
M-Trends 2026
Mandiant's 2026 annual threat intelligence report documenting 393-day BRICKSTORM dwell time and Recovery Denial ransomware tactics.
Last refreshed: 17 April 2026
What did Mandiant learn from 500,000 hours of real cyberattack response work in 2025?
- What are the key findings of Mandiant M-Trends 2026?
- M-Trends 2026 documented a 393-day average dwell time for UNC5221 BRICKSTORM intrusions targeting US and UK legal services and technology firms, and identified Recovery Denial (ransomware attacks on backup infrastructure) as a growing tactic. Source: Mandiant M-Trends 2026
- How long do hackers stay hidden inside company networks on average?
- Mandiant's M-Trends 2026 report found a 393-day average dwell time for UNC5221's BRICKSTORM campaign, meaning attackers remained undetected in enterprise networks for over a year on average before discovery or remediation. Source: Mandiant M-Trends 2026
Background
Mandiant and Google Cloud published M-Trends 2026 based on over 500,000 hours of incident-response engagement data, with two central findings for this update: the 393-day average dwell time for UNC5221 BRICKSTORM intrusions targeting US and UK legal services, BPOs, SaaS providers and technology firms; and the emergence of Recovery Denial tactics, in which ransomware operators specifically target backup and disaster-recovery infrastructure to extend the remediation window and increase negotiating leverage.
M-Trends is Mandiant's flagship annual intelligence report, now in its 17th year and produced under Google's ownership since the 2022 acquisition. The report aggregates findings from Mandiant's global incident-response practice, making it one of the largest dwell-time and attacker-behaviour datasets available in the public domain. Prior M-Trends reports have been cited by CISA, NCSC and the European Commission in regulatory guidance.
For enterprise security and board audiences, M-Trends 2026's 393-day benchmark is the primary data point for assessing the adequacy of detection and response capability against nation-state-calibre threat actors. The Recovery Denial finding has direct implications for backup-infrastructure architecture: if attackers are systematically targeting backup and DR systems, an organisation's recovery timeline is only as reliable as its offline or immutable backup posture.