M-Trends 2026, released this morning, contains one finding that the speed-focused commentary will undervalue: the median time between initial system access and handoff to a secondary threat group dropped to 22 seconds in 2025. That number is not primarily a detection challenge. It is an epistemological one. The “threat actor” as an analytical unit is becoming structurally incoherent, and attribution methodology has not caught up.
The fiction we have been operating on
Threat intelligence is built on a coherent fiction. The fiction is this: behind every intrusion sits an organization with consistent goals, shared tooling, trained personnel, and traceable behavioral habits. We name them. FANCY BEAR. LAZARUS. Scattered Spider. We build profiles, map their TTPs to ATT&CK, track their infrastructure, and publish attribution assessments that policymakers use to justify sanctions, indictments, and in some cases the consideration of military response. The entire apparatus of geopolitical cyber attribution rests on the assumption that the intrusion reflects a coherent organizational actor whose behavior we can fingerprint and track across time.
M-Trends 2026, drawing on over 500,000 hours of Mandiant incident investigations conducted in 2025, contains a finding that should unsettle that assumption at its foundation. Mandiant attributes the 22-second acceleration to automated pipelines in which initial access brokers deploy malware directly on behalf of downstream groups, bypassing the forum-based markets that previously mediated those transactions. The operational implication is well understood: defenders now have seconds, not hours, to intervene. The analytical implication has received almost no attention, and it is more consequential for the long-term health of threat intelligence as a discipline.
What the 22-second handoff actually means
When a breach involves an initial access broker, an automated handoff pipeline, a ransomware-as-a-service operator for execution, and a separate data extortion group managing victim negotiation, the question “who did this?” no longer has a clean answer. Each participant contributed a discrete operational function. None of them conducted the full intrusion. The behavioral artifacts left in the environment are distributed across multiple organizational profiles that may share no infrastructure, no tooling lineage, and no persistent relationship beyond a transaction conducted in under half a minute. An analyst trying to attribute that breach to a single named actor is not doing intelligence work. They are imposing an organizational coherence on the intrusion that the intrusion itself does not possess. The “threat actor” is a retroactive construct, assembled after the fact to satisfy a downstream need for accountable attribution, not a description of how the operation actually functioned.
This is not a new problem, but it has reached a threshold that changes its category. Initial access brokerage and ransomware-as-a-service have existed for years. What has changed is the degree of automation and the compression of the transaction window. When handoffs took hours, there was at least a detectable seam between operational phases, a moment where the intrusion paused, changed character, and gave analysts something to work with when reconstructing who did what. At 22 seconds, through an automated pipeline, that seam disappears. The intrusion arrives as a functionally continuous event even though it represents the output of multiple distinct organizational actors who may have never communicated directly. The analytical tools that threat intelligence developed for a world of slower, more legible handoffs are being applied to a world that no longer fits their assumptions.
Two adversary profiles, one analytical discipline
M-Trends 2026 documents a second divergence that sharpens this problem further. While criminal groups are optimizing for speed and what the report calls “recovery denial,” sophisticated espionage clusters are moving in the opposite direction, targeting edge devices and core network infrastructure specifically because those environments lack standard EDR telemetry, and achieving dwell times approaching 400 days. The BRICKSTORM backdoor cases documented in the report are emblematic: persistent, invisible, operating in environments where most organizations retain only 90 days of logs, meaning the initial access vector is structurally unrecoverable by the time the intrusion is detected. These two adversary profiles, the speed-optimized criminal ecosystem and the patience-optimized espionage cluster, are producing breach environments with radically different forensic textures. Attribution frameworks designed around one profile misread the other systematically. The analyst who assumes criminal TTPs and speed is looking for the wrong artifacts entirely when the intruder is a nation-state cluster that spent fourteen months in a router.
Attribution anchoring under institutional pressure
The deeper cognitive trap is attribution anchoring: the tendency to assign an intrusion to the named actor whose behavioral profile most closely matches the observed evidence, without adequately accounting for the fact that the observed evidence may reflect a transaction ecosystem rather than a single actor. Attribution anchoring is a documented failure mode in intelligence analysis generally. In threat intelligence specifically, it is structurally incentivized. Vendors build reputations on named actor tracking. Governments need attributable entities for legal and policy action. The institutional pressure to produce a named attribution, even when the evidentiary basis is a distributed transaction ecosystem, is significant. That pressure does not disappear when the underlying methodology becomes less reliable. It just produces confident conclusions on weaker foundations.
What distributed attribution would require
What the intelligence community actually needs is an explicit methodology for distributed attribution: frameworks that can assign responsibility across a transaction chain rather than collapsing it to a single actor, that can distinguish between the organization that directed an operation and the organizations that executed discrete phases of it, and that can communicate uncertainty in ways that policymakers can work with rather than dismiss. None of that is easy. Some of it requires renegotiating the evidentiary standards that currently govern attribution-based policy action. But the alternative is a discipline that continues producing named actor attributions with diminishing correspondence to the organizational reality of how intrusions are actually conducted, while the gap between analytical confidence and evidentiary validity quietly widens.
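To make the contrast concrete, the following is an added illustration (not code from M-Trends, Mandiant, or this post) of what a distributed attribution record could look like next to the conventional single-actor collapse. The actor names, phase names, match scores, the 0.2 contest margin and the confidence bands are all constructed assumptions for the example; the point is only to show that the actor whose profile best explains the chain "on average" may explain very few of its phases, and that a per-phase record with graduated confidence and contested phases keeps that uncertainty visible.

```python
from __future__ import annotations
from dataclasses import dataclass

# All actor names, phase names and match scores below are constructed for
# illustration; they are hypothetical, not drawn from M-Trends or any real case.


@dataclass
class Phase:
    """One operational phase of an intrusion and, per candidate actor, how well
    that actor's behavioural profile matches the observed artifacts (0..1)."""
    name: str
    candidates: dict[str, float]


@dataclass
class Attribution:
    actor: str
    confidence: float      # mean match score over the phases assigned to this actor
    phases: list[str]
    contested: list[str]   # phases where the runner-up was within MARGIN of the winner


MARGIN = 0.2  # assumed threshold below which a phase is flagged as contested

# Constructed transaction chain: broker -> automated handoff -> RaaS operator -> extortion crew
CHAIN = [
    Phase("initial_access",    {"IAB-A": 0.90, "RaaS-B": 0.10}),
    Phase("automated_handoff", {"IAB-A": 0.60, "RaaS-B": 0.50}),
    Phase("execution",         {"IAB-A": 0.10, "RaaS-B": 0.85, "Extortion-C": 0.20}),
    Phase("negotiation",       {"RaaS-B": 0.30, "Extortion-C": 0.90}),
]


def best_match(phase: Phase):
    """Return (winner, score, margin_to_runner_up) for one phase."""
    ranked = sorted(phase.candidates.items(), key=lambda kv: kv[1], reverse=True)
    winner, score = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    return winner, score, score - runner_up


def collapse_to_single_actor(chain: list[Phase]):
    """The conventional approach: pick the actor whose profile best explains the
    whole chain on average, and report what fraction of phases that actor actually wins."""
    actors = {a for p in chain for a in p.candidates}
    mean = {a: sum(p.candidates.get(a, 0.0) for p in chain) / len(chain) for a in actors}
    actor = max(mean, key=mean.get)
    coverage = sum(1 for p in chain if best_match(p)[0] == actor) / len(chain)
    return actor, mean[actor], coverage


def distributed_attribution(chain: list[Phase]) -> list[Attribution]:
    """Assign each phase to its best-matching actor and report per-actor confidence,
    keeping phases whose winner is only marginally ahead flagged as contested."""
    by_actor: dict[str, dict] = {}
    for p in chain:
        winner, score, margin = best_match(p)
        entry = by_actor.setdefault(winner, {"scores": [], "phases": [], "contested": []})
        entry["scores"].append(score)
        entry["phases"].append(p.name)
        if margin < MARGIN:
            entry["contested"].append(p.name)
    return [Attribution(a, sum(e["scores"]) / len(e["scores"]), e["phases"], e["contested"])
            for a, e in by_actor.items()]


def confidence_band(score: float) -> str:
    """Graduated language instead of false certainty (band cut-offs are an assumption)."""
    if score >= 0.8:
        return "high"
    if score >= 0.5:
        return "moderate"
    return "low"


if __name__ == "__main__":
    actor, mean, cov = collapse_to_single_actor(CHAIN)
    print(f"single-actor collapse: {actor} (mean match {mean:.2f}, explains {cov:.0%} of phases)")
    for att in distributed_attribution(CHAIN):
        print(f"{att.actor}: {att.phases} confidence={confidence_band(att.confidence)} "
              f"({att.confidence:.2f}) contested={att.contested}")
```

On the constructed chain the single-actor collapse names the RaaS operator, yet that actor wins only one of four phases; the distributed record instead credits the broker with initial access and the handoff (with the handoff marked contested), the operator with execution, and the extortion crew with negotiation, each at its own confidence band.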
Key takeaways
The 22-second handoff is a coherence problem, not a speed problem. When automated pipelines eliminate the operational seam between initial access and downstream execution, the intrusion no longer reflects a single coherent organizational actor. Attributing the resulting breach to a named group assigns unified organizational identity to what was functionally a distributed transaction. The evidentiary chain threat intelligence produces in those cases is not wrong about the individual actors involved. It is wrong about the organizational structure it implicitly assumes.
Adversary divergence is creating incompatible attribution contexts within the same analytical discipline. M-Trends 2026 documents two threat profiles moving in opposite directions simultaneously: criminal groups optimizing for 22-second handoffs and recovery denial, and espionage clusters optimizing for 400-day dwell times in unmonitored edge infrastructure. Attribution frameworks calibrated to one profile will systematically misread the other, and the same analytical team is frequently asked to work across both contexts without explicit methodology for distinguishing them.
Attribution anchoring is structurally incentivized and increasingly dangerous. The institutional pressure to produce a named actor attribution, from vendor reputation to legal and policy downstream requirements, does not diminish when the evidentiary foundation weakens. It produces confident conclusions on thinner grounds. This is a known failure mode in intelligence analysis, and the threat intelligence community has not developed explicit countermeasures to it. As the transactional complexity of intrusions increases, the gap between attribution confidence and attribution validity will widen unless the institutional incentive structure changes.
Distributed attribution methodology is not optional. What the discipline needs are frameworks capable of assigning responsibility across an intrusion’s transaction chain, distinguishing the directing organization from the executing ones, and communicating graduated confidence in ways policymakers can use without defaulting to false certainty. The current practice of collapsing distributed intrusions to a single named actor satisfies a short-term institutional need at the cost of long-term analytical credibility. The M-Trends 2026 data makes the scale of that debt visible. The question is whether the field addresses it before attribution-based policy action produces a consequential error.