Mandiant
Organisation · US

Google-owned threat intelligence and incident response firm; published M-Trends 2026 documenting 393-day UNC5221 BRICKSTORM dwell time.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

How did Mandiant track an attack that hid for 393 days inside enterprise servers?

Timeline for Mandiant

#1 · 17 Apr

Mentioned in: CitrixBleed 3 lands on SAML broker

Cybersecurity: Threats and Defences
#1 · 17 Apr

Published M-Trends 2026 report disclosing UNC5221 BRICKSTORM campaign with 393-day average dwell time

Cybersecurity: Threats and Defences: BRICKSTORM dwell hits 393 days, Mandiant
Common Questions
What did Mandiant find in its 2026 security report?
Mandiant's M-Trends 2026 documented a 393-day average dwell time for UNC5221's BRICKSTORM campaign targeting US and UK legal services, BPOs and tech firms. It also flagged Recovery Denial tactics (ransomware attacks on backup infrastructure) as a growing trend. Source: Mandiant M-Trends 2026
Does Google own Mandiant?
Yes. Google acquired Mandiant in 2022 for $5.4 billion and integrated it into Google Cloud. Mandiant continues to publish independent threat intelligence reports including the annual M-Trends series.

Background

Mandiant, now part of Google Cloud following the 2022 acquisition, published M-Trends 2026 based on over 500,000 incident response hours. The central findings for this update are the 393-day average dwell time for UNC5221 BRICKSTORM intrusions and the emergence of Recovery Denial as a ransomware tactic targeting backup infrastructure. Mandiant's original incident response on CitrixBleed 2023 is also cited as the authoritative technical account of the exploit path that CitrixBleed 3 reproduces.

Mandiant is one of the most-cited threat intelligence and incident response firms globally, with a reputation built on attribution of advanced persistent threat groups and large-scale breach investigations. Its M-Trends annual report is the largest single synthesis of real-world incident-response data in the public domain. Google's acquisition in 2022 for $5.4 billion integrated Mandiant into Google Cloud's Chronicle security platform.

For the wider security market, Mandiant's BRICKSTORM reporting is the definitive technical account of UNC5221's tradecraft. The 393-day dwell benchmark has immediate implications for enterprise detection and response posture: any IR programme that does not account for vCenter/ESXi telemetry gaps and C2 relayed through legitimate cloud services is missing the specific attack class Mandiant documented at scale.