N-able report flags rise in network perimeter threats
N-able has published its second annual State of the SOC report, which says network and perimeter threats increased in 2025.
The findings are based on more than 900,000 alerts handled by the company's security operations centre between March and December 2025, using telemetry and investigations from its Adlumin managed detection and response service.
Over the past three years, the main sources of detected attacks have shifted. Endpoint activity dominated in 2023, cloud detections rose in 2024, and network and perimeter infrastructure moved up in 2025, the data shows.
In 2025, 18% of alerts came from network and perimeter infrastructure, which N-able categorised as unified threat management. About half of attacks did not touch the endpoint, highlighting the limits of security strategies focused mainly on devices.
According to N-able, organisations relying only on endpoint monitoring would have missed 137,187 network and perimeter threats during the reporting period. Its security operations centre also carried out 145,074 automated containment actions through security orchestration, automation and response tools.
AI role
The report also highlights the growing use of artificial intelligence in security operations. N-able said 90% of investigation activity is now executed autonomously by AI, reflecting both the volume of alerts and the pressure on analysts to shift from manual review to decision-making and threat hunting.
During the period covered, the security operations centre processed an average of two alerts a minute. The report argues that this pace has outstripped the capacity of manual investigation models and driven greater use of automated workflows.
In response operations, N-able reported a 500% year-on-year rise in alert workflows orchestrated through SOAR systems. It said the increase reflects a broader move away from manual playbooks as teams face higher alert volumes and shorter response times.
New attack paths
The report also highlighted what it described as a cloud orchestrator attack risk linked to AI systems. It warned that if a primary orchestrator were compromised, an attacker could gain broad control over connected AI agents and workflows.
Examples in the findings included orchestrator hijacking, in which malicious commands are presented as legitimate instructions to AI agents; poisoning of training data, so attacks are treated as normal behaviour; exploitation of agent-to-agent protocols through man-in-the-middle techniques; and behavioural camouflage, where AI-generated attacks resemble legitimate AI activity.
These scenarios reflect a wider concern in the cyber sector that AI systems may create new control points for attackers even as they are adopted to improve detection and response.
"What we are seeing in 2026 is a return to security fundamentals, with layered defense becoming non-negotiable," said Will Ledesma, Director of MDR Cybersecurity Operations at N-able.
"Attackers are deliberately targeting all business layers, accelerating access to critical assets and compressing response windows. Organisations without depth across the security stack are operating blind, while those built on defense in depth are far more resilient under sustained attack."
N-able said the findings show attack activity is becoming harder to detect through any single control point. That includes endpoint tools, cloud monitoring and network defences, each of which may capture only part of a broader intrusion pattern.
"The data makes it clear that resilience today isn't defined by what organizations can detect in isolation, but by how effectively they can monitor, coordinate, and respond across their entire environment," said Vikram Ramesh, Chief Marketing Officer at N-able.
"In a world where downtime has immediate business consequences, an end-to-end, layered security approach is no longer optional; it's foundational to keeping operations running and the business moving forward."