
After years of cloud-focused attacks during the pandemic era, 2025 marked a dramatic shift in the cybersecurity landscape: attackers moved back to network and perimeter exploitation in significant numbers. According to N-able's 2026 State of the SOC Report, 18% of the more than 900,000 alerts observed between March and December 2025 (approximately 162,000 threats) originated from network and perimeter attacks that endpoint-only controls would not have detected on their own.
"What we experienced last year was, with a lot of companies starting to push more back to return to office and hybrid scenarios, that defense-in-depth model once again became very, very important," says Will Ledesma, N-able’s Director of MDR Cybersecurity Operations.
The report supports this shift, showing that organizations relying on single-layer security strategies, including endpoint-only approaches, are leaving critical blind spots in their defenses.
The Perimeter Exploitation Trend
The 2025 attacks followed an effective four-phase pattern. Ledesma explained that attackers used automated tools to scan for vulnerable firewalls, then exploited local firewall accounts not tied to centralized identity management. Next they stole VPN credentials and password hashes to crack offline, which kept them invisible to SOCs at that stage of the attack, and finally returned with the cracked credentials for rapid lateral movement and ransomware deployment.
The reconnaissance phase happened entirely outside defenders' visibility. These attacks were effective because they exploited common architectural blind spots, such as perimeter accounts not integrated with Active Directory, flat networks providing unrestricted access once connected via VPN, and the absence of network traffic analysis to detect lateral movement.
In many cases, the timing was deliberate. During major security conferences like RSA and Black Hat, attackers launched campaigns while defenders were distracted. Ledesma recalls thinking when attacks occurred, "If the majority of on-site security and IT people are here, for those without 24/7 SOCs, who's back at home protecting?"
More concerning was the democratization of sophisticated exploits. Exploits for well-known firewalls that had been the preserve of nation-state actors were packaged into tools accessible to lower-skilled attackers. What started as complex, nation-state-level attacks became mass-market weapons that could be deployed without deep technical expertise.
The Single-Layer Fallacy
The data exposes a troubling pattern: organizations aren't neglecting security, but they are often overconfident in single-layer solutions. While endpoint detection and response caught 86,580 threats, it did not capture every attack stage, particularly those visible only in network and perimeter telemetry. EDR and endpoint monitoring agents are effective at detecting endpoint activity, but they miss network reconnaissance, lateral movement using legitimate tools like RDP and PowerShell, perimeter exploitation, cloud attacks, identity-based attacks that never touch an endpoint, and offline password cracking. Similarly, while multi-factor authentication prevented 73,401 account takeovers and required 47,656 password resets, attackers bypassed it through push fatigue, token theft, and by exploiting perimeter accounts not tied to centralized identity systems.
Ledesma illustrates the human vulnerability: "Imagine you're at a social event and your phone just keeps getting blown up for MFA, and, tired of the repeated requests, you simply accept it. You've now let the hacker in."
Even with the best technology, the human element remains the weakest link.
"You can have million-dollar systems in place, and a single click will bring it all down," Ledesma adds.
AI Drives the SOC… and the Threat
One of the key findings from the report is that AI now automates 90% of investigations, up from 70% in 2024. This is not just AI augmentation. It’s AI-led investigation with human oversight and decision making. The SOC analyst role has fundamentally shifted from investigator to decision-maker and threat hunter.
"When an analyst gets into an incident and you're staring at a black hole, how do you find the shiny object inside of the black hole?" Ledesma asks.
Adlumin’s AI scours thousands of data points and returns anomalous activities requiring human attention within seconds. This enables faster correlation across endpoint, identity, and network signals, allowing analysts to focus on response rather than triage.
"It literally does it in seconds and returns with the items [SOC analysts] absolutely must pay attention to."
To be fair, the volume alone demands that level of AI intervention. With the frequency of attacks and alerts – the Adlumin MDR SOC observed over 900,000 in nine months, or two per minute – human-driven SOCs cannot scale. Ledesma elaborates that it would be nearly impossible to hire enough people to take on that level of workload.
The Adlumin MDR SOC also saw a 500% year-over-year surge in SOAR (Security Orchestration, Automation, and Response) orchestrated workflows. The volume crisis has made manual playbook execution obsolete, such that organizations without orchestration are drowning while those with SOAR stay ahead of the curve.
But AI is accelerating attack capabilities as well as defense: while it speeds up defenders, it also amplifies risk.
"2026 is likely to be one of the biggest years of successful exploits and hacks against the industry," Ledesma predicts. "That is because of the risk that AI is introducing, and people not realizing what true power that carries."
Organizations are deploying AI agents and automation at unprecedented pace without adequate governance or guardrails. The governance frameworks are barely emerging, and most companies adopting AI aren't logging AI activity, making it nearly impossible to detect AI-led attacks except through their speed. In 2024, attackers achieved breakout in eight minutes, but by 2025, that dropped to a mere five minutes.
Does that mean AI is now required for cybersecurity?
Ledesma draws a historical parallel: "The Ottoman Empire fought the printing press for 300 years, and it put them behind in their technology and in terms of their civilization. You will have some that are resistant to AI but, if history proves true, there's been no technology that has ever been introduced that has been fully ever removed and resisted."
In other words, yes.
Minimum Viable Security Resilience
For resource-constrained SMBs, the question becomes: what is the minimum necessary for genuine resilience? If budget constraints force difficult choices, Ledesma recommends prioritizing three layers: perimeter, network, and endpoint.
"I would expect that, with defense mechanisms put into place at those three layers, I can stop or see an attack, or if an attack does happen, I have enough information to figure out root cause and not have a full extinction event," he explains.
But this is a floor, not a ceiling, he maintains: "Your security posture is at risk, it is vulnerable, but you're trying to cover as much as possible with what you have in your budget."
True defense in depth requires visibility across six critical layers: identity (MFA, conditional access, privilege management), perimeter (next-gen firewalls, VPN security, network segmentation), network (traffic analysis, lateral movement detection), endpoints (endpoint agents with behavioral analysis), cloud (CSPM, CASB, API monitoring), and emerging AI systems (agent monitoring, behavioral analysis of AI actions).
The power of correlation across these layers becomes clear in real incidents. The report documents a Thanksgiving morning attack where the SOC detected domain trust discovery and lateral movement tied to a privileged account just minutes after initial access.
"Although each signal alone appeared ambiguous, correlated activity across identity, endpoint, and network layers revealed an active compromise," the report states.
The SOC isolated affected hosts, disabled the account, and reset credentials before sunrise, stopping the attack before data theft or ransomware deployment.
Without correlation, those signals would have been dismissed as potentially legitimate activity.
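The Thanksgiving incident above is a correlation problem: a privileged logon, a domain trust lookup and an RDP/SMB hop are each routine on their own, and only their co-occurrence is the signal. The following is an added example, not code from the report or from N-able/Adlumin; the event fields, account names, hosts and the 15-minute window are constructed assumptions. It raises one alert only when identity, endpoint and network signals for the same privileged account land inside the window, and attaches the containment actions the report describes.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry (not from the report): one ambiguous signal
# per layer, all tied to the same privileged account within a few minutes,
# plus an unrelated admin running the same discovery command with nothing
# else around it.
EVENTS = [
    {"ts": "2025-11-27T05:02:10", "layer": "identity", "user": "svc_backup",
     "host": "WS-014", "signal": "privileged_logon"},
    {"ts": "2025-11-27T05:04:35", "layer": "endpoint", "user": "svc_backup",
     "host": "WS-014", "signal": "domain_trust_discovery"},
    {"ts": "2025-11-27T05:06:50", "layer": "network", "user": "svc_backup",
     "host": "WS-014", "signal": "lateral_movement", "dst": "FS-02"},
    {"ts": "2025-11-27T05:30:00", "layer": "endpoint", "user": "admin.jane",
     "host": "WS-101", "signal": "domain_trust_discovery"},
]

PRIVILEGED = {"svc_backup", "admin.jane"}          # assumed privileged set
# Every layer must contribute its matching signal before an alert is raised.
REQUIRED = {"identity": "privileged_logon",
            "endpoint": "domain_trust_discovery",
            "network": "lateral_movement"}

def correlate(events: List[Dict], window_minutes: int = 15) -> List[Dict]:
    """One alert per privileged account whose identity, endpoint and network
    signals all fall inside the window; any lone signal is ignored."""
    window = timedelta(minutes=window_minutes)
    by_user: Dict[str, List[Dict]] = {}
    for e in events:
        if e["user"] in PRIVILEGED and REQUIRED.get(e["layer"]) == e["signal"]:
            by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # slide the window start
            start = datetime.fromisoformat(first["ts"])
            span = [e for e in evs[i:]
                    if datetime.fromisoformat(e["ts"]) - start <= window]
            if {e["layer"] for e in span} == set(REQUIRED):
                hosts = sorted({e["host"] for e in span} |
                               {e["dst"] for e in span if "dst" in e})
                alerts.append({"user": user, "hosts": hosts,
                               "actions": ["isolate_hosts", "disable_account",
                                           "reset_credentials"]})
                break                             # one alert per account
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

With the default window the example produces a single alert for svc_backup naming both WS-014 and FS-02; admin.jane's lone discovery command produces nothing, which is the point of correlating rather than alerting per signal.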
"When you add SOAR and the automation, you take what we already know with high conviction, with AI giving us that intelligence, and we are able to turn it around and make it move that much faster."
The MSP Challenge
For managed service providers, the findings carry particular weight. MSPs must not only protect their clients but also secure themselves against supply chain attacks.
"Is the MSP also protecting themselves as a part of the defense-in-depth layer?" Ledesma asks. "If they're not monitoring themselves, and they get hacked, now the attacker has access to potentially all their clients."
He emphasizes this was a key motivation for the report's defense-in-depth theme, noting that this level of breach was happening too frequently.
Clients should ask tough questions during due diligence. Beyond asking whether MSPs monitor their own infrastructure, businesses should also inquire about business continuity plans, governance frameworks, and security certifications. For example: Do you have a SOC 2 report? Are you working toward any governance framework? Do you adhere to the National Institute of Standards and Technology SP 800-53? These questions help assess whether an MSP has genuine business resilience.
MSPs should look for partners that can deliver comprehensive protection across multiple layers while keeping costs manageable. Rather than looking for multiple vendors, they may be better served by working with one that provides integrated security capabilities. That allows MSPs to not only fit solutions to their customers’ needs and budgets, but also allows them to optimize costs through a consolidated approach and then pass those savings on to their clients.
Working with a single, end-to-end security vendor also drives the level of correlation Ledesma talks about, which translates to greater resilience and faster recovery in the event of an incident.
The Adlumin MDR SOC demonstrated this resilience during an early-morning attack in the 2025 holiday season. The attack began at 5:00am. The Adlumin MDR SOC identified it, contacted the customer, and began remediation steps. By 9:00am, the customer was back to full operational capacity.
Ledesma admits he never thought such rapid recovery was possible: "To come under a successful attack and still be in operations an hour into your day. You hear horror stories of environments being down for weeks or months, or you hear the attacker has been inside of the environment for weeks, months, or potentially years."
That resilience comes from layered visibility combined with AI-driven correlation and automated response.
"By feeding information into a single system or a single company, MSPs and their customers get the best bang for their buck," Ledesma believes.
The Path Forward
The stakes are clear. Organizations relying solely on endpoint monitoring would have missed approximately 162,000 network and perimeter threats in 2025. With 145,074 automated SOAR actions executing containment at machine speed, layered security didn't just detect more – it responded faster.
"Organizations and MSPs are not lacking tools," Ledesma explains. "They're failing because their security models don't match how attacks are actually unfolding today. This is where N-able's resilience comes from – that layered visibility, the continued response, and the ability to absorb that impact without the business grinding to a halt."
The 2026 message is unambiguous: Depth is the new defense. The question is no longer whether organizations can afford defense in depth, but whether they can afford not to implement it. With attackers shifting tactics from endpoints to cloud to perimeter and now potentially to AI systems, single-layer strategies leave organizations perpetually one step behind.
The only way to move away from reactive security approaches and secure all layers at once.
To hear more insights from N-able's State of the SOC 2026 report, understand why a defense-in-depth strategy is the most effective approach to cybersecurity today, and learn how to implement a true defense-in-depth strategy for your business and your clients, join Ledesma and his colleagues Jim Waggoner and Brendan Griffin for "State of the SOC 2026: What the Data Reveals about Detection and Response," on Wednesday, May 6, 2026 at 2:00pm ET.
Edited by Erik Linask