The cyber-attack lifecycle has entered a new, unforgiving phase. This was underscored at the recent Google Cloud Next 2026 event, where leaders highlighted how AI-driven security operations are reshaping both attack and defence.
The event showcased how autonomous security operations (SecOps) tooling is accelerating detection, correlation, and response across cloud and hybrid environments, reflecting a world in which machine-speed threats now dominate.
This shift is further quantified in the Mandiant M-Trends 2026 report, produced with Google Cloud Security, which showed that the median ‘time to hand-off’ between an initial access broker and a secondary ransomware group has collapsed from more than eight hours in 2022 to just 22 seconds in 2025. Adversaries are no longer relying on slow, forum-based access sales. Instead, they are pre-staging malware and working directly with partners, enabling near-instant activation once access is obtained.
Twenty-two seconds is not a response window but a warning shot, states Wessel Pieterse, Cybersecurity Practice Lead at Accelera Digital Group (ADG). “By the time a Security Operations Centre (SOC) analyst has finished reading the alert, the ransomware crew may already be inside the environment. The only viable defence is to treat every minor anomaly as a potential precursor to a catastrophic breach.”













