the Frontlines

Every year, the cyber threat landscape forces defenders to adapt to evolving adversary tactics, techniques, and procedures (TTPs). In 2025, Mandiant observed a clear divergence in adversary pacing that closely aligns with the trends we have been documenting for defenders over the past year. On one end of the spectrum, cyber criminal groups optimized for immediate impact and deliberate recovery denial. On the other end, sophisticated cyber espionage groups and insider threats optimized for extreme persistence, utilizing unmonitored edge devices and native network functionalities to evade detection. Today, we release M-Trends 2026.

Grounded in over 500,000 hours of frontline incident investigations conducted by Mandiant globally in 2025, this report provides a definitive look at the TTPs actively being used in breaches today. aside_block <ListValue: [StructValue([('title', 'M-Trends 2026 is available! '), ('body', <wagtail. rich_text. RichText object at 0x7fdb083d1e20>), ('btn_text', 'Download now'), ('href', 'https://cloud. google. com/security/resources/m-trends?

utm_source=cgc-blog&utm_medium=blog&utm_campaign=FY26-Q1-GLOBAL-STO89-website-dl-dgcsm-mtrends26-162712&utm_content=-&utm_term=-'), ('image', <GAEImage: m-trends blog callout>)])]> By the Numbers: M-Trends 2026 The metrics in this year's report highlight how adversaries are shifting their approaches to bypass modern security controls: Global Median Dwell Time: Global median dwell time rose to 14 days from 11 days. This shift likely reflects growing sophistication, particularly in evading defenses.

When looking specifically at the high quantity of cyber espionage and North Korean IT worker incidents, the median dwell time for both categories was 122 days.