Hackers are now handing over access to ransomware groups in 22 seconds, as of 2025 and onwards, instead of the 8 hours it took before. This was showcased in Google's Mandiant report, which is based on 500,000 hours of "frontline incident investigations" in 2025.
The M-Trends report is released every year and is built on real data from actual breaches and investigations. This is by far the most credible report in the market.
The Big Numbers:
Attackers stayed hidden for 14 days on average, up from 11 before, whereas espionage groups stayed hidden for 122 days.
Exploits were the most common attack vector, accounting for 32% of intrusions, while "highly interactive voice phishing" saw a surge of 11%.
The high-tech sector is the most targeted industry, overtaking finance.
Scary Highlights:
- Mean time to exploit is 7 days. You cannot patch fast enough.
- Ransomware can now DESTROY BACKUPS, from nuking hypervisors to deleting backups and corrupting AD.
- Vishing has replaced phishing.
- Edge devices are targeted because they have no EDR (endpoint detection and response).
- And AI? Well, malware families like PROMPTFLUX and PROMPTSTEAL can query large language models (LLMs) mid-execution to evade detection.
The Solution?
As given by the report, summarized into headlines:
- Treat Low-Impact Alerts as Critical Indicators
- Isolate Critical Control Planes
- Shift to Continuous Identity Verification
- Transition from Static IOCs to Behavioral Anomaly Detection
- Expand Visibility and Extend Log Retention
References:
Google says to follow their "Google Secure AI Framework (SAIF)" guidelines.
To read the full report, visit https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026
To read about AI risk and resilience, visit https://cloud.google.com/security/resources/ai-risk-and-resilience