
See the Edge from the Edge: Why Centralized EDR Isn’t Enough Anymore

This guest blog was contributed by Brad Reinboldt, Cybersecurity Product Manager at NetAlly


The growth of network edge devices marches on. Estimates range from 18.8 billion devices to 46 billion globally at the end of 2024, with some projections that it will climb to 77 billion by 2030. Everything is Wi-Fi now - even the torque wrenches used in some manufacturing lines are Wi-Fi connected so that the exact specifications of every bolt can be tracked. 


With growth come problems: Operational Technology (OT) and IoT devices in the last 100 meters of the network are a favorite target of attackers trying to get initial network access. Most organizations try to control this risk with centralized security tools or agent-based solutions like Endpoint Detection and Response (EDR) products. But these tools do a poor job of monitoring the network edge, meaning many organizations are much more vulnerable than they believe they are.


The Network Edge in the Crosshairs

Attackers target edge devices because they’re easy targets. They typically lack security controls present in traditional endpoints like laptops and are rarely designed with security in mind. Older edge devices often run outdated operating systems and software that are no longer supported by their manufacturers. But many of these devices are so important that replacing them is difficult or impossible. For example, in January 2025, CISA announced the discovery of a backdoor vulnerability in the Contec CMS8000 medical monitor. Hospitals can’t just disconnect these monitors while they’re waiting for a fix.   


Attackers know this and they take advantage of it. Research from Rapid7 found that large-scale attacks exploiting vulnerabilities in network edge devices made up 36% of all cyberattacks from mid-2023 to 2024. Of those 36%, 60% were never-before-seen “zero days” that defenders don’t have detection or remediations for. There seems to be no shortage of vulnerabilities out there to be abused. According to the Common Vulnerabilities and Exposures list, the number of CVEs discovered in edge devices is increasing rapidly. The average CVSS score for edge CVEs is also getting higher and has outpaced the average scores for vulnerabilities not located in the network edge. In short, more dangerous vulnerabilities are being found in edge devices at increasing rates, and attackers are using them regularly. 


EDR Falls Short at the Edge

This explosion of new endpoints and increasingly complex wireless networks means EDR is no longer sufficient to protect against network intrusion at the edge. It may not detect certain devices (making them invisible to the security team), it may not be able to protect certain devices, and it may miss rogue devices. Edge devices are often invisible “unknown unknowns” to the security team. The attacks don’t stop at the edge; they’re often the first step to more complex hacks that can deploy malware or steal sensitive data. Attackers are quite adept at moving laterally and avoiding detection once they have access to an edge device. 


Even EDR vendors acknowledge that they miss things at the edge. The 2025 CrowdStrike Global Threat Report said “In 2024, threat actors continued to target devices in the network periphery, where traditional EDR visibility is often limited. Exploiting unmanaged internet-exposed hosts, particularly network appliances, remained a popular initial access vector throughout 2024.” 


Edge Network Vulnerability Assessments

The only way to get full visibility into the network edge is to conduct on-site assessments with handheld security vulnerability scanners. These connect directly at the network perimeter and can discover the devices that EDRs miss to give defenders a complete picture. The logistics can be complex (visiting each site in person, deciding which IT team is responsible, etc.) and will vary between organizations, but the effort is essential, and with careful planning and processes it can be optimized. There are four ways these assessments can supplement an EDR tool.


  1. Edge Network Inventory. This will reveal the network infrastructure and topology in detail, exposing all endpoints and devices connected via wired, Wi-Fi or Bluetooth and mapping how they are connected. This gives the complete picture of the attack surface, including devices that central tools missed. This assessment can also find devices reaching end-of-life that need to be replaced.

  2. Vulnerability Assessments. Open-source tools like Nmap can be used to get details on edge devices (like the operating system they are running and what firewalls are in place) that show what security issues they may face. Some commercial products can also test device susceptibility to CVEs.

  3. Validate Access Segmentation. Proper network segmentation and provisioning isolates different network functions, making it more difficult for malicious actors to move laterally from a compromised edge device serving as a gateway to your entire network. Checking the actual endpoints on-site validates that the desired configurations and segmentation are actually in place.

  4. Wireless and Radio Frequency Mapping. Wireless networks extend the attack surface beyond the physical building. Mapping Wi-Fi devices (access points, clients and BT/BLE devices) tells security teams which Wi-Fi exploits and sites they need to be concerned about.
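
To make the inventory and segmentation checks above concrete, here is an added example (not from the original post or from NetAlly). It parses the XML output of an on-site Nmap scan, lists devices seen on the wire that have no EDR agent, and flags hosts in a subnet that should be unreachable from the scanning port. The XML sample, the EDR MAC export and the isolated-subnet policy are all constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: trimmed Nmap XML (-oX) from a scan run on an office-VLAN port.
NMAP_XML = """<nmaprun>
<host><status state="up"/><address addr="10.20.30.11" addrtype="ipv4"/>
 <address addr="02:00:00:AA:BB:01" addrtype="mac"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="10.20.30.57" addrtype="ipv4"/>
 <address addr="02:00:00:AA:BB:02" addrtype="mac"/>
 <ports><port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="10.20.40.5" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="502"><state state="open"/></port>
 <port protocol="tcp" portid="22"><state state="filtered"/></port></ports></host>
<host><status state="down"/><address addr="10.20.40.9" addrtype="ipv4"/></host>
</nmaprun>"""
EDR_MACS = {"02:00:00:aa:bb:01"}  # constructed export: MACs of hosts with an EDR agent
ISOLATED = ["10.20.40.0/24"]      # assumed policy: OT subnet unreachable from this port

def parse_hosts(xml_text):
    """Return every host reported 'up' with its IP, MAC (if seen) and open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in h.iter("address")}
        ports = sorted(int(p.get("portid")) for p in h.iter("port")
                       if p.find("state") is not None
                       and p.find("state").get("state") == "open")
        mac = addrs.get("mac")  # only present for hosts on the scanner's own L2 segment
        hosts.append({"ip": addrs.get("ipv4"), "mac": mac.lower() if mac else None,
                      "ports": ports})
    return hosts

def unmanaged(hosts, edr_macs):
    """IPs of locally visible devices whose MAC is missing from the EDR inventory."""
    known = {m.lower() for m in edr_macs}
    return [h["ip"] for h in hosts if h["mac"] and h["mac"] not in known]

def segmentation_violations(hosts, isolated_nets):
    """Hosts in supposedly isolated subnets that answered with at least one open port."""
    nets = [ipaddress.ip_network(n) for n in isolated_nets]
    return [(h["ip"], h["ports"]) for h in hosts
            if h["ports"] and any(ipaddress.ip_address(h["ip"]) in n for n in nets)]

if __name__ == "__main__":
    found = parse_hosts(NMAP_XML)
    print("No EDR agent:", unmanaged(found, EDR_MACS))
    print("Segmentation gaps:", segmentation_violations(found, ISOLATED))
```

Nmap only reports a MAC address for hosts on the same layer-2 segment as the scanner, so the unmanaged-device check covers the local segment while the segmentation check covers routed subnets.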


To get a complete picture of their attack surface, defenders must go to the edge. This is the first step to better securing these devices - and it’s guaranteed that attackers will target them. It’s only a matter of time. 
