There is a number buried in Mandiant’s M-Trends 2026 report, released last month and drawing on more than 500,000 hours of frontline incident response work conducted globally in 2025, that deserves to be read slowly. The mean time to exploit a software vulnerability has dropped to negative seven days. Not seven days after a patch is released. Not the day a vulnerability is disclosed. Seven days before either of those events. Attackers are, with measurable regularity, finding and weaponising flaws in enterprise systems before the vendors who built those systems know the flaws exist.
This is not a projection. It is a documented pattern from a year of real investigations, corroborated by IBM’s 2026 X-Force Threat Intelligence Index and the World Economic Forum’s Global Cybersecurity Outlook, which found that 87 per cent of surveyed organisations identified AI-related vulnerabilities as the fastest-growing cyber risk they face. When three of the most methodologically distinct datasets in the industry converge on the same conclusion, the appropriate response is not further study. It is an immediate reassessment of every assumption on which current defences rest.
Twenty-Two Seconds
The velocity data is, if anything, more alarming than the timing data. In 2022, when attackers gained initial access to a network, the median time before they handed off that access to a secondary threat group — typically a ransomware operation or espionage cluster — was more than eight hours. In 2025, that window collapsed to 22 seconds. The implications for the architecture of corporate incident response are severe. Detection-and-response models built around the assumption that defenders have minutes or hours to contain a breach after initial access is established are, as currently designed, structurally inadequate. By the time an alert fires, the handoff has already happened.
This acceleration is not accidental, and it is not simply the product of more skilled attackers. It reflects a structural change in how the cybercrime ecosystem operates. Mandiant’s investigations found that initial access brokers — groups that specialise in breaching networks — are now bypassing underground markets entirely, partnering directly with ransomware operators and espionage clusters before they even launch an attack. The division of labour has become industrialised, and the transaction costs within that ecosystem have fallen to near zero.
AI in the Wrong Hands
The report’s treatment of artificial intelligence is measured in a way that the broader conversation about AI and cybersecurity rarely is. Mandiant does not conclude that 2025 was the year AI fundamentally changed the nature of cyberattacks. The vast majority of successful intrusions, it notes, still stem from fundamental human and systemic failures: unpatched systems, misconfigured cloud environments, weak credential management, and undertrained staff. These are not new problems. They are old problems that AI is making considerably worse.
What AI has done is lower the skill threshold required to conduct sophisticated attacks while simultaneously accelerating every phase of the attack lifecycle. Mandiant documented malware families — designated PROMPTFLUX and PROMPTSTEAL — that actively query large language models during execution to dynamically rewrite their own code and evade detection. Credential stealers have been observed using AI to search compromised machines for configuration files, targeting not just password stores but the growing universe of local AI command-line tools that developers and enterprise users have installed. The attack surface has expanded precisely because the tools being attacked are themselves AI-powered.
Perhaps the most consequential shift documented in the report is the decline of email phishing as the dominant social engineering vector. It now accounts for just 6 per cent of intrusions where Mandiant could identify the entry point — down from a position of dominance just a few years prior. Voice phishing, in which attackers use AI-generated voice cloning to impersonate executives or IT staff, has climbed to 11 per cent and is rising. The filters and training programmes that most organisations have built their social engineering defences around were designed for a world in which the primary threat vector was a suspicious email. That world is receding.
What Defenders Are Up Against
The report makes plain that the targets have shifted, as well as the tactics. Ransomware operators, facing improved backup and recovery capabilities among larger enterprises, have adapted by targeting the recovery infrastructure itself. Mandiant investigated multiple cases in 2025 in which attackers systematically dismantled identity services, virtualisation management systems, and backup infrastructure before deploying encryption — ensuring that even organisations with mature disaster recovery capabilities faced the prospect of weeks of downtime. The goal is no longer simply to encrypt data. It is to deny recovery.
Edge devices — VPNs, firewalls, and routers — remain the most targeted class of infrastructure for initial access, accounting for a disproportionate share of the zero-day exploits Mandiant investigated. These devices sit at the perimeter of corporate networks, are often running outdated firmware, and frequently lack the logging and endpoint detection capabilities applied to core business systems. Threat clusters have exploited this visibility gap by cloning virtual machines, including single sign-on identity providers and domain controllers, from within compromised virtualisation environments — circumventing security alerting on live systems by working on powered-off clones. It is a technique that requires considerable sophistication and leaves almost no real-time trace.
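A defender's corollary of the clone-from-the-hypervisor technique just described, and of the pre-encryption dismantling of identity and backup systems described in the previous paragraph, is that alerting has to live in the virtualisation management plane, where the clone, snapshot, power-off and delete operations are recorded even when the copied guest never boots. The Python below is an added example written for this piece, not tooling from Mandiant or the M-Trends report. Its event format, VM names, principals and change window are constructed for illustration; a real hypervisor event stream (vCenter's event types are similar in spirit) would need its own parser, which is the only part that would change.

```python
"""Flag management-plane operations against tier-0 virtual machines.

Added example, not from the report or any vendor product. Event format,
asset names and timings are constructed; adapt parse_events() to a real
hypervisor event stream.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Tier-0 assets whose offline copies are as sensitive as the live system:
# domain controllers and the single sign-on identity provider (constructed).
TIER0_VMS = {"dc01", "dc02", "sso-idp01"}

# Operations that yield an offline copy of a VM (work-on-a-powered-off-clone)
# or that remove recovery capability (dismantling before encryption).
COPY_OPS = {"VmClonedEvent", "VmSnapshotCreated", "VmExported"}
DESTRUCTIVE_OPS = {"VmRemoved", "VmPoweredOff"}

# Approved maintenance window in UTC hours, [start, end); constructed.
CHANGE_WINDOW = (2, 4)

# Constructed newline-delimited JSON events: one sanctioned backup snapshot,
# then an out-of-hours burst by a temporary admin account.
SAMPLE_EVENTS = """
{"ts":"2025-06-03T02:30:00Z","op":"VmSnapshotCreated","vm":"dc01","user":"svc-backup"}
{"ts":"2025-06-03T13:02:11Z","op":"VmClonedEvent","vm":"dc01","user":"admin-tmp"}
{"ts":"2025-06-03T13:02:40Z","op":"VmClonedEvent","vm":"sso-idp01","user":"admin-tmp"}
{"ts":"2025-06-03T13:05:00Z","op":"VmPoweredOff","vm":"dc02","user":"admin-tmp"}
{"ts":"2025-06-03T13:06:10Z","op":"VmRemoved","vm":"sso-idp01","user":"admin-tmp"}
{"ts":"2025-06-03T13:10:00Z","op":"VmClonedEvent","vm":"webapp01","user":"dev"}
"""


@dataclass
class Finding:
    severity: str   # medium | high | critical
    reason: str
    event: dict     # the triggering (or last) event


def parse_events(raw: str) -> list[dict]:
    """Parse the constructed NDJSON format; timestamps become aware UTC datetimes."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def in_change_window(ts: datetime) -> bool:
    start, end = CHANGE_WINDOW
    return start <= ts.astimezone(timezone.utc).hour < end


def per_event_findings(events: list[dict]) -> list[Finding]:
    """One finding per copy or destructive operation on a tier-0 VM.

    A clone of a domain controller is a full copy of the directory database,
    and a powered-off copy never raises a guest-side alert, so the management
    plane is the only place this is visible. Inside the change window it is
    still worth a ticket (medium); outside it, it is high.
    """
    findings = []
    for ev in events:
        if ev["vm"] not in TIER0_VMS or ev["op"] not in COPY_OPS | DESTRUCTIVE_OPS:
            continue
        sev = "medium" if in_change_window(ev["ts"]) else "high"
        findings.append(Finding(sev, f"{ev['op']} on tier-0 VM {ev['vm']} by {ev['user']}", ev))
    return findings


def correlate_dismantling(events: list[dict], window_minutes: int = 10) -> list[Finding]:
    """Raise critical when one principal hits two or more distinct tier-0 VMs
    with destructive operations inside the window: the recovery-denial pattern."""
    by_user: dict[str, list[dict]] = {}
    for ev in events:
        if ev["vm"] in TIER0_VMS and ev["op"] in DESTRUCTIVE_OPS:
            by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_minutes * 60]
            vms = {e["vm"] for e in burst}
            if len(vms) >= 2:
                findings.append(Finding(
                    "critical",
                    f"{user} performed destructive ops on {len(vms)} tier-0 VMs "
                    f"within {window_minutes} min: {sorted(vms)}", burst[-1]))
                break  # one critical per principal is enough to page on
    return findings


def evaluate(events: list[dict]) -> list[Finding]:
    return per_event_findings(events) + correlate_dismantling(events)


if __name__ == "__main__":
    for f in evaluate(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.severity:8}] {f.event['ts'].isoformat()} {f.reason}")
```

On the constructed sample the sanctioned snapshot surfaces as a medium finding, the four out-of-hours clone, power-off and delete operations as high, and the same principal touching two tier-0 machines destructively within ten minutes as a single critical; the clone of `webapp01` is ignored because it is not a tier-0 asset. The design point is that none of these signals depends on anything running inside the guest.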
The lesson that M-Trends 2026 delivers — with the weight of half a million hours of evidence behind it — is that the cybersecurity industry’s mental model of attack timelines, entry vectors, and recovery assumptions has been comprehensively overtaken by events. Patching faster is necessary, but against a negative mean time to exploit, insufficient on its own. Detection and response are necessary but, against 22-second handoff windows, inadequate as a primary strategy. The organisations that will weather the next phase of this arms race are those willing to make the harder architectural changes: eliminating entire categories of vulnerability rather than racing to remediate them, and building defences that assume breach rather than attempting to prevent it.
That is an uncomfortable conclusion for boards accustomed to approving incremental security budgets. It is, however, what the data says.