N-able Report Reveals Why AI-Powered, Layered Cyber Defense Is Essential for Business Resilience

BURLINGTON, Mass.--(BUSINESS WIRE)--N-able, Inc. (NYSE: NABL), a global cybersecurity company delivering business resilience, today released its second annual State of the SOC Report, exposing a fundamental shift in how cyberattacks unfold and why traditional Security Operations Center (SOC) models are no longer sufficient.

Drawing on frontline telemetry and real-world investigations from Adlumin Managed Detection and Response (MDR) provided by the N-able SOC, the 2026 report reveals an attack landscape defined by the resurgence of network-based threats, the limits of endpoint-only strategies, and the rapid operationalization of AI across security operations.

With the N-able SOC processing an average of two alerts per minute between March and December 2025, alert velocity has outpaced the capacity of traditional, human-driven SOCs. At this scale, manual investigation models struggle to move beyond reactive triage. The data signals a clear inflection point for security teams. Escalating alert volumes, faster attack execution, and increasingly sophisticated adversaries are exposing the limits of legacy SOC approaches, accelerating the need for AI-driven operations that can keep pace.

“What we are seeing in 2026 is a return to security fundamentals, with layered defense becoming non-negotiable,” said Will Ledesma, Director of MDR Cybersecurity Operations at N-able. “Attackers are deliberately targeting all business layers, accelerating access to critical assets and compressing response windows. Organizations without depth across the security stack are operating blind, while those built on defense in depth are far more resilient under sustained attack.”

As threat actors diversify tactics and accelerate operations, the advantage increasingly belongs to organizations that can see and act across their entire attack surface. The data underscores a decisive shift toward defense-in-depth, where layered visibility, automated response, and coordinated controls across the security stack are now essential to achieving true business resilience.

Key takeaways from the report include:

• 90% of investigation activity is executed autonomously by AI: Adversaries are leveraging AI to accelerate attacks and bypass defences, raising the stakes for organizations that lag in automation maturity. As a result, the SOC analyst role has fundamentally shifted from investigator to decision-maker and threat hunter.
• 18% of alerts originated from network and perimeter infrastructure (Unified Threat Management): In 2025, perimeter attacks return as blind spots expand, a shift away from the endpoint and cloud attacks the industry is used to. The data reveals that threat activity is increasingly bypassing traditional device-level visibility, with around half of attacks never touching the endpoint.
• SOAR is redefining the response layer with a 500% year-over-year surge in SOAR-orchestrated alert workflows: There has been a fundamental shift in how security teams respond to threats. Alert volume has made manual playbook execution unscalable, too slow to keep pace and too inconsistent to contain risk. Without orchestration, teams are overwhelmed; with SOAR, response becomes automated, coordinated, and fast enough to stay ahead of modern attacks.
• End-to-end resilience is the multiplier of any defense strategy: Layered security has a measurable impact, with each layer reducing the probability of threat success. Organizations relying exclusively on endpoint monitoring would have missed 137,187 network and perimeter threats over the reporting period. Layered detection translates directly into faster action as well. The SOC executed 145,074 automated SOAR containment actions, operating at machine speed to limit disruption and reduce dwell time.

“The data makes it clear that resilience today isn’t defined by what organizations can detect in isolation, but by how effectively they can monitor, coordinate, and respond across their entire environment,” said Vikram Ramesh, Chief Marketing Officer at N‑able. “In a world where downtime has immediate business consequences, an end-to-end, layered security approach is no longer optional; it’s foundational to keeping operations running and the business moving forward.”

The findings are based on aggregated data and investigations conducted by the N-able SOC spanning more than 900,000 alerts between March and December 2025, reflecting evolving attacker behavior and operational best practices observed across live environments. To view the full report, please visit: https://www.n-able.com/resources/state-of-the-soc-report-2026.

N-able will showcase its AI-powered cybersecurity platform at RSA Conference 2026, which will take place March 23-26 at the Moscone Center in San Francisco, California. Attendees can visit N-able at Booth #1449 in the South Hall: https://www.n-able.com/rsa-conference-2026.

About N‑able

N‑able protects businesses from evolving cyberthreats. Our AI-powered cybersecurity platform delivers business resilience to more than 500,000 organizations worldwide, leveraging advanced end-to-end capabilities, simplified workflows, market leading integrations, and flexible deployment options to improve efficiency and drive critical security outcomes. Our partner first approach pairs our technology with experts, training, and peer-led events that empower customers to be secure, resilient, and successful. n-able.com

© 2026 N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

The N‑able trademarks, service marks, and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. All other trademarks are the property of their respective owners.

Category: Company