
Mandiant just published M-Trends 2026, grounded in over 500,000 hours of frontline incident response from 2025. One number defines everything else in the report: the median time between an initial access partner gaining a foothold and a ransomware operator picking it up collapsed to only 22 seconds.

Read that again: 22 seconds.

That is not a detection problem; it’s an architecture problem. The rest of the data provides context:

  • Global median dwell time rose to 14 days, up from 11 in 2024.

  • Internal detection improved to 52%.

  • Exploits remained the leading initial infection vector for the sixth consecutive year.

  • Vishing surged to second at 11%.

Wiz's Cloud Threats Retrospective 2026, published the same week and drawing on cloud telemetry rather than incident response engagements, arrives at the same place from a different angle:

  • 80% of documented cloud intrusions in 2025 began with vulnerabilities, exposed secrets, or misconfigurations.

  • Trust chain compromise, once a rounding error at 1% of initial access vectors, rose to 7%.

These two independent datasets show the same structural problem.

The Detection Stack Is Winning the Documentation War

The M-Trends data shows genuine progress on detection. More organizations are finding compromises internally. Dwell times, while rising, remain dramatically shorter than five years ago. Security teams are better instrumented, more mature, and faster to respond than at any point in the industry's history.

And yet: ransomware operators have shifted their primary objective from data theft to deliberate recovery denial. They are now systematically targeting backup infrastructure, identity services, and virtualization management planes. Not because they cannot be detected, but because by the time detection fires, they have already reached the infrastructure that makes recovery possible. M-Trends 2026 names this directly: the goal is to destroy the organization's ability to recover, not just to encrypt data.

The detection stack is seeing more. The attack objective has shifted to infrastructure where detection timing determines whether you recover, not whether you were compromised.

This is the structural diagnosis the Containment Era is built on. The question defenders have been optimizing to answer is "is something bad happening?" The question that determines outcomes is "if something bad is already running, what can it reach?"

Three Findings That Converge on the Same Problem

The 22-second hand-off. In 2022, the median time between initial access and the hand-off to a secondary threat group was over eight hours. In 2025, it was 22 seconds. Mandiant attributes this to tighter partnerships between initial access brokers and ransomware operators: the malware is pre-configured to deliver access directly, not advertise it.

The implication for defenders is significant. A low-priority alert that would have given you eight hours to investigate before a skilled operator was even in the environment now gives you effectively nothing. The ransomware team still needs time to move laterally, reach the backup and identity infrastructure, and deploy, but they start that clock the moment the foothold is handed off, not the moment you notice the initial alert.

Alert-based response is not designed for that reality, but architecture is.

Wiz's data shows the mechanism that makes this possible at cloud scale. The Shai Hulud npm supply chain attacks demonstrated it clearly: malicious packages with preinstall hooks executed automatically on install, with full developer privileges, before any security tooling inspected what was running. The hand-off was built into the delivery. Supply chain compromise as an initial access vector rose from 1% to 7% in Wiz's dataset from the same period. The infrastructure that automates software delivery has become the infrastructure that automates access transfer.
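The preinstall-hook mechanism described above is something a defender can inventory before it fires. The following is an added example, not code from the original post, from Wiz, or from npm: it reads package.json manifests and reports any package that declares an install-time lifecycle script. The package names, versions and script commands are constructed for illustration; the hook names (preinstall, install, postinstall, prepare) are npm's real lifecycle scripts that run during `npm install`.

```python
"""Audit npm package manifests for install-time lifecycle hooks.

Added example, not code from the original post, from Wiz, or from npm.
Package names, versions and scripts below are constructed for illustration.
The hook names are npm's real lifecycle scripts that run during `npm install`.
"""
import json
from pathlib import Path

# npm lifecycle scripts that execute automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(manifest: dict) -> dict:
    """Return {hook: command} for every install-time hook a manifest declares."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_manifests(manifests) -> list:
    """Produce one finding per package that would run code at install time."""
    findings = []
    for manifest in manifests:
        hooks = install_hooks(manifest)
        if hooks:
            findings.append({
                "package": f"{manifest.get('name')}@{manifest.get('version')}",
                "hooks": hooks,
            })
    return findings


def audit_node_modules(root) -> list:
    """Walk an installed tree and audit every node_modules/**/package.json."""
    manifests = []
    for path in Path(root).rglob("package.json"):
        if "node_modules" not in path.parts:
            continue
        try:
            manifests.append(json.loads(path.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not crash
    return audit_manifests(manifests)


# Constructed sample tree: three manifests as they would appear in
# node_modules/<pkg>/package.json. Only one declares an install-time hook.
SAMPLE_MANIFESTS = [
    {"name": "harmless-util", "version": "2.1.0",
     "scripts": {"test": "jest"}},
    {"name": "sample-suspicious-pkg", "version": "1.0.0",
     "scripts": {"preinstall": "node setup.js", "test": "echo ok"}},
    {"name": "no-scripts-at-all", "version": "0.3.1"},
]


if __name__ == "__main__":
    for finding in audit_manifests(SAMPLE_MANIFESTS):
        print(finding["package"], "->", finding["hooks"])
```

To use it on a real checkout, install with `npm install --ignore-scripts` (or set `ignore-scripts=true` in `.npmrc`) so that no hook executes, then call `audit_node_modules(".")` and review each finding before deciding whether to run the scripts at all. The point is ordering: the inventory happens before the hooks get developer privileges, not after.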

Recovery denial as primary objective. Ransomware operators are doing more than encrypting data. They are targeting the infrastructure organizations use to recover: Active Directory, backup management systems, hypervisor management planes, identity providers. M-Trends 2026 documents cases where attackers destroyed backup catalogs, wiped cloud storage, and embedded persistence mechanisms into fleet management tools so that the recovery process itself reinfected the environment. The attack objective is the elimination of options. An architecture that enforces network-layer policy at the workload level limits what attackers can reach in the first place. Instead of guaranteeing prevention, it guarantees containment.

Edge and core network devices as the preferred operating environment. Exploits remained the top initial infection vector for the sixth consecutive year. The most exploited vulnerabilities in 2025 were zero-days in internet-facing enterprise platforms: SAP NetWeaver, Oracle E-Business Suite, Microsoft SharePoint. The mean time to exploit for vulnerabilities is now negative seven days, meaning exploitation is happening before patches exist. Attackers are operating from edge devices precisely because those devices fall outside the reach of EDR (endpoint detection and response), are rarely patched, and provide persistent access to internal network traffic. The visibility gap is structural, not operational. More analysts and better tooling do not close it.

Wiz documented the same dynamic in real time with React2Shell (CVE-2025-55182), a code execution flaw in a widely deployed JavaScript framework. Within 24 hours of a public proof of concept, Wiz identified dozens of active exploitation campaigns. By the end of the week, over 60 distinct campaigns were exploiting it, ranging from state-backed operations to basic AI-generated scripts.

The speed and breadth meant that any organization running a vulnerable system was likely affected regardless of their detection posture. That is a timing gap that detection cannot close.

What the Containment Era Adds

The Containment Era does not argue that detection is useless. Mandiant's own data shows that internal detection is improving and that detection teams matter. The argument is narrower and more specific: detection alone, positioned as the primary line of defense, cannot close the gap when the hand-off to a skilled operator happens before an alert is even triaged, cannot protect infrastructure that attackers are specifically targeting to deny recovery, and cannot operate on network segments where it was never deployed.

The architectural answer addresses all three.

Communication governance, the principle that every workload can only reach what it has explicit permission to reach and everything else is denied by default at the network layer, contains the blast radius of any exploit regardless of whether detection fires in time. A ransomware operator who is now in your environment, handed access before your team finished reading the initial alert, still needs the network to cooperate with every subsequent step: backup enumeration, lateral movement to the hypervisor, credential staging, exfiltration. Each of those steps requires outbound or east-west communication. Each of those communication paths is either governed or it is not.

Mandiant names the right targets. Explicitly, the report recommends organizations prioritize the security of backup infrastructure, identity services, and the virtualization layer. That is the right list. The Containment Era adds the mechanism: network-layer enforcement that limits what can reach those systems in the first place, before the attacker gets there, before the alert fires, before the negotiation starts.

Wiz's recommendations for defenders arrive at the same conclusion with the same words: "Limit blast radius from shared trust and supply chain dependencies." When two independent research organizations, drawing on completely different data sets, both reach for blast radius as the framing, the diagnosis is not in dispute.

Where Organizations Should Focus

Treat the virtualization and backup layers as Tier-0 network policy targets. The attack pattern in M-Trends 2026 is consistent: gain initial access, move laterally to the management plane, target the infrastructure that enables recovery. The network path from a compromised endpoint to a vCenter server, a backup management console, or a domain controller is either controlled or it is open. If it is open, the question is not whether an attacker will use it but when.

Govern east-west traffic, not just north-south. Most egress controls focus on outbound internet traffic. The M-Trends data shows attackers moving laterally through internal network segments, living off legitimate tools, and operating from management planes where traditional security monitoring has limited coverage. Flat or inconsistently segmented networks are the structural condition that makes recovery denial viable at scale. Establish communication governance by application, environment, and sensitivity.

Stop treating low-priority alerts as low-priority. The 22-second hand-off data means that a FAKEUPDATES infection, a drive-by download or a malvertising click now has a skilled ransomware operator behind it almost immediately, not hours later when the initial access broker (IAB) decides to post the access for sale. The operator still has work to do after that, but the clock starts at the moment of hand-off, not whenever your team escalates the alert. M-Trends 2026 is direct about this: stopping an intrusion at the single-system stage is dramatically easier than recovering from follow-on activity. The organizations that do this well are the ones whose architectures limit what an attacker can do with initial access. Detection finds the entry; architecture limits the damage.

Extend your patching posture to include architectural backstops. With a mean time to exploit of negative seven days, the patch cycle is structurally insufficient as a sole defense for internet-facing systems. Patching remains essential, but it is not enough on its own. The organizations that closed the gap in 2025 were not the ones who patched faster than the attackers weaponized. They were the ones whose workloads could not establish unauthorized connections in the first place.
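The communication governance principle described earlier (every workload reaches only what it is explicitly permitted to reach, everything else denied by default) and the focus areas above reduce to one question: from a given foothold, which Tier-0 systems are reachable? The following is an added example, not code from the original post or from any vendor product, that models that question as a reachability check over an allow list. The workload inventory, role names and allow rules are constructed for illustration; the Tier-0 roles follow the recovery infrastructure the post names (backup, identity, virtualization management). It compares a flat network with a governed policy and also lists the workloads that can themselves reach Tier-0, which is the set that has to be protected at Tier-0 standard.

```python
"""Blast-radius check for workload-level, default-deny network policy.

Added example, not code from the original post or from any vendor product.
The workload inventory, role names and allow rules are constructed for
illustration; Tier-0 roles follow the recovery infrastructure the post
names (backup, identity, virtualization management).
"""
from collections import deque

# Constructed inventory: workload -> role. Policy is written per role.
WORKLOADS = {
    "laptop-42": "endpoint",
    "web-01": "web",
    "app-01": "app",
    "db-01": "db",
    "jump-01": "admin",
    "vcenter-01": "virt-mgmt",
    "backup-console": "backup",
    "dc-01": "identity",
}
TIER0_ROLES = {"virt-mgmt", "backup", "identity"}


def flat_network():
    """Unsegmented network: every role may talk to every other role."""
    roles = set(WORKLOADS.values())
    return [(src, dst, "*") for src in roles for dst in roles if src != dst]


def governed_policy():
    """Explicit allow list (src_role, dst_role, port); everything else denied."""
    return [
        ("endpoint", "web", 443),
        ("web", "app", 8443),
        ("app", "db", 5432),
        ("admin", "virt-mgmt", 443),
        ("admin", "backup", 443),
        ("admin", "identity", 636),
    ]


def allowed(policy, src, dst):
    """Default deny: a path exists only if some rule explicitly permits it.
    Ports are kept for readability; for reachability any permitted port is a path."""
    s, d = WORKLOADS[src], WORKLOADS[dst]
    return src != dst and any(ps == s and pd == d for ps, pd, _ in policy)


def reachable_from(policy, start):
    """BFS over permitted edges: everything a foothold on `start` can pivot to."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in WORKLOADS:
            if nxt not in seen and allowed(policy, cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def tier0_exposure(policy, start):
    """Which recovery-critical workloads a compromise of `start` can reach."""
    return {w for w in reachable_from(policy, start) if WORKLOADS[w] in TIER0_ROLES}


def tier0_entry_points(policy):
    """Every workload from which some Tier-0 asset is reachable. Under a flat
    network that is everything; under the governed policy it is the admin
    jump host alone, which therefore needs Tier-0 protection itself."""
    return {w for w in WORKLOADS if tier0_exposure(policy, w)}


if __name__ == "__main__":
    for name, policy in (("flat", flat_network()), ("governed", governed_policy())):
        print(f"{name:9s} laptop-42 reaches Tier-0:",
              sorted(tier0_exposure(policy, "laptop-42")))
        print(f"{name:9s} Tier-0 entry points:",
              sorted(tier0_entry_points(policy)))
```

Reachability is transitive, which is why the check walks the graph rather than inspecting rules one at a time: a rule that looks harmless in isolation (an application tier allowed to talk to a domain controller, say) can hand an endpoint compromise a two-hop path to identity infrastructure. Running the same check against a real policy export before and after a change is the architectural backstop the post describes: it tells you what an attacker can do with initial access, independent of whether any alert fires.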

The Bottom Line

M-Trends 2026 and Wiz's Cloud Threats Retrospective 2026 are the two most comprehensive independent datasets published this year. One draws on 500,000+ hours of incident response. The other draws on cloud telemetry across thousands of environments. They use different methodologies, cover different incident types, and reach the same conclusion.

The gap is not visibility. It is not response velocity. It is blast radius.

When the hand-off takes 22 seconds, detection cannot operate in that window. When the objective is recovery denial, the attacker does not need to stay hidden long. They need to reach the right infrastructure. When exploitation happens before patches exist, the patch cycle is structurally insufficient as a sole defense.

The Containment Era is the framework that makes those findings less consequential. Organizations that have built Communication Governance into their architecture have a structural answer to all three.

The data is in. Build the answer before you need it.

Learn more about the Containment Era and what it means for cloud network security.

Explore our free Workload Attack Path Assessment to find the hidden attack paths that ransomware groups and other threat actors could use in your network.

Frequently Asked Questions

Mandiant M-Trends 2026, grounded in over 500,000 hours of frontline incident response, found that the median time between initial access and ransomware operator handoff collapsed to 22 seconds in 2025. Global median dwell time rose to 14 days, up from 11 in 2024. Internal detection improved to 52%, and exploits remained the leading initial infection vector for the sixth consecutive year. Vishing surged to second place at 11%. These findings show that threat response timelines have compressed dramatically, leaving little room for alert-based response alone.

The Wiz Cloud Threats Retrospective 2026 found that 80% of documented cloud intrusions in 2025 began with vulnerabilities, exposed secrets, or misconfigurations. Trust chain compromise rose from 1% to 7% of initial access vectors. Supply chain attacks, like the Shai Hulud npm campaign, showed how malicious packages executed automatically with full developer privileges before security tooling could inspect them. These findings converge with Mandiant M-Trends 2026 on the same structural problem: the blast radius of an intrusion determines the outcome more than detection speed.

With the 22-second handoff documented in Mandiant M-Trends 2026 and the exploitation patterns in Wiz Cloud Threats Retrospective 2026, detection cannot operate fast enough to prevent a skilled operator from reaching critical infrastructure. Ransomware operators now target backup systems, identity services, and virtualization management planes to deny recovery. By the time a detection alert is triaged, attackers may have already reached those targets. Organizations need containment at the architecture level to limit what attackers can reach, regardless of whether an alert fires in time.

Containment means enforcing network-layer policies that restrict what each workload can communicate with by default. Every workload can only reach systems it has explicit permission to reach, and all other communication is denied. This limits the blast radius of any intrusion, regardless of detection timing. When a ransomware operator gains access, they still need the network to cooperate with lateral movement, backup enumeration, and credential staging. Containment governs those communication paths before an attacker can use them.

Based on Mandiant M-Trends 2026 and Wiz Cloud Threats Retrospective 2026, organizations should focus on three areas. First, treat backup infrastructure, identity services, and virtualization layers as Tier-0 network policy targets. Second, govern east-west traffic across internal segments, not just outbound internet traffic. Third, build architectural controls that limit unauthorized connections from internet-facing systems, since exploitation now occurs before patches exist. Both reports point to limiting blast radius from shared trust and supply chain dependencies as a foundational containment priority.
