Why detection is shifting beyond the endpoint

Cyberattacks today are stealthy, surgical, and often unfold over days, weeks, or even months. Adversaries quietly escalate privileges, move laterally through hybrid environments, and strike when the impact will be highest. Recent breaches — such as the attack on Singapore-based DataPost and the 300 million GBP incident affecting Marks & Spencer and other UK retailers — underscore how prevention-only security tools are no longer sufficient. In Singapore alone, reported scam and cybercrime losses reached over SG$385.6 million in the first half of 2024, a 24.6% increase from the same period in 2023, according to the Singapore Police Force’s Mid-Year Scams and Cybercrime Brief 2024.

As threat actors increasingly weaponise AI to scale reconnaissance, craft convincing phishing campaigns, and exploit vulnerabilities faster than ever, defenders are under pressure to evolve. Mentions of malicious AI tools on cybercrime forums have surged 200%, according to Kela Cyber’s 2025 AI Threat Report, and according to an IDC study, 76.5% of Asia-Pacific enterprises lack confidence in their ability to detect and respond to AI-powered threats, driving greater reliance on AI-driven security solutions.

Rethinking detection at the network layer

As cloud adoption surges and hybrid environments become the norm, traditional perimeter defences and siloed systems such as EDR, SIEM, and cloud security platforms face growing limitations. Attackers are no longer forcing entry from the outside; they are “living off the land,” using legitimate tools and moving laterally within the network to avoid detection.

Network-based threat detection provides visibility into both north–south and east–west traffic, helping identify behaviours that might otherwise go unnoticed. By examining traffic patterns across different layers, these approaches can assist in linking related signs of compromise and support more timely responses to suspicious activity.

Recent industry assessments note that such tools are being more widely integrated into security operations, with a focus on improving detection accuracy and reducing response delays across increasingly complex IT environments.

For high-stakes sectors such as financial services, healthcare, and critical infrastructure, monitoring at the network level is being used to support efforts to detect lateral movement, credential misuse, and early signs of data exfiltration.

AI: Its role in network-level threat detection

AI techniques are increasingly used to analyse large volumes of network traffic, identify anomalies, and assist in prioritising potential threats. This is especially relevant in complex environments, where SOC teams face large volumes of security signals and require more focused insights.

Some tools apply behavioural models and machine learning to flag deviations in real time, adjusting to evolving tactics. When used alongside other components in the security stack, these methods can contribute to visibility, triage, and response.

Beyond prevention: Adjusting to persistent threats

Relying solely on prevention is no longer viable. Breaches are inevitable—the critical question is how quickly you can detect and contain them. Headlines may focus on the initial breach, but the true damage often occurs later, when attackers quietly exfiltrate data or disrupt critical operations.

Endpoint protection remains essential, but it must be part of a broader approach. In hybrid environments with decentralised infrastructure, a layered strategy that includes ongoing monitoring and automated detection is increasingly necessary.

Integrating network signals into extended detection strategies

As detection and response capabilities evolve, security teams are increasingly drawing from multiple data sources — including endpoints, cloud workloads, identity systems, and network activity. This broader approach, sometimes referred to as extended detection and response (XDR), reflects a shift toward more integrated analysis across the enterprise.

Network telemetry plays a role in this effort by helping correlate activity across systems and flag patterns that may indicate lateral movement, credential misuse, or data exfiltration. In complex breaches such as the Salt Typhoon campaign, or the third-party incidents involving DBS and Bank of China, insights across layers (including the network) can contribute to earlier detection and containment.

Identity: The critical battleground

Compromised credentials are a common starting point for threat actors. The breach at Marks & Spencer, for example, demonstrated how access to a single account can escalate into broader disruption.

To reduce risk, many organisations are exploring ways to combine identity-related signals with other telemetry, such as network activity, to help detect unauthorised access, privilege escalation, or account misuse. This integrated view can support more accurate detection and targeted response.

Considerations for network-focused threat detection tools

When evaluating tools that monitor network activity as part of a broader security strategy, organisations may consider the following:

  • Coverage across environments: The ability to analyse traffic in hybrid settings, including cloud and on-premises networks.
  • Adaptability: Use of behavioural models or machine learning that can adjust to new or evolving attacker techniques.
  • Alert correlation: Grouping related alerts into structured incidents to support triage and response.
  • Prioritisation and context: Features that help clarify which threats are relevant to the organisation’s environment and support timely decision-making.
  • Transparency and measurement: Visibility into how detection models work, including instrumentation and evidence of effectiveness.

These factors can affect how well network-layer data supports detection, investigation, and response when used alongside other telemetry sources.
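As an added illustration of the identity-plus-network correlation and alert grouping described above (example code written for this page, not from the article or any vendor product), the script below runs over constructed authentication events and east-west flow records: one account's successful logons to an unusual number of internal hosts inside a short window are grouped into a single incident, with the matching flows attached as network evidence. Field names, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): identity logon events
# and east-west flow records as a SOC might receive them from an IdP and a sensor.
AUTH_EVENTS = [
    "2024-06-03T09:00:10Z user=alice src=10.0.1.15 dst=10.0.2.20 result=success",
    "2024-06-03T09:02:41Z user=alice src=10.0.1.15 dst=10.0.2.21 result=success",
    "2024-06-03T09:03:05Z user=alice src=10.0.1.15 dst=10.0.2.22 result=success",
    "2024-06-03T09:04:30Z user=alice src=10.0.1.15 dst=10.0.2.23 result=success",
    "2024-06-03T10:15:00Z user=bob src=10.0.1.40 dst=10.0.2.20 result=success",
]
FLOWS = [
    "2024-06-03T09:00:12Z src=10.0.1.15 dst=10.0.2.20 dport=445 bytes=48211",
    "2024-06-03T09:02:43Z src=10.0.1.15 dst=10.0.2.21 dport=445 bytes=50020",
    "2024-06-03T09:03:07Z src=10.0.1.15 dst=10.0.2.22 dport=3389 bytes=910233",
    "2024-06-03T10:15:02Z src=10.0.1.40 dst=10.0.2.20 dport=443 bytes=1200",
]

def parse(line):
    """Turn one 'ts key=value ...' log line into a dict with a datetime 'ts'."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def correlate(auth_lines, flow_lines, max_hosts=3, window=timedelta(minutes=10)):
    """Group successful logons per account. An account reaching more than
    max_hosts distinct internal hosts within `window` becomes one incident,
    enriched with the flows from the same source host to those targets."""
    flows = [parse(l) for l in flow_lines]
    by_user = defaultdict(list)
    for rec in (parse(l) for l in auth_lines):
        if rec["result"] == "success":
            by_user[rec["user"]].append(rec)
    incidents = []
    for user, evts in by_user.items():
        evts.sort(key=lambda r: r["ts"])
        for i, first in enumerate(evts):
            burst = [e for e in evts[i:] if e["ts"] - first["ts"] <= window]
            hosts = sorted({e["dst"] for e in burst})
            if len(hosts) > max_hosts:
                end = burst[-1]["ts"] + timedelta(minutes=1)
                evidence = [f for f in flows if f["src"] == first["src"]
                            and f["dst"] in hosts and first["ts"] <= f["ts"] <= end]
                incidents.append({"user": user, "src": first["src"], "hosts": hosts,
                                  "ports": sorted({f["dport"] for f in evidence})})
                break  # one incident per account per burst keeps triage queues short
    return incidents
```

The host threshold and window are tuning knobs; the point is that a single structured incident carries both the identity signal and the network evidence an analyst needs.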

Looking ahead: Autonomy and integration in network defence

As cyberthreats grow more sophisticated, there is growing interest in using AI to automate aspects of detection and response. Some tools now assist in identifying threats and initiating containment steps with limited human input, reducing the load on security operations teams.

While adoption varies across sectors, the trend points toward increasing autonomy, especially in environments where timely response is critical. As these technologies evolve, the focus is shifting to how well they integrate with other systems, handle diverse environments, and provide measurable outcomes.

Continued developments in this space are likely to shape how organisations approach network-level monitoring, particularly in terms of scale, speed, and alignment with broader security strategies.
