
M-Trends 2026: 5 Findings That Should Change How You Think About Security

Attackers are moving faster and getting smarter. Here are 5 key findings from M-Trends 2026 every security team needs to act on.

Key Takeaways

  • Median dwell time is now 10 days. Slow detection processes are no longer acceptable.
  • Exploitation of vulnerabilities is now the number one initial access method, ahead of phishing.
  • Edge devices, like firewalls and VPNs, are being used as long-term hiding spots by sophisticated threat groups.
  • Only 46% of organizations caught their own breach. The other 54% found out from someone else.
  • AI is a real advantage for defenders when it is applied to investigation, triage, and simulation work.

Mandiant’s M-Trends report is one of the most trusted annual reads in cybersecurity. It is built on real incident investigations, not surveys or estimates. The 2026 edition covers a 15-year data stretch and surfaces five findings that every security team needs to pay attention to.

1. Attackers Are Spending Less Time Inside Your Systems

Median dwell time dropped to 10 days in 2026, down from 16 days the year before. That is the lowest figure in the report’s 15-year history.

Two things are driving this number down:

  1. Defenders are getting better at spotting unusual activity early.
  2. Ransomware attacks are also getting louder by design. Modern ransomware groups do not try to hide. They move fast, encrypt fast, and make themselves known. Speed is their strategy.

So a shorter dwell time is not entirely a win. It also means the window to catch an attacker before damage is done keeps shrinking.

What this means for your team: detection speed matters more than ever.

2. Phishing Is No Longer the Top Entry Point

For the first time in the report’s history, vulnerability exploitation (38%) has overtaken phishing (17%) as the most common way attackers get in.

Attackers are moving away from tricking people and toward breaking systems. Unpatched software, zero-day vulnerabilities, and edge devices are now the front door. This shift is partly because phishing detection has improved, but also because the backlog of known, unpatched vulnerabilities keeps growing faster than most teams can patch it.

The implication is significant. Security awareness training and email filtering are still worth doing. But if your patch management is months behind, that is now a bigger liability than your employees clicking bad links.

What Counts as Vulnerability Exploitation?

This includes attacks against internet-facing applications, zero-day exploits in popular software, and flaws in security appliances like firewalls and VPN gateways. In short, it covers any weakness in your technical stack that an attacker can reach without a human doing anything wrong.
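The patching argument above (exploitability and exposure outweigh a raw CVSS score) can be turned into a ranking rule. The following is an added example, not code from the report or from Secure.com; the inventory, the CVE-style identifiers and the weights are constructed assumptions.

```python
"""Rank open findings the way the section argues: known exploitation,
internet exposure, edge-device placement and patch lag first, CVSS last.
Added example with a constructed inventory and assumed weights."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    asset: str
    cve: str             # placeholder identifiers, not real CVE numbers
    cvss: float
    in_kev: bool         # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_facing: bool
    edge_device: bool    # firewall, VPN gateway, router
    fix_available: date  # when a patch was released


def priority(f: Finding, today: date) -> int:
    """Higher means more urgent. The weights are an assumption for this example."""
    score = 0
    if f.in_kev:
        score += 100      # actively exploited: the patch window is now
    if f.internet_facing:
        score += 50       # reachable without a human clicking anything
    if f.edge_device:
        score += 30       # usually outside EDR coverage; persistence risk
    patch_age = (today - f.fix_available).days
    score += (min(patch_age, 180) // 30) * 5   # each month of lag adds urgency, capped
    return score


def rank(findings: list[Finding], today: date) -> list[Finding]:
    """Most urgent first; CVSS only breaks ties between equal priorities."""
    return sorted(findings, key=lambda f: (priority(f, today), f.cvss), reverse=True)


# Constructed sample: the high-CVSS internal box should NOT come first.
SAMPLE = [
    Finding("vpn-gw", "CVE-XXXX-0001", 7.2, True, True, True, date(2026, 1, 15)),
    Finding("db-server", "CVE-XXXX-0002", 9.8, False, False, False, date(2026, 3, 20)),
    Finding("web-app", "CVE-XXXX-0003", 8.1, False, True, False, date(2025, 9, 1)),
]

if __name__ == "__main__":
    for f in rank(SAMPLE, date(2026, 4, 1)):
        print(f"{priority(f, date(2026, 4, 1)):>4}  {f.asset:<10} CVSS {f.cvss}")
```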

3. Edge Devices Have Become the Attacker’s Favorite Hiding Spot

Firewalls, VPN concentrators, and routers sit at the edge of your network and, in many organizations, completely outside your detection coverage.

The M-Trends 2026 report calls out China-nexus threat groups specifically for targeting edge infrastructure. These devices rarely have endpoint detection tools running on them. That makes them ideal for long-term persistence. An attacker can sit inside an edge device for months, watching traffic and moving laterally, without triggering a single alert in your SIEM.

This is not a theoretical risk. It is a documented pattern in active investigations.

What Is “Living off the Land”?

Living off the Land, or LotL, means attackers use the tools already built into your operating system to move around, rather than dropping custom malware. Because they are using legitimate software, detection tools that look for known threats often miss them entirely.

4. Organizations Are Getting Better at Finding Their Own Breaches

Forty-six percent of organizations discovered their own breach through internal detection in 2026, up from 37% the year before. That improvement reflects real investment in SOC capabilities and internal monitoring.

But the other side of that number is that fifty-four percent of organizations still found out they were breached from an outside party: law enforcement, a threat intel vendor, or, in some cases, the attackers themselves.

That means more than half of companies in active breach investigations had no internal signal that anything was wrong. That is not a tooling problem alone—it is a coverage and capacity problem.

Why Internal Detection Rates Matter

When an external party tells you about your breach, response time has already been lost. The earlier your team finds an incident, the lower the cost. IBM’s 2024 breach cost report found that breaches caught internally cost organizations an average of $4.88 million less than those flagged externally.
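To apply findings 1 and 4 to your own incident history, the two headline metrics (median dwell time and the internal-detection share) can be computed from a small incident table. This is an added example, not code or data from the report; the six incident records and the list of what counts as an internal source are constructed.

```python
"""Median dwell time and internal-detection rate from incident records.
Added example; the records below are constructed, not M-Trends data."""
from datetime import datetime
from statistics import median

# Constructed records: (first evidence of compromise, detection time, who found it)
INCIDENTS = [
    ("2026-01-03T08:00", "2026-01-05T14:00", "soc"),
    ("2026-01-10T00:00", "2026-02-20T09:30", "law_enforcement"),
    ("2026-02-01T12:00", "2026-02-04T12:00", "edr"),
    ("2026-02-15T06:00", "2026-03-01T06:00", "threat_intel_vendor"),
    ("2026-03-02T09:00", "2026-03-02T21:00", "soc"),
    ("2026-03-10T00:00", "2026-04-02T00:00", "attacker_ransom_note"),
]
# Assumption: these labels are the sources that count as "found it ourselves".
INTERNAL_SOURCES = {"soc", "edr", "internal_audit"}
FMT = "%Y-%m-%dT%H:%M"


def dwell_days(first_evidence: str, detected: str) -> float:
    """Dwell time in days; a negative span means the timeline is wrong."""
    delta = datetime.strptime(detected, FMT) - datetime.strptime(first_evidence, FMT)
    if delta.total_seconds() < 0:
        raise ValueError("detection precedes first evidence; check the timeline")
    return delta.total_seconds() / 86400


def median_dwell_days(incidents) -> float:
    """Midpoint across all incidents; with an even count it averages the two middle values."""
    return median(dwell_days(a, b) for a, b, _ in incidents)


def internal_detection_rate(incidents) -> float:
    """Share of incidents first detected by an internal source (M-Trends: 46%)."""
    internal = sum(1 for *_, src in incidents if src in INTERNAL_SOURCES)
    return internal / len(incidents)


def median_dwell_by_source(incidents) -> dict:
    """Split the median by who found the breach; externally notified ones run longer."""
    groups = {"internal": [], "external": []}
    for a, b, src in incidents:
        groups["internal" if src in INTERNAL_SOURCES else "external"].append(dwell_days(a, b))
    return {k: median(v) for k, v in groups.items() if v}


if __name__ == "__main__":
    print("median dwell (days):", median_dwell_days(INCIDENTS))
    print("internal detection rate:", internal_detection_rate(INCIDENTS))
    print("median dwell by source:", median_dwell_by_source(INCIDENTS))
```

The by-source split is the check worth adding to a quarterly metrics review: if the externally notified incidents dwell several times longer than the ones your SOC caught, the gap is coverage, not tooling.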

5. Defenders Are Using AI Too, and It Is Working

The report notes a meaningful rise in AI use by Red and Purple Teams. These are the ethical hackers and internal defenders who simulate attacks to find gaps before real attackers do.

AI is helping these teams analyze large data sets faster, automate repetitive testing tasks, and run more realistic attack simulations. This is not about replacing analysts—it is about giving experienced people the speed to cover more ground in less time.

The risk of attackers using AI gets most of the attention, but the upside gets less: defenders who use AI well are catching things faster and at a scale that was not possible three years ago.

How Secure.com Helps You Act on These Findings

Most security teams already know the problems. The harder part is covering them without burning out the people they have.

Secure.com’s Digital Security Teammates are built for exactly this gap:

  • Continuous monitoring of your attack surface across cloud, on-premises, and SaaS environments
  • Real-time alert triage so your team focuses on what actually matters, not a queue of noise
  • Vulnerability prioritization based on exploitability (KEV), asset criticality, and business impact—not just CVSS scores
  • Internal detection coverage that flags drift and anomalies before they become incidents
  • AI-powered case management and investigation workflows that provide L1 analysts with enriched context, threat intelligence, and guided response playbooks

Conclusion

The M-Trends 2026 report does not describe a future threat landscape. It describes what is happening right now, in real investigations, at real companies. Dwell time is shrinking, entry points are shifting, and edge infrastructure is being used against organizations that do not know it is exposed.

The organizations that close the gap between these findings and their actual security posture are the ones that get hit less often. The ones that read the report and move on are the ones that show up in next year’s data.

FAQs

What is the M-Trends report?

M-Trends is an annual cybersecurity report published by Mandiant, now part of Google Cloud. It is based on real incident response investigations and tracks how attacker behavior is changing year over year.

What does median dwell time mean?

Dwell time is how long an attacker stays inside a network before being detected. The median figure is the midpoint across all investigated incidents. A lower number generally means faster detection, though faster ransomware attacks also pull this number down.

Why are edge devices a bigger risk now?

Edge devices like firewalls and VPN gateways often do not have the same monitoring tools that endpoints and servers have. Attackers know this and use these devices to stay hidden for extended periods while maintaining access to the network.

Does AI actually help defenders or is it mostly hype?

The M-Trends data points to real benefits. Red and Purple Teams using AI are running faster and more thorough security tests. Separately, IBM’s breach cost data shows that organizations with AI-assisted detection resolve incidents significantly faster and at lower cost.

What should my team prioritize after reading M-Trends 2026?

Start with patch coverage on internet-facing systems and edge devices. Then review your internal detection capability. If more than half your alerts are going unreviewed or your team is relying on external parties for breach notification, that is where the work is.