Cyber Resilience

Global Cloud Detection and Response Report: Q&A on the Human Side of Cloud Security Gaps

Security metrics usually come in percentages, dollar signs, and incident counts.

But behind every statistic in the new 2025 Global Cloud Detection and Response Report is a person — an analyst staring down a wall of alerts, a CISO trying to explain risk to the board, or a SOC team that doesn’t want to miss the breach.

We sat down with Raghu Nandakumara, vice president, industry strategy at Illumio, for a conversation on the human side of the new report’s findings. We wanted to unpack not just the numbers but the lived experience behind them and what it’ll take to change the story for security teams.

Q: We often hear that the cybersecurity industry has solved the visibility problem. So why are organizations still getting breached?

Visibility doesn’t mean understanding.

For years, we’ve heard that organizations don’t have visibility into their hybrid environments. But the data in this report actually says otherwise: 80% of organizations monitor hybrid communications and 77% monitor east–west traffic. That’s progress.

The problem is that almost 40% of that traffic lacks enough context to be useful. Security teams don’t have the information behind that visibility to prioritize or address risk.

It’s also related to compliance. Nearly all regulatory requirements require organizations to have visibility into their network communications. But they don’t require the ability to understand what that visibility actually means.

That’s why so many teams think they’ve ticked the visibility box but still can’t respond effectively. Context is what makes data useful. Without it, you’re just getting noise, not insight.

Q: How does that lack of context impact security team morale?

It can be frustrating. Teams invest in tools and yet still can’t answer the most basic question: is this connection necessary or not?

You’re overwhelmed by alerts and then frustrated that you can’t connect the dots. It feels like chasing shadows.

And when you’re always reacting instead of understanding, it’s easy to feel like you’re failing, even when you’re working hard.

So yes, alert fatigue is real, but what’s even more corrosive is the sense that you’re not actually solving the problem. That’s what I see driving a lot of the burnout and attrition in security teams.

Q: Lateral movement was a major topic in the study — nearly 90% of organizations experienced it, but only half spotted it in real time. Why does that gap exist?

If you don’t know what “good” looks like in your environment, you’ll never reliably spot “bad.” Knowing your network’s baseline is a fundamental challenge — one that’s continuing to let lateral movement proliferate.

On the perimeter, security policies are simple. You allow only what you want, so you can easily block the rest.

But inside the network, it’s more complicated. You don’t always have a baseline of what connections are required versus not required. Without that, even the best context won’t save you.

This causes many analysts to waste time going down rabbit holes. They see a connection, don’t know if it’s normal, investigate for hours, and eventually realize it was legitimate.

Meanwhile, the real attacker might be slipping through somewhere else.

Q: The report says only 28% of organizations can auto-quarantine attacks. What does that mean for detection and response?

Manual response simply doesn’t keep up with attacker speed in today’s threat landscape. Lateral movement happens in minutes, not hours, and it’s accelerated by the rise of AI-generated attacks.

Modern detection and response must be automated. And I want to be clear that automation, especially using AI, doesn’t mean replacing people or dismantling teams. It should relieve them of workloads that are impossible with the complexity of today’s networks.

Automation should do the heavy lifting: filtering alert noise, surfacing high-risk alerts, and even suggesting next steps. That lets humans focus on what only humans can do — making judgment calls, thinking strategically, and connecting the bigger picture.

The challenge right now is adoption, not capability. Too many organizations still rely on manual processes because they don’t trust automation, or they don’t know how to balance it with human oversight.

When you strike the right balance, you protect both the organization and your teams.

Q: The report shows security teams face over 2,000 alerts a day on average. What does that feel like for the people managing those alerts?

Every day, many analysts are buried under alerts. Rules filter out some of the noise, and some alerts are false positives. But it’s one of those jobs where you always feel an underlying stress because you’re wondering if you missed the alert that matters.

You’re constantly second-guessing: what if the one I dismissed was the real breach? That mindset can keep you in a constant state of anxiety.

The result is burnout and mistakes. And in cybersecurity, mistakes can translate into downtime, reputational damage, financial losses, or regulatory scrutiny. The human toll is inseparable from the business toll.

Q: You mentioned AI. How can it change the day-to-day life of a SOC analyst?

In our survey, 34% of security leaders said AI will be a top priority for them in 2026. I think it should be, too. AI is massively powerful when it’s applied to the right problems.

First, it can help fill the context gap by telling you not just what a connection is but why it exists. For example, it can tell you that your payments gateway talks to your clearing system.

That’s a baseline communication in your network, and that data alone can be transformative for teams.

Second, AI can identify deviations from that baseline and distinguish between “normal but unusual” traffic, like a routine spike in traffic at the end of the month, and truly suspicious behavior.

Third, it can help you prioritize alerts and recommend actions. Instead of dumping thousands of alerts on analysts, AI can say: “Here are the three things you should look at today, here’s why, and here’s what you can do about them.”

That’s how you reduce fatigue and bring teams confidence. They can leave their shift knowing they focused on the right things, instead of worrying all night that they missed something.
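The two ideas above, a baseline of which east-west connections are expected (and why) and a check that flags deviations while recognising a routine month-end spike, as a small added example that is not Illumio code and not from the report. The baseline entries, service names, ports, counts and the day of flow records are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical baseline of expected east-west connections: the context ("why")
# the interview says raw visibility lacks, a typical daily flow count, and
# whether a volume spike is routine at month end.
BASELINE = {
    ("payments-gw", "clearing", 8443): ("payments gateway settles via clearing system", 400, False),
    ("web", "api", 443): ("front end calls the API tier", 9000, False),
    ("api", "orders-db", 5432): ("API tier reads and writes orders", 3000, False),
    ("batch", "orders-db", 5432): ("nightly reconciliation job", 50, True),
}

@dataclass(frozen=True)
class Finding:
    edge: tuple       # (src, dst, port)
    count: int
    severity: str     # "high" > "medium" > "info"
    reason: str

def is_month_end(day: date, window: int = 2) -> bool:
    """True on the last `window` days of the month."""
    return (day + timedelta(days=window)).month != day.month

def triage(flows, day: date, spike_factor: int = 5) -> list:
    """Rank one day's (src, dst, port) flow records against the baseline, worst first."""
    findings = []
    for edge, n in Counter(flows).items():
        if edge not in BASELINE:  # never justified: treat as possible lateral movement
            findings.append(Finding(edge, n, "high", "not in baseline; no known reason for this connection"))
        else:
            why, typical, spike_ok = BASELINE[edge]
            if n <= spike_factor * typical:
                continue  # known connection at expected volume: no alert at all
            sev, what = ("info", "routine month-end spike") if spike_ok and is_month_end(day) else ("medium", f"{n} flows vs typical {typical}")
            findings.append(Finding(edge, n, sev, f"{what} ({why})"))
    rank = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], -f.count))

# Constructed day of flows: normal traffic, a month-end batch spike, and one
# connection the baseline has never explained (a web host reaching the database).
SAMPLE_DAY = date(2025, 1, 31)
SAMPLE_FLOWS = (
    [("web", "api", 443)] * 8500
    + [("api", "orders-db", 5432)] * 2800
    + [("payments-gw", "clearing", 8443)] * 390
    + [("batch", "orders-db", 5432)] * 600  # 12x typical, but it is month end
    + [("web", "orders-db", 5432)] * 3       # never justified in the baseline
)
```

`triage(SAMPLE_FLOWS, SAMPLE_DAY)[:3]` is the "three things to look at today": the unexplained web-to-database connection ranks above the expected month-end spike, and the same spike mid-month comes back as a medium finding instead.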

Q: We often hear, “Breaches are inevitable. Disasters are optional.” How does that apply here?

Perfection is impossible. You can patch everything, follow every best practice, and still be undone by a zero-day attack. That’s just reality.

But breach containment is always achievable. Containment says that, yes, it’s likely you’ll be breached, but you can keep it from spreading into a disaster.

This helps security teams reframe the job from “stop every attack” — which in today’s threat landscape is nearly impossible — to “make sure we can contain the inevitable.”

Q: What can security leaders do differently today to support their teams?

Start by asking this question: do we understand the story our data is telling us?

If the answer is no, then you’re working in the dark. You need context.

The best way to get context is to connect the dots. That’s why there’s so much excitement about security graphs. They let you take data from endpoints, identities, applications, databases — all the layers — and see them in one picture.

That gives leaders clarity, but more importantly, your team has confidence that they can focus on what matters, act decisively under pressure, and protect the business without burning out.

Illumio Insights: AI-powered cloud detection and response

The findings from The 2025 Global Cloud Detection and Response Report highlight how alert fatigue, lack of context, and manual processes put both organizations and their teams at risk.

Without a clear understanding of what’s happening in their environments, security teams are left struggling to understand, prioritize, and respond to threats.

Illumio Insights is purpose-built to address these challenges.

Using an AI security graph, Insights provides the context behind network activity. You can finally understand not just what’s happening in your network but why.

Insights establishes network baselines, highlights deviations from the norm, and surfaces the alerts that matter most. This helps reduce alert noise while increasing security confidence. And with built-in one-click breach containment, you can automatically stop lateral movement before it becomes a costly disaster.

With Insights, you'll gain the clarity and control you need to stay resilient. It transforms visibility into actionable understanding, supports automation without losing human judgment, and ultimately empowers teams to protect the business while reducing stress and burnout.

Download your free copy of The 2025 Global Cloud Detection and Response Report today.
