N-able sees network attacks surge as AI boosts SOCs
N-able has published research pointing to a shift in cyberattack patterns, with network and perimeter threats regaining prominence and security teams leaning more heavily on automation in the security operations centre (SOC).
The company's second annual State of the SOC report draws on telemetry and investigations from Adlumin Managed Detection and Response, delivered through the N-able SOC. It covers activity across more than 900,000 alerts recorded between March and December 2025.
During that period, the SOC processed an average of two alerts per minute, underscoring the strain on human-led investigations when teams rely on manual triage.
Network returns
The report points to a return of perimeter attacks after a period when cloud and endpoint threats dominated industry attention. It found that 18% of alerts originated from network and perimeter infrastructure, including Unified Threat Management devices.
N-able also said threat activity is increasingly bypassing device-level visibility. Around half of attacks did not touch the endpoint, creating risk for organisations that focus monitoring and detection mainly on end-user devices.
By N-able's analysis, organisations relying exclusively on endpoint monitoring would have missed 137,187 network and perimeter threats over the reporting period.
As work patterns shifted and SaaS adoption grew, many teams expanded tooling around endpoints and cloud services. The findings suggest attackers are still using traditional routes into corporate environments, such as exposed perimeter services and network infrastructure between users and applications.
Will Ledesma, Director of MDR Cybersecurity Operations at N-able, said organisations now face pressure across more of their environments.
"What we are seeing in 2026 is a return to security fundamentals, with layered defence becoming non-negotiable," Ledesma said.
"Attackers are deliberately targeting all business layers, accelerating access to critical assets and compressing response windows. Organisations without depth across the security stack are operating blind, while those built on defence in depth are far more resilient under sustained attack," he said.
AI in the SOC
The report also outlines the level of automation applied to investigations, stating that 90% of investigation activity is executed autonomously by AI.
It argues that adversaries are also using AI, raising the stakes for organisations with limited automation. The report describes a shift in the SOC analyst role, with staff spending less time on initial investigation and more on decision-making and threat hunting.
Alert fatigue has long been a challenge as data volumes rise and attack techniques evolve. The report frames this as a scaling issue, warning that processes built around manual review and case-by-case investigation can leave gaps during fast-moving incidents.
Orchestration surge
N-able also reported increased use of security orchestration, automation and response (SOAR), recording a 500% year-over-year surge in SOAR-orchestrated alert workflows.
It described manual playbook execution as unscalable at higher alert volumes, positioning orchestration as a way to apply consistent steps quickly across more events.
The report says N-able's SOC team executed 145,074 automated SOAR containment actions during the reporting period.
Layered controls
Throughout the report, N-able emphasises layered security controls, arguing that each additional layer reduces the likelihood of a threat succeeding. It also says layered detection speeds response by linking signals across multiple parts of the environment.
Vikram Ramesh, Chief Marketing Officer at N-able, said resilience depends on coordination across the full environment rather than isolated detections.
"The data makes it clear that resilience today isn't defined by what organizations can detect in isolation, but by how effectively they can monitor, coordinate, and respond across their entire environment," Ramesh said.
"In a world where downtime has immediate business consequences, an end-to-end, layered security approach is no longer optional; it's foundational to keeping operations running and the business moving forward," he said.