Techniques for coordinated and device-distributed detection of abnormal network device operation are provided. In some embodiments, a method may include identifying a suspicious activity condition associated with a suspect network device. The suspicious activity condition may also be associated with the device itself. Activity of the network device may be detected and analyzed, including additional data corresponding to the activity from one or more other network devices in the same network. In response to determining that the suspicious activity condition is satisfied, an alert communication can be transmitted that identifies the suspect network device. When the activity is associated with the device itself, a local operation at the network device may be changed.