Image: N-able 2026 State of the SOC report (illustration credit: https://pixabay.com/illustrations/digital-binary-code-abstract-8280778/)

N-able’s SOC Data Shows Half of Attacks Never Touch the Endpoint

A lot of organizations have built their security strategy around the endpoint and assumed that’s most of the battle. N-able’s 2026 State of the SOC Report suggests that’s leaving a significant portion of the attack surface unwatched.

The report is based on more than 900,000 alerts processed by N-able’s SOC between March and December 2025. The headline finding: roughly half of the attacks in that dataset never touched the endpoint at all. They moved through network infrastructure, perimeter devices, cloud environments, and identity layers — places endpoint detection tools don’t reach.

N-able puts a specific number on it. Organizations running endpoint-only monitoring would have missed 137,187 network and perimeter threats over that same period.

Perimeter Attacks Are Back

The industry spent years talking almost exclusively about endpoint and cloud threats. The SOC data points somewhere else. Network and perimeter infrastructure — specifically Unified Threat Management (UTM) devices — generated 18% of alerts in the dataset. That’s not a rounding error. It indicates attackers are going after layers that security teams have largely taken their eyes off.

I spoke with N-able CEO John Pagliuca, and he made the case that the entire framing around resilience has been too narrow. “Cyber resilience — the phrase itself is too narrow,” Pagliuca said. “It misses the mark, because it’s all about uptime, it’s all about keeping the lights on.”

N-able’s positioning is around business resilience — before the attack, during the attack, and after. An organization that can catch endpoint threats but has no visibility into network traffic isn’t resilient. It’s just well-covered in one spot.

The Alert Volume Problem

The N-able SOC averaged two alerts per minute across the reporting period. That pace breaks manual investigation models. Human analysts triaging alerts one at a time can’t work at that speed, which is why the report shows AI now handling 90% of investigation activity autonomously.

Pagliuca pushed back on the assumption that automation translates to fewer people. “Our AI SOC is handling over 90% of the logs,” he said. “But guess what? Our humans are just as busy as ever.”

His point was about ratios. The long-standing constraint in managed security has been that adding customers meant adding headcount, roughly one analyst per 200 to 300 devices. AI changes that ratio without removing the need for analysts. It shifts their work from alert triage to actual investigation.

SOAR Workflows Up 500%

The report also shows a 500% year-over-year increase in SOAR-orchestrated alert workflows. The N-able SOC ran 145,074 automated containment actions over the reporting period.

That number tells you something about where SOC operations are heading. When alert volume outpaces what humans can handle manually, automated playbooks stop being a nice-to-have. Teams that aren’t running SOAR are either missing things or burning out their analysts. Probably both.

New Detections Target What Traditional Tools Miss

Alongside the report, N-able announced new detection capabilities for its Adlumin Managed Detection and Response platform. The additions are aimed specifically at attack techniques that blend into normal activity.

Anomalous PowerShell Detection goes after living-off-the-land techniques — attackers using legitimate built-in tools like PowerShell so their activity looks like normal system operation. Signature-based detection can’t flag PowerShell just for running. N-able’s approach applies AI analysis to every PowerShell execution to catch the behavioral indicators of misuse.

DNS Disruption alerting uses machine learning to identify suspicious DNS behavior — command-and-control communications, beaconing — the kind of traffic that rarely shows up on endpoint telemetry. The third addition, the Single-Event Process Execution (SEPE) AI model, looks at anomalous Windows process behavior across multiple attributes simultaneously: process name, path, parent process, parent path. The idea is to give analysts behavioral context rather than just a raw alert.

What the Data Actually Says About Layered Defense

There’s been a lot of vendor talk about defense-in-depth over the years. What’s useful about the N-able report is that it quantifies the gap rather than just arguing for the concept. If you’re only watching the endpoint, you missed 137,187 threats over nine months. That’s the cost of the blind spot.

Security teams that have invested heavily in endpoint protection haven’t made a wrong bet. But the report makes a reasonable case that endpoint-only coverage has become a liability at this point, not a strategy.
