Exploits continue to be the most common initial infection vector (33%).
Mandiant · M-Trends 2025 Report · Apr 24, 2025
Initial infection vector · Exploits
8% of threat groups were motivated by espionage.
Mandiant · M-Trends 2025 Report · Apr 24, 2025
Threat group · Espionage
55% of threat groups active in 2024 were financially motivated, showing a steady increase.
Mandiant · M-Trends 2025 Report · Apr 24, 2025
Threat group
Global median dwell time was 5 days when adversaries notified (notably in ransomware cases).
Mandiant · M-Trends 2025 Report · Apr 24, 2025
Dwell time · Security incident · Ransomware
High tech (10.6%) was the 3rd most targeted industry.
Mandiant · M-Trends 2025 Report · Apr 24, 2025
High tech · Security incident
Healthcare (9.3%) was the 5th most targeted industry.
Mandiant · M-Trends 2025 Report · Apr 24, 2025
Healthcare · Security incident
Financial (17.4%) was the #1 targeted industry.
Mandiant · M-Trends 2025 Report · Apr 24, 2025
Financial · Security incident
Global median dwell time was 26 days when external entities notified.
Mandiant · M-Trends 2025 Report · Apr 24, 2025
Dwell time · Security incident
Government (9.5%) was the 4th most targeted industry.
Mandiant · M-Trends 2025 Report · Apr 24, 2025
Government · Security incident
Business and professional services (11.1%) was the 2nd most targeted industry.
Mandiant · M-Trends 2025 Report · Apr 24, 2025
Business and professional services · Security incident
Global median dwell time was 10 days when organizations discovered malicious activity internally.
Mandiant · M-Trends 2025 Report · Apr 24, 2025
Dwell time · Security incident
The global median dwell time rose to 11 days in 2024, up from 10 days in 2023.
Mandiant · M-Trends 2025 Report · Apr 24, 2025
Dwell time · Security incident
Stolen credentials were the second most common initial infection vector, making up 16% of investigations. This rise made stolen credentials the second most common initial infection vector for the first time in 2024.