Attackers are racing ahead, compressing the time it takes to break into networks from hours to seconds. The latest Mandiant threat report warns that adversaries now pivot between initial access brokers and hands-on operators in about 22 seconds on average, turning small footholds into full-scale compromises before many teams can open an incident ticket.
It’s a blunt reminder that speed now decides outcomes. Defenders who cannot see, decide, and act in near real time are conceding the initiative to criminal and espionage groups that have industrialized intrusion workflows.
Attackers Are Outpacing Defenders Across Industries
Mandiant describes a “division of labor” economy: one crew gains entry via malvertising, fake browser updates, or credential theft; a second group seizes control with hands-on-keyboard operations. That relay is happening faster than many alerting pipelines can process a single event.
Dwell time still averages about two weeks, but that statistic offers misleading comfort. Espionage intrusions can persist quietly for months, with a median exceeding 100 days, while smash-and-grab criminal crews aim to disrupt and monetize within hours.
The sectors most squarely in the crosshairs are high tech (17%) and financial services (14.6%), underscoring that intellectual property and money remain prime targets.
Zero-Day Windows Are Shrinking as Patch Cycles Lag
Adversaries are pressuring patch cycles by exploiting some vulnerabilities roughly a week before fixes ship, according to Mandiant. That means “Patch Tuesday” thinking is obsolete; exposure has to be reduced even when code changes aren’t ready.
Pragmatic countermeasures include prioritizing Known Exploited Vulnerabilities from CISA, implementing virtual patching with WAF and EDR controls, and rapidly disabling or isolating affected services. Inventory discipline and software bills of materials are becoming foundational, not optional.
Voice Phishing and SaaS Takeovers Surge
Nearly one-third of intrusions start with exploit chains, but the runner-up is strikingly human: interactive, voice-based social engineering. Help desks are being manipulated to reset MFA or issue temporary access, opening the door to business-critical SaaS environments.
Verizon’s Data Breach Investigations Report has repeatedly found that the human element is involved in about 68% of breaches. Mandiant echoes that theme, noting that even as attackers use AI for reconnaissance and malware assistance—one observed stealer, QUIETVAULT, hunts for AI tooling and developer tokens—most successful intrusions still trace to preventable human and systemic failures.
Ransomware Now Destroys Recovery Infrastructure
Modern ransomware groups don’t just encrypt files; they go after the infrastructure that lets you bounce back. Mandiant observed attackers deleting cloud backup objects, targeting virtualization storage layers, and encrypting hypervisor datastores to cripple many virtual machines at once.
The aim is recovery denial, not just extortion. If your backups can be altered or your hypervisor management plane shares identity with everyday admin accounts, your “Plan B” is already compromised.
What Works Right Now to Slow and Stop Fast Attacks
Accelerate detection and containment. Strive for minutes-to-detect and under-an-hour containment across endpoints, identity providers, and SaaS. Mandiant reports a positive trend: more than half of intrusions are now first detected internally, up from the prior year—a sign that visibility investments are paying off.
Instrument identity like a critical system. Treat identity as the new perimeter with phishing-resistant MFA (FIDO2/WebAuthn), number matching, and the removal of SMS codes. Enforce conditional access, device health checks, and session risk scoring. Build identity threat detection and response to flag impossible travel, mass token minting, and surges in MFA fatigue prompts.
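As an added example (not from the Mandiant report or any identity product), a small Python detector over constructed sign-in events implementing two of the identity signals named above: impossible travel between consecutive sign-ins and a surge of denied MFA push prompts. The thresholds (900 km/h, five denied prompts in fifteen minutes) and the event field names are assumptions to map onto your own provider's logs.

```python
import math
from datetime import datetime

# Constructed sample identity-provider events (not real tenant data).
EVENTS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00", "lat": 40.71, "lon": -74.01, "type": "signin"},  # New York
    {"user": "alice", "ts": "2024-05-01T09:40:00", "lat": 52.52, "lon": 13.40, "type": "signin"},   # Berlin, 40 min later
    {"user": "bob",   "ts": "2024-05-01T10:00:00", "lat": 51.51, "lon": -0.13, "type": "signin"},   # London
    {"user": "bob",   "ts": "2024-05-01T18:00:00", "lat": 48.86, "lon": 2.35, "type": "signin"},    # Paris, 8 h later
] + [  # carol: six denied push prompts in ten minutes, the shape of an MFA-fatigue attempt
    {"user": "carol", "ts": f"2024-05-01T23:{m:02d}:00", "lat": 0.0, "lon": 0.0, "type": "mfa_push_denied"}
    for m in range(0, 12, 2)
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def _by_user(events, kind):
    """Group events of one type per user, each as (datetime, event), sorted by time."""
    groups = {}
    for e in events:
        if e["type"] == kind:
            groups.setdefault(e["user"], []).append((datetime.fromisoformat(e["ts"]), e))
    return {u: sorted(v, key=lambda t: t[0]) for u, v in groups.items()}

def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive sign-ins whose implied speed exceeds an airliner (assumed 900 km/h)."""
    hits = []
    for user, evs in _by_user(events, "signin").items():
        for (t1, a), (t2, b) in zip(evs, evs[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if hours > 0 and km / hours > max_kmh:
                hits.append((user, round(km / hours)))
    return hits

def mfa_fatigue(events, threshold=5, window_min=15):
    """Flag users with >= threshold denied push prompts inside any sliding window (assumed 15 min)."""
    hits = []
    for user, evs in _by_user(events, "mfa_push_denied").items():
        start, worst = 0, 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_min * 60:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            hits.append((user, worst))
    return hits
```

Bob's London-to-Paris hop stays quiet while Alice's 40-minute New York-to-Berlin jump and Carol's prompt storm both surface; feed the same functions a day of exported sign-in logs to tune the thresholds.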
Harden the help desk. Require call-backs to known numbers, verify high-risk requests with out-of-band approvals, and ban password or MFA resets initiated solely via chat or voice. Train staff against deepfake voice pressure and scripted urgency. Rotate help desk credentials frequently and log every elevation.
Reduce blast radius. Segment networks and SaaS roles so that a single endpoint compromise cannot reach crown jewels. Apply just-in-time and just-enough privilege with privileged access management, ephemeral credentials, and hardware-backed break-glass accounts that are vaulted and tightly audited.
Close exposed doors first. Patch and mitigate actively exploited bugs before everything else. Disable or isolate end-of-life systems. For internet-facing apps, combine rapid configuration changes, rate limiting, and WAF rules to buy time until code fixes deploy.
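As an added example covering the patch-prioritization advice here and in the zero-day section above (this is illustrative code, not a CISA or Mandiant tool), a Python triage routine that orders an asset inventory by Known Exploited Vulnerabilities status, exposure, catalog due date and whether a virtual patch is already in place. The CVE identifiers are placeholders, the inventory is constructed, and the scoring weights are assumptions to adjust locally; only the KEV field names (cveID as key, dueDate, knownRansomwareCampaignUse) mirror the public catalog.

```python
from datetime import date

# Constructed KEV-style catalog excerpt keyed by cveID. IDs are placeholders, not real CVEs.
KEV = {
    "CVE-EXAMPLE-1": {"dueDate": "2024-05-15", "knownRansomwareCampaignUse": "Known"},
    "CVE-EXAMPLE-2": {"dueDate": "2024-06-30", "knownRansomwareCampaignUse": "Unknown"},
}

# Constructed asset/SBOM inventory: one row per (host, vulnerable component).
ASSETS = [
    {"host": "vpn-gw",      "cve": "CVE-EXAMPLE-1", "internet_facing": True,  "eol": False, "mitigated": False},
    {"host": "edge-api",    "cve": "CVE-EXAMPLE-1", "internet_facing": True,  "eol": False, "mitigated": True},
    {"host": "old-wiki",    "cve": "CVE-EXAMPLE-2", "internet_facing": False, "eol": True,  "mitigated": False},
    {"host": "build-agent", "cve": "CVE-EXAMPLE-3", "internet_facing": False, "eol": False, "mitigated": False},
]

TODAY = date(2024, 5, 20)  # assumed evaluation date, so the example is reproducible

def triage(asset, kev, today):
    """Return (score, action) for one inventory row. Higher score means work it sooner."""
    entry = kev.get(asset["cve"])
    if entry is None:
        return 10, "schedule in normal patch cycle"
    score = 100                                   # actively exploited: always ahead of non-KEV work
    if entry["knownRansomwareCampaignUse"] == "Known":
        score += 30
    if asset["internet_facing"]:
        score += 40
    if date.fromisoformat(entry["dueDate"]) <= today:
        score += 20                               # at or past the catalog due date
    if asset["mitigated"]:
        score -= 50                               # WAF rule / EDR block already buys time
    if asset["eol"]:
        action = "isolate or decommission (no vendor fix coming)"
    elif asset["mitigated"]:
        action = "patch when vendor fix ships; keep virtual patch"
    elif asset["internet_facing"]:
        action = "virtual-patch now, then patch out of cycle"
    else:
        action = "patch out of cycle"
    return score, action

def work_queue(assets, kev, today):
    """Order the inventory so exploited, exposed, unmitigated items come first."""
    rows = [(a["host"], a["cve"], *triage(a, kev, today)) for a in assets]
    return sorted(rows, key=lambda r: (-r[2], r[0]))
```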
Defend developer and machine credentials. Because attackers search for GitHub and NPM tokens, move to workload identity federation and short-lived tokens, rotate secrets automatically, and restrict repo and package publishing rights. Monitor CI/CD pipelines as production infrastructure, not “build tooling.”
Build Recovery That Survives Ransomware
Adopt the 3-2-1-1-0 model: three copies, two media types, one offsite, one offline or immutable, and zero untested restores. Enable object lock and MFA delete for cloud backups. Use separate identity domains and admin workstations for backup platforms, hypervisors, and directory services.
Test full restores under pressure. Run quarterly disaster recovery drills that assume hypervisor and backup consoles are under attack. Pre-stage clean-room environments and golden images, and measure time-to-restore critical business services, not just file recovery.
Measure Speed and Practice Relentlessly to Improve
Track mean time to detect, investigate, and contain across identity, endpoint, and cloud. Codify high-speed playbooks for vishing-led SaaS takeovers, known exploited vulnerabilities, and lateral movement via remote management tools. Automate what you can, but keep humans in the loop for final authorization on high-impact actions.
The takeaway is clear: attackers have shaved their timelines to seconds, while defenders win or lose in minutes. Organizations that prioritize identity resilience, rapid containment, and recovery that cannot be sabotaged will weather this new tempo—and force adversaries to burn time they can’t afford.