TL;DR
- Attackers now transfer access between different threat groups in under 30 seconds
- Global median dwell time climbed to 14 days — attackers are staying hidden longer
- Exploits are the #1 infection vector (32%), targeting internet-facing servers
- Ransomware operators now deliberately attack backup infrastructure to prevent recovery
- 52% of organizations detected breaches internally in 2025, up from 43%
The Speed Collapse: 22 Seconds to Total Compromise
Mandiant's M-Trends 2026 report reveals a terrifying reality: cyberattackers have industrialized their operations to the point where they can hand off access between different threat groups in under 30 seconds [1]. This isn't about faster malware — it's about attackers coordinating like legitimate businesses, with specialists handling initial access, escalation, data theft, and ransomware deployment as a synchronized operation.
For SMBs, this means the traditional "detect and respond" model is broken. By the time your security team investigates an alert, attackers have already moved through multiple stages of their attack chain. The report documents cases where initial access brokers compromise a network, hand off to ransomware operators, and exfiltration specialists — all within minutes [1].
Why this matters: The window between initial compromise and operational disruption has collapsed. Organizations that rely on manual investigation workflows are now operating at a speed disadvantage that cannot be fixed with more analysts.
Dwell Time is Rising: The Hidden Threat
While attack speed has accelerated, something counterintuitive is happening: attackers are staying hidden longer. Global median dwell time climbed to 14 days in 2025, up from 11 days in 2024 [1]. This increase is driven by:
- Long-term espionage operations by state-sponsored actors
- DPRK-linked IT worker schemes where attackers maintain persistent access for months
- Quiet compromise of legitimate credentials and tools to avoid detection
Longer dwell time means more expensive remediation. Every day an attacker remains undetected increases the complexity of removing them, as they embed themselves in legitimate systems, create backdoors, and establish redundant access paths [1].
The business impact: A 14-day undetected presence gives attackers time to:
- Map your entire network infrastructure
- Exfiltrate sensitive data slowly to avoid detection
- Identify and compromise backup systems
- Establish persistent access that survives basic remediation
The New Ransomware Playbook: Attack Recovery, Not Just Data
Ransomware tactics have evolved dramatically. Operators are no longer focused primarily on data theft for extortion. Instead, they are deliberately targeting recovery infrastructure [1]. This means:
- Attacking backup servers directly to delete or encrypt backups
- Compromising identity services like Active Directory to prevent account recovery
- Targeting virtualization management (VMware vCenter, Hyper-V) to clone and control VMs
- Disabling recovery tools before deploying ransomware
Mandiant documented incidents where threat clusters cloned virtual machines containing single sign-on (SSO) identity providers, secret vaults, and domain controllers. By accessing these powered-off clones, attackers could extract credentials and secrets without triggering security alerts on live systems [1].
The business reality: This shift means ransomware payments are more likely because organizations literally cannot recover. When backups are destroyed and identity systems are compromised, the choice isn't about data protection — it's about business survival.
The Infection Vector Breakdown: What's Actually Working
Exploits remain the leading initial infection vector, accounting for 32% of attacks in 2025 [1]. But the breakdown reveals important nuances:
- Exploits: 32% — primarily zero-days affecting internet-facing web application servers
- Voice phishing: 11% — interactive attacks where live operators steer targets in real-time
- Prior compromise: 10% — attackers returning through previously established access
- Stolen credentials: 9% — legitimate credentials bought or stolen on the dark web
- Web compromise: 8% — supply chain attacks and website hijacking
- Insider threat: 6% — malicious or negligent employees
- Email phishing: 6% — traditional mass email campaigns (declining significantly)
- Third-party compromise: 5% — attacks through vendors and partners
The critical insight: Email phishing is no longer a top-observed intrusion vector. Attackers have shifted toward more sophisticated, interactive methods like voice phishing and exploitation of vulnerabilities in public-facing applications [1].
For SMBs, this means investing heavily in email security is addressing yesterday's threat. The real vulnerabilities are:
- Unpatched web-facing applications (SharePoint, SAP, Oracle E-Business Suite)
- Phone-based social engineering (voice phishing)
- Third-party vendor access
- Poor credential hygiene
Industry Breakdown: Who's Being Targeted
The M-Trends 2026 data reveals which industries faced the most investigations [1]:
- High tech: 17% — software and technology companies
- Financial services: 14.6% — banks, insurance, investment firms
- Business and professional services: 13.3% — consulting, legal, accounting
- Healthcare: 11.9% — hospitals, clinics, medical providers
- Retail and hospitality: 7.3% — e-commerce, restaurants, hotels
- Government: 5.8% — federal, state, and local agencies
- Education: 4.6% — schools and universities
- Telecommunications: 4.6% — ISPs and telecom providers
What's missing: Manufacturing, construction, transportation, and other "traditional" industries still face significant risk, but they may be underrepresented because they lack incident response capabilities or don't report breaches publicly.
The lesson for SMBs: industry doesn't protect you. While high-tech and financial services face more attacks, every sector with valuable data or operational technology is a target.
The Detection Gap: 52% Internal Detection is Progress, But Not Enough
Here's a rare positive finding: 52% of organizations detected breaches internally in 2025, up from 43% in 2024 [1]. External notifications (from law enforcement, CERTs, or cybersecurity companies) dropped from 43% to 34%.
This improvement suggests organizations are getting better at detecting malicious activity themselves. But it also means:
- 48% of organizations still rely on outsiders to tell them they've been breached
- 14% of breaches are discovered only when attackers send ransom notes
- Internal detection doesn't mean fast detection — dwell times are still increasing
The SMB challenge: Smaller organizations rarely have 24/7 security monitoring or dedicated incident response teams. This makes internal detection difficult, often relying on lucky discoveries or obvious symptoms like ransomware messages.
Malware Diversity: 714 New Families in 2025
The threat ecosystem is becoming more diverse. Mandiant tracked 714 new malware families in 2025, up from 632 in 2024, bringing the total to over 6,000 families [1]. Key findings:
- 72% of new malware targets Windows — consistent with previous years
- 12% targets Linux exclusively — stable from 2024
- Backdoors remain the most common category at 36% of observed malware
- Ransomware declined to 10% of observed malware, down from 14% in 2024
- Credential stealers increased to 9% — reflecting the focus on identity attacks
What this means: Signature-based detection is increasingly ineffective. With over 6,000 malware families and hundreds added yearly, defenders cannot rely on known-bad lists. Behavioral detection and anomaly monitoring are now essential.
How SMBs Can Build Resilience Against Industrialized Attacks
The M-Trends 2026 report makes it clear: speed is now the primary defense. Here's how SMBs can respond without enterprise budgets:
1. Prioritize Detection Speed Over Tool Count
- Treat every security alert as a potential indicator of deeper intrusion
- Establish clear escalation paths: who investigates, how fast, and what authority they have
- Consider managed detection and response (MDR) services for 24/7 monitoring
- Reduce alert noise by tuning detection rules and focusing on high-fidelity signals
2. Protect Recovery Infrastructure
- Isolate backups from corporate networks — air-gap critical backups or use immutable storage
- Secure virtualization management — treat VMware vCenter and Hyper-V as Tier-0 assets
- Implement identity protection — enforce MFA, least privilege, and continuous authentication
- Test restoration regularly — verify that backups actually work before you need them
3. Patch What Matters Most
- Internet-facing applications are the #1 entry point — prioritize patching SharePoint, SAP, Oracle, and web servers
- Focus on zero-day vulnerabilities in widely used enterprise platforms
- Establish a patch SLA for critical infrastructure: 48-72 hours maximum
- Monitor vendor security advisories for CVEs in your software stack
4. Harden Identity and Access
- Eliminate shared accounts — every user needs unique credentials
- Enforce MFA everywhere — especially for remote access and admin accounts
- Implement just-in-time access — grant permissions only when needed
- Monitor for unusual activity — impossible travel, anomalous logins, bulk data access
5. Prepare for Faster Incident Response
- Develop and test an incident response plan — tabletop exercises quarterly
- Establish relationships with incident response providers before you need them
- Document your critical systems and recovery priorities
- Consider cyberinsurance to transfer residual risk
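Added example, not from the article or from Mandiant: the impossible-travel check that item 4 recommends, run over constructed login records (made-up users, RFC 5737 test IPs, approximate city coordinates). It flags a user whose consecutive logins imply travel faster than an airliner.

```python
import math
from datetime import datetime, timezone

# Constructed sample of successful logins as a SIEM might export them:
# user, UTC timestamp, source IP, and the city/lat/lon the IP geolocated to.
# IPs are RFC 5737 documentation ranges and coordinates are approximate; none
# of this is real telemetry or an indicator of anything.
SAMPLE_LOGINS = [
    ("alice", "2026-03-10T08:02:00Z", "203.0.113.10", "Sydney", -33.87, 151.21),
    ("alice", "2026-03-10T08:41:00Z", "198.51.100.7", "Frankfurt", 50.11, 8.68),
    ("bob",   "2026-03-10T09:00:00Z", "203.0.113.55", "Melbourne", -37.81, 144.96),
    ("bob",   "2026-03-10T13:30:00Z", "203.0.113.56", "Sydney", -33.87, 151.21),
    ("carol", "2026-03-10T10:00:00Z", "192.0.2.9", "Perth", -31.95, 115.86),
    ("carol", "2026-03-10T10:00:30Z", "192.0.2.9", "Perth", -31.95, 115.86),
]

MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; faster than this is "impossible"
SAME_AREA_KM = 50.0         # logins this close together are never an alert


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive logins (same user) whose implied
    speed exceeds max_kmh. Records are sorted by time and grouped per user."""
    by_user = {}
    for rec in sorted(logins, key=lambda r: parse_ts(r[1])):
        by_user.setdefault(rec[0], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            dist = haversine_km(prev[4], prev[5], cur[4], cur[5])
            if dist < SAME_AREA_KM:
                continue
            hours = (parse_ts(cur[1]) - parse_ts(prev[1])).total_seconds() / 3600
            # two distant logins at the same second: treat as infinite speed
            speed = float("inf") if hours == 0 else dist / hours
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev[3], "to": cur[3],
                               "km": round(dist), "hours": round(hours, 2),
                               "kmh": round(speed) if hours else None})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

With the sample data only alice (Sydney to Frankfurt in 39 minutes) is flagged; bob's Melbourne to Sydney trip over 4.5 hours is plausible and carol never moves.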
The Reality Check: You Can't Out-Spend Attackers, But You Can Out-Smart Them
Mandiant's message is clear: the threat landscape has shifted toward faster, coordinated, and industrialized attacks [1]. Defenders adding more tools to monitor the same telemetry won't close the speed gap.
What works:
- Focus on the attack pathways that actually succeed — exploits, voice phishing, credential theft
- Prioritize what attackers are targeting — backups, identity, virtualization
- Detect and respond faster — treat every alert as a potential early warning
- Assume compromise — design security around detection, not prevention
The organizations that will thrive in this new threat landscape aren't those with the biggest security budgets — they're the ones that accept that attacks are inevitable, downtime is optional, and resilience is about recovery speed, not perfect prevention [2].
FAQ
Mandiant's M-Trends 2026 report documents attackers transferring access between different threat groups in under 30 seconds [1]. This handoff allows initial access brokers, ransomware operators, and data exfiltration specialists to coordinate attacks like legitimate business operations, dramatically compressing the window for defenders to detect and respond.
Global median dwell time climbed to 14 days in 2025, up from 11 days in 2024 [1]. This increase is driven by long-term espionage operations and DPRK-linked IT worker schemes. Longer dwell time means more expensive remediation and gives attackers more time to embed themselves in systems, steal data, and compromise recovery infrastructure.
Exploits are the #1 infection vector at 32%, primarily zero-days affecting internet-facing web application servers [1]. Voice phishing accounts for 11%, prior compromise 10%, stolen credentials 9%, web compromise 8%, insider threat 6%, and email phishing only 6%. Notably, email phishing is no longer a top-observed intrusion vector.
Ransomware operators have shifted from data theft to attacking recovery infrastructure [1]. They deliberately target backup servers, identity services (Active Directory), and virtualization management platforms (VMware vCenter, Hyper-V) to prevent organizations from recovering. This increases pressure to pay because organizations literally cannot restore operations even if they have backups.
52% of organizations detected breaches internally in 2025, up from 43% in 2024 [1]. While this is progress, it means 48% still rely on external notifications from law enforcement, CERTs, or cybersecurity companies, and 14% only discover breaches when attackers send ransom notes.
References
[1] Mandiant Google Cloud, "M-Trends 2026: A Report on Threat Landscape and Tactics," Mandiant, March 2026. [Online]. Available: https://cloud.google.com/security/resources/m-trends
[2] C. Wyatt, "2026 Resilience Risk Index," Absolute Security, March 2026. [Online]. Available: https://www.absolute.com
[3] Kaspersky Security Services, "Anatomy of a Cyber World Global Report 2026," Kaspersky Securelist, March 2026. [Online]. Available: https://securelist.com/global-report-security-services-2026/119233/
[4] PwC, "Annual Threat Dynamics 2026," PwC, March 2026. [Online]. Available: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/annual-threat-dynamics.html
[5] Cybersecurity Insiders, "2026 Cybersecurity Excellence Awards Winners Announced during RSA Conference," Cybersecurity Insiders, March 2026. [Online]. Available: https://cybersecurity-excellence-awards.com/
[6] Industrial Cyber, "M-Trends 2026 reveals threat landscape shaped by faster, coordinated, and industrialized cyberattacks," Industrial Cyber, March 2026. [Online]. Available: https://industrialcyber.co/reports/m-trends-2026-reveals-threat-landscape-shaped-by-faster-coordinated-and-industrialized-cyberattacks/
[7] Infosecurity Magazine, "Enterprise Cybersecurity Software Fails 20% of the Time, Warns Absolute Security," Infosecurity Magazine, March 2026. [Online]. Available: https://www.infosecurity-magazine.com/news/cybersecurity-software-failure-20/
[8] N-able, "State of the SOC Report 2026," N-able, March 2026. [Online]. Available: https://www.n-able.com/resources/state-of-the-soc-report-2026
Your business doesn't need an enterprise security budget to build resilience. You need smart prioritization, fast detection, and a recovery plan that actually works. At lil.business, we help SMBs implement practical cybersecurity that protects what you've built. Get a free consultation and close your resilience gap.
Your Business's Security Guard Just Had 48 Holes Found in It — And 2 Were Completely Open Doors
TL;DR
- Cisco (one of the biggest makers of business firewalls) just discovered 48 security flaws in their products [1].
- Two of those flaws were rated 10 out of 10 for severity — the worst possible score. They basically let strangers walk straight through your front door [1].
- There's no Band-Aid fix. The only solution is updating the software. Now.
- If your business uses Cisco firewall equipment, this needs to happen this week.
What's a Firewall, and Why Does It Matter?
Think of a firewall like a security guard at the front door of your office building. Every person (or piece of information) that wants to enter or leave has to pass through that guard first. The guard checks: "Are you allowed in? Are you carrying something dangerous?"
Most businesses have this kind of guard — sometimes as a physical box plugged into their internet connection, sometimes as software running in the cloud. Cisco is one of the companies that makes these guards, and millions of businesses around the world use their products [3].
This week, Cisco announced they found 48 problems with how their security guards work [1]. That'd be a bit like hiring a guard company and then discovering 48 different ways someone could trick, confuse, or bypass your guards.
What Are the Two Worst Problems?
Out of the 48 issues, two are rated the worst possible score — 10 out of 10 [1]. Security researchers use a scoring system called CVSS to measure how bad a flaw is, from 0 to 10. A 10 means: anyone on the internet can exploit this, no special access needed, and the damage is total [9].
Problem 1: The guard completely ignores the ID check
The first flaw (called CVE-2026-20079) means an attacker can knock on your firewall's door and — without a username, without a password, without any credentials — get straight through. Not just into the lobby. Straight to the master control panel with full access to everything [1].
It's like having a security guard who hands over the master key to anyone who knocks on the door in a specific way.
Problem 2: The guard's control room has a secret back entrance
The second flaw (CVE-2026-20131) affects the software used to manage multiple Cisco firewalls from one place — like the security company's control room [1]. An attacker can send a specially crafted message to that control room and use it to run any commands they want on the system.
If your IT provider manages your firewalls with Cisco's management software, that control room is relevant to you too.
Who Does This Affect?
The products affected are Cisco's Secure Firewall ASA, FTD, and FMC — which are used by businesses of all sizes, from small teams to large enterprises [1]. If your business has a Cisco firewall (or if your IT company manages your network with Cisco tools), you need to check this.
Here's a helpful question to ask your IT provider: "Are any of our firewalls running Cisco ASA, FTD, or FMC? If so, have you applied the patches from the March 2026 security advisory?"
If they already have, great. If they don't know what you're talking about — that's useful information about the level of service you're getting.
Is There a Temporary Fix?
No. Cisco has confirmed there are no workarounds for these two critical flaws [1]. You can't adjust a setting, turn off a feature, or add an extra layer of protection to buy time. The only fix is to update the firewall software to the patched version.
This makes it more urgent than most security updates, where businesses can sometimes apply a temporary fix and patch at their next scheduled maintenance window.
What Should Your Business Do Right Now?
Step 1: Ask your IT provider or network manager about this today. Send them a message with the words "CVE-2026-20079" and "CVE-2026-20131" and ask if your Cisco devices are patched. A good IT provider will respond quickly — they should already be on this.
Step 2: If you manage your own network, log into your Cisco device and check the firmware version. Compare it against Cisco's security advisory at tools.cisco.com/security/center.
Step 3: Schedule the update as soon as possible. It takes 1-2 hours during a quiet period. Set it for tonight or early tomorrow morning if you can.
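As an added example (not from the article or from Cisco), the comparison behind Step 2 in code: it pulls the running version out of ASA-style `show version` text and checks it against a per-train "first fixed release" table of the kind a Cisco advisory publishes. The fixture output and every number in FIRST_FIXED_PLACEHOLDER are constructed placeholders, not values from the advisory; substitute the real ones before relying on the result.

```python
import re

# PLACEHOLDER table. The real "First Fixed Release" values live in the Cisco
# advisory and are NOT reproduced here; these numbers are made up for the example.
# None means the train gets no fix and must be migrated to a fixed train.
FIRST_FIXED_PLACEHOLDER = {
    "9.16": None,
    "9.18": "9.18(4)40",
    "9.20": "9.20(3)7",
    "9.22": "9.22(1)3",
}

# Constructed excerpt in the style of ASA 'show version' output (a test fixture,
# not captured from a real device).
SAMPLE_SHOW_VERSION = """Cisco Adaptive Security Appliance Software Version 9.18(3)22
Device Manager Version 7.18(1)
Compiled on Wed 01-Mar-2023 by builders
"""

# Accepts '9.18(3)22', '9.18(3)' and dotted '7.2.5' styles.
_VER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+)|\((\d+)\))?(\d+)?$")


def parse_version(text):
    """Turn a version string into a comparable (major, minor, maint, interim) tuple."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, dot, paren, interim = m.groups()
    return (int(major), int(minor), int(dot or paren or 0), int(interim or 0))


def extract_running_version(show_version_output):
    """Find the 'Software Version X' field in ASA-style output (assumed format)."""
    m = re.search(r"Software Version ([0-9.()]+)", show_version_output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return m.group(1)


def check_against_advisory(running, first_fixed=FIRST_FIXED_PLACEHOLDER):
    """Classify a running version as patched, vulnerable, migrate (train has no
    fix) or unknown-train (not listed in the table). Returns (status, train, fixed)."""
    rv = parse_version(running)
    train = f"{rv[0]}.{rv[1]}"
    if train not in first_fixed:
        return ("unknown-train", train, None)
    fixed = first_fixed[train]
    if fixed is None:
        return ("migrate", train, None)
    if rv >= parse_version(fixed):
        return ("patched", train, fixed)
    return ("vulnerable", train, fixed)


if __name__ == "__main__":
    running = extract_running_version(SAMPLE_SHOW_VERSION)
    print(running, check_against_advisory(running))
```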
The Bigger Picture: Why Patches Feel Annoying But Save Money
Keeping software up to date on your security equipment feels tedious. It means maintenance windows, potential downtime, someone staying up late or coming in early. It's easy to let it slide.
But according to IBM's research, the average data breach costs $4.88 million globally [10]. For a small business, the financial and reputational damage is often enough to close the doors permanently. The time to apply a patch? A couple of hours. The comparison isn't close.
The businesses that handle this stuff well aren't just reacting to emergencies. They have a system: they know what software versions everything is running, they get alerts when security problems are found, and they have a clear process for testing and applying patches quickly. Building that system is exactly what lil.business helps SMBs do — without needing a full-time IT security team.
FAQ
Not directly — these specific flaws are in Cisco products only. But every major firewall brand has had similar critical vulnerabilities. The lesson applies regardless: know what you're running, subscribe to your vendor's security alerts, and have a patch process that moves quickly on critical updates.
Possibly not long. Security researchers note that AI tools are now helping attackers convert newly disclosed vulnerabilities into working attack code within hours of a public announcement [2]. The window between "Cisco told us about this" and "attackers are exploiting it" is shrinking. Treat this as an emergency, not a scheduled task.
If Cisco no longer supports your device's software version, the patch may not be available for your hardware. This is an important risk conversation to have with your IT provider. Old, unpatched firewalls on the network perimeter are a significant business risk and may need hardware replacement.
Yes. lil.business works with SMBs to build the processes, tools, and monitoring needed to handle patch cycles like this without panic — so that when a CVSS 10 vulnerability drops, you're already ahead of it, not scrambling to catch up. Book a chat here.
References
[1] V. Rao, "Cisco Fixes 48 Firewall Flaws, Including 2 Critical Vulnerabilities with CVSS 10 Scores," News4Hackers, Mar. 2026. [Online]. Available: https://www.news4hackers.com/cisco-fixes-48-firewall-flaws-including-2-critical-vulnerabilities-with-cvss-10-scores/
[2] C. Hilt, "March 2026 Patch Tuesday Forecast: Is AI Security an Oxymoron?" Help Net Security, Mar. 6, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/06/march-2026-patch-tuesday-forecast/
[3] Cisco Systems, "Cisco Security Advisories," Cisco, Mar. 2026. [Online]. Available: https://tools.cisco.com/security/center/publicationListing.x
[4] J. Burt, "CyberProof 2026 Report Warns of Rising Identity and AI Cyberattacks," eSecurity Planet, Mar. 2026. [Online]. Available: https://www.esecurityplanet.com/threats/cyberproof-2026-report-warns-of-rising-identity-and-ai-cyberattacks/
[5] Australian Signals Directorate, "Essential Eight Maturity Model," ASD, 2025. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
[6] National Vulnerability Database, "CVSS v3.1 Scoring System," NIST NVD, 2023. [Online]. Available: https://nvd.nist.gov/vuln-metrics/cvss
[7] Cybersecurity and Infrastructure Security Agency, "Known Exploited Vulnerabilities Catalog," CISA, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[8] National Institute of Standards and Technology, "SP 800-128: Guide for Security-Focused Configuration Management of Information Systems," NIST, 2019. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-128/final
[9] National Institute of Standards and Technology, "Common Vulnerability Scoring System," NIST, 2023. [Online]. Available: https://nvd.nist.gov/vuln-metrics/cvss
[10] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
Not sure if your business's security equipment is up to date? lil.business helps SMBs build simple, reliable security systems that don't require a full-time IT department. Start with a free consultation.