Tags: Dwell Time, Healthcare, MTTD, Traffic Analysis

Mandiant Says Dwell Time Is 14 Days. UNMC's Was 858.

The Mandiant M-Trends 2026 median dwell time is 14 days. The University of Nebraska Medical Center just disclosed an unauthorized-access window of 858 days. The gap is not a median problem — it's a detection-blind-spot problem the wire can fix and the host cannot.

Zero Hunt Research · 6 min read

The Mandiant M-Trends 2026 report, published in March, pegs the global median dwell time at 14 days — up from 11 the prior year, with espionage and DPRK IT-worker operations dragging the long tail toward four-month averages. That 14-day number is the figure CISOs quote in board decks.

On April 17, the University of Nebraska Medical Center disclosed that its REDCap instance had been subject to unauthorized access between September 20, 2023 and February 3, 2026 — 858 days. 26,937 individuals had personal and clinical data potentially exposed, per the May 2026 HIPAA Journal round-up. The investigation could not determine whether anything was actually exfiltrated; it could only determine that the door was open.

UNMC's number is sixty-one times the industry median. That gap is not a story about medians being wrong. It's a story about which sensors you have on the wire.

What the M-Trends 14-day figure actually measures

The Mandiant baseline is computed over investigated incidents — a population skewed toward organizations with mature SOCs, working EDR fleets, and an existing relationship with an IR firm. Help Net Security's read of the report is worth quoting in full:

Organizations discovering intrusions through their own monitoring achieved detection in approximately nine days. Cases where organizations learned of breaches from outside sources took substantially longer — a median of 25 days in 2025, compared to 11 days in 2024.

So the headline 14-day number masks a bimodal distribution: internal monitoring catches at ~9 days; external notification catches at 25. And the 25-day externally-notified bucket has been getting worse, more than doubling year-over-year. Mandiant attributes the swing to longer-running espionage and supply-chain campaigns that no internal sensor was looking for.

UNMC's incident fell into that second bucket and then off the chart. The detection trigger was not internal: it was a vendor advisory in February 2026 announcing that a remote-access vulnerability existed in REDCap. UNMC pulled the application offline and only then learned, via forensic reconstruction, that the door had been open for 28 months.

The structural reason healthcare keeps showing up here

REDCap is research-grade software used by thousands of academic medical centers to capture survey and clinical-trial data. It runs in a research enclave, talks to a research database, and is rarely covered by the security telemetry that monitors the clinical EHR. UNMC's notice is specific on this point: "Nebraska Medicine's clinical systems operate independently from the REDCap application and were unaffected."

That isolation cuts both ways. The research enclave's separation from clinical systems limited blast radius — but the separation also means the research environment runs with thinner monitoring, no SOC playbooks tuned to its egress patterns, and no behavioural baseline for what its outbound TLS traffic should look like at 03:00 UTC. Adversaries are well aware of this. Of the 9 HIPAA-regulated entities the journal logged in May 2026, several show similar profiles: a peripheral system, a multi-month window, and an external trigger.

The same pattern shows up elsewhere this month — Aligned Orthopedic Partners, ~1 month of unauthorized access; LHC Group, ~2.5 weeks. Those are shorter, but they share the discovery pathway: third-party notification or forensic reconstruction, not real-time detection.

What an EDR cannot see, and what the wire can

A breach that lives in an application's data layer for 28 months is invisible to traditional host-based detection for a few specific reasons:

  • No new binary lands. REDCap-class vulnerabilities — the disclosed XSS, HTML-injection, and CSRF chains documented by Trustwave SpiderLabs (CVE-2024-37394 / -37395 / -37396) and the larger 10-CVE batch disclosed by Swiss Post Cybersecurity — abuse the web application's own permissions. Nothing executes on disk. AV / EDR have nothing to fingerprint.
  • No lateral movement. The intruder is reading the database through the legitimate application path. No SMB, no PsExec, no kerberoasting. Nothing for a SIEM correlation rule to fire on.
  • Patient, slow exfiltration. Long-dwell intruders learned years ago not to spike the egress graph. A few hundred records a day over HTTPS to a never-seen ASN looks like ordinary research collaboration traffic to anyone reading destination IP and port.

The thing those three failure modes share is that they all happen on the wire, and the wire is observable. The application's HTTP request stream has a behavioural signature — request rate, query depth, session duration, referrer chain. The outbound TLS sessions have a destination, an ASN, a JA3 fingerprint, a timing pattern. None of that requires the attacker to do anything visible to the host.

Signal class                              Visible to EDR?   Visible to wire-side ML?
New executable on disk                    Yes               No
Privilege escalation via known LOLBin     Yes               Partially
Web app abuse via existing session        No                Yes
Beaconing to never-seen ASN               No                Yes
Slow exfiltration via legitimate HTTPS    No                Yes
Anomalous query depth on app DB layer     No                Yes

The reason median dwell time keeps drifting upward in Mandiant's data is that more intrusions look like the third row down. The reason UNMC's number was 858 days is that nothing in their stack was looking at the wire from that angle.

"We had logs"

UNMC almost certainly had logs. Most organizations in this situation do. The platform UNMC migrated to — in their words, "an updated version of REDCap [...] with enhanced logging and security controls enabled" — is a tacit admission that the previous logging was insufficient to surface what was happening at the time it was happening.

Logs are forensic. They prove, after the fact, what an investigator can already see. They are not detective unless something is reading them in flight and comparing them to a behavioural baseline. The 25-day externally-notified-dwell number from Mandiant is the median outcome of "we had logs." The 858-day UNMC number is the outlier of "we had logs and a peripheral application no one was watching."

Where the wire-side ML pillar fits

This is the canonical case the Zero Hunt traffic-analysis pillar was built around. Concretely, what would have been different at UNMC if the appliance had been on the research-network egress span:

  • The proprietary deep-learning model — running locally on the appliance GPU at 2.7+ Gbit/s — feeds four parallel inference heads: suspicious traffic, malware classification, attack type identification, application fingerprinting. The relevant head here is the first one, but the fingerprinting head matters too: REDCap's outbound TLS sessions have a profile, and a sustained deviation from that profile (new destination ASN, abnormal session duration, off-hours volume) does not require any malware classification to flag.
  • The model is trained on billions of PCAP sequences, not signatures. A novel attacker behaviour does not need a Snort rule, a Suricata signature, or a Sigma rule. It needs to deviate from what the model has seen on this network — which is a baseline that builds itself.
  • Detection happens while the activity is happening, on the wire, in the appliance — not in tomorrow morning's SIEM digest, and not after the vendor publishes an advisory two years later.
  • Because the appliance is 100% on-premises, with no cloud callbacks, the research network's air-gap posture is preserved. Healthcare research enclaves do not have to choose between monitoring and isolation.
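The wire-side signals listed earlier (destination ASN, session timing, sustained volume) and the deviation profile in the bullets above (new destination ASN, off-hours volume) can be checked with a plain baseline-versus-observation comparison. The block below is an added example, not Zero Hunt's model and not UNMC's data; the flow records, hours and ASN numbers are constructed, and the thresholds are illustrative assumptions.

```python
"""Baseline-deviation check over constructed outbound flow summaries.
Added example (not Zero Hunt's model, not UNMC data): a destination that is quiet by
IP/port/volume still stands out once ASN and hour-of-day are compared to a baseline."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed flows: (timestamp UTC, destination ASN, bytes_out).
# Baseline: 14 days of daytime collaboration traffic to two known partner ASNs.
BASE = datetime(2024, 1, 1)
BASELINE = [(BASE + timedelta(days=d, hours=h), asn, kb * 1024)
            for d in range(14) for h, asn, kb in
            ((9, 64500, 4000), (11, 64501, 900), (14, 64500, 2500), (16, 64501, 1200))]
# Observation window: same daytime pattern plus ~200 KB at 03:00 UTC to a
# never-seen ASN every day, the low-and-slow profile the post describes.
OBSERVED = [(BASE + timedelta(days=14 + d, hours=h), asn, kb * 1024)
            for d in range(30) for h, asn, kb in
            ((3, 64999, 200), (9, 64500, 3800), (11, 64501, 1000), (14, 64500, 2700))]

def build_baseline(flows):
    """Learn the normal ASN set, the hour-of-day histogram and mean daily bytes."""
    daily = defaultdict(int)
    for ts, _, b in flows:
        daily[ts.date()] += b
    return {"asns": {asn for _, asn, _ in flows},
            "hours": Counter(ts.hour for ts, _, _ in flows), "n": len(flows),
            "mean_daily": sum(daily.values()) / len(daily)}

def score(flows, base, off_hours_frac=0.02, min_days=7):
    """Flag ASNs never seen in the baseline that are contacted on >= min_days days."""
    by_asn = defaultdict(lambda: {"days": set(), "bytes": 0, "off_hours": 0})
    for ts, asn, b in flows:
        rec = by_asn[asn]
        rec["days"].add(ts.date())
        rec["bytes"] += b
        # Counter returns 0 for hours never seen in the baseline
        if base["hours"][ts.hour] / base["n"] < off_hours_frac:
            rec["off_hours"] += 1
    findings = {}
    for asn, rec in by_asn.items():
        if asn in base["asns"] or len(rec["days"]) < min_days:
            continue
        per_day = rec["bytes"] / len(rec["days"])
        # A volume threshold sees a quiet destination; the baseline sees a new,
        # sustained, off-hours peer. That is the signal the post says the host misses.
        findings[asn] = {"per_day_bytes": per_day, "days": len(rec["days"]),
                         "off_hours_sessions": rec["off_hours"],
                         "below_daily_mean": per_day < base["mean_daily"]}
    return findings
```

Run `score(OBSERVED, build_baseline(BASELINE))`: the only finding is the constructed ASN 64999, moving well under the baseline's mean daily volume but on 30 distinct days, all at an hour the baseline never saw.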

Pillar 2 doesn't replace EDR. The host-based stack catches the things the host-based stack catches — known binaries, known LOLBin chains, known credential-theft patterns. The wire is the layer that catches what the host doesn't see by design: web-app abuse against a legitimate session, slow exfiltration that never spikes, beacons to ASNs no one on the network has ever talked to.

The honest takeaway

The 14-day median in M-Trends 2026 is a number for the population Mandiant investigates. It is not the experience of a research enclave at a university medical center, a peripheral SaaS app at a regional hospital, or any environment where the security telemetry is tuned to the clinical core and stops at the perimeter of the research zone. For those environments, the realistic dwell time is whatever interval falls between today and the next vendor advisory — and at UNMC that interval was 858 days.

Closing that gap doesn't require buying another EDR. It requires putting a sensor on the wire that doesn't depend on signatures, doesn't depend on cloud telemetry, and doesn't depend on someone outside the organization eventually telling you. Until that sensor is there, the median lies — and the long tail eats the organization.