In 2026, the public sector is no longer defending a traditional perimeter. Instead, they are defending a complex web of interconnected trust relationships against adversaries that now operate at machine speed. We recently published the 2026 Public Sector Threat Landscape: M-Trends and Beyond report, which distills more than 500,000 hours of frontline incident investigations conducted by Mandiant in 2025, specifically tailored to the mission-critical needs of public sector leaders.
Key findings from the report and what they mean for the public sector
The most alarming trend in this year’s M-Trends data is the 22-second hand-off: the median time between an initial access broker establishing a foothold and the hand-off to a ransomware operator. This extreme compression of the attack cycle renders traditional, human-speed triage obsolete. When an infection on a municipal workstation can move to an encrypted network before a human analyst can even open a ticket, the strategic mandate for resilience must pivot toward machine-speed defense.
Additionally, the report uncovered several emerging “boundaries of trust” that adversaries are systematically exploiting:
- The persistence paradox: State-sponsored espionage actors are pursuing multi-year persistence, with some remaining undetected for over five years. This “persistence paradox” directly challenges standard 90-day telemetry retention policies, often leaving agencies unable to quantify the full impact of a breach.
- The virtualization stack: Attackers are moving “down the stack” to target the virtualization management plane. Techniques like “snapshot mounting” allow attackers to bypass guest-level security tools, creating snapshots of domain controllers to steal databases offline.
- The SaaS domino effect: At the state and local levels, the reliance on third-party cloud tools has turned integrations into threat vectors. Exploiting non-human identities (NHIs) like service accounts and OAuth tokens allows a single compromise to trigger a chain reaction across an entire agency network.
- The vishing surge: Voice phishing (vishing) has surged to 11% of global infections. These highly effective social engineering attacks target government help desks to reset passwords or enroll unauthorized devices. This proves that the ‘human element’—the administrative trust placed in help desk staff and IT administrators—is now a primary vector for establishing initial access.
A mandate for continuous verification
Looking ahead, resilience in the public sector will require more than a compliance checklist; it demands a cultural pivot to continuous verification—a security doctrine where trust is never assumed and must be constantly re-validated. Success is no longer just defined by the absence of a breach, but also by an agency’s ability to remain operational while under active attack. At Google, we provide the technical architecture to make continuous verification a reality through three core capabilities.
Identity as the new perimeter: Through Chrome Enterprise Premium, we replace traditional VPNs with context-aware access. We verify the user’s identity and the security posture of their device for every single application request, ensuring that access is only granted under the right conditions.
Agentic defense: We enable agencies to ingest and analyze massive telemetry datasets in real-time using Google Security Operations, which includes threat-centric case management, interactive, context-rich alert graphing, and automatic stitching together of entities. This allows for the “Machine-Speed” detection required to spot an adversary within the 22-second hand-off window, turning manual triage into automated, continuous monitoring. To stay ahead of these rapid shifts, this operational stack is directly infused with Google Threat Intelligence, exposing global actor infrastructure and matching internal telemetry with Mandiant’s frontline incident insights in real time.
At Google Cloud Next ‘26, we announced three new AI-powered autonomous agents within Google Security Operations: a Threat Hunting agent to proactively unearth hidden attack patterns, a Detection Engineering agent to automatically close telemetry coverage gaps, and a Third-Party Context agent to seamlessly enrich analyst workflows.
Hardened infrastructure: By moving “down the stack” with Security Command Center and leveraging our strategic partnership with Wiz, we offer deep visibility into the virtualization and cloud layers. This allows agencies to continuously verify the integrity of their hypervisors and cloud configurations, automatically detecting unauthorized “Snapshot Mounting” or configuration drifts that adversaries exploit for persistence. By hardening the administrative fabric—including identity and virtualization—and modernizing log retention to close the visibility gap, government leaders can move from a state of reactive triage to a future of context-aware resilience.
Google security in action
Google’s security technology comes to life across the public sector, where agencies are successfully shifting from manual triage to agentic defense, and accelerating their security transformation. The Pasco Sheriff’s Office transformed its security and operations, unifying siloed tools with Google Security Operations to boost efficiency, improve community safety, and champion secure AI for law enforcement. Meanwhile, the State of Connecticut moved from a fragmented operating model to a unified, proactive security posture using Google Security Operations to reduce forensic investigation times from months to mere hours and create a secure-by-design digital infrastructure for the future of public service.
Secure your future
Download the 2026 Public Sector Threat Landscape: M-Trends and Beyond report to explore the data and strategic recommendations for the latest insights and trends and what they mean for the public sector. Catch the replay of our Gemini for Government webinar to dive deeper into securing and governing an agent.






