N-able's Case for a Defence-in-Depth Strategy in the AI Age

Robert Johnston, Chief Innovation Officer at N-able
Robert Johnston, Chief Innovation Officer at N-able, explores the impact of AI on security, the changing role of analysts and defence-in-depth strategies

The AI age has ushered in a new phase of cybersecurity, one shaped by escalating alert volumes and increasingly rapid attacks that have put immense pressure on legacy Security Operations Centre (SOC) models.

Traditional SOCs – once designed to manage predictable threats – are now under pressure as modern environments become more complex and distributed.

At the same time, organisations are being forced to rethink how they approach visibility, response and risk across their entire attack surface.

N-able’s recent State of the SOC Report revealed that attackers are revisiting older tactics, with network and perimeter-based attacks making a strong comeback.

This marks a departure from the heavy focus on endpoint and cloud threats seen in recent years, towards a world where defender success may depend on adopting AI, automation and layered defence.

Highlights from the N-able report | Credit: N-able

This transformation has not only changed the tools used within the SOC but has also redefined the role of the analyst, the importance of defence-in-depth strategies and the need for automation at scale.

Against this backdrop, Robert Johnston, Chief Innovation Officer at N-able, explores these topics in conversation with Cyber Magazine.

Are legacy SOC models failing to keep pace with escalating alert volumes and increasingly rapid cyber-attacks?

Legacy, human-driven SOC models are struggling to keep up with the scale, speed and sophistication of modern cyberthreats.

We have passed a tipping point where alert volumes and attack velocity have surpassed what traditional, human-led approaches were designed to manage.

At N-able, we are seeing alerts now arrive at an average rate of two per minute, making manual triage no longer viable.

Threat actors are also accelerating their operations, weaponising automation and AI to help bypass traditional defences and, by moving at machine speed, reduce the window for intervention.

Legacy SOCs, which were often designed around endpoint-centric monitoring, are therefore ill-equipped to provide comprehensive coverage.

The failure of legacy SOC models is not simply about inefficiency but about structural inadequacy.

They lack the scalability, automation and cross-layer visibility required to address today’s threats effectively.

As a result, organisations that continue to rely on these outdated approaches risk slower response times, increased attacker dwell time and greater exposure to breaches.

As AI takes on the bulk of threat investigation, how is the SOC analyst's role changing?

As AI assumes responsibility for the majority of threat investigation, the role of the SOC analyst is undergoing a significant transformation.


Approximately 90% of investigation activity is now executed autonomously by AI, and we expect this to rise to 99% in the coming years.

This shift fundamentally repositions analysts away from labour-intensive tasks such as manual triage and initial investigation.

Instead, their role is becoming more strategic, focused on oversight, decision-making and handling those complex or ambiguous threats that require human judgement.

Rather than processing large volumes of alerts, analysts are increasingly tasked with validating AI-driven findings, refining detection logic and ensuring that automated responses align with organisational risk tolerance.

The evolution of the analyst role also reflects a broader operational shift towards efficiency and resilience.

By offloading repetitive tasks to AI, SOC teams can operate at machine speed while maintaining human oversight where it matters most.

This hybrid model, AI and humans working together, enhances performance and accuracy, allowing organisations to respond more rapidly without sacrificing control.

Does an over-reliance on endpoint security leave organisations exposed to rising network and perimeter-based threats?

Yes, an over-reliance on endpoint security can leave organisations significantly exposed, particularly as network and perimeter-based threats resurge.

As reported in N-able's 2026 State of the SOC report, in 2025, 18% of alerts originated from network and perimeter infrastructure, which is a notable shift away from the endpoint- and cloud-focused attack patterns seen in previous years.

Robert believes that an over-reliance on endpoint security can leave organisations significantly exposed, amidst surging network and perimeter-based threats

More critically however, around half of all attacks never touch the endpoint at all. This means that organisations relying primarily on endpoint detection and response (EDR) solutions are effectively blind to a substantial portion of malicious activity.

Attackers are exploiting these blind spots, targeting network infrastructure and perimeter defences where visibility and monitoring may be weaker.

Organisations must rethink their security strategies to include comprehensive visibility across the entire attack surface. Endpoint security remains important but it is no longer sufficient on its own.

Without integrated monitoring of network and perimeter layers, organisations risk missing critical signals and failing to detect threats until it is too late.

In an era of multi-layered attacks, how has a defence-in-depth strategy become essential?

Organisations must prepare for multi-layered attacks with multi-layered security. Multi-layered security has a measurable and compounding impact on reducing risk, with each additional layer of detection and protection decreasing the probability of a successful attack.

This is particularly important given that many threats now bypass traditional endpoint controls altogether, exploiting gaps in visibility across other parts of the environment.

By monitoring multiple layers simultaneously, security teams can identify anomalies earlier in the attack chain and correlate signals across different systems. This integrated visibility enables faster decision-making and more effective containment.

Ideally, an organisation's security defence should cover six layers:

  1. Identity
  2. Perimeter
  3. Network
  4. Endpoints
  5. Cloud
  6. Automation and AI.

Multi-layered defence strategy | Credit: N-able

A multi-layered defence ensures that even if one control fails, others remain in place to detect and mitigate the threat.

This is essential because it reflects the reality of modern cyber risk: complex, dynamic and distributed across the entire attack surface.

How has security orchestration, automation and response (SOAR) become critical for modern incident response at scale?

Security orchestration, automation and response (SOAR) has become a critical component of modern incident response thanks to the scale and speed at which today’s threats operate.

Traditional, manual response processes cannot keep pace with either the volume of alerts or the rapid progression of attacks.

SOAR addresses this challenge by enabling automated, coordinated responses across multiple systems and layers of the security environment.

As alert volumes grow, organisations need systems that can handle increasing workloads without a proportional increase in staff. Automation enables SOCs to scale their operations efficiently, maintaining performance even as demand rises.

The integration aspect of SOAR is equally important. By orchestrating actions across different tools and layers, it enables a unified and coordinated response, improving overall effectiveness.

The organisations using SOAR are ahead of the curve, whereas those who are not will soon find themselves drowning.

As AI accelerates both cyber-attacks and defences, which side is gaining the advantage in today’s threat landscape?

This is the double-edged sword of innovation. On one hand, threat actors are using AI to accelerate attacks, enhance evasion techniques and bypass traditional defences.

The double-edged sword of AI in cyber | Credit: N-able

This raises the stakes for organisations that rely on outdated or manual approaches, as they are less able to keep up with the speed and sophistication of AI-driven threats.

On the other hand, defenders are also harnessing AI to transform their operations.

With AI now executing 90% of investigation activity, SOCs can process alerts, detect patterns and initiate responses at a scale and speed that far exceeds human capability.

The key differentiator is not access to AI, but how effectively it is integrated into security operations.

Organisations that combine AI-driven automation with the human expertise that exists within their teams are better positioned to gain the upper hand.

This hybrid model enables rapid detection and response while maintaining the contextual understanding and judgement that only humans can provide.

AI is not inherently tilting the balance towards either side; rather, it is amplifying the capabilities of those who use it effectively.

The advantage belongs to organisations that can operationalise AI at scale while maintaining strong human oversight.
