N-able adds AI detections for stealthier cyber attacks
N-able has added new AI-based detections to its Security Operations Centre through Adlumin Managed Detection and Response, aimed at identifying suspicious activity that may evade traditional monitoring tools.
The new detections target anomalous PowerShell activity, suspicious DNS behaviour and unusual Windows process execution, giving analysts more visibility across endpoint, network and identity activity.
Attackers are increasingly using familiar administrative tools and network services to avoid drawing attention. In that context, N-able cited its 2026 State of the SOC Report, which found that nearly half of observed attacks did not touch the endpoint and instead unfolded across network, perimeter, cloud or identity layers.
One new feature analyses every PowerShell execution across monitored environments to spot misuse that may appear legitimate, including activity associated with so-called living-off-the-land techniques, in which attackers use trusted tools already present in a system.
A second addition uses machine learning to detect suspicious DNS activity, including signs linked to command-and-control traffic, beaconing and distributed denial-of-service behaviour that may not be visible through endpoint monitoring alone.
The third element is a model called Single-Event Process Execution, or SEPE, which examines Windows process behaviour. Each event is assessed across attributes including process name, path, parent process and parent process path to give analysts more behavioural context.
Stealth Attacks
The announcement reflects a broader shift in cyber defence towards monitoring behaviour across multiple layers rather than relying on endpoint signals alone. Security vendors and in-house teams have increasingly focused on spotting low-visibility techniques that blend into normal system and network activity.
In practical terms, that means tracking the use of legitimate tools, network patterns and process chains that would not necessarily trigger older rule-based alerts. The goal is to identify attacks earlier, particularly when threat actors are trying to remain hidden for longer.
Troels Rasmussen, Vice President and General Manager of Security at N-able, said the new detections are designed to address that challenge. "The fastest-growing attacks today don't look malicious, they look like business as usual.
"Threat actors are blending into everyday activity using built-in tools like PowerShell. Our AI-driven approach correlates PowerShell, DNS disruption and process behavior to expose what legacy tools miss, helping teams detect and respond earlier, even when attackers are deliberately trying to disappear," Rasmussen said.
Layered Monitoring
The changes also underscore the growing role of AI models in managed detection and response services. Rather than relying only on fixed signatures or pre-defined rules, these systems aim to identify patterns that differ from expected behaviour, which can help when attackers alter their methods to avoid detection.
For managed security providers, the commercial appeal lies in reducing weak or irrelevant alerts while highlighting incidents that warrant analyst attention. That matters as security teams face pressure to investigate more data across more systems without adding equivalent headcount.
The additions form part of N-able's broader effort to build AI into its security platform and automate parts of the detection process. The company presented the latest changes as a response to the speed and complexity of current attacks, which are exposing the limits of traditional detection methods.
N-able says it serves more than 500,000 organisations worldwide. The new detections are intended to help customers identify malicious activity across multiple layers of their environments rather than through endpoint telemetry alone.
Its 2026 State of the SOC Report found that nearly half of observed attacks never touched the endpoint, instead unfolding across network, perimeter, cloud or identity layers.