Agents
Mandiant M-Trends 2026: Adversary Hand-Off Collapsed from 8 Hours to 22 Seconds, PROMPTFLUX Malware Queries LLMs Mid-Execution
Mandiant's M-Trends 2026 report, grounded in 500,000+ hours of frontline incident investigations, reveals the median time between initial access and hand-off to a secondary threat group collapsed from 8 hours in 2022 to 22 seconds in 2025. New malware families PROMPTFLUX and PROMPTSTEAL actively query LLMs during execution to evade detection, and distillation attacks now extract proprietary ML model logic. Despite these advances, 2025 was not the year breaches were the direct result of AI — attackers primarily use LLMs for phishing, recon, and evasion efficiency rather than autonomous exploitation.
↳ Follow the thread