- What: AI's role in network security and threat detection
- Impact: Threat actors exploit telecom infrastructure resilience
Network Security, AI benefits/risks

How AI can help networks develop ‘pocket presence’

April 20, 2026

By Nelson Silva

COMMENTARY: Telecommunication networks are built to keep going. Core services are monitored continuously, traffic gets rerouted automatically, and reliability governs day‑to‑day decisions. These systems are designed to absorb constant change without drawing attention to themselves.

Over the past few years, the most serious campaigns against telecoms have used that resilience to their advantage. They’ve gone after infrastructure layers (network devices, management planes, virtualization stacks) and then stayed there quietly, often for months or longer. That’s the through‑line in public reporting on Salt Typhoon, which authorities continue to describe as still active even after it touched operators across more than 80 countries.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

A similar pattern appears in UNC3886, a China-nexus actor that has specialized in attacking edge devices and virtualized environments, such as those from Fortinet and VMware. Singapore’s response took about 11 months because pulling systems offline to rebuild or conduct a full forensic teardown wasn’t on the table. Malware families like BPFDoor are engineered for exactly this setting, with activation on “magic” packets, kernel‑level stealth, and long dwell in the Linux‑based environments common to telcos.

What these cases share isn’t a particular technique so much as a detection problem. The most consequential intrusions live inside normal network operations, quietly collecting the signaling, routing, configuration, topology and mobility data that underpin enterprise, government and cross‑border communications. The challenge: learn how to see that embedded presence early, before time turns it into leverage.
Why visibility lags

Configuration updates in telecom networks propagate across regions, administrative access spans time zones, and systems are tuned and patched while traffic flows. In that environment, the management surfaces operators rely on to keep networks healthy are the same places long‑dwell actors prefer to sit, because their actions remain plausible for extended periods.

This challenge gets amplified by scale and layering. Telecom providers aren’t defending a single system but thousands of interconnected network functions, management systems and compute environments deployed across multiple data centers and regions. Persistence can hide across layers, where individual systems behave as expected while the environment as a whole quietly gets traversed.

Regulators are also expecting early action, before anything visibly breaks. In Singapore, critical infrastructure providers are now required to report suspected advanced persistent threat (APT) activity to prevent quiet intrusions from having national impact. Guidance from U.S. agencies and requirements under Europe’s NIS2 Directive similarly emphasize earlier reporting and deeper visibility into management and configuration activity, even when services remain stable.

Built for telecom

Against that backdrop, three factors distinguish telecom visibility from generic monitoring:

- Placement: Decisions and telemetry need to originate inside the network elements where services run, with visibility into the surrounding management and control-plane traffic, so teams can interpret behavior in its full operational context. Salt Typhoon made clear how infrastructure‑level footholds turn into long‑term adversary presence when this isn’t in place.
- Context: Activity in the system gets interpreted against maintenance windows, regional rhythms, interconnect behavior, intercept workflows and expected sequences, so individually valid actions are flagged when the sequence, actor or timing goes sideways. Singapore’s months‑long cleanup showed how exact and context‑aware eviction has to be when the country keeps making calls.
- Control at the point of action: Access, change and control operations need real-time visibility and evaluation as they occur, because that’s where persistence forms. Once decisioning shifts to periodic or off‑band checks, implants like BPFDoor gain the space they need to persist.

From detection to decision

AI earns its place in telecom security because it can maintain continuous awareness of what “normal” looks like as the network evolves, flagging deviations early while everything still appears to work. AI models interpret patterns across endpoint behavior, control‑plane signaling and live network traffic, connecting actions that appear legitimate in isolation into a coherent signal of malicious presence. That capability directly addresses the blind spots long‑dwell campaigns rely on.

AI also shortens the distance between activity and understanding, surfacing context early enough to act without destabilizing service. Threat hunting becomes a continuous practice that actively challenges activities that look legitimate in isolation but don’t hold up once full network context is applied.

In American football, “pocket presence” consists of the quarterback sensing pressure and choosing to run or throw before the space collapses. Telecom security needs the same mindset. Most threats show up while services still look healthy, and they do so while traffic must keep flowing. Detection has the most impact when it arrives in that live window, preserving decision space. It’s when security moves from post-incident explanation to real‑time control, deciding what continues and what gets cut off, without stopping the play and before adversary access turns into leverage.

Nelson Silva, senior product manager, cybersecurity, Nokia
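The Context and Control factors above, and the later point about connecting individually legitimate actions into one coherent signal, can be made concrete with a small evaluator. The following is an added example written for this page, not code from the column, from Nokia, or from any product: it scores each management-plane event at the point of action against maintenance windows, the operator accounts expected in each region, and the expected sequence (admin session, then change ticket, then config push), and it counts anomalies per actor so that repeated near-plausible actions surface as a pattern. Every window, account, element name and event in it is constructed for illustration.

```python
"""Context-aware evaluation of telecom management-plane events.

Added example, not the column's or Nokia's code. Each event is judged as it
occurs against maintenance windows, expected operators per region, and the
expected sequence session -> ticket -> config change. All context tables and
events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed context tables. In practice these would come from the
# change-management system and the NOC's regional schedules.
MAINTENANCE_WINDOWS = {"eu-west": (1, 5), "apac": (17, 21)}   # UTC hours, [start, end)
EXPECTED_ADMINS = {"eu-west": {"noc-eu-01", "noc-eu-02"}, "apac": {"noc-ap-01"}}


@dataclass
class Finding:
    event_id: str
    actor: str
    reasons: list = field(default_factory=list)


class ContextEvaluator:
    """Keeps just enough state to judge each event in its operational context."""

    def __init__(self):
        self.open_sessions = set()              # (actor, element) with a live admin session
        self.tickets = {}                       # ticket id -> element it authorizes
        self.actor_findings = defaultdict(int)  # anomaly count per actor, for correlation

    def _in_window(self, region, ts):
        start, end = MAINTENANCE_WINDOWS.get(region, (0, 0))
        return start <= ts.hour < end

    def evaluate(self, ev):
        """Return a Finding if the event is implausible in context, else None."""
        kind = ev["kind"]
        if kind == "session_open":
            self.open_sessions.add((ev["actor"], ev["element"]))
            return None
        if kind == "session_close":
            self.open_sessions.discard((ev["actor"], ev["element"]))
            return None
        if kind == "change_ticket":
            self.tickets[ev["ticket"]] = ev["element"]
            return None
        if kind != "config_change":
            return None

        reasons = []
        ts = datetime.fromisoformat(ev["ts"])
        if not self._in_window(ev["region"], ts):
            reasons.append("outside maintenance window")
        if ev["actor"] not in EXPECTED_ADMINS.get(ev["region"], set()):
            reasons.append("actor not expected for region")
        if (ev["actor"], ev["element"]) not in self.open_sessions:
            reasons.append("no preceding admin session on element")
        ticket = ev.get("ticket")
        if ticket is None:
            reasons.append("no change ticket")
        elif self.tickets.get(ticket) != ev["element"]:
            reasons.append("ticket does not authorize this element")

        if not reasons:
            return None
        # Correlate across events: a second anomaly by the same actor is a pattern,
        # even if each action looked nearly legitimate on its own.
        self.actor_findings[ev["actor"]] += 1
        if self.actor_findings[ev["actor"]] >= 2:
            reasons.append("repeated anomalies for this actor")
        return Finding(ev["id"], ev["actor"], reasons)


def run(events):
    """Evaluate an event stream in order and return the findings."""
    evaluator = ContextEvaluator()
    return [f for f in map(evaluator.evaluate, events) if f is not None]


# Constructed event stream (normalized AAA/syslog-style records, not real data).
SAMPLE_EVENTS = [
    {"id": "e1", "kind": "session_open", "actor": "noc-eu-01", "element": "core-rtr-01",
     "region": "eu-west", "ts": "2026-04-20T02:00:00"},
    {"id": "e2", "kind": "change_ticket", "ticket": "CHG-1001", "element": "core-rtr-01"},
    {"id": "e3", "kind": "config_change", "actor": "noc-eu-01", "element": "core-rtr-01",
     "region": "eu-west", "ts": "2026-04-20T02:10:00", "ticket": "CHG-1001"},
    # Expected operator, valid window, but no session and a ticket for another element.
    {"id": "e4", "kind": "config_change", "actor": "noc-eu-02", "element": "core-rtr-02",
     "region": "eu-west", "ts": "2026-04-20T02:20:00", "ticket": "CHG-1001"},
    # Service account pushing config mid-day with no ticket and no session, twice.
    {"id": "e5", "kind": "config_change", "actor": "svc-backup", "element": "agg-sw-07",
     "region": "eu-west", "ts": "2026-04-20T13:05:00"},
    {"id": "e6", "kind": "config_change", "actor": "svc-backup", "element": "agg-sw-08",
     "region": "eu-west", "ts": "2026-04-20T13:07:00"},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f.event_id, f.actor, "; ".join(f.reasons))
```

Event e3 passes every check and produces nothing; e4 is flagged only because the sequence is wrong, even though the operator and timing are valid; e5 and e6 accumulate, so the second one also carries the per-actor correlation reason. Real deployments would replace the constructed tables with feeds from change management and AAA, and would feed findings into the point-of-action control the column describes rather than a batch report.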