M-Trends 2026: Exploits Now Arrive Before Patches. The Mean Time-to-Exploit Is Negative 7 Days.


In 2018, the average time between a CVE disclosure and confirmed exploitation in the wild was 63 days. By 2024, Mandiant measured that number at negative one day. In 2025, it reached negative seven days, meaning exploitation is routinely beginning before a vendor issues a patch. The report drawing on this data, Mandiant’s M-Trends 2026, was published on March 23 and covers more than 500,000 hours of frontline incident investigations. Chainguard republished an analysis of its findings today, giving the report a second wave of attention. Most coverage has treated the negative mean-time-to-exploit as a shocking number. It is, but the more instructive part of the report is the mechanism: how AI is being embedded not just as an attacker’s accelerant but as a component of the malware itself.

What Negative Time-to-Exploit Means in Practice

The traditional vulnerability lifecycle runs as follows: a researcher discovers a flaw, notifies the vendor, the vendor develops and tests a patch, the patch ships in a coordinated disclosure, and defenders have a window to apply it before attackers weaponize the vulnerability. The window was once measured in weeks to months. CrowdStrike’s 2026 Global Threat Report puts the average eCrime breakout time (initial compromise to lateral movement) at 29 minutes. The exploitation window has effectively inverted.

When mean time-to-exploit is negative seven days, exploitation is beginning before patches exist for a material fraction of high-value vulnerabilities. Mandiant’s data shows 28.3% of CVEs being exploited within 24 hours of disclosure. Attackers are doing binary analysis and patch diffing on vendor advisories to reverse-engineer where the vulnerability sits before the patch is available. AI tools that can analyze compiled binaries, compare execution paths, and generate proof-of-concept exploits have accelerated this process from weeks of specialist work to hours of automated analysis.

In 2025, published research showed AI agent swarms found over 100 exploitable vulnerabilities across major manufacturers at $4 per bug. A separate experiment showed AI agents generated more than 40 working exploits for a single vulnerability for $50 total. The skill floor for exploit development has dropped by roughly an order of magnitude. The barrier that kept the overlap between “willing to attack” and “technically capable of attacking” narrow is dissolving.

The AI Components Inside the Malware Itself

This is the part of M-Trends 2026 that received almost no coverage in the initial wave of reporting. Mandiant documented two malware families that query large language models during execution, not as a development tool but as a runtime component.

PROMPTFLUX and PROMPTSTEAL were both observed actively querying LLMs mid-execution to evade detection. The mechanism: as the malware runs and encounters security controls, logging frameworks, or behavioral detection signatures, it calls an external LLM to generate evasion code or modify its own execution approach in real time. This is not static malware that was written with AI assistance. This is malware with an AI API call built into its operational loop.

QUIETVAULT, a credential stealer also documented in M-Trends 2026, took a different approach. It checked targeted machines for locally installed AI command-line tools, then executed predefined prompts using those tools to search for configuration files, credentials, and secrets. The attacker weaponized the victim’s own AI infrastructure against them. If a developer has Claude Code or a local model installed, QUIETVAULT treats that as an available tool for exfiltration.

Mandiant also documented what it calls distillation attacks: attacks designed to extract the proprietary logic and specialized training data of high-value machine learning models. A company that has spent months fine-tuning a model on proprietary data is now a target not just for the data the model was trained on, but for the model weights themselves. The weights encode the training data in compressed form and can be probed systematically to reconstruct protected information.

The 22-Second Handoff Collapse

One of the most operationally significant findings in M-Trends 2026 is the collapse of the initial access handoff window. In 2022, the median time between an initial access partner gaining a foothold and handing that access to a secondary threat group (typically ransomware operators) was more than 8 hours. By 2025, that window collapsed to 22 seconds.

The mechanism is pre-staging. Initial access partners are now loading the secondary operator’s preferred malware, tunnels, and credential harvesting tools during the initial infection sequence itself. By the time the secondary group first connects to the compromised network, everything they need is already in place. The handoff is a checkout process rather than a setup process.

This operational shift is reflected in Mandiant’s initial infection vector data. Prior compromise ranked as the third-most common initial infection vector globally (10% of intrusions) and the top vector in ransomware operations at 30%, doubling from 15% in 2024. Attackers are buying access that was compromised in prior incidents, often through dark-web marketplaces, rather than running their own initial access operations. The attack chain has been industrialized at the division-of-labor level.

Voice phishing rose to the second-most common initial infection vector at 11%. Email phishing, once the dominant social engineering vector, dropped to 6% of intrusions. Automated technical controls have made email-based attacks less reliable. Interactive voice-based social engineering, which targets IT help desks to bypass MFA and gain access to SaaS environments, is significantly more resistant to automation-based defenses. A human on a phone call is harder to filter than a malicious attachment.

GOLDVEIN.JAVA Replaced Cobalt Strike at the Top

One of the most telling structural shifts in M-Trends 2026 is the malware family rankings. Cobalt Strike BEACON held the top position in Mandiant investigations for five consecutive years. In 2025, it fell to fourth, with its share of observed malware families shrinking from more than a quarter of all investigations in 2021 to just 2% in 2025. Its displacement reflects improved vendor detection and attacker migration to alternatives without BEACON’s signature detection profile.

GOLDVEIN.JAVA took the top spot. The Java-based downloader is associated with the CL0P cybercrime group and was central to the Oracle EBS campaign. CVE-2025-61882, an improper authentication vulnerability in Oracle E-Business Suite, allowed unauthenticated remote code execution. A threat cluster claiming CL0P affiliation sent extortion emails in September 2025 claiming document theft from Oracle EBS customers. Mandiant identified evidence of successful exploitation as early as August 2025 and attributed the activity to a suspected FIN11 cluster. GOLDVEIN.JAVA’s position as the most frequently observed malware across all 2025 investigations reflects CL0P’s operational scale and the Oracle EBS campaign’s broad reach across enterprise customers.

Google’s Threat Intelligence Group identified 714 new malware families in 2025, up from 632 in 2024. Of the newly documented families, 146 targeted Linux and 55 targeted macOS. The Linux-heavy distribution reflects the growing importance of Linux in enterprise server, cloud, and container environments as attacker targets. Akira ransomware, deployed using REDBIKE, ranked second behind GOLDVEIN.JAVA in frequency.

BRICKSTORM: In-Memory Malware That Survives Reboots

Among the edge device threats documented in M-Trends 2026, the BRICKSTORM backdoor requires specific attention. Deployed by threat clusters including UNC6201, BRICKSTORM is placed directly onto non-traditional network appliances and resides primarily in memory, on devices that cannot support traditional security tooling. Standard remediation efforts and system reboots do not clear it, because the persistence mechanism operates at a level below where enterprise security tools have visibility.

Once established, BRICKSTORM uses native packet-capturing functions on the compromised device to intercept sensitive data and plaintext credentials in transit. Attackers can gather intelligence across network traffic for hundreds of days without moving deeper into heavily monitored workstations. The edge device becomes a long-term tap on the network rather than a stepping stone to further compromise.

The BRICKSTORM threat pattern illustrates why edge device security requires a fundamentally different approach than endpoint security. EDR tools work by running monitoring agents on operating systems that support them. Network appliances running proprietary firmware do not support those agents. The security gap is architectural: the monitoring infrastructure required to detect BRICKSTORM-style threats simply does not exist at the edge device layer for most organizations. The six-consecutive-year streak of exploits being the leading initial infection vector (32% of intrusions) is partly sustained by this visibility gap.

Ransomware Has Become a Resilience Problem

Ransomware groups are no longer primarily encrypting data. The 2025 shift, documented extensively in M-Trends 2026, is recovery denial: systematically destroying the ability to restore operations even after paying a ransom.

The targets are backup infrastructure, identity services, and virtualization management planes. Ransomware groups including those using REDBIKE (Akira) and AGENDA (Qilin) actively delete backup objects from cloud storage, exploit misconfigured Active Directory Certificate Services templates to create admin accounts that survive password rotation, and target the “Tier-0” nature of hypervisors to encrypt VMware datastores directly, rendering all associated virtual machines inoperable simultaneously. Paying the ransom decrypts files. It does not rebuild Active Directory, restore hypervisor configuration, or recover deleted backup objects. Recovery denial converts ransomware from a data problem into a fundamental infrastructure problem.

Global median dwell time rose to 14 days from 11 days in 2024. For cyber espionage and North Korean IT worker incidents specifically, the median dwell time was 122 days. These threat categories are optimizing for extreme persistence rather than speed. The 14-day median is pulled up by these long-dwell operations while ransomware groups are operating inside 22-second handoff windows.

Cloud Attacks Run on Different Rules

Within the overall M-Trends 2026 data, cloud-environment intrusions show a divergent attack profile from on-premise incidents. Voice phishing accounted for 23% of cloud-environment intrusions, more than double its 11% share across all investigations. Exploits, which dominate the all-environment picture at 32%, account for only 6% of cloud attacks.

The difference reflects where the attack surface sits. Cloud environments authenticate through identity services, OAuth tokens, and session cookies rather than through on-premise network boundaries. The perimeter is the identity layer. Groups like UNC6040 used voice phishing to convince targets to authorize malicious connected applications in SaaS platforms, including walking victims through approving a rebranded data-loading tool that granted persistent, privileged access without MFA. Once inside, exfiltration could proceed quietly over extended periods.

UNC3944, the financially motivated cluster with overlap with publicly reported Scattered Spider activity, targeted IT help desks by impersonating employees requesting password resets and MFA changes. Mandiant documented escalation from a single help desk call to full domain admin access in under 40 minutes, using no malware. By compromising third-party SaaS vendors, attackers steal hard-coded keys and personal access tokens, using those secrets to pivot into downstream customer environments at scale. A single compromised OAuth token can provide access across an entire customer’s interconnected SaaS stack. This attack chain is significantly harder to detect than a traditional exploit chain because the actions look like legitimate user behavior at every step.

Why High-Tech Replaced Financial Services as the Top Target

For the first time since Mandiant began tracking targeted industries, the high-tech sector (17% of incidents) displaced financial services (14.6%) from the top position. This is not primarily about the value of high-tech companies’ financial assets. It is about their position in software supply chains.

A single compromised developer tool, package registry, or CI/CD platform is a force multiplier. The Checkmarx supply chain breach that reached Bitwarden’s CLI earlier this year took 93 minutes from initial compromise to credential theft deployment. North Korea’s Contagious Interview operation accumulated more than 1,700 packages across five package ecosystems from a single threat actor cluster. Compromising technology infrastructure gives attackers leverage across the downstream users of that infrastructure, which makes tech companies worth more as targets than their individual financial exposure suggests.

The Internal Detection Improvement and Why It Is Not Enough

M-Trends 2026 documents one genuine improvement: 52% of incidents were first detected internally by the affected organizations in 2025, up from 43% in 2024. Organizations are getting better at catching intrusions before external parties notify them.

The counterpoint is the nature of what they are detecting. A 14-day median dwell time means most incidents are caught well after initial compromise. A 22-second handoff window means the most destructive phase of a ransomware operation can complete before any SOC alert triggers. Better internal detection is valuable, but the speed asymmetry between attack and defense has not narrowed. Attackers operating on AI-accelerated timelines are still outrunning detection and response cycles designed for human-speed operations.

The shift from email phishing to voice phishing as the second-most common initial vector illustrates the adaptive dynamic clearly. As defenders automated email filtering, attackers moved to a channel that resists automation. As EDR coverage expanded, attackers targeted edge devices outside EDR visibility. As patch cycles improved, attackers weaponized vulnerabilities before patches existed. The same adaptive pressure is now hitting agentic AI traffic, where 48.9% of organizations have zero visibility into agent-generated API requests.

What Defenders Can Actually Do

M-Trends 2026 does not prescribe a simple solution, and none exists. Three operational priorities emerge from the data.

First, the patch window assumption needs revision. Security operations built around a 30-day patch cycle are operating on a timeline that the threat environment abandoned years ago. For high-severity vulnerabilities on internet-facing systems, the operational question is no longer “when do we patch?” but “was this exploited in the window before we patched it?” Post-patch forensics on exposed systems is now a standard phase of incident response, not an optional investigation.
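One way to scope that post-patch review, shown as an added example that is not from the report or from Mandiant: for each internet-facing asset it computes the period forensics must cover and how much of that period has already aged out of log retention. The record fields, the 7-day pre-disclosure lookback, and every asset name and date are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: with no earlier exploitation evidence, look back 7 days before
# disclosure, mirroring the article's -7 day mean time-to-exploit.
PRE_DISCLOSURE_LOOKBACK = timedelta(days=7)

@dataclass
class Exposure:
    asset: str
    internet_facing: bool
    disclosed: date                      # public advisory date
    patched: date                        # date the fix landed on this asset
    first_exploitation: Optional[date]   # earliest in-the-wild report, if any
    log_retention_days: int

def review_window(e):
    """Return (start, end) of the period post-patch forensics must cover."""
    start = e.disclosed - PRE_DISCLOSURE_LOOKBACK
    if e.first_exploitation and e.first_exploitation < start:
        start = e.first_exploitation
    return start, e.patched

def triage(exposures, today):
    """Rank internet-facing assets by exposed days and flag retention gaps."""
    rows = []
    for e in exposures:
        if not e.internet_facing:
            continue
        start, end = review_window(e)
        oldest_log = today - timedelta(days=e.log_retention_days)
        rows.append({
            "asset": e.asset, "start": start, "end": end,
            "exposed_days": (end - start).days,
            # Part of the window that can no longer be reviewed from logs.
            "unreviewable_days": max(0, (min(oldest_log, end) - start).days),
        })
    return sorted(rows, key=lambda r: r["exposed_days"], reverse=True)

# Constructed sample data, not taken from the report.
SAMPLE = [
    Exposure("erp-gw-01", True, date(2025, 6, 10), date(2025, 6, 15),
             date(2025, 4, 16), 30),
    Exposure("vpn-edge-02", True, date(2025, 6, 10), date(2025, 6, 12), None, 90),
    Exposure("build-int-03", False, date(2025, 6, 10), date(2025, 7, 1), None, 90),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, today=date(2025, 6, 26)):
        print(row)
```

A non-zero `unreviewable_days` means part of the exposure window is already gone from the logs, so the review has to fall back on disk, memory, or backup artifacts for that period.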

Second, backup and recovery infrastructure needs to be treated as Tier-0 infrastructure with the same protection posture as domain controllers. Recovery denial is now a deliberate attacker objective. Backups that are accessible from compromised infrastructure are not backups. Air-gapped or immutable backups with verified restore procedures are the minimum bar. The VMware hypervisor layer requires specific attention: encrypting the datastore renders all hosted VMs inoperable simultaneously and is not recoverable by restoring individual guest files.

Third, the discovery of AI API calls as a runtime malware component changes the threat model for defenders who monitor outbound traffic. PROMPTFLUX and PROMPTSTEAL treating LLM APIs as operational infrastructure means LLM API traffic from production systems needs the same scrutiny as any other outbound connection to external services. QUIETVAULT turning victim AI tools into exfiltration instruments means locally installed AI tooling needs to be included in the asset inventory and monitored for anomalous command execution. These are new threat surface categories that security tooling was not built to address. The gap needs to close before the next generation of AI-native malware makes PROMPTFLUX look primitive.
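A minimal detection for the outbound side of this, as an added example that is not from the report: it scans proxy logs for connections to LLM API hosts and groups those that do not come from an approved host and process pair. The log format, the host watchlist, the approved list, and all sample lines are assumptions constructed for illustration; the article names no endpoints.

```python
from collections import defaultdict

# Assumption: a starter watchlist of public LLM API hosts; the article names
# no endpoints, so maintain this list from your own egress data.
LLM_API_SUFFIXES = ("api.openai.com", "api.anthropic.com",
                    "generativelanguage.googleapis.com")

# Assumption: (source host, process) pairs approved to call LLM APIs.
APPROVED = {("ml-gateway-01", "inference-proxy")}

# Constructed proxy log: time, source host, process, destination, bytes out.
SAMPLE_LOG = """\
2025-11-03T02:14:07Z ml-gateway-01 inference-proxy api.openai.com 5120
2025-11-03T02:14:09Z db-prod-07 updater.exe generativelanguage.googleapis.com 2048
2025-11-03T02:14:40Z db-prod-07 updater.exe generativelanguage.googleapis.com 3072
2025-11-03T02:15:02Z web-prod-02 nginx cdn.example.net 900
2025-11-03T02:16:11Z dev-laptop-33 node api.anthropic.com 7000
malformed line
"""

def is_llm_host(dest):
    """Match a watchlisted host or any subdomain of it, not lookalikes."""
    dest = dest.lower().rstrip(".")
    return any(dest == s or dest.endswith("." + s) for s in LLM_API_SUFFIXES)

def parse(line):
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None                  # skip lines that do not match the format
    ts, src, proc, dest, sent = parts
    return {"ts": ts, "src": src, "proc": proc, "dest": dest, "bytes": int(sent)}

def unapproved_llm_egress(log_text):
    """Group unapproved LLM API connections by (source host, process)."""
    findings = defaultdict(
        lambda: {"count": 0, "bytes": 0, "first": None, "dests": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not is_llm_host(rec["dest"]):
            continue
        key = (rec["src"], rec["proc"])
        if key in APPROVED:
            continue
        f = findings[key]
        f["count"] += 1
        f["bytes"] += rec["bytes"]
        f["first"] = f["first"] or rec["ts"]
        f["dests"].add(rec["dest"])
    return dict(findings)

if __name__ == "__main__":
    for (src, proc), f in unapproved_llm_egress(SAMPLE_LOG).items():
        print(src, proc, f["count"], f["bytes"], f["first"], sorted(f["dests"]))
```

Keying on the process as well as the host keeps an approved gateway from masking a second, unapproved caller on the same machine.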

The 2026 threat environment is the product of a decade of incremental attacker improvement compressing into a short window as AI tooling hit a capability inflection point. Chainguard’s analysis frames the lesson correctly: the smart move is to eliminate entire vulnerability categories rather than trying to outrun attackers on individual vulnerabilities. Categories that have been eliminated cannot be weaponized regardless of how fast the exploit pipeline runs. For the categories that remain, negative seven days is not a target. It is the maximum available time before the question shifts from prevention to forensics.
