Google Mandiant report spots faster, stealthier cyberattacks
Google has published Mandiant's M-Trends 2026 report, drawing on more than 500,000 hours of incident investigations.
The report accompanies a broader set of security product updates from Google, including new automation tools in Google Security Operations, dark web intelligence in Google Threat Intelligence, and additions to its cloud and browser security products.
Mandiant's latest research describes a threat landscape shaped by both speed and persistence. Investigators are seeing rapid hand-offs in the early stages of attacks, as well as intrusions that can remain hidden for years.
Criminal groups are also increasingly operating like organised businesses, using partnerships to shrink the time defenders have to respond. In one example from the research, the intervention window fell from hours to 22 seconds.
Attack speed
The report argues that attackers are moving beyond data theft alone. Many groups now aim to disrupt an organisation's ability to recover operations while increasing pressure for extortion payments.
The findings form part of Google's broader push to position AI as a tool for defenders as cyber attacks become more automated. It has introduced what it calls agentic automation in Google Security Operations, now in preview, allowing security teams to add AI agents to existing workflows.
Google said its Triage and Investigation agent can investigate alerts, gather evidence, and produce verdicts with explanations. The goal is to cut time spent on false positives and routine analysis so analysts can focus on higher-priority threats.
Customers of Google Security Operations will also be able to build their own security agents with support for remote Model Context Protocol (MCP) servers, removing the need to host their own server client, the company said.
Industry analysts are seeing growing interest from security leaders in this kind of automation. "Few would argue that the progress made in the past 12 to 18 months to put AI to work to improve security operations is remarkable. New research from Omdia shows that 89% of CISOs are pushing to accelerate the adoption of agentic security," said David Gruber, Principal Analyst, Cybersecurity, Omdia.
"Not only does this commitment reflect the urgency in combating an AI-enabled adversary, but our data also show that over half of cybersecurity practitioners believe that agentic AI offers a bigger advantage to cybersecurity defenders over the adversary. With the promise of significant improvement to security outcomes, Google Cloud is well-positioned to help organizations transform their SOCs with this powerful new technology," Gruber added.
Dark web focus
Another part of the update is a new dark web intelligence feature in Google Threat Intelligence. The service combines work by Google's threat analysts with Gemini models to build a profile of an organisation and identify relevant threats from large volumes of external data.
Internal tests showed the system could analyse millions of daily external events with 98% accuracy, though Google did not provide further detail on the test conditions. The feature is intended to reduce false positives and provide more context on why a threat may matter.
One customer cited by Google described the tool as a marked change from existing products. "In previous roles, I've leveraged several dark web tools and found they averaged over 90% false positives. The new dark web intelligence flips this, filtering noise and connecting dots that no human analyst could see in time. It's the difference between reacting to a fire and putting it out before the match is struck," said Michael Kosak, Director, Threat Intelligence, LastPass.
AI security
Google also used the announcement to outline security additions for organisations deploying AI systems. Security Command Centre now integrates with Vertex AI Agent Engine to detect threats involving agents, including unauthorised access and data exfiltration attempts.
Model Armour now works with Google MCP servers, extending coverage to risks such as prompt injection, sensitive data leakage, and tool poisoning. Sensitive Data Protection has also been updated with AI-based context classifications covering fields such as medical and finance, alongside object detection for items including faces and passports.
A survey conducted with the Cloud Security Alliance found that 72% of organisations lacked confidence in their ability to execute a secure AI strategy. Google said this reflects a broader gap between AI deployment ambitions and practical security controls.
Cloud portfolio
Elsewhere, Google outlined updates across its network security tools. These include in-band mode in Network Security Integration, regional firewall policies in Cloud NGFW, and expanded controls in Cloud Armour for hierarchical security policies and organisation-scoped address groups.
It also announced a forthcoming external exposure management feature in preview for Security Command Centre. This is intended to give users an outside-in view of their Google Cloud attack surface and identify exploitable vulnerabilities and network paths.
In browser security, Chrome Enterprise Premium is adding browser cache encryption for non-corporate devices and extending clipboard protections across Citrix virtual applications and web-based apps.
Alongside the M-Trends findings, Google also pointed to separate Mandiant research on AI risk and resilience, based on consulting engagements and Google Threat Intelligence Group research. It said that work found adversaries had moved from experimental use of AI to adaptive tools and autonomous agents capable of rewriting their own code in real time.