The cybersecurity industry has spent years debating whether endpoint detection and response (EDR) is sufficient. Lumen Technologies is now making the case that the question itself is outdated. Its 2026 Defender Threatscape Report argues that the decisive signals in modern attacks no longer appear on endpoints at all. They appear upstream, in the network infrastructure that attackers build, test and activate long before a breach is detected inside the enterprise.
The report is authored by Black Lotus Labs, Lumen’s threat research and operations arm. The company operates one of the world’s largest internet backbone networks and claims transit visibility into 99% of all public IPv4 addresses. Black Lotus Labs monitors more than 200 billion NetFlow sessions and 1 billion DNS sessions daily, tracks 2.3 million unique threats and 46,000 C2 (command and control) servers per day, and executed more than 5,000 C2 disruptions in 2025 alone.
Top findings from the report:
- Generative AI is enabling threat actors to iterate and regenerate malicious infrastructure at machine speed, compressing the window between exposure and impact.
- Attackers shifted to internet-exposed edge devices including routers, VPN gateways and firewalls, which offer limited forensic capabilities and operate outside traditional endpoint security visibility.
- Criminal and nation-state crews are industrializing proxy networks using compromised SOHO (small office/home office) devices, hijacking residential IP space to bypass Zero Trust and geolocation controls.
- The Kimwolf botnet launched DDoS attacks reaching 30 Tbps, roughly 30 times the record observed just one year earlier.
Above all, the report highlights the critical role the network plays in detecting attacks.
“The network is a critical detection layer,” Michelle Lee, senior director of threat intelligence, Black Lotus Labs at Lumen, told Network World. “We can see adversaries build their networks long before they use them in a breach, and so [we have] the network as detection, as the adversaries spin up highly professionalized and intentional ways to traverse the internet. Using that to give us clues into where threat actors are going on their targets, and where they may be covering their tracks elsewhere, is a key piece of the puzzle.”
Why the network layer is critical
Traditional security operations rely on post-infection signals. An endpoint alerts, then an analyst investigates. The problem is timing. By the time an alert triggers on an endpoint, the attacker’s preparation, including scanning, infrastructure rotation and proxy formation, is already complete.
Lumen’s position on the internet backbone changes that equation. The focus is on backbone-level telemetry, where the largest ISPs interconnect.
At backbone scale, NetFlow metadata reveals patterns that enterprise deployments cannot surface. Lee explained that the infrastructure adversaries have to build in order to maintain uptime and cover their tracks has a recognizable structure, one that can often be patterned in NetFlow combined with other third-party telemetry.
“This is not packet information, this is all NetFlow metadata,” she said. “We have a large cluster where we process this information and run machine learning and other heuristic models over that data to detect adversary behavior.”
The Raptor Train botnet illustrates the detection advantage. Raptor Train was a People’s Republic of China state-sponsored botnet that, at its peak, managed more than 200,000 compromised IoT and SOHO devices through a three-tier command structure. Lee noted that the backbone-level NetFlow data showed how the adversary was standing up this network across the internet. That includes command and control, malware deployment, and uptime verification.
“You could really see the structure of how this network was connecting across the backbone and through IoT devices in residential networks around the world,” she said. “That’s the kind of visibility you can get through NetFlow.”
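The tiered check-in structure described above can be illustrated with flow metadata alone. The following is an added example, not Black Lotus Labs' pipeline or any code from the report: it takes constructed NetFlow-style records (source, destination, port, start time, no payload), finds pairs that talk at a regular interval, and groups the destinations of those beacons into tiers by fan-in. The IP addresses, ports, intervals and thresholds are all assumptions chosen for the demonstration.

```python
"""Heuristic C2-tier reconstruction from NetFlow-style metadata.

Added illustration, not Black Lotus Labs' pipeline. It uses only flow
metadata (source, destination, port, start time), no payload, and the flow
records below are constructed to resemble a small bot -> tier-1 -> tier-2
check-in structure with some unrelated traffic mixed in.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed flows: (src_ip, dst_ip, dst_port, start_ts_seconds)."""
    flows = []
    tier1 = {
        "192.0.2.50": ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
        "192.0.2.51": ["198.51.100.20", "198.51.100.21", "198.51.100.22"],
    }
    tier2 = "192.0.2.99"
    # One bot checks in with jitter to show the tolerance in find_beacons.
    jittered = [0, 305, 598, 903, 1195, 1502, 1798, 2100]
    for node, bots in tier1.items():
        for bot in bots:
            offsets = jittered if bot == "203.0.113.12" else [300 * k for k in range(8)]
            flows += [(bot, node, 8443, 1000 + off) for off in offsets]
        # Tier-1 nodes report upstream every 600 s.
        flows += [(node, tier2, 443, 1200 + 600 * k) for k in range(4)]
    # Unrelated traffic: too few flows per pair to look periodic.
    flows += [
        ("203.0.113.77", "192.0.2.5", 80, 1100),
        ("203.0.113.77", "192.0.2.6", 80, 1900),
        ("198.51.100.8", "192.0.2.50", 8443, 1300),
    ]
    return flows


def find_beacons(flows, min_flows=4, max_cv=0.2):
    """Return {(src, dst, port): mean_interval} for pairs whose flow start
    times recur at a regular interval (coefficient of variation of the
    inter-flow gaps <= max_cv)."""
    by_pair = defaultdict(list)
    for src, dst, port, ts in flows:
        by_pair[(src, dst, port)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


def infer_tiers(beacons, min_fan_in=2):
    """Destinations with >= min_fan_in periodic callers are hubs. A hub whose
    callers are all leaf devices is tier 1; a hub called by tier-n hubs is
    tier n+1."""
    callers = defaultdict(set)
    for src, dst, _port in beacons:
        callers[dst].add(src)
    hubs = {dst for dst, srcs in callers.items() if len(srcs) >= min_fan_in}
    tiers = {}

    def tier_of(node, path=()):
        if node in tiers:
            return tiers[node]
        # path guards against cycles in malformed or adversarial data
        upstream = [c for c in callers[node] if c in hubs and c not in path]
        tiers[node] = 1 + max((tier_of(c, path + (node,)) for c in upstream), default=0)
        return tiers[node]

    for hub in hubs:
        tier_of(hub)
    return tiers


if __name__ == "__main__":
    flows = build_sample_flows()
    beacons = find_beacons(flows)
    for (src, dst, port), period in sorted(beacons.items()):
        print(f"{src} -> {dst}:{port} every {period:.0f}s")
    print("inferred tiers:", infer_tiers(beacons))
```

On the constructed data the eight periodic pairs are found (the jittered bot included), the two nodes with three residential callers each come out as tier 1, and the node they both report to comes out as tier 2. Real backbone data needs much larger fan-in thresholds and jitter tolerance, but the shape of the analysis is the same: timing and topology, with no packet contents.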
The edge is a primary target
According to the report, EDR solutions were deployed by 91% of organizations in 2025, covering 72% of in-scope devices on average. That coverage pushed attackers toward infrastructure that sits outside endpoint visibility entirely.
CISA, the UK’s National Cyber Security Centre, and the Australian Signals Directorate have each published guidance in the past year documenting the shift toward edge device targeting. Fortinet and Cisco ASA devices were the top targets for brute force activity in Q4 2025, followed by exposed VPN concentrators, SonicWall appliances, and Palo Alto devices.
The J-magic campaign illustrates how far this targeting has evolved. Attackers planted a passive listener directly onto enterprise-grade Juniper routers using a custom malware variant, executed entirely in memory with no firmware modification and no persistent disk artifacts. Using eBPF, the malware passively inspects all inbound TCP traffic on a specified interface and port. When a packet matches one of five predefined conditions, it forks a child process and establishes an encrypted reverse shell. No suspicious process ever appears on a user machine. Endpoint-based detection sees nothing.
“We watch some creative threat activity at the edge, especially when paired with highly skilled obfuscation networks,” Lee said. “Threat actors traverse the internet to appear to be coming from a work-from-home router or network, and then potentially perform a live-off-the-land attack.”
Attackers are hiding in home networks
Compromised home routers, IoT devices, and VPS hosts have become foundational to how modern attacks are staged and executed. By routing malicious traffic through residential IP space, attackers bypass geofencing, ASN-based blocking, and zero-trust location signals. The traffic looks like it originates from a legitimate home or small business, not a threat actor.
Lee described the issue as a double-edged problem for defenders. One edge is the home network devices, and the other is the edge of enterprises. She noted that attackers exploit both. They compromise SOHO devices to build proxy networks, then use those networks to attack enterprise edge infrastructure.
The scale of vulnerable hardware makes this tractable for attackers. Lee noted that enough devices on the market today expose identity-management weaknesses to the internet, or are vulnerable to known CVEs, that adversaries can roll them into proxy networks quickly. For example, the NSOCKS proxy service maintained a daily average of 35,000 active bots across 180 countries in 2025, with two-thirds of proxies based in the US.
“Threat actors can, for pennies, cycle through IP addresses to get fresh positive-reputation IP addresses minute to minute and use them for their wares at various parts of the attack lifecycle, whether it’s brute forcing, whether it’s leveraging known positive credentials, or whether it’s exfiltrating information at the end of the attack chain,” she said.
Kimwolf: How a botnet scaled to 30 Tbps
The Kimwolf botnet is the clearest illustration of what residential proxy exploitation looks like at operational scale. Kimwolf emerged in late 2025 as a breakaway from Aisuru, at the time the most powerful DDoS botnet on the internet, and ultimately launched attacks reaching 30 Tbps, roughly 30 times the largest DDoS attack observed one year earlier.
Using the network layer was critical to understanding how Kimwolf was constructed.
“We were able to identify a net new network stemming out of IPIDEA and other residential proxy networks,” Lee explained. “The Kimwolf operators were exploiting a vulnerability in IPIDEA which allowed for LAN pivoting, so a threat actor could essentially buy residential proxy access, jailbreak it, pivot out into the LAN, and recruit other devices in the LAN into their botnet.”
The architecture reflects a logistics-first approach to botnet management. C2 nodes are designed to burn quickly. When null-routing disrupts a node, operators react within hours, sometimes minutes, standing up replacements and triggering mass malware re-downloads across the botnet. Through coordinated null-routing, more than 550 Aisuru and Kimwolf C2 nodes were disrupted in four months. The speed and scale of Kimwolf’s recovery cycles show how future large-scale botnets will evolve under pressure, rebuilding faster than defenders can respond.
What defenders should do differently
The threat data tells a consistent story. Attackers are operating in spaces defenders are not watching. Edge devices go unmonitored, residential IP space is trusted by default, and indicator of compromise (IOC) lists lag weeks behind infrastructure that rotates in minutes. Closing those gaps does not require replacing existing security investments. It requires extending visibility into the parts of the network where attacks are actually staged.
Network security professionals should consider the following best practices:
- Treat edge devices as crown jewels. VPN gateways, routers, and firewalls warrant the same patching discipline and access controls applied to domain controllers.
- Replace IOC-to-IOC blocking with network-level pattern detection. Static indicator lists cannot keep pace with infrastructure that rotates continuously.
- Flag residential and SOHO IP space as a threat signal, not a trust signal. The threat data clearly shows the risk from SOHO networks.
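The second and third recommendations can be put side by side in code. The following is an added example, not Lumen's or Black Lotus Labs' tooling: a constructed prefix-to-category map stands in for ASN enrichment, a constructed asset inventory marks the VPN gateway and firewall as edge assets, and a constructed authentication-event log shows several residential sources failing logins against the gateway within a few minutes. A stale one-entry IOC list catches only the source it already knows; the pattern rule fires on the behaviour regardless of which IPs are in use. All addresses, ports and thresholds are assumptions.

```python
"""Residential-source pattern detection versus static IOC blocking.

Added illustration, not Lumen's or Black Lotus Labs' tooling. The prefix
classification, asset list, IOC list and event log below are constructed
placeholders; a real deployment would feed these from an ASN/IP
intelligence source and the gateway's authentication logs.
"""
import ipaddress
from collections import defaultdict

# Constructed prefix -> category map (stands in for ASN enrichment).
PREFIX_CATEGORIES = {
    "203.0.113.0/24": "residential",
    "198.51.100.0/24": "residential",
    "192.0.2.0/24": "hosting",
}
# Constructed inventory of internet-facing edge assets.
EDGE_ASSETS = {"10.10.0.1": "vpn-gateway", "10.10.0.2": "firewall-mgmt"}
# Constructed "yesterday's" indicator list: knows only one of the probing IPs.
STALE_IOC_LIST = {"203.0.113.40"}

# Constructed events: (unix_ts, src_ip, dst_ip, dst_port, outcome)
EVENTS = [
    (1000, "203.0.113.40", "10.10.0.1", 443, "auth_fail"),
    (1030, "203.0.113.41", "10.10.0.1", 443, "auth_fail"),
    (1062, "198.51.100.7", "10.10.0.1", 443, "auth_fail"),
    (1090, "203.0.113.42", "10.10.0.1", 443, "auth_fail"),
    (1120, "198.51.100.9", "10.10.0.1", 443, "auth_fail"),
    (1150, "203.0.113.41", "10.10.0.1", 443, "auth_fail"),
    (1200, "192.0.2.17", "10.10.0.2", 22, "conn_refused"),
    (1300, "198.51.100.50", "10.10.0.1", 443, "auth_ok"),  # legitimate remote worker
]

# Longest prefix first so a more specific entry wins if one is ever added.
_NETS = sorted(
    ((ipaddress.ip_network(p), c) for p, c in PREFIX_CATEGORIES.items()),
    key=lambda n: n[0].prefixlen,
    reverse=True,
)


def classify_source(ip):
    """Longest-prefix match against the category map; unknown -> 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, cat in _NETS:
        if addr in net:
            return cat
    return "unknown"


def ioc_hits(events, ioc_list=STALE_IOC_LIST):
    """What static IOC blocking would have stopped: exact-match IPs only."""
    return [e for e in events if e[1] in ioc_list]


def residential_pattern_alerts(events, window=600, min_sources=3):
    """Alert when >= min_sources distinct residential IPs fail authentication
    against the same edge asset and port inside one time window. A single
    residential login (success or failure) never alerts on its own."""
    buckets = defaultdict(set)
    for ts, src, dst, port, outcome in events:
        if dst in EDGE_ASSETS and outcome == "auth_fail" \
                and classify_source(src) == "residential":
            buckets[(dst, port, ts // window)].add(src)
    alerts = []
    for (dst, port, bucket), sources in buckets.items():
        if len(sources) >= min_sources:
            alerts.append({
                "asset": EDGE_ASSETS[dst],
                "port": port,
                "window_start": bucket * window,
                "distinct_residential_sources": len(sources),
                "sources": sorted(sources),
            })
    return alerts


if __name__ == "__main__":
    print(len(ioc_hits(EVENTS)), "event(s) caught by the stale IOC list")
    for alert in residential_pattern_alerts(EVENTS):
        print(alert)
```

Note that the rule keys on the category of the source rather than its address, which is what makes it robust to operators cycling through fresh proxy IPs: the remote worker's successful login from residential space is left alone, while five distinct residential sources failing against the same gateway in ten minutes produce one alert even though only one of them was on the indicator list.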
“It’s really important that defenders are preparing themselves with a rich understanding of where residential proxy networks or a specific nation-state network is coming in contact with their network, so that an IP address that looks to be a legitimate SOHO router probing an important asset, that flag can go: this may be part of a malicious network,” she said.