
· security incident-response threat-intelligence devops cloud mandiant google-cloud

Mandiant M-Trends 2026: Threat Actor Handoff Now Takes 22 Seconds, Collapsing the Detection Window

Source: Mandiant / Google Cloud / SecurityWeek / Help Net Security / ComplexDiscovery

Mandiant’s M-Trends 2026 report is the most comprehensive analysis of enterprise intrusion activity published each year, drawing on data from incident response engagements across hundreds of organisations globally. The 2026 edition documents a finding that has significant implications for how organisations think about detection and response: the median time between an initial access event and the handoff to a secondary threat actor has collapsed from more than eight hours in 2022 to 22 seconds.

The report draws from more than 500,000 hours of incident response investigations conducted during 2025, making it one of the largest single-year datasets in the field.

What the 22-second figure means

In a typical advanced intrusion, initial access is acquired by one actor, often an initial access broker (IAB) who specialises in acquiring credentials, exploiting vulnerabilities, or establishing footholds in target environments. The IAB then transfers access to a secondary group, typically ransomware operators or nation-state-aligned actors, who use the established foothold to pursue their actual objectives.

In 2022, the median time between the initial access event and the handoff to the secondary group was more than eight hours. This gap existed because the initial access broker’s business model involved advertising the access, negotiating terms, and transferring it over underground channels. This process had latency.

By 2025, that latency had dropped to 22 seconds. Mandiant’s explanation is that initial access partners are now pre-staging the secondary group’s preferred malware and tunnelling infrastructure during the initial compromise, before the handoff. The secondary group is fully equipped and waiting. When the handoff occurs, it is not a transfer of credentials: it is activation of pre-positioned tooling.

Why this changes incident response fundamentally

The traditional assumption in incident response planning is that organisations have a window between compromise and escalation during which detection can prevent the worst outcomes. That window was measured in hours, and sometimes days. A well-designed detection and response capability could catch credential theft or lateral movement before ransomware was deployed or data was exfiltrated.

At 22 seconds, that window does not exist in any practical sense for organisations that rely on humans to triage and respond to alerts. A security operations centre that receives an alert, opens a ticket, assigns it to an analyst, and begins triage is already past the handoff moment. The secondary actor has the access and is operating in the environment.

Mandiant’s conclusion from this finding is a shift in emphasis from detection to remediation during what they call the non-interactive phase: the period between initial compromise and the first time the attacker takes interactive control. During this phase, pre-positioned tools are being staged but no human operator is yet guiding the activity. If an organisation’s monitoring can identify and terminate the compromised session before an interactive operator connects, the 22-second handoff does not lead to secondary actor activity in the environment.

What is enabling 22-second handoffs

The acceleration in handoff timing reflects changes in how the initial access market operates. Several factors contribute.

Automation of handoffs. Underground marketplaces now support automated transfer of access tokens, session cookies, and pre-positioned implants rather than manual negotiation. An IAB can configure an automated trigger that transfers access to a pre-registered buyer the moment initial foothold criteria are met.

Pre-staged tooling. Secondary actors have invested in tooling that can be deployed by the initial access broker during the compromise, before the handoff. The IAB is no longer just delivering a credential. They are delivering a configured operational environment that the secondary actor can step directly into.

Financial incentives. The economics of ransomware operations reward speed. The faster the secondary actor can reach encryption capability, the less time defenders have to detect and respond. Market competition between IABs has driven them to compete on handoff speed alongside quality of access.

The European context

The M-Trends 2026 findings arrive as European organisations face regulatory requirements to report significant cyber incidents within 24 and 72 hours under NIS2. The 22-second handoff creates a difficult operational reality for this reporting obligation: if the compromise-to-escalation window is shorter than the detection window, organisations may not know they have experienced an incident until the secondary actor has already been operating for hours or days.

Mandiant’s data also found that the median dwell time, the period between initial compromise and detection, has not correspondingly collapsed. While handoff is instant, detection often still takes days. This means secondary actors are spending extended periods in environments after a nearly-instantaneous entry.

For European organisations in NIS2-regulated sectors, this combination of fast escalation and slow detection means that a significant incident may be well advanced before the 24-hour early warning clock starts. NIS2 regulators have not yet published definitive guidance on when the notification timer starts, that is, whether it begins at the initial access event, the detection event, or the point at which the organisation becomes aware of the incident’s significance. This is a gap that organisations operating in regulated sectors should seek legal clarity on.

What changes in practice

The M-Trends finding points to several shifts in how effective security programmes operate in 2026.

Moving controls to the pre-compromise layer. If the detection-to-response timeline cannot compete with a 22-second handoff, then controls that operate before or during initial access become more important than controls that trigger post-compromise. This means investment in hardening the initial access attack surface: phishing-resistant multi-factor authentication, credential exposure monitoring, vulnerability management with short mean times to patch for externally exposed systems, and email security that catches initial access lures.

Automated response alongside alerting. Security operations programmes that rely on humans to make response decisions in the initial minutes will consistently miss the window. Automated response capabilities that can terminate suspicious sessions, isolate compromised endpoints, or revoke tokens without human triage are necessary to operate in an environment where the critical window is measured in seconds.

Assuming breach in tabletop exercises. Incident response exercises that treat detection as a realistic prevention mechanism are no longer adequate. Exercises that begin at the point where the secondary actor is already active, before detection has occurred, test the response capabilities that matter most under the conditions that the threat environment actually presents.

Monitoring for pre-staged tooling. If IABs are deploying tooling before the handoff, that tooling creates signals before the secondary actor begins interactive operations. Endpoint detection that can identify implant staging activity, anomalous processes, or unusual scheduled task creation in the period immediately after a compromise event may be the only practical detection opportunity within the window.
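The two ideas above, terminating the session during the non-interactive phase and treating staging activity right after an initial-access event as the detection opportunity, can be combined into a simple time-window correlation. The following is an added example, not code from Mandiant or the report; the event schema, the staging-event taxonomy, the 60-second window and the two-signal threshold are all assumptions chosen for illustration, and the telemetry is constructed.

```python
"""Flag pre-staged tooling in the non-interactive phase after an initial-access event.

Added example. Event fields, STAGING_TYPES, window and threshold are assumed for
illustration and are not any vendor's or Mandiant's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed taxonomy of events that indicate tooling being staged on a host.
STAGING_TYPES = {"scheduled_task", "service_install", "autorun_write", "tunnel_egress"}

def parse_ts(ts):
    return datetime.fromisoformat(ts)

def find_staging_clusters(events, window_seconds=60, min_signals=2):
    """One finding per 'new_device' logon followed by staging signals on the same host.

    Staging events within window_seconds of the logon are collected; a finding is
    emitted when at least min_signals distinct staging types appear. If an
    'interactive' session already started inside the window, the non-interactive
    phase is over, so the recommended action shifts from terminating the session
    to isolating the host.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "logon" or ev.get("detail") != "new_device":
                continue
            deadline = parse_ts(ev["ts"]) + timedelta(seconds=window_seconds)
            signals, interactive = [], False
            for later in evs[i + 1:]:
                if parse_ts(later["ts"]) > deadline:
                    break  # events are sorted, so the window is closed
                if later["type"] in STAGING_TYPES:
                    signals.append(later["type"])
                elif later["type"] == "interactive":
                    interactive = True
            if len(set(signals)) >= min_signals:
                findings.append({"host": host, "user": ev["user"], "logon_ts": ev["ts"],
                                 "signals": signals,
                                 "action": "isolate_host" if interactive else "terminate_session"})
    return findings

SAMPLE_EVENTS = [  # constructed telemetry: a staging burst on ws-17, benign activity on ws-22
    {"ts": "2026-03-01T09:00:00", "host": "ws-17", "user": "a.muller", "type": "logon", "detail": "new_device"},
    {"ts": "2026-03-01T09:00:06", "host": "ws-17", "user": "a.muller", "type": "scheduled_task", "detail": "Updater"},
    {"ts": "2026-03-01T09:00:14", "host": "ws-17", "user": "a.muller", "type": "tunnel_egress", "detail": "443/tcp"},
    {"ts": "2026-03-01T09:12:00", "host": "ws-22", "user": "b.ortiz", "type": "logon", "detail": "known_device"},
    {"ts": "2026-03-01T09:40:00", "host": "ws-22", "user": "b.ortiz", "type": "scheduled_task", "detail": "Backup"},
]

if __name__ == "__main__":
    for finding in find_staging_clusters(SAMPLE_EVENTS):
        print(finding)
```

The action field is only a recommendation; wiring it to session revocation or endpoint isolation is what the "automated response alongside alerting" point above calls for.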

If your organisation wants to assess whether your current security monitoring and incident response capability is designed for the 22-second handoff environment, review your NIS2 incident notification procedures, or understand how Mandiant’s findings apply to your specific infrastructure and threat model, contact Excello Digital. We work with European organisations on threat-informed security architecture and incident response readiness.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.