Cyber Threat Trends 2025: Key Findings from the Mandiant M-Trends Report
Table of Contents
- Initial Attack Vectors: How Cyber Threats Gain Their First Foothold
- Cyber Threat Dwell Time Statistics: Detection Speed in 2024
- Ransomware and Data Extortion: The Financial Threat Landscape
- Edge Device Exploitation: The Most Critical Cyber Threat Vector
- Infostealer Malware and Credential Theft: The Growing Supply Chain
- North Korean IT Worker Insider Threats: An Emerging Cyber Threat
- Malware Trends 2025: Platform Diversity and Tool Evolution
- Detection and Response Capabilities: Closing the Visibility Gap
- Cloud and SaaS Security: Protecting the Expanding Attack Surface
- Actionable Defense Strategy: Your 90-Day Cyber Threat Mitigation Plan
🔑 Key Takeaways
- Initial Attack Vectors: How Cyber Threats Gain Their First Foothold — Understanding how adversaries gain initial access is fundamental to effective defense prioritization.
- Cyber Threat Dwell Time Statistics: Detection Speed in 2024 — Dwell time—the duration between initial compromise and detection—serves as one of the most important metrics in incident response.
- Ransomware and Data Extortion: The Financial Threat Landscape — Financially motivated intrusions accounted for 35% of all investigations in 2024, with ransomware involved in 21% of cases—representing approximately two-thirds of all financially motivated incidents.
- Edge Device Exploitation: The Most Critical Cyber Threat Vector — One of the most significant cyber threat trends in 2025 is the systematic targeting of edge and network access devices.
- Infostealer Malware and Credential Theft: The Growing Supply Chain — The rise of stolen credentials as the second most common initial access vector is directly linked to the explosion of infostealer malware.
Initial Attack Vectors: How Cyber Threats Gain Their First Foothold
Understanding how adversaries gain initial access is fundamental to effective defense prioritization. The Mandiant M-Trends 2025 data reveals clear patterns that should shape every organization’s security investment decisions.
Exploits remain the dominant initial access vector at 33% of all investigated incidents, maintaining this position for the fifth consecutive year. The most frequently exploited vulnerabilities targeted edge and network access devices—specifically CVE-2024-3400 in Palo Alto PAN-OS GlobalProtect (command injection), CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure (authentication bypass and command injection exploited as zero-days), and CVE-2023-48788 in Fortinet FortiClient EMS (SQL injection). This concentration on edge devices represents a critical trend: attackers are systematically targeting the security infrastructure itself.
Stolen credentials rose to second place at 16% of incidents, up significantly from previous years. This increase reflects the growing sophistication and scale of infostealer malware operations that harvest credentials from browsers, password managers, and session tokens, then sell them through access broker marketplaces.
Email phishing dropped to third place at 14%, suggesting that while phishing remains a persistent threat, organizations have improved their email security controls. However, web compromise rose to 9% from 5% in 2023, indicating that adversaries are shifting their social engineering tactics toward browser-based attack surfaces including SEO poisoning and malicious redirects.
Perhaps most concerning, 34% of incidents had an unknown or undetermined initial vector—indicating significant gaps in logging and detection capabilities across the organizations investigated.
Cyber Threat Dwell Time Statistics: Detection Speed in 2024
Dwell time—the duration between initial compromise and detection—serves as one of the most important metrics in incident response. The Mandiant M-Trends 2025 report shows the global median dwell time reached 11 days in 2024, a slight increase from 10 days in 2023 but a dramatic improvement from the 205-day median recorded in 2014.
The data reveals important nuances when broken down by detection source. Adversary-notified incidents—typically ransomware deployments where attackers reveal themselves through ransom demands—had a median dwell time of just 5 days. External partner notifications from law enforcement, security vendors, or peer organizations showed a median of 26 days. Internal discovery showed improvement, with organizations increasingly detecting compromises before external notification.
A significant positive trend: 45.1% of all intrusions were discovered within one week, up from 43.3% in 2023. This acceleration indicates that investments in detection capabilities, particularly endpoint detection and response (EDR) and security operations center (SOC) operations, are producing measurable results. However, the remaining 55% of intrusions that take longer than a week to detect represent ongoing risk, particularly for data exfiltration and lateral movement scenarios.
For organizations benchmarking their detection capabilities, the goal should be clear: achieve consistent sub-7-day detection across all incident types, not just adversary-announced events. Learn more about building effective detection programs in our enterprise threat intelligence guide.
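As an added example (not code from the article or the M-Trends report), the following computes the same dwell-time breakdown the report uses from an organization's own incident records: global median, share detected within a week, median per detection source, and whether every source meets the sub-7-day goal. The incident records and the detection-source labels are constructed assumptions.

```python
"""Added example, not from the article or the report: compute dwell-time
metrics from an organisation's own incident records in the same breakdown
M-Trends uses (global median, share detected within a week, median per
detection source). Records and source labels are constructed assumptions."""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed incident records: compromise and detection dates plus who
# detected it. Anything other than "internal" counts as external notification
# (adversary notification and partner notification alike).
INCIDENTS = [
    {"id": "IR-1", "compromise": date(2024, 3, 1), "detected": date(2024, 3, 4), "source": "adversary"},
    {"id": "IR-2", "compromise": date(2024, 3, 10), "detected": date(2024, 3, 16), "source": "adversary"},
    {"id": "IR-3", "compromise": date(2024, 4, 1), "detected": date(2024, 4, 3), "source": "internal"},
    {"id": "IR-4", "compromise": date(2024, 4, 5), "detected": date(2024, 4, 14), "source": "internal"},
    {"id": "IR-5", "compromise": date(2024, 5, 1), "detected": date(2024, 5, 30), "source": "external_partner"},
    {"id": "IR-6", "compromise": date(2024, 5, 2), "detected": date(2024, 5, 20), "source": "external_partner"},
    {"id": "IR-7", "compromise": date(2024, 6, 1), "detected": date(2024, 6, 6), "source": "internal"},
    {"id": "IR-8", "compromise": date(2024, 6, 3), "detected": date(2024, 6, 12), "source": "external_partner"},
]

def dwell_days(incident: dict) -> int:
    """Dwell time: whole days between first compromise and detection."""
    return (incident["detected"] - incident["compromise"]).days

def metrics(incidents, target_days: int = 7) -> dict:
    """Global median, share detected within target_days, median per source,
    and the share of incidents the organisation learned of from outside."""
    by_source = defaultdict(list)
    for inc in incidents:
        by_source[inc["source"]].append(dwell_days(inc))
    all_days = [d for days in by_source.values() for d in days]
    external = sum(len(days) for src, days in by_source.items() if src != "internal")
    return {
        "global_median": median(all_days),
        "within_target_pct": round(100 * sum(d <= target_days for d in all_days) / len(all_days), 1),
        "median_by_source": {src: median(days) for src, days in by_source.items()},
        "external_notification_pct": round(100 * external / len(all_days), 1),
    }

def meets_goal(m: dict, target_days: int = 7) -> bool:
    """The benchmark above: a sub-target median for every detection source,
    not only for adversary-announced incidents."""
    return all(v < target_days for v in m["median_by_source"].values())

if __name__ == "__main__":
    m = metrics(INCIDENTS)
    print(m, "meets sub-7-day goal:", meets_goal(m))
```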
Ransomware and Data Extortion: The Financial Threat Landscape
Financially motivated intrusions accounted for 35% of all investigations in 2024, with ransomware involved in 21% of cases—representing approximately two-thirds of all financially motivated incidents. The data extortion landscape has evolved beyond simple encryption, with multiple attack patterns now in play.
Multifaceted extortion—combining data theft with ransomware encryption—appeared in 6% of cases, representing the most damaging scenario where victims face both operational disruption and data exposure threats simultaneously. Data-theft extortion without encryption accounted for 11% of cases, reflecting a growing trend where attackers skip the encryption step entirely and rely solely on the threat of data publication.
Evidence of data theft was found in 37% of all investigations, regardless of financial motivation. This statistic underscores that data exfiltration is now a standard component of most sophisticated intrusions, whether the goal is financial extortion, espionage, or competitive intelligence.
The financial sector bore the heaviest burden, representing 17.4% of all investigated incidents. Business and professional services, high technology, government, and healthcare rounded out the top five most-targeted industries. The concentration in financial services reflects both the high-value target they represent and the increasingly sophisticated threat actors drawn to monetary gain.
Edge Device Exploitation: The Most Critical Cyber Threat Vector
One of the most significant cyber threat trends in 2025 is the systematic targeting of edge and network access devices. VPN appliances, security gateways, and remote access infrastructure have become primary attack surfaces, with adversaries exploiting zero-day vulnerabilities in these devices to gain initial access to enterprise networks.
The three most exploited vulnerabilities in 2024 all targeted edge infrastructure. The Palo Alto PAN-OS GlobalProtect vulnerability (CVE-2024-3400) enabled command injection and arbitrary file creation, and was rapidly exploited by multiple threat groups after proof-of-concept code became available. The Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887) were exploited as zero-days by UNC5221 and other groups, combining authentication bypass with command injection for complete device compromise. The Fortinet FortiClient EMS SQL injection vulnerability (CVE-2023-48788) was quickly weaponized, with attackers deploying remote access tools and selling access through broker networks.
This trend carries profound implications for security architecture. The devices designed to protect networks are themselves becoming the primary attack surface. Organizations must treat edge devices as high-value targets requiring their own dedicated security monitoring, rapid patching cycles, and anomaly detection. Virtual patching, network isolation, and vendor advisory monitoring should be standard operating procedures for all edge infrastructure.
Infostealer Malware and Credential Theft: The Growing Supply Chain
The rise of stolen credentials as the second most common initial access vector is directly linked to the explosion of infostealer malware. These specialized tools harvest credentials from web browsers, password managers, session tokens, and system keystores, creating a massive supply of compromised credentials that flow into underground access broker marketplaces.
Mandiant tracked 632 net new malware families in 2024, bringing the total tracked families to over 5,500. Among the 205 malware families observed in actual investigations, backdoors remained the dominant category at 35% of observed families, followed by downloaders, droppers, credential stealers, and ransomware. Notably, 83 of the 205 observed families were newly tracked in 2024, indicating rapid innovation in the attacker tooling ecosystem.
The infostealer supply chain operates as a sophisticated economic ecosystem. Malware developers create and sell stealers as a service, operators deploy them at scale through phishing and web compromise campaigns, and access brokers aggregate and resell the harvested credentials to ransomware operators, espionage groups, and other threat actors. This separation of functions makes attribution difficult and the overall threat more resilient.
Defenders must address this threat at multiple points: preventing infostealer execution through EDR and endpoint controls, detecting credential export and exfiltration behaviors, monitoring for compromised credential usage, and implementing phishing-resistant authentication that renders stolen passwords insufficient for access.
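One of the detection points named above, as an added example (not code from the article, Mandiant, or any EDR vendor): flag reads of browser credential stores by any process other than the browser that owns them, which is the credential-export behaviour infostealers exhibit. The event schema, file paths, process names and the benign-reader allowlist are constructed assumptions modelled on Sysmon-style file-access telemetry.

```python
"""Added example, not from the article or the M-Trends report: flag reads of
browser credential stores by processes other than the owning browser, one of
the 'credential export' behaviours an EDR should surface. The event schema,
paths and process names are constructed assumptions (Sysmon-style file events)."""
import json
import re

# Credential stores infostealers commonly harvest, mapped to the browser
# binary that legitimately owns each one (assumed mapping; extend per fleet).
CREDENTIAL_STORES = {
    r"\\google\\chrome\\user data\\.*\\login data$": {"chrome.exe"},
    r"\\google\\chrome\\user data\\local state$": {"chrome.exe"},
    r"\\microsoft\\edge\\user data\\.*\\login data$": {"msedge.exe"},
    r"\\mozilla\\firefox\\profiles\\.*\\logins\.json$": {"firefox.exe"},
    r"\\mozilla\\firefox\\profiles\\.*\\key4\.db$": {"firefox.exe"},
}
_PATTERNS = [(re.compile(p, re.I), owners) for p, owners in CREDENTIAL_STORES.items()]

# Non-browser processes allowed to touch these files (assumed allowlist:
# anti-malware engine and backup agent); keep this list short and reviewed.
BENIGN_READERS = {"msmpeng.exe", "backupagent.exe"}

def classify_event(event: dict):
    """Return an alert dict when a non-owner process reads a credential store,
    otherwise None."""
    path = event.get("target_path", "")
    proc = event.get("image", "").rsplit("\\", 1)[-1].lower()
    for pattern, owners in _PATTERNS:
        if pattern.search(path):
            if proc in owners or proc in BENIGN_READERS:
                return None
            return {"host": event.get("host"), "process": proc, "store": path,
                    "rule": "credential_store_read_by_non_browser"}
    return None

def scan(lines):
    """Run classify_event over JSON lines, skipping malformed records."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify_event(event)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed telemetry: the browser reading its own store, an AV scan of the
# Firefox store, a binary in a temp directory reading Chrome's store (the
# infostealer pattern), an unrelated file read, and one corrupt line.
SAMPLE_EVENTS = [
    r'{"host":"ws01","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","target_path":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"host":"ws01","image":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe","target_path":"C:\\Users\\a\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json"}',
    r'{"host":"ws01","image":"C:\\Windows\\Temp\\upd.exe","target_path":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"host":"ws01","image":"C:\\Windows\\System32\\notepad.exe","target_path":"C:\\Users\\a\\Documents\\notes.txt"}',
    '{"host":"ws01","image":',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Access by an unsigned or recently written binary is the strongest signal; in production, join the alert with the process's signer and file age before paging anyone.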
North Korean IT Worker Insider Threats: An Emerging Cyber Threat
One of the most unexpected cyber threat trends in the M-Trends 2025 report is the emergence of fraudulent North Korean IT workers as a significant insider threat vector, accounting for 5% of investigated incidents. This represents a fundamentally different attack pattern than traditional external intrusions.
DPRK-affiliated operatives use fabricated identities and credentials to secure remote IT positions at target organizations. Once employed, they gain legitimate access to code repositories, cloud infrastructure, and internal systems. This access can be used for direct espionage, installation of backdoors, or exfiltration of sensitive data—all while appearing as authorized employee activity.
The implications for hiring practices and access management are significant. Organizations must strengthen identity verification during hiring processes, particularly for remote and contract positions. Technical controls should include segmented, least-privilege access for new employees and contractors, mandatory multi-person code review processes, and behavioral monitoring for anomalous access patterns. Rapid credential revocation procedures must be maintained for immediate termination scenarios.
This threat vector also highlights the limitations of perimeter-focused security. An insider with legitimate credentials operating from an authorized location bypasses most traditional detection mechanisms. Only behavioral analytics, access anomaly detection, and strict least-privilege enforcement can identify and contain this type of threat. Explore our cybersecurity workforce security resources for more on insider threat management.
Malware Trends 2025: Platform Diversity and Tool Evolution
The malware landscape in 2024 demonstrated increasing diversity and platform expansion. While Windows-only malware remains dominant, Linux-only malware showed significant growth—representing 12% of newly tracked families and 22% of families observed in actual investigations. This shift reflects the growing importance of Linux in cloud infrastructure, containers, and server environments.
Backdoors continued to dominate at 31% of newly tracked families and 35% of observed families. These persistent access tools remain the attacker’s primary mechanism for maintaining presence within compromised environments. Downloaders and droppers—tools designed to retrieve and install additional payloads—indicate the multi-stage nature of modern attacks where initial access tools are lightweight and subsequent payloads are tailored to the target environment.
A parallel trend is the increasing use of legitimate administration tools by attackers—the Living off the Land (LOTL) technique. Tools like SimpleHelp, AnyDesk, and other remote administration platforms appear in normal IT operations, making them difficult to detect when used maliciously. Mandiant observed attackers deploying SimpleHelp as a persistence mechanism after exploiting FortiClient EMS, then selling the resulting access through broker networks.
Organizations should implement application allowlisting for critical systems, monitor for unauthorized use of remote administration tools, and establish behavioral baselines that flag anomalous tool usage patterns even when the tools themselves are legitimate.
Detection and Response Capabilities: Closing the Visibility Gap
The detection statistics in M-Trends 2025 reveal both progress and persistent challenges. The 57% external notification rate means that most organizations still learn about compromises from external parties rather than their own security operations. While this represents improvement from historical figures, it highlights a fundamental capability gap.
The 34% unknown initial vector rate is equally concerning. When the initial access vector cannot be determined in a third of investigated incidents, it signals that logging, telemetry, and forensic capabilities remain insufficient across much of the investigated population. Organizations cannot defend against what they cannot see.
Mandiant’s recommendations for closing this gap are specific and actionable. Comprehensive logging across network, endpoint, identity, and cloud environments must be established with sufficient retention periods. Detection engineering should focus on the most common attack patterns: credential theft indicators, lateral movement behaviors, unusual service creation, and one-off administrative tool usage. Automated log review through machine learning and SIEM correlation reduces analyst fatigue and accelerates anomaly detection.
Proactive threat hunting represents the most mature detection capability. Organizations should conduct routine hunts focused on edge device exploitation indicators, infostealer artifacts, and access broker behavioral patterns. The integration of external threat intelligence from frameworks like MITRE ATT&CK with internal telemetry creates the context needed to detect sophisticated adversaries operating at low visibility levels.
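As an added example that serves both the remote-administration-tool passage in the malware section above and the detection-engineering recommendations in this section (not code from the article, Mandiant, or any vendor): a baseline-driven check that flags remote administration tools run outside their approved host group, tools seen for the first time on a host (the one-off usage pattern), and service installs from user-writable paths or of an unapproved remote access tool. The event schema, tool binary names, host groups, approval policy and 30-day baseline are constructed assumptions.

```python
"""Added example, not from the article or the report: baseline-driven
detection of remote administration tools and suspicious service creation.
Event schema, tool binaries, host groups, policy and baseline are assumptions."""
from collections import Counter

# Remote administration tools that are legitimate in IT operations but are
# also used by attackers for persistence (binary names are assumptions).
REMOTE_ADMIN_TOOLS = {
    "simplehelp": {"simplehelp.exe", "jwrapper-remote access.exe"},
    "anydesk": {"anydesk.exe"},
    "teamviewer": {"teamviewer.exe", "tv_w32.exe"},
    "screenconnect": {"screenconnect.clientservice.exe"},
}
# Which tools each host group is approved to run (assumed policy).
APPROVED = {"helpdesk": {"anydesk"}, "server": set(), "workstation": set()}
# Baseline: (host, tool) pairs seen in the prior 30 days (constructed).
BASELINE = {("hd-03", "anydesk")}
# Directories commonly writable by standard users (assumption; tune per fleet).
SUSPECT_SERVICE_DIRS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def tool_for(image: str):
    """Map an image path to a known remote admin tool, or None."""
    name = image.rsplit("\\", 1)[-1].lower()
    for tool, binaries in REMOTE_ADMIN_TOOLS.items():
        if name in binaries:
            return tool
    return None

def evaluate(event: dict, baseline=BASELINE):
    """Return the list of rule names that fire for one event."""
    hits = []
    host, group = event["host"], event["group"]
    image = event.get("image", "")
    approved = APPROVED.get(group, set())
    tool = tool_for(image)
    if tool:
        if tool not in approved:
            hits.append("remote_admin_tool_not_approved_for_group")
        elif (host, tool) not in baseline:
            hits.append("remote_admin_tool_first_seen_on_host")
    if event["type"] == "service_install":
        if any(d in image.lower() for d in SUSPECT_SERVICE_DIRS):
            hits.append("service_binary_in_user_writable_path")
        if tool and tool not in approved:
            hits.append("remote_admin_tool_installed_as_service")
    return hits

def triage(events):
    """Return {event id: hits} for events that fired, plus rule frequencies
    so noisy rules can be tuned against the fleet's baseline."""
    findings = {e["id"]: evaluate(e) for e in events}
    summary = Counter(r for hits in findings.values() for r in hits)
    return {k: v for k, v in findings.items() if v}, summary

SAMPLE_EVENTS = [  # constructed process and service events
    {"id": 1, "type": "process_create", "host": "hd-03", "group": "helpdesk",
     "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"},
    {"id": 2, "type": "process_create", "host": "hd-07", "group": "helpdesk",
     "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"},
    {"id": 3, "type": "service_install", "host": "ems-01", "group": "server",
     "image": "C:\\ProgramData\\JWrapper-Remote Access\\SimpleHelp.exe"},
    {"id": 4, "type": "service_install", "host": "srv-12", "group": "server",
     "image": "C:\\Program Files\\Backup\\agent.exe"},
]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```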
Cloud and SaaS Security: Protecting the Expanding Attack Surface
Cloud migration has expanded the attack surface significantly, and Mandiant’s investigations reveal that unsecured data repositories and SaaS misconfigurations are increasingly exploited by threat actors. The convergence of cloud adoption with inadequate security controls creates opportunities for both financially motivated attackers and espionage operations.
Key cloud security findings include the exploitation of unsecured cloud storage buckets and data repositories, unauthorized SaaS data flows through misconfigured integrations, compromised service accounts with excessive privileges enabling lateral movement across cloud environments, and insufficient monitoring of SaaS application data transfers including OneDrive, Google Drive, and S3.
Defenders should inventory and remediate unsecured data repositories, configure data loss prevention (DLP) controls for cloud storage platforms, apply least-privilege principles to cloud identities with strong authentication for service accounts, and monitor SaaS data flows for unusual patterns that may indicate exfiltration.
The cloud security challenge is compounded by the speed of cloud adoption—many organizations have migrated workloads faster than they have implemented corresponding security controls. A systematic approach to cloud security posture management (CSPM), combined with identity-centric access controls and continuous monitoring, provides the foundation for securing cloud environments against the threats documented in M-Trends 2025.
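The unsecured-repository finding above, as an added example (not code from the article or Mandiant): an offline audit of S3 bucket policy documents that flags anonymous read or list access and wildcard actions, with a constructed weak policy beside a corrected one that names a single role and conditions access on a VPC endpoint. Policy contents, the account id and the endpoint id are constructed placeholders; the treatment of any Condition as narrowing access is a simplification.

```python
"""Added example, not from the article: audit S3 bucket policy documents for
the 'unsecured data repository' pattern. Policies are constructed samples;
the checks cover the common public-access and wildcard-action cases."""
import json

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
WILDCARD_ACTIONS = {"s3:*", "*"}

def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def _has_condition(stmt: dict) -> bool:
    """Simplification: any Condition is treated as narrowing the grant.
    A real audit should inspect the condition keys individually."""
    return bool(stmt.get("Condition"))

def audit_policy(policy: dict):
    """Return (Sid, finding) pairs for Allow statements that grant anonymous
    read/list, or grant every action via a wildcard."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no-sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if _is_public_principal(stmt.get("Principal")):
            if actions & READ_ACTIONS and not _has_condition(stmt):
                findings.append((sid, "public_read_or_list"))
            if actions & WILDCARD_ACTIONS:
                findings.append((sid, "public_wildcard_action"))
        elif actions & WILDCARD_ACTIONS:
            findings.append((sid, "wildcard_action_for_named_principal"))
    return findings

# Constructed weak policy: anonymous GetObject on every object in the bucket.
WEAK_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-data/*"
  }]
}''')

# Constructed corrected policy: one named role, explicit actions, and a
# condition limiting access to the organisation's VPC endpoint (placeholder ids).
HARDENED_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-reader"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-data/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}
  }]
}''')

if __name__ == "__main__":
    print("weak:", audit_policy(WEAK_POLICY), "hardened:", audit_policy(HARDENED_POLICY))
```

Bucket policies are only one of several access paths; account and bucket level Block Public Access settings and object ACLs need the same review.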
Actionable Defense Strategy: Your 90-Day Cyber Threat Mitigation Plan
Based on the M-Trends 2025 findings, organizations should prioritize the following actions within the first 90 days to address the most impactful cyber threat trends.
Immediate (Days 1-30):
- Verify patch status and apply hotfixes for PAN-OS GlobalProtect, Ivanti Connect Secure and Policy Secure, FortiClient EMS, and all other exposed VPN and edge systems
- Deploy phishing-resistant MFA (FIDO2/WebAuthn) for all privileged and remote access accounts
- Validate backup integrity and implement immutable, air-gapped backup configurations
- Conduct a focused threat hunt for evidence of infostealers, unknown web shells, and anomalous SaaS data transfers
Short-term (Days 31-60):
- Increase logging retention for endpoints, network edge, and identity systems
- Enable high-fidelity EDR alerts for credential theft, lateral movement, and Living off the Land techniques
- Review and strengthen remote hiring verification processes to address insider threat risks
- Implement application allowlisting for critical infrastructure and monitor LOTL binary usage
Medium-term (Days 61-90):
- Deploy network segmentation to limit lateral movement paths and isolate backup infrastructure
- Establish behavioral baselines for network, user, and administrator activity
- Run tabletop exercises simulating rapid compromise detection and sub-7-day containment
- Integrate external threat intelligence feeds with internal SIEM for real-time correlation
This prioritization reflects the M-Trends data: edge device patching and credential security address 49% of identified initial access vectors, while detection improvements target the 34% of incidents with unknown initial vectors. Explore our incident response planning resources for detailed implementation guidance.
Frequently Asked Questions
What are the top cyber threat trends in 2025?
The top cyber threat trends in 2025 include exploits as the leading initial access vector at 33%, stolen credentials rising to second place at 16%, edge device exploitation targeting VPNs and security appliances, increasing infostealer malware activity, and the emergence of North Korean IT worker insider threats accounting for 5% of incidents. The financial sector was the most targeted industry at 17.4% of all investigations.
What is the average dwell time for cyber attacks in 2024?
The global median dwell time in 2024 was 11 days, up slightly from 10 days in 2023 but dramatically reduced from 205 days in 2014. Notably, 45.1% of intrusions were discovered within one week. Adversary-notified incidents had a median dwell time of just 5 days, while external partner notifications had a median of 26 days.
Which industries are most targeted by cyber attacks?
According to Mandiant M-Trends 2025, the financial sector was the most targeted industry at 17.4% of investigations, followed by business and professional services, high technology, government, and healthcare. Incidents spanned 73 countries across every major industry vertical, demonstrating the global nature of cyber threats.
How can organizations defend against ransomware and data extortion?
Organizations should implement immutable and air-gapped backups with regular restore testing, deploy network segmentation to limit lateral movement, enforce phishing-resistant MFA for all accounts, prioritize patching of edge devices and VPN appliances, and maintain incident response playbooks that include legal coordination and ransom negotiation policies. Data loss prevention controls should monitor for large data transfers that may indicate exfiltration.
What is the most common initial attack vector in cyber incidents?
Exploits remain the most common initial attack vector at 33% of incidents for the fifth consecutive year. Stolen credentials rose to second place at 16%, followed by email phishing at 14%, web compromise at 9%, prior compromise via access brokers at 8%, and brute force at 7%. Notably, 34% of incidents had an unknown initial vector, highlighting detection and logging gaps.