We’re too slow at detecting cyberattacks – that’s why it’s costing millions
Pick a random organisation’s cybersecurity strategy out of a hat, and chances are it includes the word ‘proactive.’ Most businesses genuinely believe they are proactively addressing cyber risk and anticipating threats.
Yet nearly all leaders have reported challenges in responding to security incidents over the past 12 months, usually due to a combination of technology limitations and issues with processes and resources. As a result, strategies are rarely as proactive in practice as they are on paper.
The disconnect lies in how we define “proactive.” Too often, it’s equated with preventing every single attack. But that’s not realistic, and it’s not how we approach risk in other areas. We don’t expect the police to prevent every crime. So why do we expect cybersecurity teams to stop every breach?
All security is reactive: the difference is when you react
The reality is that all security is reactive to some extent. The problem is many businesses only react after the damage is done, which is too late and costly. In the case of Jaguar Land Rover, the cost is an eyewatering £1.9 billion.
On top of this, security teams often fall into the trap of focusing solely on the perimeter. We tend to think in binary terms about whether an attacker got in or not, but we often fail to account for what happens afterwards.
At the perimeter, there’s a finite and manageable space where you can stop an attacker. Once they’re inside your environment, it becomes much more challenging to contain them.
When attackers breach the perimeter, they often move laterally across systems, escalating access and causing widespread disruption. The recent attacks on Jaguar Land Rover and several retail companies followed this pattern. Attackers compromised networks, targeted systems critical to services and operations, and exfiltrated sensitive information.
According to the 2025 Global Cloud Detection and Response Report, nearly 90% of organisations experienced a cybersecurity incident involving lateral movement in the past year. That’s a serious issue that businesses are consistently failing to address.
And financial losses from downtime are often just the tip of the iceberg. Cyberattacks also carry hidden costs, such as reputational damage, employee uncertainty, supplier disruption, and erosion of customer trust. These impacts far outweigh the immediate loss of any data.
To strengthen resilience, we need to let go of the idea of total prevention and instead focus on proactive containment, limiting the impact of cyber threats on the business. This will directly combat the way attackers compromise networks.
It’s too easy for attackers right now
The wave of serious breaches in the news gives the impression attacks are becoming more sophisticated. However, that’s not entirely true.
While there are more advanced attacks out there, most groups are happy to rinse and repeat the same tactics, techniques, and procedures (TTPs) because they keep working.
Attackers exploit misconfigurations, missing patches, excessive permissions, and a lack of vulnerability management. They’ve been using the same playbook for over ten years, and it’s still delivering results.
Most attacks exploit common, default-on protocols such as Remote Desktop Protocol (RDP) and Server Message Block (SMB). That’s an easy win for any attacker.
A containment strategy forces attackers to slow down, making it harder for them to remain hidden and move between systems. More importantly, it forces them to change their techniques and procedures (and they hate doing that), giving businesses a much better chance of detecting, responding to, and recovering from attacks.
Containment doesn’t replace prevention: it strengthens it
You might wonder if focusing on containment makes your prevention work meaningless. It doesn’t. Containment complements prevention.
Firewalls stop known threats, detection tools catch suspicious activity, and backups enable recovery. Containment, however, ensures that any successful intrusion remains localised. This dramatically reduces what an attacker can do.
At the heart of containment is microsegmentation, which breaks the network into smaller zones. With strict identity and access controls in each zone, it restricts lateral movement – addressing one of security teams’ greatest struggles. Zero Trust principles underpin this approach by verifying every user and device, regardless of location, before granting permission to communicate.
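To make the microsegmentation idea concrete, here is an added example (not code from the article or any product it mentions) of a toy zone policy with identity-aware allow rules and a default deny, evaluated against a handful of constructed flow-log lines. The zones, address ranges, rules, users, groups and the log format are all assumptions made up for the illustration; the point is that a workstation-to-workstation SMB flow or a workstation-sourced RDP session, the default-on protocols mentioned above, never matches a rule and is denied, while an admin's RDP session from the jump host is allowed.

```python
"""Added example (not from the article): a toy microsegmentation policy check.

Zones, allow rules, identities and the flow log lines are all constructed
for illustration; they are not real network data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones the network is segmented into (constructed address ranges).
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "app": ip_network("10.20.0.0/24"),
    "db": ip_network("10.30.0.0/24"),
    "jump": ip_network("10.40.0.0/28"),
}

# Allow rules: (source zone, destination zone, port, required group or None).
# Anything not listed here is denied: that default deny is what limits
# lateral movement between zones.
ALLOW_RULES = [
    ("workstations", "app", 443, None),     # users reach the web tier
    ("app", "db", 5432, "svc-app"),         # only the app service identity reaches the DB
    ("jump", "app", 3389, "admins"),        # RDP only from the jump host, only for admins
    ("jump", "db", 22, "admins"),           # SSH likewise
]

# Default-on protocols the article calls out; counted separately when denied.
LATERAL_PORTS = {445: "SMB", 3389: "RDP"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    user: str
    groups: frozenset


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' flow record (constructed log format)."""
    fields = dict(item.split("=", 1) for item in line.split())
    groups = frozenset(g for g in fields.get("groups", "").split(",") if g)
    return Flow(fields["src"], fields["dst"], int(fields["port"]), fields["user"], groups)


def zone_of(ip: str):
    """Name of the zone containing ip, or None if it is outside every zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> tuple:
    """Return ('allow' | 'deny', reason) for one flow under the zone policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "source or destination outside any known zone"
    missing_groups = []
    for s, d, port, group in ALLOW_RULES:
        if (s, d, port) != (src_zone, dst_zone, flow.port):
            continue
        if group is None or group in flow.groups:
            return "allow", f"rule {s}->{d}:{port}"
        missing_groups.append(group)
    if missing_groups:
        return "deny", f"{flow.user} is not in required group {missing_groups[0]}"
    proto = LATERAL_PORTS.get(flow.port, str(flow.port))
    return "deny", f"no rule for {src_zone}->{dst_zone} on {proto} (default deny)"


def audit(lines):
    """Evaluate every flow line; returns [(line, verdict, reason), ...]."""
    return [(line, *evaluate(parse_flow(line))) for line in lines]


def denied_lateral_attempts(results):
    """Count denied flows on the default-on lateral-movement ports."""
    return sum(
        1 for line, verdict, _ in results
        if verdict == "deny" and parse_flow(line).port in LATERAL_PORTS
    )


# Constructed sample flow log.
SAMPLE_LOG = [
    "src=10.10.4.7 dst=10.20.0.5 port=443 user=alice groups=staff",
    "src=10.10.4.7 dst=10.10.9.2 port=445 user=alice groups=staff",
    "src=10.10.4.7 dst=10.20.0.5 port=3389 user=alice groups=staff",
    "src=10.40.0.3 dst=10.20.0.5 port=3389 user=bob groups=staff,admins",
    "src=10.20.0.5 dst=10.30.0.9 port=5432 user=svc-app-runner groups=svc-app",
    "src=10.20.0.5 dst=10.30.0.9 port=5432 user=alice groups=staff",
    "src=192.168.1.1 dst=10.30.0.9 port=22 user=bob groups=admins",
]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5} {reason:55} {line}")
```

Running the file prints one verdict per flow. Two design choices carry the article's point: the policy is default deny, so a flow only passes when a rule names the zone pair and port, and the rule can also demand a group on the calling identity, which is the Zero Trust "verify who, not just where" part. Denied flows on SMB or RDP between zones are exactly the records a detection team would want surfaced, because under this policy they should not be happening at all.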
Containment can be proactive and reactive, and organisations require both. Proactive containment establishes a strong foundation, removing unnecessary access risk up front. Reactive containment ensures that, when an intrusion does succeed, its reach can be limited even further and quickly. However, reactive containment, like any response action, depends heavily on the speed and accuracy of an organisation's detection capabilities. And this is where organisations struggle.
The core issue often comes down to alert fatigue and missing context. Security teams are constantly bombarded with signals, many of which lack the clarity needed to distinguish real threats from background noise. It’s like searching for a needle in a haystack without knowing what the needle looks like. Even highly capable teams can find it difficult to respond quickly when overwhelmed by ambiguity and volume.
How security teams find out what the needle looks like
Security teams need to see the connections between systems, identities, and data flows so they have the context to prioritise security alerts effectively and detect threats faster. This is where AI security graphs come in.
A security graph provides a comprehensive view of the network environment by highlighting the relationship between clouds, users, devices, applications and data. This reveals how environments truly operate and how different workloads communicate in real-time.
AI adds the missing context. It helps teams understand why events happen, trace attacker behaviour, and focus on genuine risks — not just noise.
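As an added illustration of the "context" a security graph supplies (not code from the article or from any product), here is a toy graph of identities, devices, applications and data with directed "can reach or act on" edges. Each alert is re-scored by the sensitivity of everything reachable from the node it fired on, so a loud alert on a dead-end wiki drops below a quieter alert on a laptop that can reach the admin jump host and, through it, the customer database. All nodes, edges, sensitivity weights, alerts and the scoring formula are constructed assumptions; the ranking here is a plain graph heuristic, not the AI-driven analysis the article describes.

```python
"""Added example (not from the article): ranking alerts with a toy security
graph. Nodes, edges, sensitivities and alerts are constructed for illustration.
"""
from collections import defaultdict, deque

# Node -> (kind, sensitivity weight). Higher weight = more damage if reached.
NODES = {
    "alice": ("identity", 1),
    "alice-laptop": ("device", 1),
    "bob": ("identity", 3),        # holds admin rights
    "bob-laptop": ("device", 1),
    "jump-01": ("device", 3),
    "app-01": ("application", 3),
    "wiki": ("application", 1),
    "db-01": ("data", 5),          # the record store worth protecting
}

# Directed edges: "a can reach or act on b" (permitted flows, logins, access grants).
EDGES = [
    ("alice", "alice-laptop"), ("alice-laptop", "wiki"), ("alice-laptop", "app-01"),
    ("bob", "bob-laptop"), ("bob", "jump-01"), ("bob-laptop", "jump-01"),
    ("jump-01", "app-01"), ("jump-01", "db-01"), ("app-01", "db-01"),
]


def build_graph(edges):
    """Adjacency list from the edge pairs."""
    graph = defaultdict(list)
    for a, b in edges:
        graph[a].append(b)
    return graph


def reachable(graph, start):
    """Breadth-first set of nodes an intruder at `start` could move on to."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(graph, start):
    """Sum of sensitivity over everything reachable from the alerted node."""
    return sum(NODES[n][1] for n in reachable(graph, start))


def prioritise(alerts, graph):
    """alerts: [(id, node, base_severity)] -> [(id, score, data_nodes_reached)],
    highest score first. Score = tool severity + blast radius (toy formula)."""
    scored = []
    for alert_id, node, severity in alerts:
        reach = reachable(graph, node)
        data = sorted(n for n in reach if NODES[n][0] == "data")
        scored.append((alert_id, severity + blast_radius(graph, node), data))
    return sorted(scored, key=lambda s: s[1], reverse=True)


# Constructed alerts: (id, node the signal fired on, severity as the tool reported it).
ALERTS = [
    ("A1", "wiki", 4),          # loudest alert, but on a dead-end node
    ("A2", "alice-laptop", 2),
    ("A3", "bob-laptop", 2),    # low raw severity, but one hop from the admin jump host
    ("A4", "jump-01", 1),
]

if __name__ == "__main__":
    for alert_id, score, data in prioritise(ALERTS, build_graph(EDGES)):
        print(alert_id, score, data)
```

Sorted by the tool's own severity, A1 on the wiki would be worked first; with reachability folded in, A3 comes first because the compromised laptop leads to the jump host and from there to the database, while A1 cannot reach anything. That reordering is the "what does the needle look like" context: the same alert volume, but with the paths that matter made visible.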
This is what proactive containment looks like: using AI to anticipate attacker moves, and segmentation to stop them before they can cause damage.
The pressure to prevent every breach has created unrealistic expectations. But no other profession demands perfection, and cybersecurity shouldn’t.
By focusing on containing attacks and reducing the blast radius, we set a far more achievable goal for defenders, while also providing a more effective way to protect the business during a cyber incident.