**Attackers Get Access in as Little as 22 Seconds: Mandiant's M-Trends 2025 Report Reveals Alarming Trends**

The cybersecurity landscape continues to evolve at an alarming rate, with attackers becoming increasingly sophisticated and brazen. According to Mandiant's M-Trends 2025 report, which draws on over 500,000 hours of incident response work conducted in 2025, the median time between initial compromise and hand-off of that access to a separate group has collapsed to just 22 seconds.

**Exploits Remain the Leading Entry Point**

For the sixth consecutive year, exploits remained the leading entry point for attackers, accounting for 32% of all incidents. This is a concerning trend that highlights the need for organizations to prioritize vulnerability management and patching. Email phishing, once a dominant social engineering vector, has seen a sustained decline, but voice phishing has surged to become the second-most common initial infection vector.

**The Division-of-Labor Model: A New Era of Attack**

A growing share of Mandiant investigations have revealed a division-of-labor model, where one threat cluster gains initial access and transfers it to a separate group for follow-on operations. This pattern appeared in 9% of 2025 investigations, up from 4% in 2022. The time between initial compromise and hand-off has collapsed, with the median time falling to just 22 seconds.

**Ransomware and Backup Targets**

The report reveals that ransomware-related intrusions accounted for 13% of Mandiant investigations in 2025. Operators have moved beyond dual-threat encryption-and-theft operations toward systematically denying organizations the ability to recover, targeting identity services, virtualization management planes, and backup infrastructure. In one documented case, attackers compromised backup management servers, extracted credentials from configuration databases, and wiped millions of backup objects from cloud storage alongside dozens of local system backups.

**The Most Frequently Exploited Vulnerabilities**

According to Mandiant's report, the most frequently exploited vulnerabilities in 2025 investigations were zero-days targeting internet-facing enterprise application servers. CVE-2025-31324 allowed unauthenticated file uploads and was exploited by multiple threat clusters before being patched in April 2025.

**Edge and Core Network Devices: A Growing Target**

The mean time to exploit vulnerabilities has turned negative, with exploitation beginning on average before a patch is available. Edge and core network devices, which often run proprietary operating systems incompatible with enterprise endpoint detection and response tools, have become primary targets for sustained campaigns.

**AI Tools Used by Threat Actors**

Mandiant investigated a supply chain compromise involving the QUIETVAULT credential stealer, which checks for AI command-line tools on compromised machines and executes prompts to locate configuration files and harvest developer tokens. Malware families including PROMPTFLUX and PROMPTSTEAL actively query large language models during execution to support evasion.

**Conclusion**

The M-Trends 2025 report paints a concerning picture of the current cybersecurity landscape. Attackers are becoming increasingly sophisticated, exploiting vulnerabilities before patches are available, and using AI tools to accelerate reconnaissance and social engineering efforts. Organizations must prioritize vulnerability management, patching, and incident response to stay ahead of these threats.

**Recommendations**

* Prioritize vulnerability management and patching
* Implement robust incident response and detection capabilities
* Monitor for suspicious activity on edge and core network devices
* Stay up-to-date with the latest threat intelligence and research

By understanding the trends and tactics outlined in Mandiant's M-Trends 2025 report, organizations can better prepare themselves to defend against these emerging threats.