SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Raghu Nandakumara, Illumio

Big firms detect cyberattacks but fail to contain them

Thu, 12th Mar 2026

A global survey of IT and security leaders found that most large organisations are confident they can detect cyberattacks, but far fewer can contain incidents quickly enough to limit damage. Cloud environments and hidden network pathways add to the challenge.

The research, conducted by CyberEdge Group and commissioned by Illumio, polled 700 IT and security decision-makers across seven countries: the United States, the United Kingdom, Germany, France, Japan, Australia and Brazil. All organisations surveyed employed at least 1,000 people, with many employing more than 10,000.

Across the sample, 95% of respondents said they can detect unauthorised lateral movement, the technique in which an attacker moves through systems after an initial compromise. Yet 46% said they struggle to stop it once it begins.

Containment speed

Delays in isolating compromised systems emerged as a key weakness. Only 17% of organisations said they can isolate a compromised workload in near real time. More than half (51%) reported that isolation takes hours, days, or even weeks.

Slow containment gives attackers more time to spread inside a network, access additional systems, and reach sensitive data. The findings suggest detection tools and processes have matured faster than the operational steps needed to restrict an attacker's movement.

"Containment delayed is containment lost," said Steve Piper, founder and CEO of CyberEdge Group. "Only a small minority of organisations can isolate compromised workloads in near real time, while more than half are operating on a scale of hours or days. That delay creates a critical window where attackers can move laterally, escalate privileges, and significantly increase the impact of a breach."

Visibility gaps

Many organisations also discover unknown communication paths infrequently. Some 68% of respondents said they uncover previously unknown paths weekly or less often. These pathways can become routes an attacker could exploit to traverse environments.

Respondents pointed to cloud-to-data centre and multi-cloud connections as the weakest areas for visibility. Hybrid infrastructure creates more dynamic links between services and workloads, complicating efforts to maintain a consistent view of which systems can communicate.

Limited visibility makes it harder to confirm whether suspicious activity is an intrusion, a misconfiguration, or legitimate behaviour. It can also slow response, as teams may not know what a system can reach until an incident forces urgent investigation.

Threat priorities

AI-driven attacks have moved up the threat agenda. AI-enabled tactics, including deepfake impersonation, ranked among the top three threats, cited by 55% of respondents. Data and intellectual property theft was the top concern (57%), followed by targeted attacks designed to disrupt critical services (56%).

Ransomware and extortion ranked fourth, cited by 53% of respondents, suggesting concern spans both financially motivated crime and attacks aimed at disrupting operations and services.

Despite the focus on AI-enabled tactics, respondents placed greater weight on weaknesses in established security fundamentals when asked about sources of cyber risk. IT vulnerabilities ranked highest (66%). Employee error or misconduct and lack of integration between IT and operational technology environments both stood at 50%.

Only 19% cited unapproved or unmanaged use of large language models as a major risk. That suggests organisations still view traditional vulnerabilities and process gaps as more immediate exposure points than direct misuse of generative AI tools inside the business.

Microsegmentation

The survey explored the role of microsegmentation, a security approach that restricts traffic between systems and applications. Respondents linked it to faster detection and response, stronger breach containment, and greater visibility.

Half cited faster detection and response as a benefit. Another 47% pointed to stronger breach containment, while 46% cited greater visibility.

Execution, however, appears uneven. The research found that 68% of organisations use network-based firewalls or appliances for segmentation. That approach can be harder to apply consistently across hybrid environments, where workloads move between on-premises infrastructure and multiple cloud providers.

Respondents also cited practical barriers to deployment and expansion: cost (41%), limited visibility into network and application dependencies (39%), and integration challenges (38%).
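The two operational problems the survey highlights, surfacing previously unknown communication paths and enforcing a segmentation policy that holds when workloads move between data centre and cloud, can be illustrated with a small allowlist check over flow records. The script below is an added example written for this article; it is not code from the survey, CyberEdge Group or Illumio. The inventory, declared dependencies, policy rules and flow log are all constructed, and the names INVENTORY, DECLARED_DEPENDENCIES, POLICY, FLOW_LOG and analyse are hypothetical.

```python
"""
Constructed example: compare observed workload-to-workload flows against the
dependencies an application team declared, to surface unknown communication
paths, then evaluate each flow against a label-based microsegmentation
allowlist. Labels, not IP addresses, drive the policy, so a rule keeps working
when a workload is re-homed from on-premises to a cloud provider.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Workload inventory keyed by IP (constructed). Each workload carries labels.
INVENTORY: Dict[str, Dict[str, str]] = {
    "10.0.1.10":   {"app": "web",  "env": "prod", "loc": "dc"},
    "10.0.2.20":   {"app": "api",  "env": "prod", "loc": "dc"},
    "172.16.5.5":  {"app": "db",   "env": "prod", "loc": "cloud-a"},
    "192.168.9.9": {"app": "jump", "env": "prod", "loc": "cloud-b"},
    "10.0.3.30":   {"app": "web",  "env": "dev",  "loc": "dc"},
}

# Dependencies the application owners documented: (src_app, dst_app, dst_port).
DECLARED_DEPENDENCIES: Set[Tuple[str, str, int]] = {
    ("web", "api", 8443),
    ("api", "db", 5432),
}


@dataclass(frozen=True)
class Rule:
    """One allowlist rule: label constraints on source and destination, plus port."""
    src: FrozenSet[Tuple[str, str]]
    dst: FrozenSet[Tuple[str, str]]
    port: int


# Microsegmentation policy in allowlist form: anything not matched is denied.
POLICY: List[Rule] = [
    Rule(frozenset({("app", "web"), ("env", "prod")}),
         frozenset({("app", "api"), ("env", "prod")}), 8443),
    Rule(frozenset({("app", "api"), ("env", "prod")}),
         frozenset({("app", "db"), ("env", "prod")}), 5432),
]

# Constructed flow records: "src_ip dst_ip dst_port proto", one per line.
FLOW_LOG = """\
10.0.1.10 10.0.2.20 8443 tcp
10.0.2.20 172.16.5.5 5432 tcp
192.168.9.9 172.16.5.5 5432 tcp
10.0.3.30 10.0.2.20 8443 tcp
10.0.1.10 172.16.5.5 5432 tcp
"""


def parse_flows(text: str) -> List[Tuple[str, str, int, str]]:
    """Parse the simple flow-log format into (src, dst, port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        flows.append((src, dst, int(port), proto))
    return flows


def labels_match(constraints: FrozenSet[Tuple[str, str]], labels: Dict[str, str]) -> bool:
    """True when every (key, value) constraint is satisfied by the workload's labels."""
    return all(labels.get(key) == value for key, value in constraints)


def is_allowed(src_labels: Dict[str, str], dst_labels: Dict[str, str], port: int) -> bool:
    """Allowlist semantics: a flow is permitted only if some rule matches it."""
    return any(
        labels_match(rule.src, src_labels)
        and labels_match(rule.dst, dst_labels)
        and rule.port == port
        for rule in POLICY
    )


def analyse(flow_text: str, quarantined: FrozenSet[str] = frozenset()):
    """
    Return (unknown_paths, blocked_flows).

    unknown_paths: (src_app, dst_app, port) triples observed in traffic but
                   absent from the declared dependency map.
    blocked_flows: (src_ip, dst_ip, port) flows the policy would deny. Any flow
                   touching a quarantined IP is denied, which is how isolating
                   a compromised workload becomes a policy change rather than
                   a round of firewall re-addressing.
    """
    observed_paths: Set[Tuple[str, str, int]] = set()
    blocked: List[Tuple[str, str, int]] = []
    for src, dst, port, _proto in parse_flows(flow_text):
        src_labels = INVENTORY.get(src, {"app": "unknown"})  # unlabelled host
        dst_labels = INVENTORY.get(dst, {"app": "unknown"})
        observed_paths.add((src_labels["app"], dst_labels["app"], port))
        if src in quarantined or dst in quarantined or not is_allowed(src_labels, dst_labels, port):
            blocked.append((src, dst, port))
    return sorted(observed_paths - DECLARED_DEPENDENCIES), blocked


if __name__ == "__main__":
    unknown, blocked = analyse(FLOW_LOG)
    print("unknown paths:", unknown)
    print("blocked flows:", blocked)
```

Two things are worth noting in the output. The dev web server talking to the production API is a declared dependency at the application level, yet the policy still denies it because the environment label does not match; that is the precision the closing quote asks for. And isolating a workload is a one-line policy operation (pass its IP in `quarantined`), which is the near-real-time containment only 17% of respondents said they could achieve.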

"Most organisations can spot an intrusion, but stopping it is a different story," said Raghu Nandakumara. "AI is making attacks harder to interpret and contain, which means even small footholds can escalate fast. Microsegmentation is one of the few controls that enhances visibility and limits how far an intruder can move, but only when it's precise, scalable, and consistently applied."

Illumio said the findings highlight a gap between confidence in detection and readiness to isolate affected systems. The report frames containment time as a practical measure of resilience during an active incident.