John Z Black
Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Twenty-two seconds. That number is everywhere right now, and almost every headline is getting it wrong.
Mandiant’s M-Trends 2026 report is based on 500,000-plus hours of incident response work across 2025. The 22-second figure is real. But it’s not how fast attackers go from initial access to ransomware in a typical case. It’s how quickly an initial access broker can hand off already-compromised access to a ransomware operator. The hard work of getting in is already done. The clock starts after.
That’s a meaningful distinction. And it’s getting buried.
What isn’t getting buried but should be getting more attention: median dwell time went up. From 11 days to 14 days year-over-year. Organizations aren’t getting faster at detecting attackers. They’re getting marginally slower. Put that alongside a 22-second handoff and you have the actual picture: by the time your team identifies a compromise, the ransomware operator has had the keys for two weeks and the transaction that gave them those keys took less time than a cup of coffee.
The long-run trend is still positive – dwell time was 146 days in 2015. But the year-over-year move is a warning sign.
The most significant finding in the report isn’t the speed stats. It’s what Mandiant calls “recovery denial.” Ransomware operators aren’t just encrypting data. They’re systematically targeting backup infrastructure, identity services, and virtualization management planes before they pull the trigger. The goal is to close off every exit before they announce themselves. Pay the ransom or rebuild from nothing.
One more note: high-tech companies have overtaken financial services as the top targeted sector. If you’re in tech, you’re the primary target.
The 22-second number will get all the clicks. The 14-day dwell time and the recovery denial trend are the things that should actually change how you operate.