For years, security strategy has revolved around one assumption: if something bad happens, the endpoint agent will tell us.
That model made sense when the endpoint was the primary battleground. Install EDR everywhere, centralize logs, hunt anomalies. Clean, contained, measurable.
But recent campaigns should have killed that comfort.
Actors like Salt Typhoon have exploited Cisco IOS XE vulnerabilities to compromise infrastructure devices directly, gaining control over routers that sit in the critical path of enterprise and telecom networks. Not endpoints. Routers.
Meanwhile, Volt Typhoon has been documented leveraging Fortinet, Citrix and other edge appliances as entry points, abusing VPN and gateway devices to establish footholds before moving deeper.
These are not edge cases. They are architectural attacks.
And here’s the uncomfortable gap: you cannot deploy an EDR agent on most of those devices.
Routers, firewalls, VPN concentrators, SD-WAN appliances. They forward traffic. They don’t host agents. They are the backbone of the infrastructure and, paradoxically, some of the least instrumented components in modern security stacks.
So what happens in practice?
The attacker lands on a gateway.
They manipulate routing.
They observe credentials.
They establish tunnels.
They pivot.
And your SOC waits for a workstation alert.
That’s backwards.
If the first signal you get is from an endpoint, you are detecting the attack after it has already crossed your perimeter and interacted with something you consider “critical.”
Why wait for the attacker to touch a device that can run an agent when you could see them at the router?
This is precisely where NANO Corp operates.
Instead of relying on software agents installed on hosts, NANO extracts structured L2–L7 metadata directly from network traffic. Not sampled flows. Not summaries stripped of context. Full, normalized metadata across MAC addresses, IP flows, sessions and protocols.
When a compromised router starts behaving differently, the network tells you.
Unusual control-plane traffic.
Unexpected management access.
Strange outbound sessions.
New tunnels forming.
Protocol shifts that don’t match baseline behavior.
Because the probe sits passively on the wire, it doesn’t need to run on the router to observe what the router is doing. It sees the conversations around it and through it, provided the tap or span point sits where the device’s management and transit traffic actually crosses.
And once that structured data is in place, MAIA steps in.
MAIA doesn’t wait for a malware signature. It correlates relationships. It can trace an anomalous management session back to its initiator. It can identify when a VPN gateway starts communicating in patterns inconsistent with historical baselines. It can reconstruct pivot paths across hybrid environments without relying on host agents that were never present on the backbone.
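The signals listed above (unexpected management access, new tunnels, outbound sessions that break baseline) and the initiator tracing just described both reduce to comparing observed network metadata against a learned baseline. The following is an added example of that logic written for this page; it is not NANO Corp or MAIA code. It runs in Python over constructed flow records: the device inventory, the internal address plan, the field names (ts, src, dst, proto, dport), the management and tunnel port lists, and the "most recent inbound session" heuristic used for pivot tracing are all assumptions made for illustration, not anything the page describes.

```python
"""Baseline-versus-observed detection over network metadata, plus pivot tracing.

Added example, not NANO Corp or MAIA code. Assumes flow metadata is already
normalized into records with ts, src, dst, proto, dport (hypothetical fields).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed inventory of backbone devices and the address space considered internal.
DEVICES = {"10.0.0.1": "edge-router", "10.0.0.2": "vpn-gateway"}
INTERNAL = ip_network("10.0.0.0/8")

# Management services on a network device, and the encapsulations that form tunnels.
MGMT_PORTS = {("tcp", 22), ("tcp", 23), ("tcp", 443), ("tcp", 830), ("udp", 161)}
TUNNEL_PROTOS = {"gre", "esp"}
TUNNEL_PORTS = {("udp", 500), ("udp", 4500), ("udp", 4789)}

# Constructed clean window: jump-host SSH, SNMP polling, the router's BGP peering
# and a roaming user's IKE negotiation with the VPN gateway.
BASELINE = [
    {"ts": 100, "src": "10.10.0.5", "dst": "10.0.0.1", "proto": "tcp", "dport": 22},
    {"ts": 160, "src": "10.10.0.9", "dst": "10.0.0.1", "proto": "udp", "dport": 161},
    {"ts": 200, "src": "10.0.0.1", "dst": "203.0.113.1", "proto": "tcp", "dport": 179},
    {"ts": 220, "src": "10.10.0.5", "dst": "10.0.0.2", "proto": "tcp", "dport": 22},
    {"ts": 300, "src": "198.51.100.20", "dst": "10.0.0.2", "proto": "udp", "dport": 500},
]

# Constructed observation window: a remote user reaches the gateway, the gateway opens
# SSH to the router, the router raises a GRE tunnel and an outbound session to a new
# peer. The last record is routine admin access and must not fire.
OBSERVED = [
    {"ts": 500, "src": "192.0.2.77", "dst": "10.0.0.2", "proto": "udp", "dport": 500},
    {"ts": 530, "src": "10.0.0.2", "dst": "10.0.0.1", "proto": "tcp", "dport": 22},
    {"ts": 560, "src": "10.0.0.1", "dst": "198.51.100.9", "proto": "gre", "dport": 0},
    {"ts": 580, "src": "10.0.0.1", "dst": "198.51.100.9", "proto": "tcp", "dport": 443},
    {"ts": 600, "src": "10.10.0.5", "dst": "10.0.0.1", "proto": "tcp", "dport": 22},
]

def encapsulation(r):
    """Name the tunnel type a record carries, or None if it is not a tunnel."""
    if r["proto"] in TUNNEL_PROTOS:
        return r["proto"]
    if (r["proto"], r["dport"]) in TUNNEL_PORTS:
        return f'{r["proto"]}/{r["dport"]}'
    return None

def build_baseline(records):
    """Reduce a clean window to the per-device relationships treated as normal."""
    model = {
        "mgmt_sources": defaultdict(set),    # device -> hosts that manage it
        "tunnel_roles": set(),               # (device, encapsulation, role)
        "outbound_peers": defaultdict(set),  # device -> external peers it initiates to
    }
    for r in records:
        src, dst, encap = r["src"], r["dst"], encapsulation(r)
        if dst in DEVICES and (r["proto"], r["dport"]) in MGMT_PORTS:
            model["mgmt_sources"][dst].add(src)
        if encap and src in DEVICES:
            model["tunnel_roles"].add((src, encap, "initiates"))
        if encap and dst in DEVICES:
            model["tunnel_roles"].add((dst, encap, "terminates"))
        if src in DEVICES and not encap and ip_address(dst) not in INTERNAL:
            model["outbound_peers"][src].add(dst)
    return model

def detect(model, records):
    """Return (rule, record) pairs for device behaviour absent from the baseline."""
    findings = []
    for r in records:
        src, dst, encap = r["src"], r["dst"], encapsulation(r)
        if (dst in DEVICES and (r["proto"], r["dport"]) in MGMT_PORTS
                and src not in model["mgmt_sources"][dst]):
            findings.append(("unexpected-management-access", r))
        if encap and src in DEVICES and (src, encap, "initiates") not in model["tunnel_roles"]:
            findings.append(("new-tunnel", r))
        if encap and dst in DEVICES and (dst, encap, "terminates") not in model["tunnel_roles"]:
            findings.append(("new-tunnel", r))
        if (src in DEVICES and not encap and ip_address(dst) not in INTERNAL
                and dst not in model["outbound_peers"][src]):
            findings.append(("unexpected-outbound-session", r))
    return findings

def trace_pivot_path(records, event):
    """Walk back from an anomalous session to the hop that most likely led to it.

    Heuristic (an assumption of this example): the most recent earlier inbound
    session to the event's source is taken as the preceding hop, repeatedly.
    """
    by_time = sorted(records, key=lambda r: r["ts"])
    path, cur, ts = [event["dst"], event["src"]], event["src"], event["ts"]
    seen = {cur}  # loop guard for hosts that talk to each other in both directions
    while True:
        prior = [r for r in by_time if r["dst"] == cur and r["ts"] < ts]
        if not prior or prior[-1]["src"] in seen:
            break
        cur, ts = prior[-1]["src"], prior[-1]["ts"]
        seen.add(cur)
        path.append(cur)
    return list(reversed(path))

if __name__ == "__main__":
    found = detect(build_baseline(BASELINE), OBSERVED)
    for rule, r in found:
        print(f'{rule}: {r["src"]} -> {r["dst"]} ({r["proto"]}/{r["dport"]})')
    tunnel = next(r for rule, r in found if rule == "new-tunnel")
    print("pivot path:", " -> ".join(trace_pivot_path(OBSERVED, tunnel)))
```

Run against the constructed windows, the gateway-to-router SSH, the router's GRE tunnel and its outbound 443 session each fire once, the routine jump-host SSH and the remote user's IKE do not, and walking back from the tunnel yields the chain 192.0.2.77 -> 10.0.0.2 -> 10.0.0.1 -> 198.51.100.9, that is, Internet user, VPN gateway, router, external peer. None of that required an agent on either device; the baseline is the only state kept, and everything else is read off the wire.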
The difference is strategic.
Endpoint detection assumes compromise eventually surfaces on a device you instrumented.
Network truth assumes compromise leaves traces in traffic immediately.
The backbone of your infrastructure is not neutral plumbing. It is a high-value target. Recent Cisco, Citrix and Fortinet exploitation waves proved that attackers understand this perfectly.
If your visibility starts at the endpoint, you are reacting to the second phase of the attack.
If your visibility starts at the network layer, you see the first move.
And in modern intrusions, the first move is often the router.