The second annual State of the SOC Report from N-able reveals a return of perimeter attacks and finds that AI is now automating 90% of investigation activity.
N-able released its second annual State of the SOC Report, exposing a fundamental shift in how cyberattacks unfold and why traditional Security Operations Center (SOC) models are no longer sufficient.
Drawing on frontline telemetry and real-world investigations from Adlumin Managed Detection and Response (MDR) provided by the N-able SOC, the 2026 report reveals an attack landscape defined by the resurgence of network-based threats, the limits of endpoint-only strategies, and the rapid operationalisation of AI across security operations.
With the N-able SOC processing an average of two alerts per minute between March and December 2025, alert velocity has outpaced the capacity of traditional, human-driven SOCs. At this scale, manual investigation models struggle to move beyond reactive triage. The data signals a clear inflection point for security teams. Escalating alert volumes, faster attack execution, and increasingly sophisticated adversaries are exposing the limits of legacy SOC approaches, accelerating the need for AI-driven operations that can keep pace.
“What we are seeing in 2026 is a return to security fundamentals, with layered defence becoming non-negotiable,” said Will Ledesma, Director of MDR Cybersecurity Operations at N-able. “Attackers are deliberately targeting all business layers, accelerating access to critical assets and compressing response windows. Organisations without depth across the security stack are operating blind, while those built on defence in depth are far more resilient under sustained attack.”
As threat actors diversify tactics and accelerate operations, the advantage increasingly belongs to organisations that can see and act across their entire attack surface. The data underscores a decisive shift toward defence-in-depth, where layered visibility, automated response, and coordinated controls across the security stack are now essential to achieving true business resilience.
Key takeaways from the report include:
- 90% of investigation activity is executed autonomously by AI: Adversaries are leveraging AI to accelerate attacks and bypass defences, raising the stakes for organisations that lag in automation maturity. As a result, the SOC analyst role has fundamentally shifted from investigator to decision-maker and threat hunter.
- 18% of alerts originated from network and perimeter infrastructure (Unified Threat Management): In 2025, perimeter attacks returned as blind spots expanded, a shift away from the endpoint and cloud attacks the industry is used to. The data reveals that threat activity is increasingly bypassing traditional device-level visibility, with around half of attacks never touching the endpoint.
- SOAR is redefining the response layer with a 500% year-over-year surge in SOAR-orchestrated alert workflows: There has been a fundamental shift in how security teams respond to threats. Alert volume has made manual playbook execution unscalable, too slow to keep pace and too inconsistent to contain risk. Without orchestration, teams are overwhelmed; with SOAR, response becomes automated, coordinated, and fast enough to stay ahead of modern attacks.
- End-to-end resilience is the multiplier of any defence strategy: Layered security has a measurable impact, with each layer reducing the probability of threat success. Organisations relying exclusively on endpoint monitoring would have missed 137,187 network and perimeter threats over the reporting period. Layered detection translates directly into faster action as well. The SOC executed 145,074 automated SOAR containment actions, operating at machine speed to limit disruption and reduce dwell time.
“The data makes it clear that resilience today isn’t defined by what organisations can detect in isolation, but by how effectively they can monitor, coordinate, and respond across their entire environment,” said Vikram Ramesh, Chief Marketing Officer at N-able. “In a world where downtime has immediate business consequences, an end-to-end, layered security approach is no longer optional; it’s foundational to keeping operations running and the business moving forward.”
The findings are based on aggregated data and investigations conducted by the N-able SOC spanning more than 900,000 alerts between March and December 2025, reflecting evolving attacker behaviour and operational best practices observed across live environments.