Why Network and Perimeter Security are Back in Cyber Focus

When one door locks, attackers try the window. 

Ever since cyberspace was in existence, threat actors have been coming up with unique ways to exploit weaknesses and digitally "break in". 

This persistent nature of threats is evident in the global cybersecurity company N-able’s State of the SOC Report. 

N-able’s SOC processed an average of two alerts per minute between March and December 2025 – this shocking scale of which is enough to see how alert velocity has now outpaced the capacity of traditional, human-driven SOCs.

Drawing on real-world investigations from its Adlumin Managed Detection and Response (MDR) service, the report paints a picture of an increasingly complex threat landscape. 

Notably, attackers are revisiting older tactics, with network and perimeter-based attacks making a strong comeback. This marks a departure from the heavy focus on endpoint and cloud threats seen in recent years.

Will Ledesma, Director of MDR Cybersecurity Operations at N-able, emphasises the urgency of this evolution: “What we are seeing in 2026 is a return to security fundamentals, with layered defence becoming non-negotiable. 

“Attackers are deliberately targeting all business layers, accelerating access to critical assets and compressing response windows. Organisations without depth across the security stack are operating blind, while those built on defence in depth are far more resilient under sustained attack.”

AI takes centre stage in security operations

One of the most striking revelations is the growing role of artificial intelligence in both attack and defence. 

With the sheer volume of cyber attacks stretching traditional, human-led security models to their limits, which thereby exposes gaps that adversaries are quick to exploit.

This reality is why 90% of investigation activity is now handled autonomously by AI systems, according to the report. 

The shift to AI is fundamentally changing the role of SOC analysts, who are moving away from manual investigation towards higher-level decision-making and threat hunting.

The implications are significant. As cybercriminals increasingly use AI to accelerate their attacks and evade detection, organisations that fail to adopt similar technologies risk falling behind.

The return of perimeter threats

Another notable insight from the report is the resurgence of perimeter attacks. 

These attacks followed a consistent four-phase pattern: automated tools scanning for vulnerable firewalls, which were then exploited; from here, VPN credentials or password hashes were stolen for offline reconnaissance and attackers returned with the cracked credentials for phase four. 

Phase four is driven by rapid execution – ranging from lateral movement, data exfiltration and ransomware deployment. 

The report found that 18% of alerts originated from network and perimeter infrastructure, signalling a shift back to areas that many organisations may have deprioritised.

Perhaps more concerning is the finding that around half of attacks never touch endpoints at all. This exposes a critical weakness in strategies that rely solely on endpoint monitoring. In fact, organisations using only such methods would have missed over 137,187 network and perimeter threats during the reporting period.

This evolution in attacker behaviour highlights the need for broader visibility. Threat actors are diversifying their tactics, exploiting blind spots across the entire IT environment rather than focusing on a single entry point.

Why automation and layered defence wins

To keep pace with this changing threat landscape, automation is proving essential. 

The report notes a 500% year-on-year increase in Security Orchestration, Automation and Response (SOAR) alert workflows. This surge reflects that the manual playbook has run out of charm. 

Automation allows organisations to respond faster and more consistently, reducing the time attackers can remain undetected. 

In the reporting period, the N-able SOC executed over 145,000 automated containment actions – working at machine speed to quell disruption and dwell time.

Vikram Ramesh, Chief Marketing Officer at N‑able, summarises the broader takeaway: “The data makes it clear that resilience today isn’t defined by what organisations can detect in isolation, but by how effectively they can monitor, coordinate and respond across their entire environment. 

“In a world where downtime has immediate business consequences, an end-to-end, layered security approach is no longer optional; it’s foundational to keeping operations running and the business moving forward.”

Ultimately, the report makes one thing clear. Cyber resilience in 2026 depends on a layered, AI-driven approach that spans the entire attack surface.

Organisations that embrace this model will be far better equipped to withstand the growing speed and sophistication of modern cyber threats.