The Shadowserver Foundation is sounding a security alarm bell over a significant surge in botnet-driven brute force attacks targeting edge devices. Since January 2025, researchers have seen over 2.8 million unique IP addresses per day launching credential-stuffing attempts against VPNs, firewalls, and network gateways from vendors like Palo Alto Networks, Ivanti, and SonicWall. More than 1.1 million malicious IPs originate from Brazil, while the rest appear to come from the US, Canada, Turkey, Russia, Argentina, Morocco, and other countries.

Organizations that think they are in the clear because they follow routine patching and update schedules should think again. Weak passwords make for easy targets and devices aren’t safe without multifactor authentication (MFA) or context-aware access controls.

Since every business relies on internet-facing infrastructure, every company is at risk and must take proactive steps to secure every edge device to counter these threats.

The Edge Device Threat Landscape

The January attacks add to a growing body of data from 2024 that highlights how edge devices have become prime targets for threat actors:

• A Cisco warned of credential brute-forcing against VPN and SSH services on Cisco, Fortinet, and Ubiquiti devices.
• A 2024 Elastic report found a 12% increase in brute force cyberattack techniques.
• In May 2024, the US Department of Justice announced it dismantled the “911 S5” botnet, which consisted of 19 million infected devices used to carry out financial fraud, cyberattacks, and other crimes.

Understanding Edge Device Vulnerabilities

Because of the fundamental roles and functions of edge devices, they have inherent risks that can’t be eliminated:

Required Internet Exposure: Edge devices must be accessible from outside the network to enable legitimate business operations.

Service Dependencies: Edge devices depend on VPN and other critical services for remote access, creating multiple potential entry points that attackers can exploit.

Persistent Risks Despite Patching: Even properly patched edge devices remain vulnerable to zero-day exploits, MFA bypass techniques, and credential-stuffing attacks against VPNs lacking strong security measures.

While not unique to edge devices, common security gaps, such as poor password hygiene, a lack of MFA, and improper access controls, are particularly dangerous because of edge devices’ exposure and role as network entry points.

The Evolution of Botnet Attacks

Traditional botnets primarily focused on tasks like Distributed Denial-of-Service (DDoS) attacks, sending spam, and scanning IP ranges and ports to identify potential targets – the latter generated a lot of network activity, which security solutions could easily detect.

Modern botnets, however, use more sophisticated techniques. ML-driven password prioritization, IP rotation, distributed login attempts, and traffic mimicry significantly reduce noise and make detection more challenging. What’s most concerning is that these botnets can stealthily locate and extract valuable data after infiltrating networks.

Why Standard Security Approaches Falter Against Today’s Botnets

Today’s botnet attacks exploit the primary detection limitations of conventional cybersecurity measures:

• Difficulty distinguishing legitimate from malicious traffic since the botnets now operate within normal traffic patterns.
• A limited capacity for real-time threat analysis because they rely on signature-based detection methods and historical pattern matching.
• Insufficient contextual understanding of attack patterns because they operate in isolation, analyzing individual events rather than seeing the complete attack narrative.

Additionally, older solutions are easily overwhelmed by the sheer volume of botnet attacks, and they can’t coordinate responses across multiple attack vectors, making mitigation complicated.

Given that the security marketplace is flooded with new solutions and tools, which provide the best defense against botnet attacks?

The Unique Power of Managed Detection and Response (MDR) Solutions

Although older MDR solutions might not be up to the task, AI-powered MDRs certainly are; these next-gen solutions embrace advanced security frameworks designed to counter known and evolving threats and have key technologies built into the solution.

Essential Capabilities

Security Data Lakes (SDLs): AI-driven SDLs aggregate logs from edge devices, cloud services, identity providers, and other security tools and normalize security telemetry for holistic and real-time analysis.

Enhanced SIEM and SOAR Integration: With these two technologies deeply integrated, MDRs streamline event correlation, automation, and incident response (IR) to tackle large-scale botnet attacks effectively.

Continuous Threat Intelligence: By leveraging global threat intelligence, MDRs can anticipate and counteract emerging threats before they escalate.

How MDRs Counter Botnet Attacks

The newest MDRs rely on a multi-layered defense strategy to combat botnet attacks through:

Real-Time Threat Detection and Correlation: AI and ML models power anomaly detection and behavioral analysis to distinguish genuine activity from malicious attempts.

Automated IR: These MDRs launch automated workflows and predefined playbooks to instantly block malicious IPs, deactivate compromised accounts, and initiate forensic triage.

Continuous Learning: Advanced algorithms refine and dynamically adapt threat detection strategies based on novel attack patterns.

Improving Edge Device Security

Modern MDRs provide comprehensive edge protection by:

Providing Comprehensive Visibility: MDRs monitor all edge device activities, detecting slight anomalies and suspicious behavior in real time.

Rapidly Identifying Compromised Devices: They can automatically and immediately isolate any breached asset to prevent lateral movement within the network.

Proactive Defenses: Automated threat hunting capabilities and predictive analytics can identify and neutralize threats before they exploit vulnerabilities.

Reducing False Positives with AI

One of the biggest challenges cybersecurity teams face is alert fatigue. While traditional solutions deliver an onslaught of alerts, forcing analysts to waste time manually investigating each one, the latest MDRs rely on AI to significantly reduce false positives by:

Utilizing Advanced Behavioral Analysis: By analyzing massive volumes of data, algorithms gain a deep understanding of normal device behavior; this allows them to recognize anomalies with far greater precision than rule-based systems.

Incorporating Contextual Intelligence: This approach uses cross-domain threat analysis to correlate seemingly isolated alerts into a comprehensive attack story, helping teams focus on high-risk incidents such as credential-stuffing campaigns targeting unpatched edge devices while providing a complete view of the threat landscape.

Securing the Future

As the months and years go by, cyber threats will become more sophisticated; AI-powered botnets designed to capitalize on edge device vulnerabilities are just one example. As conventional security tools already fall short in defending against these attacks, now is the time for businesses to adopt forward-thinking.

AI-powered solutions are the answer. By combining autonomous threat detection, adaptive response workflows, and deep visibility into perimeter assets, next-gen MDRs transform edge security from a reactive cost center to a proactive business enabler. Their ability to scale and continuously learn makes them a future-proof solution that will secure not just networks but also an organization’s entire digital infrastructure.