Seeing an Attack Is No Longer the Same as Stopping One

By Erik Linask

Cybersecurity teams have spent years improving detection.  They have deployed better tooling, expanded telemetry, invested in analytics, and built workflows designed to surface suspicious behavior earlier in the attack cycle.  It’s logical that earlier detection should lead to better response, and it stands to reason that those advances should make organizations harder to compromise.

That may not be reality, though.  While companies may see attacks forming, many still cannot stop them quickly enough to prevent escalation.

That is the key takeaway from a study of 700 IT and cybersecurity decision-makers across seven countries, which found that 95% of organizations say they are confident they can detect unauthorized lateral movement before it reaches critical assets.  Here’s the rub:  46% also admit they struggle to stop that movement once it begins.  The report was commissioned by Illumio and conducted by CyberEdge Group.

That gap matters because lateral movement is where an intrusion often turns into a breach with significant business consequences.  Once attackers gain an initial foothold, their ability to move across environments, escalate privileges, and reach higher-value systems often determines whether the incident remains contained or becomes disruptive.  Based on the report, the issue is that high visibility and strong detection confidence do not necessarily translate into resilience if organizations cannot isolate compromised systems quickly.

What it means is the industry needs to shift from asking, “Can you detect the attacker?” to “How fast can you contain them after detection?”  That is, of course, a harder standard to achieve, especially in today’s hybrid and multi-cloud environments.

Detection confidence is high, but containment remains uneven

What’s interesting is that the report doesn’t describe an industry that is unaware.  Respondents express strong confidence in many areas.  Visibility into the communication paths that threat actors might use for lateral movement scored an average of just over 4 out of 5 overall, with stronger scores in traditional data center environments than across cloud boundaries.  Visibility drops slightly across cloud environments, reinforcing the idea that hybrid infrastructure remains more susceptible to attack.

But businesses appear to be on the right path, as many organizations continue to discover previously unknown communication paths frequently, though others do so far less often.  While 63% find new paths weekly or more often, 37% identify them only once a month or less.  The latter group is concerning because it leaves longer windows during which access by threat actors may go undiscovered, unmanaged, or poorly understood.

That lack of continuous clarity becomes more consequential when an intrusion is active.  According to the study, only 17% of organizations can isolate compromised workloads in near real time, and 33% can do so within minutes.  On the other hand, 40% still take hours, and 11% need days or longer.  Those are not just minor delays – they are significant exposure windows during which an attacker can continue to move, establish persistence, and deepen operational impact.

From an industry perspective, it points to the notion that detection is table stakes, while containment is a more meaningful test of resilience and a differentiator.  A security team may have strong alerting and still lose the race if it cannot translate detection into rapid isolation.

To reinforce that point, the study uses Salt Typhoon, the China-linked espionage campaign that targeted telecommunications networks, as an example.  The lesson is that attackers do not always need spectacular malware or exotic exploits to create strategic damage.  Lateral movement, credential abuse, and persistence inside trusted infrastructure can be more than enough to cause large-scale disruption, particularly when defenders rely too heavily on detection without restricting internal movement paths by default.

AI changes the threat mix, but basic weaknesses still dominate

Not surprisingly, the report notes that AI-driven attacks are now a mainstream concern.  When asked which threats worry them most, respondents put data and intellectual property theft first (57%), targeted attacks designed to disrupt services second (56%), and AI-based threats, including deepfake impersonation, third (55%), followed closely by ransomware and extortion (53%).

That ranking says something important about how organizations now view the threat landscape.  AI is not a future issue, but a threat just as significant as other familiar and damaging attack categories.  At the same time, the report shows that respondents still see their biggest sources of cyber exposure in more basic weaknesses:

  • IT vulnerabilities – 66%
  • Employee error or misconduct – 50%
  • Lack of IT/OT integration – 50%
  • Credential theft and privilege escalation – 45%

Shadow AI comes in at a mere 19%.

So, while AI may be accelerating attack complexity, most organizations believe the real damage still begins with traditional problems, like unpatched systems, weak internal controls, fragmented environments, and human error.  In other words, emerging threats may be reshaping the attack surface, but security and system design fundamentals still determine how much damage an attacker can cause.

This is where microsegmentation comes into play.  Organizations cite faster detection and response, stronger breach containment, and improved visibility as the main benefits of segmentation.  Yet the execution story is more mixed:  Although 93% report using at least one segmentation approach, 68% still rely on network-based firewalls, while 62% have adopted software-based modern microsegmentation.

The theory is that hardware-centric models often create inconsistent islands of control, with gaps and uneven protection, rather than the granular, workload-level containment needed to stop modern lateral movement.

The operational reality is that modern infrastructures are simply harder to secure with perimeter-era assumptions.  Containment today depends less on one-time zoning decisions and more on continuously enforced, context-aware isolation that can follow workloads across environments.
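As an added illustration (not code from the article, the report, or any vendor), the small Python model below contrasts a default-deny policy keyed on workload labels with an address-based firewall rule: the label policy keeps enforcing when a workload migrates and gets a new address, and isolating a compromised workload is a single flag flip. The workload names, addresses, ports and labels are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    ip: str
    env: str                    # "datacenter" or "cloud"
    labels: frozenset           # role labels the policy keys on, e.g. "role:web"
    quarantined: bool = False   # flipped when the workload is isolated

@dataclass(frozen=True)
class Rule:
    src_label: str
    dst_label: str
    port: int

class LabelPolicy:
    """Default-deny allowlist keyed on workload labels rather than addresses.
    Quarantine overrides every rule, so isolating a workload is one flag flip."""
    def __init__(self, rules):
        self.rules = set(rules)

    def allows(self, src, dst, port):
        if src.quarantined or dst.quarantined:
            return False
        return any(r.src_label in src.labels and r.dst_label in dst.labels
                   and r.port == port for r in self.rules)

def ip_acl_allows(acl, src, dst, port):
    """Address-based firewall rule: matches only the (src_ip, dst_ip, port)
    tuples it was written for, so it does not follow a workload that moves."""
    return (src.ip, dst.ip, port) in acl

def run_scenario():
    # Constructed sample workloads, addresses and labels (not from the report).
    web = Workload("web01", "10.0.1.10", "datacenter", frozenset({"role:web"}))
    app = Workload("app01", "10.0.2.20", "datacenter", frozenset({"role:app"}))
    db = Workload("db01", "10.0.3.30", "datacenter", frozenset({"role:db"}))
    policy = LabelPolicy([Rule("role:web", "role:app", 8443),
                          Rule("role:app", "role:db", 5432)])
    acl = {(web.ip, app.ip, 8443), (app.ip, db.ip, 5432)}   # same intent, IP-keyed
    out = {"web_to_app": policy.allows(web, app, 8443),     # legitimate path
           "web_to_db_lateral": policy.allows(web, db, 5432)}  # not allowlisted
    web.quarantined = True                                   # isolate compromised web tier
    out["web_to_app_after_quarantine"] = policy.allows(web, app, 8443)
    app.ip, app.env = "172.16.5.7", "cloud"                  # app tier migrates to cloud
    out["app_to_db_label_after_move"] = policy.allows(app, db, 5432)
    out["app_to_db_acl_after_move"] = ip_acl_allows(acl, app, db, 5432)
    return out
```

The last two results are the point: the label policy still permits the legitimate app-to-database path after the move, while the address-keyed rule silently stops matching, which is the kind of gap that pushes operators toward broad, permissive rules.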

That’s not to say that detection investments are misplaced, but that detection alone no longer defines cyber readiness.  Organizations have become better at seeing threats, but many still are not operationally capable of containing them at machine speed.  Until that changes, security leaders may keep discovering the same uncomfortable truth:  The attack was visible, but the damage kept spreading anyway.

For MSPs, the message is this:  Customers do not just need better threat alerts; they need partners who can help them limit the blast radius when something gets through – and we know it will, considering 97% of organizations say they were affected by at least one cyber risk in the past year.  That creates an opportunity for MSPs to move beyond a detection-first conversation and position themselves around practical resilience that includes improving segmentation, reducing visibility gaps across hybrid environments, accelerating containment, and helping clients build security architectures that are easier to control under pressure.  In a market where many organizations still take too long to isolate compromised systems, the MSPs that stand out will be the ones that can show not only how they spot threats, but how they help stop those threats from becoming major business disruptors.

Edited by Erik Linask

Group Editorial Director