The Defender's Advantage Podcast
Episode: Takeaways from the 2026 M-Trends Report
Date: April 15, 2026
Host: Luke McNamara (Google Threat Intelligence Group)
Guest: Chris Linklider (Practice Leader, Mandiant)
Episode Overview
In this episode, host Luke McNamara sits down with Chris Linklider to discuss the key findings and themes in the 2026 M-Trends Report—a comprehensive annual analysis from Mandiant detailing the latest in cybersecurity threats, attacker behaviors, and defensive best practices. Together, they explore shifting entry vectors, technological evolutions in ransomware, the persistent relevance of perimeter exploits, and the growing challenges around identity (both human and non-human) in organizational security programs. Practical guidance and reflections on security fundamentals weave throughout, offering listeners concrete takeaways for both strategy and operations.
Key Discussion Points & Insights
1. Shifts in Initial Access Methods
- Voice Phishing (Vishing) Overtakes Email Phishing
  - For the first time, vishing has surpassed email phishing as an initial access vector in the engagements behind the report. (Exploitation of edge infrastructure remains the top entry vector overall; see section 4.)
  “...for the first time ever, voice phishing or vishing has sort of surpassed regular phishing or email phishing as a point of entry in terms of a vector.”
  —Chris Linklider [02:47]
  - This pivot is the result of years of investment in email security and user awareness, which have made traditional phishing harder for threat actors.
- Decline in Email-Based Phishing
  - The report indicates a continuous, multi-year decline in email phishing as an entry vector, attributed to increased investment in awareness training and stronger, better-operated MFA.
  “...we’ve invested in a lot of user awareness training…we’ve rolled out MFA...I think organizations, even those that rolled out MFA four years ago, have come back around and really sort of shored up the processes...”
  —Chris Linklider [06:04]
  - As barriers increase, adversaries have shifted to less-defended avenues, such as social engineering via voice or social media channels.
2. Ransomware Evolutions and Extortion Tactics
- More Efficient Ransomware Operations
  - Threat actors have progressed from simple automation scripts to targeting hypervisors for rapid, widespread destruction.
  “...threat actors quickly pivoted into the hypervisor...they can just simply go into the console that controls the hypervisor and they can just wipe everything out all at once… we’ve seen organizations lose 10,000 servers in under 30 minutes with these...attacks against hypervisors.”
  —Chris Linklider [10:09]
  - This shift not only maximizes impact but also destroys forensic evidence, complicating investigations and delaying recovery.
- Recovery Denial and Multifaceted Extortion
  - Ransomware attackers are increasingly employing recovery denial techniques, targeting backups and core infrastructure to make restoration, and thus negotiation, much harder for victims.
- Ransomware Remains Prevalent
  - While tradecraft is evolving, ransomware/extortion remains the dominant threat category seen in engagements and incidents, with the added layer of data theft and double/triple extortion.
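The hypervisor-wipe scenario above is a rate problem: individual power-off and delete operations are routine, but thousands of them from one account in minutes are not. The following is an added example for this summary, not code from the podcast or the M-Trends report, showing a sliding-window burst detector run over a constructed hypervisor audit log. The log format (`<ISO-8601 time> <account> <action> <vm-name>`) and the action names are assumptions made for illustration; real vCenter, Hyper-V or other audit logs differ, so parse_events() is the part to replace.

```python
"""Burst detection for destructive hypervisor actions.

Added example for this episode summary; it is not code from the podcast or
the M-Trends report. The log format is constructed for illustration: one
event per line as "<ISO-8601 time> <account> <action> <vm-name>". Real
hypervisor audit logs (vCenter events, Hyper-V operational logs, and so on)
differ, so parse_events() is the part you would replace.
"""
from collections import deque
from datetime import datetime, timedelta

# Actions that are routine one at a time but look like a wipe in volume.
DESTRUCTIVE_ACTIONS = {"VmPoweredOff", "VmRemoved", "VmDiskDeleted"}

# Constructed sample: routine admin work during the day, then a backup
# service account deleting production VMs at a rate no human types at.
SAMPLE_LOG = """\
2026-03-02T08:01:10Z admin.j VmPoweredOn web-01
2026-03-02T08:15:42Z admin.j VmRemoved test-old-03
2026-03-02T09:40:00Z svc-backup SnapshotCreated db-01
2026-03-02T23:12:01Z svc-backup VmPoweredOff db-01
2026-03-02T23:12:02Z svc-backup VmRemoved db-01
2026-03-02T23:12:02Z svc-backup VmPoweredOff db-02
2026-03-02T23:12:03Z svc-backup VmRemoved db-02
2026-03-02T23:12:03Z svc-backup VmPoweredOff web-01
2026-03-02T23:12:04Z svc-backup VmRemoved web-01
2026-03-02T23:12:04Z svc-backup VmPoweredOff web-02
2026-03-02T23:12:05Z svc-backup VmRemoved web-02
2026-03-02T23:12:05Z svc-backup VmPoweredOff app-01
2026-03-02T23:12:06Z svc-backup VmRemoved app-01
"""


def parse_events(text):
    """Parse the constructed log into (timestamp, account, action, vm) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, vm = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), account, action, vm))
    return events


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one account hits >= threshold distinct VMs with destructive
    actions inside a sliding time window.

    Counting distinct VMs rather than raw events keeps a power-off followed
    by a delete of the same VM from double counting. After an alert the
    account's window is reset so a second burst produces a second alert.
    """
    recent = {}      # account -> deque of (timestamp, vm) inside the window
    alerts = []
    for ts, account, action, vm in sorted(events):
        if action not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent.setdefault(account, deque())
        q.append((ts, vm))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        vms = {v for _, v in q}
        if len(vms) >= threshold:
            alerts.append({"account": account, "start": q[0][0], "end": ts, "vms": sorted(vms)})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_events(SAMPLE_LOG)):
        print(f"{a['account']} hit {len(a['vms'])} VMs between {a['start']} and {a['end']}: {a['vms']}")
```

On the constructed sample the detector fires once, for svc-backup, after the fifth distinct VM is touched within a four-second span; admin.j's single deletion earlier in the day stays below the threshold. The threshold and window are tuning knobs: set them above your legitimate decommissioning cadence, and consider pairing the alert with an automatic check of whether the acting account is a service identity that should never be in the management console interactively.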
3. Operational Tempo: The Shrinking 'Handoff Window'
- Rapid Attack Progression
  - The window between initial compromise and the handoff from an initial access broker to the ransomware operator is shrinking drastically, from roughly eight hours to, in at least one observed case, 22 seconds.
  “And we noted at least one example this past year where there was a 22 second handoff...”
  —Luke McNamara [11:36]
- Challenges for Responders
  - Most defenders still struggle to respond within eight hours, let alone seconds. The only realistic way to match that speed is automation, which brings a substantial risk of self-inflicted outages.
  “If you automate something that sucks, it’s just going to suck faster.”
  —Chris Linklider [14:57]
  - Cautionary tale: an organization locked itself out of its entire network by over-zealously containing its DNS servers, highlighting the dangers of insufficiently planned automation.
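The DNS lockout above is what containment automation does when it has no notion of blast radius. The following is an added example for this summary, not code from the podcast or the M-Trends report, showing the pre-flight check a containment playbook should run before it isolates anything: unknown assets and hosts with infrastructure roles go to a human, and a request that exceeds an absolute or relative budget halts the whole run instead of executing. The asset inventory, host names, role names and budget values are constructed assumptions; whatever EDR or network API performs the actual isolation is out of scope and would be called only on the returned `isolate` list.

```python
"""Blast-radius guardrails for an automated containment playbook.

Added example for this episode summary; not code from the podcast or the
M-Trends report. The asset inventory and the host lists are constructed.
plan_containment() decides which of the hosts a detection asked to isolate
may be isolated without a human, and sends the rest to review. Whatever
EDR or network call actually performs the isolation is out of scope here;
the playbook would call it only on the returned `isolate` list.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Host:
    name: str
    roles: frozenset


# Isolating any of these cuts responders (and everyone else) off from the
# network, which is the lockout described in the episode.
PROTECTED_ROLES = {"dns", "domain-controller", "hypervisor", "vpn", "edr-server", "siem"}

# Constructed inventory: the "basic" asset list the episode says is often missing.
INVENTORY = {
    "ws-1042": Host("ws-1042", frozenset({"workstation"})),
    "ws-2210": Host("ws-2210", frozenset({"workstation"})),
    "ws-3301": Host("ws-3301", frozenset({"workstation"})),
    "fs-07": Host("fs-07", frozenset({"server", "file-server"})),
    "dns-01": Host("dns-01", frozenset({"server", "dns"})),
    "dns-02": Host("dns-02", frozenset({"server", "dns"})),
    "dc-01": Host("dc-01", frozenset({"server", "domain-controller"})),
    "esx-01": Host("esx-01", frozenset({"hypervisor"})),
}


@dataclass
class Plan:
    isolate: list = field(default_factory=list)     # safe to execute automatically
    escalate: list = field(default_factory=list)    # (host, reason) pairs for a human
    halted: bool = False                             # whole run stopped for review
    reason: str = ""


def plan_containment(requested, inventory, max_hosts=10, max_fraction=0.25):
    """Apply the guardrails in order:

    1. Unknown hosts are never auto-isolated: you cannot judge the blast
       radius of an asset you cannot identify.
    2. Hosts carrying a protected role go to a human.
    3. If what remains exceeds the absolute or relative budget, nothing is
       isolated and the run halts. A request that large is either a real
       mass compromise or a broken detection; both deserve eyes first.
    """
    plan = Plan()
    for name in requested:
        host = inventory.get(name)
        if host is None:
            plan.escalate.append((name, "not in inventory"))
            continue
        blocked = host.roles & PROTECTED_ROLES
        if blocked:
            plan.escalate.append((name, "protected role: " + ", ".join(sorted(blocked))))
            continue
        plan.isolate.append(name)

    relative_budget = len(inventory) * max_fraction
    if len(plan.isolate) > max_hosts or len(plan.isolate) > relative_budget:
        plan.halted = True
        plan.reason = (f"{len(plan.isolate)} hosts requested; budget is "
                       f"min({max_hosts}, {relative_budget:g})")
        plan.escalate.extend((h, "blast-radius budget exceeded") for h in plan.isolate)
        plan.isolate = []
    return plan


if __name__ == "__main__":
    # A detection fires on two workstations and, by mistake, both DNS servers.
    print(plan_containment(["ws-1042", "dns-01", "dns-02", "ws-2210"], INVENTORY))
    # A noisy rule fires on most of the fleet.
    print(plan_containment(["ws-1042", "ws-2210", "ws-3301"], INVENTORY))
```

With this in front of the isolation call, the episode's DNS scenario degrades to two workstations isolated and two tickets for a human, rather than a network-wide outage. The relative budget matters as much as the absolute one: a rule that asks to isolate a quarter of a small fleet is far more likely to be a bad detection than a real compromise, and the halt gives the responder the chance to decide which.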
4. The Enduring Relevance & Risk of Perimeter Exploits
- Perimeter and Edge Infrastructure as Persistent Weak Points
  - Exploits against edge infrastructure (e.g., network appliances, hypervisors, VPNs) remain the #1 entry vector for breaches, regardless of vendor or product.
  “...exploits on the outside, the edge, the perimeter still remain the number one sort of entry method. It’s by far and away, for the last two years, the number one method.”
  —Chris Linklider [19:21]
- Vulnerability and Patch Management
  - Quick, efficient patching and vulnerability management on edge devices is crucial.
  - Defenders must recognize that all products, even top-tier solutions, contain vulnerabilities.
5. EDR Blind Spots and Advanced Persistency Tactics
- Limitations of EDR (Endpoint Detection & Response)
  - EDR is vital but has blind spots, particularly on hypervisors, network appliances, and other infrastructure where an agent cannot be deployed.
  - APT and financially motivated actors are adapting malware and persistence strategies to evade traditional endpoint detection.
- Novelty and Basics: Balancing Priorities
  - While novel and advanced threats draw attention, Chris underscores that fundamental security hygiene (asset management, well-documented processes, and visibility) is often what determines whether an incident is catastrophic or containable.
  “Some of those very basic technology and security operational things are the things that may take a major incident and make it something minor.”
  —Chris Linklider [16:42, 16:57]
6. Emerging Focus: Identity and Lifecycle Management
- Human and Non-Human Identity Abuse
  - With the drop in phishing, adversaries are increasingly exploiting non-human identities (service accounts, automation bots) alongside traditional human identity attacks.
  “We’re starting to see threat actors abuse non-human identity as much or more as we’re seeing them abuse human identity. And I think that’s a problem that we’re going to be solving well into 2026 and 2027 and probably beyond that.”
  —Chris Linklider [25:28]
- Employee Lifecycle Weaknesses
  - Many compromises stem from weaknesses in onboarding/offboarding, device provisioning (especially with third-party outsourcers), and identity verification.
  “I would encourage anybody...to really sort of think about it from an end to end life cycle of how do we onboard and even offboard people...”
  —Chris Linklider [24:02]
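The two identity points above (non-human identity abuse, and onboarding/offboarding gaps) are usually found by the same join: HR's view of who still works here, the directory's view of which accounts are enabled, and the secrets or IAM system's view of when a credential was last rotated and used. The following is an added example for this summary, not code from the podcast or the M-Trends report, running that audit over a constructed inventory. The field names, the accounts and the policy windows (90-day rotation, 60-day dormancy) are assumptions for illustration.

```python
"""Identity lifecycle audit over a constructed identity inventory.

Added example for this episode summary; not code from the podcast or the
M-Trends report. The HR feed and account records are constructed and the
field names are assumptions; in practice they are joined from HR (who is
still employed), the directory (which accounts exist and are enabled) and
the secrets or IAM system (when a credential was last rotated and used).
Findings are (login, code, detail) tuples so they can be routed to the
owning team or fed to a ticketing system.
"""
from datetime import date

TODAY = date(2026, 4, 15)

# Constructed HR feed: login -> termination date, or None while employed.
HR = {"alice": None, "bob": date(2026, 1, 31), "carol": None}

# Constructed account inventory. Humans have no owner or rotation date;
# service accounts have an accountable human owner and a credential.
ACCOUNTS = [
    {"login": "alice", "kind": "human", "enabled": True, "owner": None,
     "last_rotated": None, "last_used": date(2026, 4, 14)},
    {"login": "bob", "kind": "human", "enabled": True, "owner": None,
     "last_rotated": None, "last_used": date(2026, 2, 2)},
    {"login": "dave", "kind": "human", "enabled": True, "owner": None,
     "last_rotated": None, "last_used": date(2026, 4, 10)},
    {"login": "svc-backup", "kind": "service", "enabled": True, "owner": "bob",
     "last_rotated": date(2025, 10, 1), "last_used": date(2026, 4, 15)},
    {"login": "svc-ci", "kind": "service", "enabled": True, "owner": "alice",
     "last_rotated": date(2026, 3, 20), "last_used": date(2026, 4, 14)},
    {"login": "svc-legacy", "kind": "service", "enabled": True, "owner": None,
     "last_rotated": None, "last_used": date(2025, 12, 1)},
    {"login": "svc-old", "kind": "service", "enabled": False, "owner": None,
     "last_rotated": None, "last_used": None},
]


def has_left(login, hr, today):
    """True if HR knows the person and records a termination on or before today."""
    term = hr.get(login)
    return term is not None and term <= today


def audit(accounts, hr, today, rotation_days=90, dormant_days=60):
    """Return (login, code, detail) findings for every enabled account."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue            # disabled is the desired end state; nothing to report
        login = a["login"]
        if a["kind"] == "human":
            if login not in hr:
                findings.append((login, "human-no-hr-record", "enabled account with no HR record"))
            elif has_left(login, hr, today):
                findings.append((login, "human-post-termination",
                                 f"still enabled {(today - hr[login]).days} days after termination"))
        else:
            owner = a["owner"]
            if not owner:
                findings.append((login, "svc-no-owner", "service account has no accountable owner"))
            elif owner not in hr or has_left(owner, hr, today):
                findings.append((login, "svc-owner-gone", f"owner {owner} has left or is unknown to HR"))
            rotated = a["last_rotated"]
            if rotated is None or (today - rotated).days > rotation_days:
                age = "never" if rotated is None else f"{(today - rotated).days} days ago"
                findings.append((login, "cred-stale", f"credential last rotated {age}"))
        # Dormancy applies to humans and service accounts alike.
        used = a["last_used"]
        if used is None or (today - used).days > dormant_days:
            idle = "never used" if used is None else f"unused for {(today - used).days} days"
            findings.append((login, "dormant", f"enabled but {idle}"))
    return findings


if __name__ == "__main__":
    for login, code, detail in audit(ACCOUNTS, HR, TODAY):
        print(f"{login:12} {code:24} {detail}")
```

On the constructed data the audit surfaces exactly the lifecycle failures the episode describes: a departed employee (bob) whose account is still enabled, an account (dave) that exists in the directory but not in HR, a service account (svc-backup) whose accountable owner has left and whose credential has not been rotated, and an orphaned, dormant service account (svc-legacy) with a never-rotated credential. Note that "owner has left" is a finding against the service account, not the person: a non-human identity with no living owner is exactly the kind that keeps working, unreviewed, long after the offboarding checklist was closed.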
Notable Quotes & Memorable Moments
- On the shift to vishing:
  “I sort of suspected that, but...it was really good to see that all of the data...backs that up.”
  —Chris Linklider [02:47]
- On declining phishing (positive note):
  “...it’s so rare that we have something positive to talk about in security. But we’ll start with that.”
  —Luke McNamara [04:56]
- On the risks of automation in incident response:
  “If you automate something that sucks, it’s just going to suck faster.”
  —Chris Linklider [14:57]
- On the importance of basic security operations:
  “In some organizations, they can tell you the number [of servers] and...do that in under 10 minutes. And in some organizations, we spend weeks trying to solve that problem.”
  —Chris Linklider [16:57]
Timestamps for Key Segments
- [02:47] – Vishing surpasses email phishing as initial breach vector
- [04:56] – Multi-year decline in email phishing and payoff of investments
- [09:15] – Evolution of ransomware attacks: from basic scripts to hypervisor-level destruction
- [11:36] – Hand-off window between adversaries dramatically shortens (22 seconds)
- [13:05] – Perils and risks of overly aggressive/automated incident response
- [16:42] – The enduring value of core security basics and asset management
- [19:21] – Continued dominance of perimeter/edge exploits, patch management urgency
- [22:00] – EDR limitations and advanced actor tactics (living off non-traditional infrastructure)
- [24:02] – Identity lifecycle management and vishing resilience
- [25:28] – Rising concern: non-human (machine/service) identity exploitation
Final Takeaways
- The threat landscape in 2026 is rapidly evolving, with attackers shifting entry points in response to defender investments and controls.
- Automation and speed in both attacks and defenses are on the rise—but “speed for speed’s sake” without strong fundamentals introduces catastrophic risks.
- Organizations must be vigilant about both their cutting-edge defenses and the “basics”: solid asset inventories, careful lifecycle management, and rapid patch/vulnerability management, especially at the perimeter.
- Identity—both human and non-human—has emerged as a focal point for attackers and requires comprehensive policy, process, and control consideration for effective defense.
For further insights, listeners are encouraged to read the full M-Trends 2026 report [linked in the show notes].
