Limiting The Blast Radius Of Modern Cyber Attacks
The ever-evolving landscape of cyberattacks has led to a disturbing trend: the break-in is no longer the most critical aspect of an attack. Rather, it’s the lateral movement that occurs after the initial breach that causes the most damage. As attackers navigate through a network, testing connections, escalating privileges, and spreading their reach, a small vulnerability can quickly turn into a catastrophic incident. The key to mitigating this damage lies in true observability and rapid containment, which can limit the blast radius and prevent a small crack from becoming a gaping wound.
Understanding the Challenge
According to Illumio’s 2025 Global Cloud Detection and Response Report, most organizations are monitoring hybrid communications and east-west traffic, but they lack the context to make sense of the data. This is a classic case of “drowning in telemetry,” where the sheer volume of logs and flow data becomes overwhelming, making it difficult to identify potential threats. As Andrew Rubin, Illumio’s founder and CEO, aptly puts it, “We have more data and telemetry than we’ve ever had. The problem is we haven’t figured out how to use it in a highly efficient, highly effective way.”
This challenge is further exacerbated by the fact that teams are spending an inordinate amount of time chasing false positives, with thousands of alerts hitting daily. Analysts often describe this process as “alert triage roulette,” where they spin the wheel and hope to land on the one alert that actually indicates an attack in progress. This approach is not only inefficient but also exhausting, leading to missed alerts, downtime, and significant financial impact.
The Limitations of Current Detection Tools
Despite the proliferation of detection tools, including CDR, NDR, XDR, SIEM, and SOAR, the blind spots remain. The problem lies not in the volume of data but in the lack of correlation and context. Without enriched context at the point of decision, it’s impossible to distinguish between noise and actual threats. This is why the conversation needs to shift from “more detection” to “observability and containment.”
Observability means having a clear understanding of who and what is involved in an incident, where it is happening, and how critical it is, with context stitched across clouds and data centers. This context should be visualized in a way that shows likely attack paths and blast radius, enabling teams to take targeted action. Containment, on the other hand, involves acting on this context to block or quarantine threats before they become incidents.
A New Approach to Cybersecurity
Looking ahead to 2026, security leaders are prioritizing the development of AI/ML capabilities, improving cloud detection and response, and reducing time-to-respond. The rise of autonomous SOCs is also expected to play a critical role in this new approach. By leveraging AI and machine learning, teams can move from reactive to proactive, with fewer raw alerts and more context-rich insights.
Rubin emphasizes the importance of better observability and faster detection, stating, “AI is going to be a tool in the hands of both the defenders and the attackers forever. In the short term, the advantage probably goes to those who operate outside the rule of law. The one thing we can do to combat that is better observability and finding things faster than we have in the past.” By adopting this approach, organizations can turn visibility into understanding and understanding into containment, ultimately spending less time chasing false alarms and more time shutting down real attackers.
