Google Cloud’s Mandiant unit has published a 2026 edition of its destructive-attack hardening guide, updating a framework it first released in January 2022 as the Ukraine crisis escalated.

The post says destructive cyberattacks can include destructive malware, wipers and modified ransomware, and the March 13 update adds guidance on abuse or misuse of endpoint and mobile device management platforms.

What the 2026 edition adds to the 2022 framework

That update broadens the scope of the original guide. In 2022, Mandiant described the problem around external-facing services, critical asset protections, on-premises lateral movement and credential protections.

The 2026 edition keeps those areas, but adds a dedicated section on preventing destructive actions in Kubernetes and CI/CD pipelines, saying adversaries increasingly target those environments because they are centralized hubs with direct access to application deployments and underlying infrastructure.

What attackers can do in Kubernetes and CI/CD environments

The new cloud-native section is specific about what that means in practice. Mandiant warns that attackers can abuse over-permissive role-based access control to delete deployments, wipe persistent volumes or remove critical namespaces, and says defenders should monitor for untrusted or unsigned images and anomalous access to Kubernetes secrets.

Its mitigation guidance calls for mandatory MFA on infrastructure management platforms and code repositories, image signing and provenance controls, strict RBAC, immutable cluster backups and centralized audit logging.
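As an added example (not code from Mandiant's guide or this article), the following Python check shows how the monitoring the section calls for can be applied to Kubernetes API-server audit events: it flags delete operations on deployments, persistent volumes and namespaces, and reads of secrets by principals outside a hypothetical per-namespace allowlist. The audit lines and the allowlist are constructed for the example.

```python
import json

# Constructed Kubernetes audit events (not from the page or Mandiant), reduced
# to the fields this check reads: verb, user, objectRef and responseStatus.
SAMPLE_AUDIT_LOG = """\
{"verb":"get","user":{"username":"system:serviceaccount:payments:api"},"objectRef":{"resource":"secrets","namespace":"payments","name":"db-creds"},"responseStatus":{"code":200}}
{"verb":"delete","user":{"username":"dev-alice"},"objectRef":{"resource":"deployments","namespace":"payments","name":"checkout"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"dev-alice"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}
{"verb":"delete","user":{"username":"system:serviceaccount:kube-system:gitops"},"objectRef":{"resource":"namespaces","name":"staging"},"responseStatus":{"code":200}}
{"verb":"delete","user":{"username":"dev-bob"},"objectRef":{"resource":"persistentvolumes","name":"pv-orders-01"},"responseStatus":{"code":403}}
{"verb":"get","user":{"username":"dev-alice"},"objectRef":{"resource":"pods","namespace":"payments","name":"checkout-1"},"responseStatus":{"code":200}}
"""

# Verb/resource pairs matching the destructive actions the guide describes:
# deleting deployments, wiping persistent volumes, removing namespaces.
DESTRUCTIVE_VERBS = {"delete", "deletecollection"}
DESTRUCTIVE_RESOURCES = {"deployments", "persistentvolumes",
                         "persistentvolumeclaims", "namespaces"}
# Hypothetical allowlist: principals expected to read secrets, per namespace.
SECRET_READERS = {"payments": {"system:serviceaccount:payments:api"}}


def classify(event):
    """Return (severity, reason) for one audit event, or None if benign."""
    verb = event.get("verb", "")
    ref = event.get("objectRef") or {}
    resource, ns = ref.get("resource", ""), ref.get("namespace", "<cluster>")
    user = (event.get("user") or {}).get("username", "<unknown>")
    # A 403 means RBAC held, but a denied destructive attempt is still a signal.
    allowed = (event.get("responseStatus") or {}).get("code", 0) < 400
    outcome = "allowed" if allowed else "denied"
    severity = "high" if allowed else "medium"
    if verb in DESTRUCTIVE_VERBS and resource in DESTRUCTIVE_RESOURCES:
        return severity, f"{user} {verb} {resource}/{ref.get('name', '*')} in {ns} ({outcome})"
    if verb in {"get", "list", "watch"} and resource == "secrets":
        if user not in SECRET_READERS.get(ns, set()):
            return severity, f"{user} {verb} secrets in {ns} outside allowlist ({outcome})"
    return None


def scan(audit_log_text):
    """Scan newline-delimited JSON audit events; return the flagged findings."""
    findings = []
    for line in audit_log_text.splitlines():
        if line.strip():
            hit = classify(json.loads(line))
            if hit:
                findings.append({"severity": hit[0], "reason": hit[1]})
    return findings
```

Running `scan(SAMPLE_AUDIT_LOG)` on the constructed log yields four findings: the allowed deployment and namespace deletions, the out-of-allowlist secret listing, and the denied persistent-volume deletion at lower severity.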

Resilience as a governance and recovery problem, not just a technical one

The guide also pulls resilience out of the purely technical layer and into governance and recovery. Mandiant says organizations should maintain out-of-band incident communications, defined operational contingency and recovery plans, pre-established third-party vendor relationships, and recovery exercises that validate end-to-end restoration from isolated, immutable backups and that test recovery timelines and data integrity.

That emphasis aligns with CISA’s StopRansomware guidance, which says backups should be maintained offline and tested regularly because many ransomware variants attempt to delete or encrypt accessible backups, and with NCSC guidance that backup systems should be resilient to destructive actions, including malicious editing, overwriting or deletion.

The March 13 addition: device management as a destructive-attack vector

The March 13 addition on endpoint and mobile device management further expands the guide’s scope. Mandiant says those platforms can become “keys to the kingdom” in wiper and destructive-style attacks because privileged access can let an attacker turn an organization’s own management infrastructure against it.

The guide recommends restricting management-plane access, reducing wipe permissions, tightening API token scope and monitoring audit logs for remote wipe, factory reset and bulk script deployment activity.

That management-plane focus also fits broader official guidance around privileged access and identity control. CISA’s Cybersecurity Performance Goals emphasize MFA for high-risk and privileged accounts, and for remotely accessible systems in relevant environments.

Mandiant’s guide similarly places phishing-resistant MFA, privileged account protections and access segmentation around high-control platforms at the center of destructive-attack hardening.

What the guide is and what it is not

Mandiant presents the document as proactive defender guidance derived from frontline response work rather than as a standalone incident report, just as the 2022 version was published in light of Ukraine-related spillover risk.

What has changed is the control surface the guide treats as most exposed: not only endpoints and Active Directory, but also Kubernetes control planes, CI/CD systems, backup environments and device-management consoles that now sit closer to enterprise operations.
