22-second ransomware handoffs make human triage obsolete
Key Takeaways
- Median time from initial access to ransomware handoff has compressed to 22 seconds, rendering traditional triage useless
- State-sponsored actors now maintain persistence for 5+ years, far exceeding standard 90-day log retention policies
- Voice phishing (vishing) accounts for 11% of global infections, with help desks as primary targets
Google's 2026 Public Sector M-Trends report delivers a sobering number: 22 seconds. That's the median time between an initial access broker establishing a foothold and handing off to a ransomware operator. By the time your analyst opens a ticket, the network is already encrypted. The report, distilled from 500,000 hours of Mandiant incident investigations in 2025, makes clear that public sector organizations face adversaries operating at machine speed while defenders remain stuck in human time.
Why 90-day log retention fails against 5-year persistence
The report identifies what it calls the "persistence paradox." State-sponsored espionage actors are maintaining access to compromised networks for more than five years. Most agencies retain telemetry for 90 days. The math is brutal: when an incident finally surfaces, investigators cannot reconstruct the full attack timeline or quantify the damage. Years of exfiltrated data become unknowable.
This mismatch between attacker patience and defender visibility has practical consequences. Compliance frameworks that mandate specific retention periods were designed for a different threat environment. They assume breaches will be detected within quarters, not half-decades.
Attackers are moving below your security tools
The report documents a shift "down the stack" to the virtualization management plane. Attackers now create snapshots of domain controllers, mount them offline, and extract credential databases without triggering guest-level security tools. Your endpoint detection sees nothing because the attack happens at the hypervisor layer.
This technique, called snapshot mounting, exploits a fundamental architectural assumption: that security monitoring within a virtual machine can detect threats to that machine. When the attacker controls the hypervisor, that assumption collapses.
Third-party integrations as attack vectors
State and local agencies increasingly rely on SaaS tools, and those integrations create what the report terms the "SaaS domino effect." Attackers target non-human identities: service accounts, API keys, OAuth tokens. A single compromised service account can trigger access across an entire agency network because these credentials are designed to connect systems without human intervention.
The problem compounds because non-human identities often have broader permissions than human accounts. A developer might configure a service account with administrative rights to "make it work" during integration, then never revisit those permissions.
Voice phishing now accounts for 11% of infections
The human element remains the weakest link, but the attack vector has shifted. Vishing, or voice phishing, has surged to 11% of global infections. Attackers call government help desks, impersonate employees, and convince staff to reset passwords or enroll unauthorized devices. The trust placed in help desk personnel has become an attack surface.
Training alone cannot fix this. Help desks are designed to help, and social engineering exploits that design. The report suggests the solution lies in verification procedures that remove human discretion from sensitive operations like password resets.
Google's response: continuous verification architecture
The report positions Google's security stack as the answer to machine-speed attacks. Chrome Enterprise Premium replaces traditional VPNs with context-aware access, verifying both user identity and device security posture for every application request. Google Security Operations ingests telemetry and automates detection, aiming to spot adversaries within that 22-second window.
At Google Cloud Next '26, the company announced three AI-powered autonomous agents for Google Security Operations: a Threat Hunting agent to find hidden attack patterns, a Detection Engineering agent to close telemetry gaps automatically, and a Third-Party Context agent to enrich analyst workflows. These agents embed Google Threat Intelligence directly into operational workflows.
For infrastructure-level visibility, Google points to Security Command Center and its partnership with Wiz for continuous verification of hypervisor integrity and cloud configurations. The pitch: detect snapshot mounting or configuration drift before attackers can exploit it.
Logicity's Take
The 22-second figure is striking, but the real insight is architectural. Google is essentially arguing that perimeter-based security has failed and that identity must become the new control plane. For engineering teams, this means rethinking how service accounts are provisioned and monitored. Google's stack is one option; alternatives include CrowdStrike Falcon for endpoint detection (starting around $8.99/endpoint/month), Microsoft Defender for Cloud for Azure-native shops, and Wiz as a standalone CSPM regardless of your SIEM choice. The broader shift toward agentic security, where AI handles triage at machine speed, is real and coming to every major vendor.
What this means for DevOps and engineering teams
The report's findings translate into specific operational changes. Log retention policies need review against actual threat timelines, not compliance minimums. Non-human identities require the same governance as human accounts, including regular credential rotation and least-privilege enforcement. Hypervisor security cannot be delegated to guest-level tools alone.
The vishing data suggests that any process relying on help desk discretion for sensitive operations is a vulnerability. Automated verification, whether through hardware tokens, out-of-band confirmation, or identity proofing services, removes the human judgment that attackers exploit.
Frequently Asked Questions
What is the 22-second ransomware handoff?
The median time between an initial access broker establishing network access and transferring control to a ransomware operator. This compression means traditional human-speed incident response cannot intervene before encryption begins.
How long do state-sponsored attackers maintain persistence?
The 2026 M-Trends report documents cases exceeding five years of undetected access, far beyond typical 90-day log retention windows.
What is snapshot mounting in cybersecurity?
An attack technique where adversaries create a snapshot of a virtual machine at the hypervisor level, mount it offline, and extract sensitive data like credential databases without triggering guest-level security tools.
Why are non-human identities a security risk?
Service accounts, API keys, and OAuth tokens often have excessive permissions and connect multiple systems. A single compromised NHI can provide access across an entire network without human authentication.
What is continuous verification in cybersecurity?
A security doctrine where trust is never assumed and must be constantly re-validated. Every access request verifies identity, device posture, and context rather than relying on network location or prior authentication.
The 2026 M-Trends report reframes public sector cybersecurity as a speed problem. Defenders cannot match attacker velocity with human analysts. Whether agencies adopt Google's stack or build alternatives, the strategic direction is clear: automate detection and response, extend telemetry retention, and treat every identity as a potential attack vector.
Need Help Implementing This?
If your organization needs guidance on machine-speed defense, continuous verification architecture, or non-human identity governance, contact Logicity's advisory team for tailored recommendations based on your infrastructure and compliance requirements.
Source: Cloud Blog
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.





