
When the Perimeter Fails, the Network Tells the Truth

SentinelOne's "Edge Decay" research names the threat. Here's how network detection and response closes the visibility gap.

The SentinelOne team today published a compelling piece of threat research titled "Edge Decay: How a Failing Perimeter Is Fueling Modern Intrusions." It's a must-read for any security leader still placing primary trust in perimeter-based defenses. The research pulls no punches: the perimeter isn't failing – it has already failed. Firewalls, VPN concentrators, and legacy edge appliances have become some of the most actively targeted infrastructure in the modern enterprise.

We couldn't agree more. And we think the research points directly to a critical question the security industry needs to answer: once attackers are past the edge – or worse, inside the edge device itself – who is watching?

What Blind Spots Are Attackers Exploiting at the Edge?

SentinelOne's Edge Decay research identifies something that security practitioners have known for years but leadership often struggles to internalize: many of the most critical devices in the enterprise simply cannot run an EDR agent. Firewalls, VPN concentrators, load balancers, and legacy appliances sit at the intersection of maximum trust and minimum visibility. They control access, terminate and authenticate remote sessions, and carry nearly all north-south traffic (and, where they segment internal zones, a good share of east-west traffic as well). Yet they operate entirely outside the reach of endpoint-based detection.


SentinelOne's researchers document exactly what attackers do with this blind spot:

  • Compromised edge devices become internal pivot points. Once an attacker controls a firewall or VPN appliance, that device effectively becomes a trusted insider — able to monitor traffic, harvest credentials, and move deeper into the environment without raising endpoint-based alerts.
  • Firmware-level implants survive reboots and updates. The ArcaneDoor campaign described in the research used zero-day vulnerabilities to deploy a firmware bootkit that persisted through reboots and software updates. Alongside it, attackers deployed an in-memory payload to capture authentication traffic and suppress logging. On a device that cannot run an EDR agent and whose own logs have been tampered with, the device's telemetry cannot be trusted to reveal the implant; the traffic the implant generates is the evidence that remains.
  • Operational Relay Box (ORB) networks obscure the origin of attacks. State-sponsored actors are repurposing compromised routers and firewalls to route malicious traffic through legitimate-looking infrastructure – making attribution extremely difficult.

The attack lifecycle now consistently begins at the edge. Edge compromise is increasingly the first step in a chain that leads directly to identity abuse, lateral movement, and full-scale intrusion.

The research concludes that defenders must shift "from device-level alerts to attack lifecycle visibility." That is precisely what Network Detection and Response (NDR) delivers.

What Can Network Detection See That EDR Cannot?

NDR operates at the network layer – monitoring traffic flows, behavioral patterns, and protocol activity across the environment. Unlike endpoint agents, NDR sensors are passive observers of the network itself. They don't need to run on the devices they protect; they do need to see the traffic, so a sensor must sit on a TAP or SPAN port for each segment that matters, and what it cannot see it cannot detect. Given that placement, a compromised firewall, an unmanaged IoT device, a legacy industrial controller, or a VPN appliance running decade-old firmware – all of them are visible at the network layer, regardless of what's running on them.

This distinction matters enormously in the context of edge-focused attacks.

When a compromised VPN concentrator begins intercepting authentication flows, the behavioral signature of that interception is visible on the wire: even where session contents are encrypted, the device's new connection patterns, timing, and volumes are not hidden. When a firewall is used to pivot deeper into a VMware environment, the lateral movement generates network traffic that NDR can detect and alert on – even if the edge device's own logging has been suppressed. When an implanted bootkit survives a software update and resumes its credential harvesting behavior, it still has to communicate over the network to deliver what it collected.

The network is the ground truth. Attackers can compromise endpoints, suppress logs, and survive reboots. They cannot operate without using the network, and the network does not lie – provided you are instrumented to hear it.


Specifically, in the context of the attack patterns documented in the SentinelOne research, Clear NDR® from Stamus Networks provides:

Network-layer detection of attacker activity on compromised devices. When an edge device is used as a pivot point – initiating unexpected internal connections, querying unusual external hosts, or relaying traffic through unauthorized paths – that activity generates network-layer signals that Clear NDR's detection engines are built to surface. Deep packet inspection, threat intelligence correlation, protocol anomaly detection, and known attacker TTP signatures all apply at the network layer regardless of what is running on the device itself.

Coverage of unmanaged and infrastructure devices. Clear NDR provides full visibility into the network activity of devices that will never run an agent – not just legacy edge appliances, but OT/ICS devices, printers, building management systems, and every other category of unmanaged endpoint that exists in the modern enterprise. This is the population of devices that the Edge Decay research identifies as the attacker's preferred entry point.

East-west traffic visibility. Once an attacker establishes a beachhead at the edge and begins moving laterally, their activity generates internal traffic that EDR tools – deployed on individual endpoints – often cannot see in full context. NDR observes east-west traffic on every segment where a sensor is placed, enabling detection of lateral movement as it happens, not after the fact. That makes sensor placement at internal choke points (data center, virtualization management, identity infrastructure) part of the detection design rather than an afterthought.

Detection of data staging and exfiltration. The later stages of intrusion – after edge compromise and lateral movement – typically involve aggregating and exfiltrating data. This activity is highly visible at the network layer and is a core detection capability of Clear NDR.
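The three behaviors above (an edge appliance pivoting inward, periodic beaconing from an edge device to an outside host, and one-directional bulk upload) are concrete enough to show as detection logic. The following is an added example, not Clear NDR's own detection code or anything from the SentinelOne research: it runs three simple detectors over constructed Suricata EVE-style flow records (Clear NDR is built on Suricata, and the field names follow the EVE "flow" event). The sample flows, the edge-device list, the baseline port set, and every threshold are illustrative assumptions; documentation address ranges stand in for external peers.

```python
"""
Added example, not Stamus Networks or SentinelOne code: three flow-level
detectors for the edge-pivot, beaconing and bulk-upload signals discussed in
the text, run over constructed Suricata EVE-style flow records.
Sample data, edge-device list, baseline ports and thresholds are assumptions.
"""
import ipaddress
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Internal ranges are listed explicitly: ipaddress's is_private() also treats
# the documentation ranges used below as external sample peers (203.0.113.0/24,
# 198.51.100.0/24) as private, which would hide the beacon and upload flows.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (not captured traffic). 10.0.0.1 is a VPN concentrator that
# in the baseline only originates DNS, syslog and RADIUS toward the inside.
SAMPLE_EVE = """
{"timestamp":"2026-03-27T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.1","src_port":40001,"dest_ip":"10.0.1.5","dest_port":53,"proto":"UDP","flow":{"bytes_toserver":80,"bytes_toclient":160}}
{"timestamp":"2026-03-27T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.1","src_port":40002,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":1200,"bytes_toclient":900}}
{"timestamp":"2026-03-27T10:01:10.000000+0000","event_type":"flow","src_ip":"10.0.0.1","src_port":40003,"dest_ip":"10.0.5.20","dest_port":3389,"proto":"TCP","flow":{"bytes_toserver":51000,"bytes_toclient":420000}}
{"timestamp":"2026-03-27T10:02:30.000000+0000","event_type":"flow","src_ip":"10.0.0.1","src_port":40004,"dest_ip":"10.0.5.21","dest_port":445,"proto":"TCP","flow":{"bytes_toserver":9000,"bytes_toclient":30000}}
{"timestamp":"2026-03-27T10:03:00.000000+0000","event_type":"flow","src_ip":"10.0.0.1","src_port":40005,"dest_ip":"10.0.9.10","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":7000,"bytes_toclient":22000}}
{"timestamp":"2026-03-27T10:05:01.000000+0000","event_type":"flow","src_ip":"10.0.0.1","src_port":40006,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":1210,"bytes_toclient":880}}
{"timestamp":"2026-03-27T10:06:00.000000+0000","event_type":"flow","src_ip":"10.0.0.1","src_port":40007,"dest_ip":"198.51.100.9","dest_port":123,"proto":"UDP","flow":{"bytes_toserver":76,"bytes_toclient":76}}
{"timestamp":"2026-03-27T10:09:59.000000+0000","event_type":"flow","src_ip":"10.0.0.1","src_port":40008,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":1190,"bytes_toclient":910}}
{"timestamp":"2026-03-27T10:12:00.000000+0000","event_type":"flow","src_ip":"10.0.5.21","src_port":50001,"dest_ip":"203.0.113.80","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":2000,"bytes_toclient":150000}}
{"timestamp":"2026-03-27T10:15:00.000000+0000","event_type":"flow","src_ip":"10.0.0.1","src_port":40009,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":1200,"bytes_toclient":905}}
{"timestamp":"2026-03-27T10:18:00.000000+0000","event_type":"flow","src_ip":"10.0.5.20","src_port":50002,"dest_ip":"203.0.113.45","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":48000000,"bytes_toclient":12000}}
{"timestamp":"2026-03-27T10:20:00.000000+0000","event_type":"flow","src_ip":"10.0.0.1","src_port":40010,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":1205,"bytes_toclient":895}}
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def load_flows(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def pivot_connections(flows, edge_ips, baseline_ports):
    """Edge appliance acting as a *client* toward an internal host on a port it
    never used in the baseline. Edge devices terminate inbound sessions; they
    do not normally originate RDP, SMB or management sessions inward."""
    return [(f["src_ip"], f["dest_ip"], f["dest_port"]) for f in flows
            if f["src_ip"] in edge_ips and is_internal(f["dest_ip"])
            and f["dest_port"] not in baseline_ports]


def beacons(flows, watched_ips, min_count=4, max_cv=0.1):
    """Periodic outbound connections from a watched host to one external peer:
    near-constant inter-connection gaps are the C2 check-in signature."""
    series = defaultdict(list)
    for f in flows:
        if f["src_ip"] in watched_ips and not is_internal(f["dest_ip"]):
            key = (f["src_ip"], f["dest_ip"], f["dest_port"])
            series[key].append(parse_ts(f["timestamp"]))
    hits = []
    for key, stamps in series.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((*key, round(mean), round(cv, 3)))
    return hits


def exfil_candidates(flows, min_bytes=10_000_000, min_ratio=20):
    """Internal host pushing a large, one-directional volume to an external peer."""
    hits = []
    for f in flows:
        up, down = f["flow"]["bytes_toserver"], f["flow"]["bytes_toclient"]
        if (is_internal(f["src_ip"]) and not is_internal(f["dest_ip"])
                and up >= min_bytes and up / max(down, 1) >= min_ratio):
            hits.append((f["src_ip"], f["dest_ip"], up))
    return hits


def run(text=SAMPLE_EVE, edge_ips=frozenset({"10.0.0.1"}),
        baseline_ports=frozenset({53, 514, 1812})):
    flows = load_flows(text)
    return {"pivots": pivot_connections(flows, edge_ips, baseline_ports),
            "beacons": beacons(flows, edge_ips),
            "exfil": exfil_candidates(flows)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

On the constructed sample the pivot detector flags the concentrator's RDP, SMB and HTTPS sessions to three internal hosts, the beacon detector flags the five 300-second check-ins to 203.0.113.7 (the single NTP flow to 198.51.100.9 falls below the minimum count), and the upload detector flags the 48 MB push from 10.0.5.20. In practice the baseline port set and the watched-device list come from your asset inventory and a learning period, not from a hard-coded constant.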

How Do Clear NDR and SentinelOne Work Together?

The Edge Decay research frames its conclusion in terms of lifecycle visibility – the ability to see and connect activity across the full attack chain, from initial edge compromise through identity abuse to broader intrusion. This is where the integration between Clear NDR and the SentinelOne Singularity Platform creates something greater than the sum of its parts.

Singularity provides unmatched depth of visibility at the endpoint, identity, and cloud layers. It knows what processes are running, which credentials have been used, which cloud workloads are active. Clear NDR provides the network intelligence layer that Singularity's agents cannot cover – the east-west traffic, the unmanaged devices, the infrastructure appliances, and the behavioral signals that only the network can reveal.

Better Together - SentinelOne + Stamus Networks 27-March-2026

When these data sources are correlated, a security team gains the ability to trace an attack across its full lifecycle. A suspicious network connection from an unmanaged device can be correlated with endpoint telemetry from the machine it's communicating with. An anomalous authentication pattern detected by Singularity Identity can be cross-referenced with the network-layer traffic that preceded it. The moment a compromised edge device begins behaving differently, both the network signal and the downstream endpoint impact are visible in a unified operational picture.

For SOC teams that want to go beyond detection, Clear NDR's precision threat declarations open the door to automated response. Clear NDR's Declaration of Compromise (DoC) is not an ordinary alert – it is a high-confidence, evidence-backed conclusion that a specific host has been compromised. That level of precision makes automation trustworthy in a way that alert-volume-driven tools cannot support.

When a DoC is issued, SOC teams can optionally trigger a direct response: quarantining the affected endpoint via the SentinelOne Singularity EDR integration, routing the incident into Singularity AI SIEM to initiate a Hyperautomation playbook, or pushing a policy update to a third-party control point – such as a firewall or NAC system – via API to block the offending host at the network level. In each case, the human team retains full control over whether and how automation is engaged. But the option exists, and the confidence required to act on it programmatically is precisely what Clear NDR's DoC framework is built to deliver.
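The response pattern described above (act only on a DoC, never on an ordinary alert; choose EDR quarantine for a managed host and a network-level block for a device that has no agent; keep a human approval step in the loop) can be made concrete. The following is an added example and is not the Clear NDR integration or SentinelOne's code: the DoC event layout, the asset inventory, the firewall endpoint and the dry-run transport are assumptions made for illustration. The SentinelOne path is the Management API v2.1 "disconnect from network" agent action; verify it, and the request body, against your own tenant's API reference before use.

```python
"""
Added example, not Stamus Networks or SentinelOne code: a confidence-gated
response router that turns a Declaration of Compromise into one proposed action
and sends it only after approval. Event layout, inventory, firewall endpoint
and transport are assumptions; the SentinelOne path should be verified against
your tenant's API documentation.
"""
from dataclasses import dataclass

S1_DISCONNECT = "/web/api/v2.1/agents/actions/disconnect"  # SentinelOne network quarantine (verify)
FW_BLOCK = "/api/v1/blocklist"                             # hypothetical firewall/NAC endpoint


@dataclass
class Action:
    kind: str    # "edr_quarantine" or "network_block"
    host: str    # the declared host (IP)
    path: str    # API path on the control point
    body: dict   # request body


class DryRunTransport:
    """Records requests instead of sending them; replace with a real HTTP client."""
    def __init__(self):
        self.sent = []

    def post(self, path, body):
        self.sent.append((path, body))
        return {"status": "accepted"}


class ResponseRouter:
    def __init__(self, inventory, transport, require_approval=True):
        self.inventory = inventory          # ip -> {"agent_id": ...} for agent-managed hosts, {} otherwise
        self.transport = transport
        self.require_approval = require_approval
        self.actioned = set()               # hosts already acted on (idempotency guard)

    def plan(self, event):
        """Return the single action a DoC justifies, or None for anything weaker."""
        if event.get("kind") != "declaration_of_compromise":
            return None                     # plain alerts never reach the response path
        host = event["host"]
        if host in self.actioned:
            return None                     # a second DoC for the same host is not re-actioned
        agent_id = self.inventory.get(host, {}).get("agent_id")
        if agent_id:
            return Action("edr_quarantine", host, S1_DISCONNECT,
                          {"filter": {"ids": [agent_id]}})
        # No agent (edge appliance, OT device): block at a network control point instead.
        return Action("network_block", host, FW_BLOCK,
                      {"ip": host, "reason": event["threat"]})

    def execute(self, action, approved=False):
        """Send the action only when approval is present or explicitly waived."""
        if action is None or (self.require_approval and not approved):
            return False
        self.transport.post(action.path, action.body)
        self.actioned.add(action.host)
        return True


# Constructed events (assumed layout, not Clear NDR's actual webhook format).
DOC_MANAGED = {"kind": "declaration_of_compromise", "host": "10.0.5.20",
               "threat": "lateral movement from VPN appliance"}
DOC_EDGE = {"kind": "declaration_of_compromise", "host": "10.0.0.1",
            "threat": "periodic beacon to 203.0.113.7"}
PLAIN_ALERT = {"kind": "alert", "host": "10.0.5.21", "threat": "policy violation"}


def demo():
    """Walk the three events through the router and return what was sent."""
    transport = DryRunTransport()
    router = ResponseRouter({"10.0.5.20": {"agent_id": "1234567890"}}, transport)
    managed = router.plan(DOC_MANAGED)
    router.execute(managed)                 # no approval: nothing is sent
    router.execute(managed, approved=True)  # approved: quarantine request goes out
    router.execute(router.plan(DOC_EDGE), approved=True)
    router.execute(router.plan(PLAIN_ALERT), approved=True)
    return transport.sent


if __name__ == "__main__":
    for path, body in demo():
        print(path, body)
```

The point of the structure is that `plan()` never has side effects and `execute()` never decides on its own: the approval argument is where a ticket, a chat approval, or a written policy for a specific asset class plugs in, and the idempotency set keeps a noisy host from generating repeated API calls.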

This is what "attack lifecycle visibility" actually looks like in practice.

Why Is Network Visibility Now a Security Essential?

SentinelOne's Edge Decay research is a significant contribution to the industry's understanding of how modern intrusions actually begin. It names a problem that has been quietly growing for years – the structural vulnerability of edge infrastructure. And it makes clear that traditional perimeter-based thinking is no longer an adequate framework for enterprise defense.

The natural next step is to ask what fills the visibility gap that edge decay creates. The answer is network detection and response. Not as a replacement for endpoint or identity security, but as the complementary layer that covers the infrastructure those tools cannot reach, and observes the traffic those tools cannot see.

The perimeter has failed. But the network still tells the truth. That is, if you're listening.

Stamus Networks delivers Clear NDR, a network detection and response solution purpose-built for the AI-powered SOC. Clear NDR integrates with the SentinelOne Singularity Platform to provide unified visibility across network, endpoint, identity, and cloud layers. To learn more about how Clear NDR complements your SentinelOne deployment, visit our SentinelOne page, or contact us directly.


Phil Owens

Phil is the vice president of customer solutions at Stamus Networks. He has over 25 years' experience in IT, networking, and cyber security. As a systems engineer he has been a trusted advisor to several Fortune 500 companies. As a product manager he has created successful cyber security software products. Prior to joining Stamus Networks he held positions at RSA Security, AT&T and IBM. Phil is also proud to have served in the United States Air Force. Phil resides in Florida, USA.
