TL;DR

Mandiant outlines a threat-informed approach to protecting privileged accounts as cloud migration and non-human identities expand the attack surface. The guidance centers on three pillars—prevention, detection and response—and recommends controls such as Zero Trust verification, multifactor authentication, privileged access management, segmented privileged workstations, and tuned SIEM detections.

What happened

In an October 28, 2025 threat-intelligence post authored by Mandiant analysts Bhavesh Dhake, Will Silverstone, Matthew Hitchcock and Aaron Fletcher, the firm lays out a framework for monitoring and defending privileged accounts. The post argues that privileged access is now the primary pathway attackers use to reach sensitive systems, a trend driven by cloud migration and a growing volume of human and non-human identities (service accounts, API keys, workloads and control planes). Mandiant cites M-Trends 2025 findings that stolen credentials accounted for 16% of observed initial access in 2024, and highlights rising infostealer campaigns and social-engineering techniques, including criminal use of generative AI. The guidance recommends assuming breach, adopting layered controls and instituting a comprehensive privileged access management (PAM) program that inventories and tiers accounts, enforces least privilege, rotates credentials, records sessions, restricts administration to segmented privileged access workstations, and monitors privileged activity for anomalies.

Why it matters

  • Compromised privileged credentials enable internal reconnaissance, lateral movement and fast escalation to high-impact assets.
  • Cloud migration and the proliferation of non-human identities have meaningfully expanded organizations' attack surface.
  • Stolen credentials and session tokens remain a common initial access vector; M-Trends 2025 attributes 16% of observed initial access in 2024 to stolen credentials.
  • An assume-breach, defense-in-depth posture reduces dwell time and limits blast radius when privileged access is abused.

Key facts

  • Source: Mandiant threat intelligence blog post published October 28, 2025, authored by Bhavesh Dhake, Will Silverstone, Matthew Hitchcock and Aaron Fletcher.
  • Mandiant groups defenses into three interdependent pillars: Prevention, Detection and Response.
  • M-Trends 2025 reported stolen credentials accounted for 16% of observed initial access in 2024.
  • Median global dwell time for 2024 was 11 days, broken down as 5 days when the adversary itself announces the intrusion (for example with a ransom note), 26 days when an external entity notifies the victim, and 10 days when the intrusion is detected internally.
  • Recommended preventive controls include Zero Trust verification of every request and multifactor authentication (MFA) for all administrative paths.
  • Privileged Access Management (PAM) controls advised include credential rotation, session recording and building a single inventory classifying human and non-human accounts by impact and role.
  • Mandiant emphasizes administering only from Privileged Access Workstations (PAWs) on a segmented management network and tuning SIEM for privileged-account anomalies.
  • The guidance stresses extending PAM beyond traditional admins to include developers, service accounts, API keys, CI/CD pipelines and infrastructure dependencies.
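
The inventory, tiering, PAW-only administration and SIEM-tuning points above are easier to reason about when run against concrete events. The script below is an added example, not code from the Mandiant post: it keeps a single inventory of human and non-human privileged identities, each with a tier and a last-rotation date, and evaluates a handful of constructed logon events against three rules (human admin sessions must originate from an allowlisted PAW on the management network, non-human identities must never log on interactively, and a credential must stay inside its own tier), plus a per-tier credential-rotation check. The inventory schema, host names, the `10.200.` management prefix, the rotation windows and every sample event are assumptions made for illustration.

```python
"""Privileged-account anomaly checks against a tiered identity inventory.

Added example; not code from the Mandiant post. The inventory schema, the
PAW allowlist, the management-network prefix, the per-tier rotation windows
and every log event below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Assumed tiering: 0 = identity/control plane, 1 = servers and cloud
# workloads, 2 = workstations. Rotation windows per tier are assumed policy.
TIER_ROTATION_DAYS = {0: 30, 1: 90, 2: 180}

# Assumed PAW allowlist and segmented management network (RFC 1918 range).
PAW_HOSTS = {"paw-01.mgmt.example", "paw-02.mgmt.example"}
MGMT_PREFIX = "10.200."

# Constructed single inventory of human and non-human privileged identities.
INVENTORY = {
    "adm-jdoe":       {"kind": "human",    "tier": 0, "rotated": "2025-10-01"},
    "svc-backup":     {"kind": "service",  "tier": 1, "rotated": "2025-01-15"},
    "cicd-deployer":  {"kind": "pipeline", "tier": 1, "rotated": "2025-10-20"},
    "apikey-billing": {"kind": "api_key",  "tier": 1, "rotated": "2024-11-30"},
}

INTERACTIVE = {"interactive", "remote_interactive"}


@dataclass
class Logon:
    """One normalized logon event onto a tiered asset (constructed format)."""
    ts: str
    user: str
    src_host: str
    src_ip: str
    logon_type: str   # interactive | remote_interactive | network | service | api
    target_tier: int


def check_logon(ev: Logon, inventory=INVENTORY) -> list[str]:
    """Return the policy violations a single logon event triggers."""
    acct = inventory.get(ev.user)
    if acct is None:
        # Privileged use by an identity the PAM inventory does not know about:
        # either the inventory is incomplete or the account is rogue.
        return ["uninventoried identity on tiered asset"]
    findings = []
    # Human admins may only administer from a PAW on the management network.
    if acct["kind"] == "human" and (
        ev.src_host not in PAW_HOSTS or not ev.src_ip.startswith(MGMT_PREFIX)
    ):
        findings.append("admin session not from PAW on management network")
    # Service accounts, API keys and pipelines never log on interactively;
    # when they do, a human is holding a non-human credential.
    if acct["kind"] != "human" and ev.logon_type in INTERACTIVE:
        findings.append("non-human identity used interactively")
    # Credentials stay inside their tier: a Tier 1 identity touching a Tier 0
    # asset is escalation, a Tier 0 credential on a Tier 2 box is exposure.
    if acct["tier"] != ev.target_tier:
        findings.append(f"tier {acct['tier']} identity used on tier {ev.target_tier} asset")
    return findings


def rotation_overdue(inventory=INVENTORY, today=date(2025, 10, 28)) -> dict[str, int]:
    """Map each identity whose credential exceeds its tier's window to its age in days."""
    ages = {u: (today - date.fromisoformat(a["rotated"])).days for u, a in inventory.items()}
    return {u: d for u, d in ages.items() if d > TIER_ROTATION_DAYS[inventory[u]["tier"]]}


def triage(events, inventory=INVENTORY) -> dict[str, list[str]]:
    """Keyed findings for every event that violates at least one rule."""
    return {
        f"{e.ts} {e.user}@{e.src_host}": hits
        for e in events
        if (hits := check_logon(e, inventory))
    }


# Constructed sample events: one clean Tier 0 session, then each failure mode.
SAMPLE_EVENTS = [
    Logon("2025-10-28T08:02Z", "adm-jdoe", "paw-01.mgmt.example", "10.200.0.11", "remote_interactive", 0),
    Logon("2025-10-28T08:40Z", "adm-jdoe", "ws-finance-07", "10.10.4.55", "remote_interactive", 0),
    Logon("2025-10-28T09:00Z", "svc-backup", "srv-bk-01", "10.200.5.20", "service", 1),
    Logon("2025-10-28T09:15Z", "svc-backup", "ws-finance-07", "10.10.4.55", "interactive", 1),
    Logon("2025-10-28T09:30Z", "cicd-deployer", "runner-03", "10.200.9.4", "network", 0),
    Logon("2025-10-28T09:45Z", "guest-contractor", "vpn-gw", "172.16.3.9", "remote_interactive", 1),
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(hits))
    for user, age in rotation_overdue().items():
        print(f"{user}: credential {age} days old, rotation overdue")
```

In practice the events would be normalized logon records exported from the SIEM and the inventory would be the single PAM inventory the post recommends; the value of the rules lies in the inventory being complete, because the first rule fires on any privileged use by an identity nobody tiered. Note that the checks treat a correct tier and PAW origin as necessary, not sufficient: a compromised PAW still passes, which is why session recording and MFA remain separate controls.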

What to watch next

  • The prevalence and evolution of infostealer malware campaigns that harvest credentials and session tokens.
  • Criminal use of generative AI to automate and scale credential-stealing social engineering (the post cites ENISA on this point).
  • Adoption and maturation of enterprise PAM programs that inventory and tier both human and non-human privileged identities.

Quick glossary

  • Privileged Account: Any human or non-human identity whose entitlements can change system state, alter security policy or access sensitive data beyond normal roles.
  • Privileged Access Management (PAM): A set of policies and tools to control, monitor and audit access to privileged accounts, including credential rotation and session recording.
  • Privileged Access Workstation (PAW): A dedicated, segmented workstation used exclusively for administrative tasks to reduce exposure of privileged credentials.
  • Zero Trust: A security model that assumes no implicit trust and requires verification for every access request, regardless of network location.
  • Multifactor Authentication (MFA): An authentication method that requires two or more verification factors to grant access, reducing reliance on passwords alone.

Reader FAQ

What is the core recommendation of Mandiant's guide?
Adopt a layered approach across Prevention, Detection and Response to secure privileged accounts, with controls such as Zero Trust, MFA, PAM, PAWs and SIEM tuning.

How common are stolen credentials as an initial access method?
According to M-Trends 2025 cited in the post, stolen credentials accounted for 16% of observed initial access events in 2024.

Which account types should be included in a PAM program?
Both human and non-human identities—domain and local admins, developers, service and application accounts, API keys and CI/CD pipeline credentials should be inventoried and tiered.

How long do intrusions typically remain undetected?
The post cites a global median dwell time of 11 days in 2024, with 5 days when the adversary notifies, 26 days when an external entity notifies, and 10 days when detected internally.

Sources

Mandiant threat-intelligence post, October 28, 2025. Written by: Bhavesh Dhake, Will Silverstone, Matthew Hitchcock, Aaron Fletcher. Excerpt: "The Criticality of Privileged Access in Today's Threat Landscape. Privileged access stands as the most critical pathway for adversaries seeking…"
