The toughest part of most cyberattacks isn’t the break-in. It’s what happens after. Once an attacker is inside, they move sideways—testing connections, escalating privileges, and spreading until a small crack turns into a gaping wound. I’ve been covering this space for years, and what strikes me is how often we keep relearning the same lesson: prevention is never perfect, and it’s the spread that really does the damage.
Illumio’s 2025 Global Cloud Detection and Response Report reinforces what I’ve seen in my own conversations with security leaders. Most organizations say they’re monitoring hybrid communications and east-west traffic, the lateral traffic between workloads inside the environment as opposed to the north-south traffic crossing the perimeter. On paper, that sounds reassuring. But when you ask if they have the context to make sense of it all, confidence drops fast. You can collect logs and flow data until your storage bills make your CFO break into a sweat, but a flow record is little more than two addresses, a port and some byte counts. If you can’t tell which workload is talking to which service, or whether that chatter matters, you’re effectively blind.
Andrew Rubin, Illumio’s CEO, calls this one of the industry’s great ironies. As he told me, “Everybody loves to say that we’ve got a data or a telemetry problem. I actually think that may be the biggest fallacy of all. We have more data and telemetry than we’ve ever had. The problem is we haven’t figured out how to use it in a highly efficient, highly effective way.”
Drowning in the firehose
The report shows just how much time teams spend chasing ghosts. Thousands of alerts hit daily. Many are false positives. Teams burn hours each week trying to separate signal from noise, only to still miss the warnings that actually matter. I’ve heard analysts describe the work as “alert triage roulette”—you spin the wheel and hope you land on the one alert that really is the breadcrumb of an attack in progress.
That’s not just inefficient—it’s exhausting. Missed alerts often lead to hours of downtime and major financial impact. Rubin pointed out that this problem hasn’t budged in decades: “Attackers are getting in. They’re literally moving into our house and living with us for months, totally undetected. That means we’re flying blind.”
More tools, same blind spots
Organizations keep layering on more detection tools—CDR, NDR, XDR, SIEM, SOAR—but the blind spots remain. It reminds me of when I first started writing about endpoint detection in the early 2000s. Everyone was adding more dashboards and more agents, but the attackers didn’t seem to be sweating it. Why? Because volume doesn’t equal clarity. Without correlation and context, it’s just noise at scale.
Shifting the conversation
This is where the conversation needs to shift, from “more detection” to “observability and containment.” Observability means enriched context at the point of decision: which workload is talking to which, over what port, in which environment, and how critical each side is, stitched across clouds and data centers and ideally visualized in a way that shows likely attack paths and blast radius. Containment means acting on that context, automatically when appropriate, to block or quarantine before an incident becomes a headline. The caveat is that automated containment is only as good as the labels feeding it: a quarantine rule driven by stale or wrong workload metadata will take down a production service as readily as it isolates an attacker, so the inventory has to be maintained with the same care as the detections.
Rubin put it in stark terms: “If you want to limit the blast radius of an attack, there are only two things you can do: find it quickly, and segment the environment. They are the only controls that help. The faster you take action and the more segmented the environment is, the more roadblocks an attacker runs into.”
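To make the two points above concrete, here is a small added example of what “context at the point of decision” and “segment the environment” look like in code. It is written for this article and is not code from Illumio or from the report. The workload inventory, the tier-based segmentation policy, the flow records and the 1-to-4 criticality scale are all constructed for illustration. The script enriches raw flow tuples with workload labels, ranks the policy violations by the criticality of what was reached, and then computes the blast radius from one compromised web host twice: once over a flat network where every observed flow is traversable, and once where only policy-permitted flows are.

```python
"""Context-enriched east-west flow review and blast-radius estimate.

All data below is constructed for this example; it is not from Illumio's
report or product. Criticality is an assumed 1-4 scale (4 = most critical).
"""
from collections import deque

# Constructed workload inventory: IP -> labels the flow collector lacks.
INVENTORY = {
    "10.0.1.10": {"name": "web-01", "app": "shop", "tier": "web", "crit": 2},
    "10.0.1.11": {"name": "web-02", "app": "shop", "tier": "web", "crit": 2},
    "10.0.2.20": {"name": "api-01", "app": "shop", "tier": "app", "crit": 3},
    "10.0.3.30": {"name": "db-01", "app": "shop", "tier": "db", "crit": 4},
    "10.0.9.90": {"name": "jump-01", "app": "ops", "tier": "mgmt", "crit": 4},
}

# Constructed segmentation policy: (source tier, destination tier, port)
# triples that are permitted. Anything else is a violation.
SEGMENTED_POLICY = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("mgmt", "web", 22),
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
}

# Constructed east-west flow records (src, dst, dport), the way a collector
# exports them: bare tuples with no notion of what the endpoints are.
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8443),
    ("10.0.1.11", "10.0.2.20", 8443),
    ("10.0.2.20", "10.0.3.30", 5432),
    ("10.0.9.90", "10.0.2.20", 22),
    ("10.0.1.10", "10.0.3.30", 5432),   # web host talking straight to the DB
    ("10.0.1.10", "10.0.1.11", 445),    # web host probing its neighbour over SMB
    ("10.0.1.10", "10.0.9.90", 22),     # web host reaching for the jump box
]

UNKNOWN = {"name": "unknown", "app": "?", "tier": "?", "crit": 0}


def enrich(flow, inventory=INVENTORY):
    """Attach workload context (name, app, tier, criticality) to a raw flow."""
    src, dst, port = flow
    return {
        "src": inventory.get(src, dict(UNKNOWN, name=src)),
        "dst": inventory.get(dst, dict(UNKNOWN, name=dst)),
        "port": port,
    }


def is_allowed(enriched, policy):
    """A flow is allowed only if its (src tier, dst tier, port) is in policy."""
    return (enriched["src"]["tier"], enriched["dst"]["tier"], enriched["port"]) in policy


def violations(flows, policy, inventory=INVENTORY):
    """Flows the policy does not permit, most critical destination first, so
    the analyst sees the database and jump-box hits before low-value noise."""
    bad = []
    for f in flows:
        e = enrich(f, inventory)
        if not is_allowed(e, policy):
            bad.append(e)
    return sorted(bad, key=lambda e: -e["dst"]["crit"])


def blast_radius(start, flows, policy=None, inventory=INVENTORY):
    """Names of workloads reachable from `start` over observed flows.

    policy=None treats every observed flow as traversable (a flat network);
    with a policy, only permitted flows count, which is what segmentation buys.
    """
    edges = {}
    for f in flows:
        if policy is None or is_allowed(enrich(f, inventory), policy):
            edges.setdefault(f[0], set()).add(f[1])
    seen, queue = {start}, deque([start])
    while queue:                      # breadth-first search over the flow graph
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return {inventory[ip]["name"] for ip in seen if ip in inventory}


if __name__ == "__main__":
    for v in violations(FLOWS, SEGMENTED_POLICY):
        print(f"VIOLATION {v['src']['name']} -> {v['dst']['name']}:{v['port']} "
              f"(dst tier={v['dst']['tier']}, crit={v['dst']['crit']})")
    print("flat blast radius from web-01:", sorted(blast_radius("10.0.1.10", FLOWS)))
    print("segmented blast radius from web-01:",
          sorted(blast_radius("10.0.1.10", FLOWS, SEGMENTED_POLICY)))
```

Run stand-alone, the script reports three violations (web-01 to the database, to the jump box, and to its neighbour over SMB) with the two critical destinations listed first, and shows the blast radius from a compromised web-01 shrinking from four workloads on the flat network to two under the segmented policy. That remaining reach (web to app to database over permitted ports) is exactly why Rubin pairs segmentation with fast detection: segmentation puts roadblocks in the way, and the labels that made the violations readable are the same labels that let a containment rule quarantine web-01 rather than the whole subnet.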
What comes next
Looking to 2026, leaders say their top priorities are increasing AI/ML capabilities, improving cloud detection and response, and reducing time-to-respond. I’ve written before about the rise of autonomous SOCs, and this research feels like another proof point. Teams want fewer raw alerts and more context-rich insight. They want the ability to act before attackers finish their recon.
Rubin is bullish on the role of AI, but he’s realistic too: “AI is going to be a tool in the hands of both the defenders and the attackers forever. In the short term, the advantage probably goes to those who operate outside the rule of law. The one thing we can do to combat that is better observability and finding things faster than we have in the past.”
That’s the takeaway. The spread is the disaster. If you don’t have the context to see lateral movement, you’ll always be a step behind. Organizations that turn visibility into understanding—and understanding into containment—will spend less time chasing false alarms and more time shutting down real attackers.
And if there’s one thing I’ve learned covering this field, it’s that speed and clarity always beat volume and noise.