What’s New in N‑able EDR — 2025 Year-in-Review
Explore N‑able EDR’s 2025 innovations, including AI-driven threat detection, extended data retention, Cloud Funnel for real-time telemetry streaming, and advanced forensics—designed to deliver stronger, more resilient security.
2025 marked a wave of innovation for N‑able EDR, powered by SentinelOne, with significant new features and add-ons that enhance how security teams protect endpoints and streamline security operations. From AI-driven threat detection to enhanced data governance, N‑able EDR has advanced on multiple fronts to help partners and customers accelerate threat detection, conduct deeper investigations, and optimize operational efficiency.
Below are the key capabilities introduced in 2025, including the updated RemoteOps Forensics, the newly launched Purple AI™ Security Analyst, Extended Data Retention, and Cloud Funnel, showing how they empower users to stay ahead of ever-evolving cyber threats.
| Capability | Description |
| --- | --- |
| Purple AI™ Security Analyst | Generative AI-powered SOC and security assistant (SentinelOne’s Purple AI) embedded in the EDR console. This allows analysts to use natural language to hunt threats, summarize alerts, and get investigative guidance. It also helps to streamline incident response by delivering actionable insights and guidance in natural language. |
| Extended Data Retention | Flexible log retention add-on allowing storage of EDR telemetry for up to 365 days (beyond the standard 14-day window, which already offered good advantages). This is ideal for compliance and threat hunting, as it supports comprehensive visibility into all security events by keeping up to a full year of historical data. |
| Cloud Funnel | Real-time telemetry streaming to your own cloud storage. Supports streaming all endpoint events as they occur, enabling long-term data retention, advanced analytics, and seamless integration with SIEM/SOAR tools, helping reduce manual data exports. |
| RemoteOps Forensics | Advanced remote incident response feature combining script orchestration with digital forensics. Security teams can automatically collect in-depth evidence (running processes, memory dumps, etc.) across endpoints in seconds, enabling faster investigations at scale. See datasheet |
Purple AI™ Security Analyst
One of the most exciting additions in 2025 is that Purple AI™, SentinelOne’s AI-powered security analyst, is now integrated into N‑able EDR. Purple AI transforms how teams detect, investigate, and respond to threats by allowing users to interact with the endpoint data through natural language queries across the network. For example, a technician can ask, “Show me all PowerShell scripts executed in the last 24 hours.” Purple AI then analyzes logs and surfaces the answer. By leveraging generative AI, Purple AI streamlines threat hunting and incident analysis, enabling even junior analysts to uncover patterns and insights without writing complex queries. The assistant can summarize alerts, highlight related incidents, and suggest next steps, acting as a digital co-pilot during investigations. Built on the open OCSF schema, Purple AI can correlate data across the broader security stack, providing richer context.
Early adopters report that natural language threat hunting accelerates identification by approximately 63% [i] compared to manual methods. For MSPs and IT professionals, this translates to faster resolution times and stronger capabilities without adding headcount.
365-Day Data Retention: No More Blind Spots
Context is everything, and sometimes that context resides in an event that happened months ago. To address this, N‑able has introduced an Extended Data Retention option for EDR Complete.
Organizations can now retain Deep Visibility data for 30, 90, 180, or 365 days. This ensures that whether investigating a slow-moving intrusion or conducting a year-end security review, teams have access to a full year of historical endpoint telemetry. Longer retention significantly enhances proactive threat hunting: attackers often leave traces in logs long before detection, and extended retention allows hunters to trace activities across several months. It also supports compliance and digital forensics by simplifying audits and breach reconstruction.
The feature is flexible; you choose the retention tier that fits your needs (and budget). All extended data is stored in the SentinelOne Data Lake and remains seamlessly accessible through the console’s Deep Visibility interface.
With this feature, N‑able EDR moves closer to SIEM-like telemetry depth, eliminating blind spots that can hinder investigations.
Cloud Funnel: Your Data, Your Cloud
Another major enhancement this year is Cloud Funnel, which addresses long-term data retention and integration needs. Cloud Funnel lets you stream all your endpoint event data in real time to your own cloud storage – whether Azure, AWS, or Google Cloud. This means every security event, benign or malicious, can be piped into an S3 bucket or Azure Blob container as it happens, in an open format (compressed JSON).
This enables organizations to retain months or years of raw EDR data, correlate endpoint activity with other security and SaaS logs, and build a broader XDR view of threats. By maintaining ownership of their data and eliminating manual exports, teams can apply advanced analytics or machine learning to full-fidelity telemetry.
For example, you could stream EDR logs to Azure, then use Azure Synapse or SentinelOne to run custom anomaly detection across all endpoints. Cloud Funnel is easily enabled via the EDR settings and billed per protected endpoint, with customers managing their own cloud storage costs.
RemoteOps Forensics: Deep Incident Investigations at Scale
To complement its prevention and EDR capabilities, N‑able introduced RemoteOps Forensics in 2025 to expand the existing Remote Script Orchestration (RemoteOps) module and support faster, more autonomous incident response.
With RemoteOps Forensics, security teams can trigger a predefined forensic capture across hundreds of endpoints at once, collecting data like running processes, open ports, Master File Table (MFT) entries, registry hives, browser artifacts, and even full memory dumps. Evidence is gathered in a forensically sound manner and centralized in the Singularity Data Lake for analysis, painting a comprehensive picture of an attack.
All this is achieved within the same EDR console and agent, eliminating the need for separate DFIR tools. RemoteOps Forensics bridges a gap by combining “blue team” automation (remote remediation scripts) with “digital forensics” rigor. Security teams can define custom forensic profiles and even set automatic triggers (e.g., run a memory capture if a ransomware alert occurs) for consistent, rapid response. RemoteOps Forensics empowers teams to conduct in-depth investigations rapidly across many endpoints, reducing the mean time to resolution and helping pinpoint root cause without delay.
Bonus: Existing users of RemoteOps received this forensic upgrade at no additional cost.
2025 Was a Leap, but the Groundwork Was Already Rock Solid
These innovations build on an already robust foundation. N‑able EDR continues to deliver machine-speed detection and threat prevention with its behavioral AI, static AI, and Storyline™ context, which have been proven in real-world environments.
By the end of 2025, N‑able EDR has evolved into a comprehensive endpoint security platform with autonomous protection, rich forensic insight, open integration, and operational alignment for MSPs and IT professionals. Customers can fine-tune how they use the product, from what data they keep and where, to how they integrate it into business workflows. This year’s advancements underscore N‑able’s commitment to delivering enterprise-grade innovation—such as generative AI and advanced DFIR—to organizations of all sizes.
As cyber threats grow more sophisticated and IT environments more complex, these enhancements ensure N‑able EDR remains ahead of the curve. Whether detecting novel attacks with AI analysis, or investigating an incident with comprehensive data, the 2025 feature set enables teams to respond faster and more efficiently.
We look forward to seeing how our user community leverages these capabilities in 2026 and beyond.
Stay secure, and here’s to an even more innovative year ahead.
Discover more: download the N‑able EDR Datasheet, or speak with a pro.
Editor’s Note: Beginning in 2025, with the introduction of Adlumin Warranties, MSPs and IT professionals using N‑able EDR may be eligible for coverage at no additional cost:
- Managed Service Providers: Up to $100K with the Adlumin Advanced Warranty.
- IT Professionals: Up to $500K with Adlumin Protection Plus Suite.
Ovidiu Cobzaru is Senior Product Marketing Manager at N‑able
[i] https://www.sentinelone.com/lp/idc-business-value-purple-report/