N-able’s Anomaly Detection feature identifies credential-based threats

N-able expanded its Anomaly Detection capabilities in Cove Data Protection to combat the surge in identity-driven cyberattacks targeting backup environments.

The new functionality delivers real-time alerts when suspicious or unauthorized changes to backup policies are detected, giving customers an early warning system against the credential-based tactics attackers use to disable or corrupt backups before deploying ransomware.

Identity-based attacks have become a major driver of successful cyberattacks, with AI making these schemes even more convincing. With stolen or phished credentials, attackers can gain access to backup software and weaken backup policies.

The 2025 Verizon Data Breach Investigations Report found that roughly 88% of basic web application breaches involved stolen credentials, making it clear how widespread this tactic has become. Once inside, attackers – and sometimes well-intentioned employees – can alter retention policies, exclude critical data from backups, and delete protected devices. These are subtle changes that can go unnoticed for weeks or even months before the attacker triggers the final ransomware event.

To give IT teams real-time visibility, Anomaly Detection introduces a vital layer of protection through event-based notifications that highlight these indicators of compromise. This capability notifies users of potential cyberattack signals or misconfigurations before they escalate, allowing organizations to take just-in-time action to safeguard their recovery posture and maintain data resilience. This new capability builds on last year’s Anomaly Detection feature, Honeypots, an always-on defense mechanism designed to detect brute-force attacks on backup infrastructure.

“It’s no longer just active systems under attack – backups are firmly in the crosshairs. If attackers gain access to the backup platform, they don’t always strike immediately. They can quietly manipulate backups, alter retention policies, or delete servers, then sit undetected for weeks or even months. When they finally launch their attack, recovery can be impossible,” said Neil Douglas, CIO at Network ROI, a UK-based managed IT services provider.

“In the past, we had no visibility into those subtle changes happening behind the scenes. Now, with real-time, event-based alerts for even the smallest alteration, we know the moment something suspicious occurs. That not only protects us from malicious actors but also guards against accidental misconfigurations. It’s a powerful step forward in strengthening our overall data resilience,” added Douglas.

“A new wave of threats is targeting businesses through stolen identities,” said Chris Groot, GM of Cove Data Protection. “Real-time alerts to backup policy changes give customers peace of mind by protecting them from risky changes that could affect recovery, whether that change was caused by attackers or employees. By catching these changes as they happen, organizations can stop identity-driven attacks and misconfigurations before recovery is compromised.”