I’ve been writing about cloud and cybersecurity long enough to remember when “visibility” was the answer to almost every problem.
If something went wrong, the assumption was simple: we didn’t have enough data. Get more logs. Centralize them. Correlate everything. Once we can see what’s happening, we’ll know what to do next.
That thinking gave us SIEM. When SIEM fell short, we layered on SOAR. On paper, the evolution made sense. In practice, it mostly delivered more dashboards, more alerts, and more confidence that security teams were almost in control.
That gap—between seeing activity and understanding it—came into sharper focus for me during a recent conversation with Or Shoshani, CEO of Stream Security. We kept returning to the same idea: visibility matters, but it’s only the starting point. As Or put it, “Visibility is part of the base of the pyramid… but when the base itself isn’t solid, everything you try to build on top of it eventually collapses.”
That framing resonated for me because it explains why cloud security still feels perpetually reactive.
When Visibility Became the Finish Line
Security has chased visibility for decades. And to be clear, you can’t protect what you can’t see. But somewhere along the way, visibility stopped being the foundation and became the goal.
SIEM promised clarity by aggregating logs. SOAR promised action by automating responses. What neither consistently delivered was context. Knowing that something happened isn’t the same as knowing whether it matters.
Most organizations discovered that automation without understanding is risky, while understanding without automation doesn’t scale. So they stalled—leaving humans in the middle, manually interpreting massive volumes of telemetry that were already outpacing them.
The Moment Cloud Security Stopped Making Sense to Me
I’ve covered cloud and DevOps since the early days, and there was a moment—years ago—when I realized our security mental models were already breaking.
It was when containers went mainstream.
We started talking about workloads that might exist for minutes—or seconds. Thousands of them. Maybe millions. They spin up, do a job, and disappear. I remember asking what felt like obvious questions at the time: How do you remediate a vulnerability in something that no longer exists? And if it lived for five minutes, is that even a meaningful threat window?
Fast forward to today, and that challenge has only intensified. Cloud environments now change constantly, often without direct human involvement. Infrastructure scales itself. Configurations shift automatically. AI-driven agents can make legitimate changes that look identical to malicious ones if all you’re staring at is raw logs.
At that point, the idea of taking a “snapshot” of the cloud for security purposes becomes almost absurd. As Or put it bluntly during our conversation, “If I had a full picture of the cloud right now, it would already be wrong.”
The Cloud Isn’t a System—It’s a Living Thing
This is why the metaphor of the cloud as a living, breathing organism resonates so strongly.
Traditional infrastructure behaved like machinery. You could map it, secure it, and defend the perimeter. But the cloud today behaves more like biology. It adapts continuously. It responds automatically to load, policy, and demand. With AI in the mix, that pace only accelerates.
Security models built on static assumptions—fixed assets, predictable configurations, human-paced change—are increasingly misaligned with how cloud environments actually operate.
Where Cloud Security Is Headed
This shift is beginning to show up in how newer cloud security platforms are being designed—and how security leaders are evaluating them.
Rather than relying solely on periodic scans or post-event log analysis, some approaches are focused on continuously modeling the cloud environment as it exists in real time, treating change as the norm rather than the exception. The goal isn’t just to detect anomalies, but to understand how every change fits into the broader system.
Stream Security is one example of this emerging mindset. Instead of treating cloud assets as static objects to be inventoried and checked, its approach centers on observing the cloud as a dynamic system—one where relationships, behavior, and change patterns matter as much as individual events.
That perspective resonates with practitioners running large, complex environments. “At The Auto Club Group, a static security model simply isn’t viable for a cloud environment of our scale,” explained Gopal Padinjaruveetil, CISO of AAA. “Stream Security was the first platform that allowed us to see our cloud as a living system in which every change was reflected in real time. That level of real-time visibility is what immediately set Stream apart as we evaluated CDR tools.”
AI Didn’t Break Cloud Security—It Exposed the Cracks
Machine learning has been part of security for years. But generative and agentic AI change the equation because they don’t just analyze—they act. They provision infrastructure. Modify configurations. Execute workflows at machine speed.
Defenders are now protecting environments where:
- Change is constant
- Legitimate behavior can look suspicious
- Suspicious behavior can look legitimate
- And everything happens faster than human review cycles
In that world, more alerts don’t help. Better dashboards don’t help. You can’t review your way out of the problem.
Context Is the Missing Layer in Modern Cloud Defense
The real shift that needs to happen is moving from security as inspection to security as understanding.
Logs tell you what happened.
Understanding tells you whether it makes sense.
Security teams don’t just need events—they need context: how resources relate to one another, how behavior evolves over time, and what “normal” looks like right now, not last week.
This is a fundamentally different challenge than traditional detection. And it’s why simply automating legacy security models won’t solve the problem. Automation applied to broken assumptions just lets organizations fail faster.
This Is a Leadership Shift, Not a Tooling Upgrade
Organizations need to rethink what it means to defend something that never stops changing.
The cloud is not infrastructure you lock down. It’s an organism you continuously observe, interpret, and adapt to.
Security in that world isn’t a destination—it’s a condition.
Organizations that accept this reality will move beyond visibility toward understanding. Those that don’t will continue drowning in data while feeling increasingly blind.