From 8 Hours to 22 Seconds: Cyberattacks Just Got Terrifyingly Fast, Mandiant’s 2025 Report Explains Why
Cyberattacks are moving at machine speed, but the entry point is almost always human error. Here is what the data shows and what organizations need to do about it.

Hackers now hand off compromised networks in 22 seconds, a figure that would have been unthinkable just three years ago and one that fundamentally changes how organisations need to think about cyber defence. That is the headline finding from Mandiant’s annual survey of the enterprise security landscape, published by the US cybersecurity firm now operating as part of Google Cloud. The report, drawn from investigations into major global security breaches in 2025, paints a picture of an attack ecosystem that has industrialised, automated, and accelerated to a degree that traditional security models were never designed to handle.
The central paradox, however, is not about machines at all. Despite all the automation, despite all the AI, despite all the speed, the most reliable entry point into any enterprise network remains the human being sitting at a desk.
From 8 Hours to 22 Seconds
To understand how dramatically the threat landscape has shifted, one number tells the story better than any other.
In 2022, the average time between an initial network compromise and the hand-off to a secondary attack group, the moment when low-level intruders pass access to more sophisticated operators for deeper exploitation, was over eight hours. By 2025, that same hand-off was happening in an average of 22 seconds.
That is not an incremental improvement in attack capability. It is a complete transformation of the operational model. What once required hours of human coordination now happens faster than it takes to read this sentence.
The mechanism driving this acceleration is automation. Cybercriminals have adopted the same division-of-labour model that legitimate enterprises use for software-as-a-service workflows. One group uses low-impact techniques, malicious advertisements, and fake browser updates to gain initial access. The moment that access is confirmed, automated systems hand the compromised target to a secondary group for hands-on exploitation. The entire handshake is machine-managed, machine-timed, and machine-fast.
Attack Speed: Then vs Now
| Metric | 2022 | 2025 |
|---|---|---|
| Average time to hand-off | 8+ hours | 22 seconds |
| Mean time to exploit zero-day vulnerabilities | Weeks | 7 days (before patch issued) |
| Average dwell time — all incidents | — | 14 days |
| Median dwell time — cyber espionage | — | 122 days |
| Internal detection rate | 43% (2024) | 52% (2025) |
Zero-Day Exploits: The Window Is Shrinking Fast
The acceleration is not limited to hand-off times. The window between a vulnerability being discovered and attackers actively exploiting it has collapsed to just seven days, before most vendors have even had time to issue a patch.
This means that the traditional security model of patching vulnerabilities after they are identified is increasingly inadequate. By the time a patch is ready, attackers have already weaponised the exploit at scale. Organizations that are not monitoring for anomalous behaviour in real time, rather than waiting for vendor-issued fixes, are effectively defending yesterday’s perimeter against today’s attack.
Two Types of Attackers, Very Different Timelines
Mandiant’s report draws a sharp distinction between the two primary categories of attackers operating in enterprise networks, and understanding the difference matters for how organisations prioritise their defences.
Cybercriminals are optimised for speed and immediate financial gain. Ransomware is their primary tool, and their objective is to encrypt data, demand payment, and move on. They operate loudly and quickly because time is money.
Cyber espionage groups operate on an entirely different timeline. Their goal is not immediate disruption but long-term, undetected access. The median dwell time for espionage incidents, the period between initial intrusion and detection, is 122 days. These groups move slowly, use native network tools to avoid triggering alerts, and prioritise staying invisible over extracting value quickly.
The 14-day average dwell time across all incidents masks this split. An organization hit by ransomware may discover the intrusion within hours. An organisation targeted by a state-linked espionage group may not know for four months, by which point the damage is already done.
Who Is Being Targeted
| Sector | Share of Targeted Intrusions |
|---|---|
| High-Tech | 17% |
| Financial Services | 14.6% |
| Other industries (16 verticals identified) | Remaining % |
The Human Problem Nobody Has Solved
Here is where Mandiant’s findings cut deepest and where the report’s conclusions will be most uncomfortable for organizations that have been investing heavily in AI-powered security tools.
Despite the rapid technological advancement on the attacker side, Mandiant is explicit: 2025 was not the year AI caused breaches. The report states that the vast majority of successful intrusions still stem from fundamental human and systemic failures.
The most commonly exploited non-technical vector is not a sophisticated zero-day. It is voice-based social engineering, with attackers calling IT help desks, impersonating employees, and manipulating support staff into bypassing multi-factor authentication. One compromised help desk call can render an entire MFA infrastructure irrelevant.
AI is playing a supporting role in these attacks, used for reconnaissance, crafting convincing social engineering scripts, and developing malware. Mandiant identified one credential stealer, QUIETVAULT, that actively scanned compromised machines for AI command-line tools to harvest configuration files and developer tokens. But the initial access almost always begins with a human being tricked, pressured, or manipulated into opening a door.
Ransomware Has Evolved, And the New Version Is Worse
The ransomware threat has undergone a significant and dangerous evolution that organisations running virtualized infrastructure need to understand urgently.
Traditional ransomware encrypted data and demanded payment for the decryption key. The recovery path, while painful and expensive, existed. Modern ransomware groups have closed that escape route deliberately.
Attackers are now actively targeting backup infrastructure, deleting backup objects from cloud storage, encrypting hypervisor datastores, and attacking the virtualisation storage layer directly. By rendering virtual machines inoperable simultaneously, they are not just holding data hostage. They are destroying the organization’s ability to recover at all, removing the leverage that made paying the ransom optional.
For organizations that have invested in virtualised infrastructure and cloud-based backups as their recovery strategy, this development requires an immediate rethink.
How to Fight Back: Mandiant’s Recommendations
The report is not without a roadmap. Mandiant’s recommendations are structural rather than cosmetic: changes to how networks are designed and monitored, not just to what software is installed.
The most critical defensive shifts include treating virtualization and management platforms as Tier-0 assets with the strictest possible access constraints. Backup environments must be decoupled from the corporate Active Directory domain and stored using immutable storage, making them impossible to delete even if attackers gain administrative access.
Log retention policies need to extend well beyond the standard 90-day window, because evidence of espionage groups operating over 122-day dwell periods will have long since aged out of short-retention logs by the time the intrusion is discovered. SaaS integrations require regular auditing, with all applications routed through a central identity provider.
Employee training, particularly for IT help desk staff, must evolve to address voice-based social engineering and unauthorised MFA reset requests specifically. Generic security awareness training is no longer sufficient.
Defensive Priorities at a Glance
| Priority | Action Required |
|---|---|
| Virtualisation security | Treat as Tier-0 — strictest access controls |
| Backup protection | Decouple from Active Directory, use immutable storage |
| Log retention | Extend well beyond 90-day standard window |
| SaaS security | Route all apps through central identity provider (IdP) |
| Threat detection | Behaviour-based models flagging anomalous activity |
| Employee training | Voice social engineering and MFA reset awareness |
| Identity verification | Continuous verification, especially third-party vendors |
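The help-desk MFA reset vector and the behaviour-based detection priority above can be combined into one correlation rule. The following is an added example, not code from the report or from Mandiant: it flags any phone-channel MFA reset that is followed shortly by a sign-in from a device the account has never used. Field names, the sample events and the per-user device baseline are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the Mandiant report): help-desk MFA reset
# events and subsequent sign-ins for the same accounts. Field names are assumptions.
EVENTS = [
    {"ts": "2025-03-10T09:02:00", "type": "mfa_reset", "user": "jdoe", "channel": "phone", "actor": "helpdesk1"},
    {"ts": "2025-03-10T09:04:30", "type": "signin", "user": "jdoe", "device": "unknown-win11-7f2a", "country": "RO"},
    {"ts": "2025-03-10T10:15:00", "type": "mfa_reset", "user": "asmith", "channel": "in_person", "actor": "helpdesk2"},
    {"ts": "2025-03-10T10:20:00", "type": "signin", "user": "asmith", "device": "unknown-mac-41c9", "country": "GB"},
    {"ts": "2025-03-10T13:00:00", "type": "mfa_reset", "user": "kwong", "channel": "phone", "actor": "helpdesk1"},
    {"ts": "2025-03-10T13:30:00", "type": "signin", "user": "kwong", "device": "laptop-kwong", "country": "US"},
    {"ts": "2025-03-10T16:00:00", "type": "mfa_reset", "user": "ravi", "channel": "phone", "actor": "helpdesk3"},
    {"ts": "2025-03-11T09:00:00", "type": "signin", "user": "ravi", "device": "unknown-android-9c", "country": "IN"},
]
# Devices each user has previously signed in from (constructed baseline).
KNOWN_DEVICES = {"jdoe": {"laptop-jdoe"}, "asmith": {"laptop-asmith"},
                 "kwong": {"laptop-kwong"}, "ravi": {"laptop-ravi"}}


def find_suspicious_resets(events, known_devices, window_hours=2):
    """Return one alert per phone-channel MFA reset that is followed, within
    `window_hours`, by a sign-in from a device the user has never used before.
    In-person resets and sign-ins from baseline devices are not flagged."""
    window = timedelta(hours=window_hours)
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    alerts = []
    for i, reset in enumerate(ordered):
        if reset["type"] != "mfa_reset" or reset["channel"] != "phone":
            continue
        t_reset = datetime.fromisoformat(reset["ts"])
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t_reset > window:
                break  # events are sorted, so nothing later can be inside the window
            if later["type"] != "signin" or later["user"] != reset["user"]:
                continue
            if later["device"] not in known_devices.get(reset["user"], set()):
                alerts.append({"user": reset["user"], "helpdesk_actor": reset["actor"],
                               "reset_ts": reset["ts"], "signin_ts": later["ts"],
                               "device": later["device"], "country": later["country"]})
                break  # one alert per reset is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_resets(EVENTS, KNOWN_DEVICES):
        print(f"ALERT {a['user']}: phone MFA reset by {a['helpdesk_actor']} at {a['reset_ts']} "
              f"-> new device {a['device']} ({a['country']}) signed in at {a['signin_ts']}")
```

Widening the window trades fewer missed cases for more analyst noise; the 2-hour default is an assumption, not a value from the report.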
Identity Is the New Perimeter
Mandiant’s closing conclusion is the one that should reshape how every organization thinks about its security architecture going into 2026.
The traditional network perimeter of firewalls, VPNs, and passwords no longer exists in any meaningful sense. Distributed networks, SaaS platforms, remote workforces, and third-party integrations have dissolved the boundary between inside and outside. The new perimeter is identity. Every user, every device, every application accessing the network is either a verified entity or a potential threat vector.
Simply rotating passwords and enforcing MFA is no longer enough. Continuous identity verification, particularly for third-party vendors who often operate with elevated access and minimal oversight, is the structural shift Mandiant identifies as most critical.