Adlumin Q1 Wrap‑Up: Advancing Broader Coverage. Faster Response. Clearer Results

As we kicked off the year, our focus remained consistent: helping security teams move faster and with greater confidence. In Q1, that focus translated into concrete gains in coverage, response speed, and visibility into outcomes inside the tools teams already rely on.

Across the quarter, we expanded real‑world threat coverage, tightened response workflows, reduced manual effort, and improved how teams can see and explain the impact of their security operations across the environments they manage.

The result is a set of improvements designed to support stronger, more efficient security operations without adding complexity.

Let’s take a look at the highlights.

Detecting PowerShell Abuse that Other Tools Miss

To close out the quarter, we introduced a significant enhancement to PowerShell threat detection that improves visibility into real attacker behavior while keeping alert noise extremely low.

This update applies AI‑driven behavioral analysis across all PowerShell activity in real time, enabling earlier, high‑confidence detection without increasing alert volume. It’s a strong example of the theme we delivered throughout Q1: broader behavioral coverage, delivered with clarity and discipline.

For the full details, see the dedicated post:
https://status.n-able.com/2026/03/30/detecting-powershell-abuse-that-other-tools-miss-advanced-notice/#more-34403

From Alert to Action Inside MSP Manager

In Q1, we closed the gap between detection and response by introducing bidirectional ticketing with MSP Manager, N‑able’s PSA. Validated security incidents and SOC activity now move directly into the workflows teams already use.

What this delivers:

  • Security alerts and SOC activity flow directly into MSP Manager tickets
  • Ticket updates, comments, and attachments stay synchronized between Adlumin and MSP Manager
  • Less context switching for technicians during active incidents

The result is clearer ownership, better collaboration with the SOC, and fewer manual steps during incident handling, all without changing how your team works day to day.

Broader threat visibility without extra configuration

In Q1, we expanded high‑signal threat coverage across firewall, endpoint, and cloud telemetry with out‑of‑the‑box detections designed to deliver value quickly using the logs teams already collect.

What this means in plain terms: broader built‑in coverage for real attacker behaviors such as policy changes, privileged access, outbound control channels, and exploitation signals, without requiring additional configuration or tuning.

New detection packs delivered in Q1 included:

  • ESET: Endpoint threat and security‑relevant activity visibility.
  • Palo Alto: External CLI access, SMB threat activity, malware signals, hacktool traffic, and cryptomining traffic.
  • Microsoft 365: New detections tied to Global Administrator privilege assignment behavior.
  • SonicWall: Proxy and evasion behavior, firewall NAT rule modification, anti‑spyware alerts, and outbound FTP/SSH traffic.
  • Fortinet: Wireless intrusion activity, high‑risk application misuse, rogue access point signals, and unusual outbound archive transmission patterns.
  • Sophos Firewall: Firewall policy modifications (local and remote), management interface access, admin login success and failure, outbound FTP/SSH activity, command-and-control indicators, Kali activity, and IPS severity alerts.
  • FortiGate: Administrative account creation and deletion signals.

Targeted Automation, Total Clarity

In Q1, SOAR improvements focused on making automated response actions more precise, dependable, and easier to understand after the fact. The goal was to ensure automation acts exactly where intended, especially in complex, multi‑account environments.

Improvements delivered this quarter included:

  • Clearer account targeting for identity‑based SOAR actions, making it easier to select the right account
  • More accurate exemptions using the same improved account selection experience
  • Smarter password reset logic that drives one targeted action per breach, reducing duplicate actions while improving clarity and auditability

Net effect: fewer “why did it do that?” moments, and greater confidence that automation is working as expected.

Clearer reporting that shows impact, not just activity

In Q1, we improved reporting to help teams more clearly show the outcomes of their security operations, not just the volume of activity. The MDR Summary Report now includes a dedicated section for SOAR Actions Cleared by Automation, bringing critical events and response actions into a single, consolidated view.

This was paired with a new SOAR playbook setting that lets teams control whether automated actions appear in the MDR report, making it easier to tailor reporting to what different stakeholders need to see.

Smoother day-to-day operations across your existing tools

In Q1, we continued to strengthen the integrations and operational touchpoints that security teams rely on every day, focusing on signal consistency and alignment with evolving standards.

Improvements this quarter included:

  • ESET integration to bring endpoint security telemetry into the same operational view
  • Duo SDK upgrade (5.5.0) to stay aligned with current identity standards and telemetry expectations

Stronger endpoint signal continuity

In Q1, we improved endpoint reliability to ensure security signals remain consistent and trustworthy from initial deployment onward. Windows Agent v1.6.3.2 updates added monitoring for system time changes and smoothed initial check‑in behavior during installation.

The result: more reliable endpoint telemetry and a more predictable setup experience for teams rolling out agents at scale.

Wrapping up

Q1 was about turning security investment into visible outcomes. Over the quarter, Adlumin expanded real‑world threat coverage, tightened the path from alert to action, reduced manual effort through smarter automation, and made it easier to clearly show the impact of security operations.

From broader out‑of‑the‑box detections to cleaner response workflows, clearer reporting, and advanced PowerShell threat detection, Q1 focused on helping teams detect what matters, act faster, and trust the results.

As always, be sure to review the full Release Notes for a deeper dive.
