Blog

The Edge Is Still Having a Moment: An On-Prem Security Guide for SMBs and Government Orgs

Ted Gruenloh
CEO @ Nomic Networks
July 6, 2026

Time and time again, we’ve heard declarations of the edge’s death. First, it was next-gen firewalls (NGFWs), then “The Cloud,” and then SD-WAN, SASE … The list goes on. And yet, since 2024, firewall and edge device attacks have hit all-time highs.

The edge lives on. It doesn’t always hit the headlines, it doesn’t get all the attention, but the edge, believe it or not, remains one of your most vulnerable attack vectors. 

Here’s why. 

What is the Network Edge Today?

Most organizations today operate in a hybrid cloud environment, running a mix of on-premises infrastructure and cloud services - not the all-cloud model that many thought would materialize. 

Tying these mixed environments together typically relies on some combination of SD-WAN, SASE/SSE, and VPN, with an NGFW sitting at the center managing traffic flow across multiple locations and egress points. On the access control side, most organizations now layer in cloud-based Secure Web Gateways (SWGs) and some form of Zero Trust Network Access (ZTNA) with MFA enforced at the perimeter.

The proliferation of cloud-based SaaS is perhaps the most drastic change from early firewalls, which were designed primarily to split the WAN from the LAN. Many organizations don’t see SaaS apps as part of their attack surface, and learn the hard way. 

In May 2026, for example, the Canvas learning management system was compromised, exposing student data from universities and colleges that had integrated the platform into their core operations.

Try moving this to "The Cloud."

Why Are So Many Organizations Still Operating On-Premises?

As noted, contrary to what many in the tech world expected, few organizations operate entirely in the cloud. There are several reasons for this:

First is simply the cost. Moving servers, resources, or edge infrastructure can be prohibitively expensive; Many smaller organizations simply cannot do it. I once spoke to a CIO who said that it would be cheaper to physically dig up the ground and run fiber to existing data centers than to implement a dedicated SD-WAN solution.

The most obvious reason is simply that some systems can’t move, however much money you throw at them. SCADA systems controlling critical infrastructure like water lines and power grids are anchored to physical infrastructure by design. Public libraries, police stations, and other civic institutions have the same problem. And some legacy operating systems and software platforms simply have no cloud equivalent to migrate to.

Why is the Edge Under More Pressure than Ever?

Attackers are targeting the edge with more ferocity than ever. 

In 2024, compromised network edge devices accounted for initial compromise in 30% of incidents impacting SMBs. The Verizon DBIR 2025 documented an 8x increase in edge device exploitation. Mandiant M-Trends 2025 even found that the top four most frequently exploited vulnerabilities were all in edge devices.

Several factors are driving this resurgence.

First, organizations ask an enormous amount of their NGFWs. They use them to terminate VPNs, enable remote desktop access, open ports for FTP servers and SaaS applications, handle deep packet inspection, route network traffic, and more … Often all at once. That complexity creates fertile ground for misconfiguration, and performance compromises are common.

Moreover, decrypting traffic for inspection, ramping up signatures, and complex networking involves tradeoffs on CPU and throughput that many organizations lack the capacity to manage effectively.

Finally, firewalls themselves are rife with vulnerabilities. Palo Alto's CVE-2024-3400, Ivanti’s CVE-2025-0282, and numerous Fortinet CVEs are just a few examples across all the major firewall vendors that were exploited before patches were even available, and up to half of these firewalls remain unpatched. Clearly, a firewall alone isn’t enough to stop this trend.

Why is EDR Alone Not Enough? 

Neither does an EDR tool. Endpoint security kicks in once you’ve already received a malicious email and possibly downloaded ransomware or given away credentials, and is blind to the actual traffic between network devices.

This would be bad enough if we were facing less sophisticated ransomware attacks of ten (or even five) years ago. But we’re not. Ransomware is constantly evolving, and bad actors don’t use “lightweight” ransomware on SMBs. 

Ransomware as a Service (RaaS) is out there, and it’s cheap and easy to launch. This means APT-like attacks are easily bought, sold and paid for as-a-service on the dark web. More accessible than ever, script kiddies (those with low technical skills) can get a hold of this stuff and do as much damage as the big guys.

So, the point here is that bad actors with access to the good stuff (for cheap) won’t pull punches when attacking your small to medium-sized business. They’re not just sending phishing emails; they’re launching months-long attacks, sneaking into your network in increasingly furtive ways, evading typical defenses and protections, and lying low until they can strike.

Attacks are coming for you, they’re now more advanced and accessible than ever, and if your enterprise security strategy is only protecting at the endpoint, you’re not keeping up.                                     

How Can I Strengthen My Network Edge?

Strengthening the edge starts with accepting that no single control does the whole job. 

A dedicated protection layer, independent and outside the firewall, adds security that a firewall alone can’t provide, and can stop the reconnaissance, scans, and exploits constantly lobbed at your public-facing attack surface that makes up 70% of the traffic inbound to your network.

Threat intelligence feeds then sharpens detection and response. A feed like CINS Army - which aggregates data based on known malicious IPs and attack infrastructure - will mean you can block threat actors before they get a foothold, rather than acting after the fact. 

Finally, vulnerability scanning and periodic penetration testing round out the picture. They surface weaknesses before attackers find them. When something does happen, pre-built alerting playbooks are what separate organizations that contain incidents quickly from those that don’t.

Of course, running all of this internally is a serious heavy lift, especially for smaller organizations. It costs money, resources, and time that many readers will not have spare. That’s where managed network detection and response comes in. 

Nomic’s MNDR combines threat protection, visibility, and managed support, so any organization, regardless of size, can close the gaps without adding headcount or buying more hardware.

Schedule a demo today to find out more.

Ted Gruenloh
CEO @ Nomic Networks

Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.

Subscribe to our newsletter
By subscribing you agree to with our Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.