By Raghu Nandakumara
Cyberattacks are inevitable, but the real damage occurs when attackers move laterally across networks undetected. As alert volumes overwhelm teams, prevention-first strategies falter. Raghu Nandakumara argues true resilience depends on rapid detection, contextual visibility, and effective containment. By assuming compromise and limiting attacker reach, organisations can minimise disruption, reduce dwell time, and strengthen operational continuity.
When a cyberattack strikes, every minute an attacker moves undetected inside a network is a minute of lost productivity, trust, and money.
The costs really start to skyrocket when attackers achieve lateral movement – the ability to traverse the network to reach high-value systems and data. This is the point when a single breach turns into a company-wide operational blackout or a large-scale data heist. Our latest research found that each incident involving lateral movement results in an average of seven hours of downtime.
While it’s impossible to guard against every breach, organisations must be able to identify and shut down these incursions as soon as possible to avoid costly losses – but detection and response largely remain too slow.
Cybersecurity priorities have changed. The benchmark is no longer how many attacks are prevented, but how well the company can weather the ones that get through. The ability to quickly and reliably detect, respond to and contain incoming threats is what defines true cyber resilience.
The illusion of proactivity
Cybersecurity is a top business priority, with Gartner estimating global spending will hit $213 billion this year, up 10.36% from 2024. Buoyed by that spending, most organisations consider themselves to have a proactive approach to tackling cyber risk.
Yet when incidents occur, that confidence quickly evaporates. Our analysis revealed that nine in ten organisations still experienced disruptive incidents in the past year. It’s a clear sign that most strategies are proactive in name only.
Part of this disconnect between cyber investment and resilience comes from prevention-first thinking, which creates an illusion of control. Organisations have become fixated on trying to block every possible intrusion instead of preparing to contain the inevitable. As a result, breaches are still happening – only now they catch teams unprepared for what comes next.
While proactivity is an admirable goal, the reality is that all security is reactive to some extent. True proactivity lies in anticipating that attacks will get in and being ready to respond effectively when they do. That means shifting focus from building higher walls to reducing the damage when those walls are breached.
Why detection still fails
The number of breaches occurring every year despite record spending on cybersecurity makes it clear that a prevention-centric approach to security isn’t working. Part of the issue is that prevention relies heavily on swift and effective detection, but this is an increasingly difficult challenge.
According to our research, security teams now face an average of more than 2,000 alerts every day, and two-thirds of leaders say their teams simply can’t keep up. Each alert that slips through the cracks and goes uninvestigated risks becoming the spark that ignites a full-scale incident.
False positives compound the problem. Teams lose over 14 hours each week chasing alerts that lead nowhere, while 38% of network traffic lacks the context needed for confident investigation. The result is predictable: overworked analysts, delayed responses, and adversaries that thrive on the chaos.
On average, it takes more than 12 hours for teams to even identify a missed alert that’s caused an incident. In that time, attackers can easily move laterally across systems, compromising data and disrupting operations. That time frame means serious delays to remediation and recovery efforts, prolonging the disruption and racking up more costs.
Visibility and context are key to reducing the threat of lateral movement
The increasing size and complexity of IT environments contribute significantly to this detection challenge. Strategies have typically tried to keep up by gathering as much data as possible, but this has only led to exhaustion and alert fatigue for analysts.
Instead, the focus must be on providing clarity: which alerts matter, how they connect, and what they reveal about attacker intent.
AI and machine learning are critical to providing this context and helping security personnel keep up. Our research found that 80% of leaders believe this technology will be critical to detecting lateral movement faster and reducing alert fatigue.
Security graphs are one example where the speed and accuracy of AI can make a powerful difference in threat detection. Graphs provide a detailed view of how the different elements of a network environment connect and interact, revealing potential attack paths and vulnerabilities.
With AI, these graphs become even smarter, correlating thousands of signals across environments to expose relationships between workloads, users, and systems that humans can’t easily see. This context transforms detection from guesswork into insight.
Containment: The new definition of proactivity
While improved detection is crucial, it’s only half the equation. Once a threat is identified, the priority shifts to stopping its spread. This is where visibility and context, already vital for detection, become equally crucial for response.
Once attackers breach the perimeter, the ability to contain lateral movement determines whether an incident becomes a minor disruption or a multimillion-pound crisis. By proactively segmenting networks, isolating workloads, and limiting unnecessary permissions, organisations can force attackers to slow down. That friction exposes their activity sooner, reducing both dwell time and impact. This is the essence of cyber resilience. Instead of assuming every defence will hold, leaders must plan for the opposite: assume compromise and be ready to restrict its reach.
In this way, containment doesn’t replace prevention – it completes it. It’s what turns a breach from a catastrophe into an inconvenience.
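The attack-path view a security graph provides, and the way segmentation shrinks it, can be sketched as a reachability computation over permitted flows. This is an added example, not code from the article or from any product it refers to; the workload names, tiers and allowed flows are constructed for illustration.

```python
from collections import deque

# Constructed sample environment (hypothetical names): workload -> tier.
WORKLOADS = {
    "laptop-17": "user", "laptop-22": "user", "jump-1": "admin",
    "web-1": "web", "web-2": "web", "app-1": "app",
    "db-1": "db", "backup-1": "db",
}
CROWN_JEWELS = ("db-1", "backup-1")

# Segmented policy: only the tier-to-tier flows the applications need.
ALLOWED_TIER_FLOWS = {
    ("user", "web"), ("web", "app"), ("app", "db"),
    ("admin", "web"), ("admin", "app"), ("admin", "db"),
}

def flat_policy(src, dst):
    """Flat network: any workload may connect to any other."""
    return src != dst

def segmented_policy(src, dst):
    """Allow a flow only if its tier pair is explicitly permitted."""
    return src != dst and (WORKLOADS[src], WORKLOADS[dst]) in ALLOWED_TIER_FLOWS

def attack_paths(policy, start):
    """Breadth-first search over permitted flows from a compromised workload.
    Returns {reachable workload: shortest path from start}."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in WORKLOADS:
            if nxt not in paths and policy(node, nxt):
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    del paths[start]
    return paths

def blast_radius(policy, start):
    """Return (reachable workload count, hops needed to reach each crown jewel)."""
    paths = attack_paths(policy, start)
    hops = {t: len(paths[t]) - 1 for t in CROWN_JEWELS if t in paths}
    return len(paths), hops

if __name__ == "__main__":
    for name, policy in (("flat", flat_policy), ("segmented", segmented_policy)):
        reach, hops = blast_radius(policy, "laptop-17")
        print(f"{name:10} reachable={reach} hops_to_crown_jewels={hops}")
```

Each extra hop in the segmented result is a flow that has to cross a policy boundary, which is where the friction and earlier exposure described above come from.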
What this means for business leaders
Perfection in cybersecurity has never been realistic. Breaches are inevitable, and that reality demands a shift in mindset. True proactivity means measuring success by how fast an organisation detects, contains, and recovers, not by the number of attacks prevented.
Business leaders must now treat containment as a strategic resilience investment, not a technical exercise. This means reviewing network segmentation strategies to identify critical assets that need additional isolation, evaluating whether security tools provide sufficient context for rapid decision-making, and shifting security metrics from prevention rates to detection and containment speed.
Organisations that adapt to this reality will experience fewer disruptions, faster recovery, and stronger trust with customers and partners.






