
Mandiant M-Trends 2025: Stolen Credentials Top Initial-Access Vector

Research · Mandiant / Google Cloud — M-Trends 2025 · Apr 2025

Key Finding

Mandiant's incident dataset converges on the same conclusion Verizon and IBM reach with different methodology: identity is the most-used adversary path, and the slowest to detect when it works.

Mandiant's M-Trends report draws from actual investigations the firm performs each year, providing a complementary view to vendor telemetry like Verizon's DBIR or Microsoft's Digital Defense. The 2025 edition (covering 2024 investigations) found stolen credentials at the top of initial-access vectors, displacing exploits and prompt-driven phishing.

The dwell-time figure for credential intrusions remained the longest of any vector — typically months from initial access to detection — which is consistent with IBM's 246-day median for credential-initiated breaches. The reason is the same as it has been since 2019: an attacker authenticated with valid credentials produces the same telemetry as a legitimate user, and behavioural detection on identity is harder than detection on malware.
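To make the detection problem concrete, the following script is an added illustration (not code from Mandiant, Atlas Apex, or the M-Trends report). It runs a per-user behavioural baseline over a small constructed set of authentication events. Every event in the sample is a successful login with valid credentials, so a rule keyed on failures or on malware artifacts never fires; the only signal available is deviation from the user's own history of source network, device and login hour. User names, ASNs and device identifiers are constructed sample values.

```python
"""Behavioural baselining over valid-credential logins (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log. ASNs are from the RFC 5398
# documentation range; users and devices are invented for this example.
SAMPLE_EVENTS = [
    # Learning window: normal activity for alice and bob
    "2024-03-01T08:02:11Z user=alice asn=AS64496 device=laptop-a1 result=success",
    "2024-03-01T17:40:03Z user=alice asn=AS64496 device=laptop-a1 result=success",
    "2024-03-02T09:15:27Z user=alice asn=AS64496 device=laptop-a1 result=success",
    "2024-03-01T10:05:44Z user=bob asn=AS64497 device=phone-b7 result=success",
    "2024-03-03T11:22:09Z user=bob asn=AS64497 device=phone-b7 result=success",
    # Evaluation window: two ordinary logins, one travelling user, and one
    # login with alice's credentials from a never-seen network and device at 03:12
    "2024-03-04T08:05:30Z user=alice asn=AS64496 device=laptop-a1 result=success",
    "2024-03-04T10:30:12Z user=bob asn=AS64497 device=phone-b7 result=success",
    "2024-03-04T11:00:00Z user=bob asn=AS64498 device=phone-b7 result=success",
    "2024-03-05T03:12:48Z user=alice asn=AS64500 device=win-x9 result=success",
]

# Events before this instant build the baseline; events from it onward are scored.
LEARN_UNTIL = datetime(2024, 3, 4, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) asn=(?P<asn>\S+) "
    r"device=(?P<device>\S+) result=(?P<result>\S+)$"
)


def parse(line):
    """Parse one key=value log line into a dict with a timezone-aware timestamp."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return d


def build_baseline(events):
    """Per-user sets of source networks, devices and login hours from successful logins."""
    baseline = defaultdict(lambda: {"asn": set(), "device": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        b = baseline[e["user"]]
        b["asn"].add(e["asn"])
        b["device"].add(e["device"])
        b["hours"].add(e["ts"].hour)
    return baseline


def score(event, baseline):
    """Count how many independent context attributes deviate from the user's baseline."""
    b = baseline.get(event["user"])
    if b is None:
        return 3, ["no baseline for user"]
    reasons = []
    if event["asn"] not in b["asn"]:
        reasons.append("new source network")
    if event["device"] not in b["device"]:
        reasons.append("new device")
    hour = event["ts"].hour
    # Within two hours of any previously seen login hour, wrapping around midnight.
    if not any(abs(hour - h) <= 2 or abs(hour - h) >= 22 for h in b["hours"]):
        reasons.append("outside usual hours")
    return len(reasons), reasons


def detect(lines, learn_until, threshold=2):
    """Return (timestamp, user, reasons) for successful logins deviating on >= threshold attributes."""
    events = [parse(line) for line in lines]
    baseline = build_baseline(e for e in events if e["ts"] < learn_until)
    alerts = []
    for e in events:
        if e["ts"] < learn_until or e["result"] != "success":
            continue
        s, reasons = score(e, baseline)
        if s >= threshold:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in detect(SAMPLE_EVENTS, LEARN_UNTIL):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

The threshold of two deviating attributes is deliberate: bob's login from a new network on his usual device in his usual hours scores one and stays quiet, which is what a traveller or a VPN change looks like, while the 03:12 login on alice's account scores on all three attributes. Nothing in that flagged event differs from a legitimate success at the event level; the whole signal comes from the per-user history, which is why this class of detection needs a baseline to exist before the intrusion and why it degrades on accounts with little history.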

For identity architects the convergence across vendor sources matters. When Mandiant, Verizon, IBM, Sophos, and Microsoft all report the same shape of attack from independent datasets, the conclusion is not that "credentials are a problem" — it is that the architecture, not the platform, has to change.
