By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: IllumioPublished October 23, 2025

TL;DR: UK security teams receive an average of 2,260 alerts per day, spend 15 hours a week investigating false positives, and take 13.6 hours to detect missed-alert incidents, according to Illumio’s analysis of the 2025 Global Cloud Detection and Response Report. The data shows that observability, not alert volume, is becoming the decisive control problem in cloud defence.


At a glance

What this is: This analysis argues that UK security teams have enough alerts but not enough context to investigate what matters, with detection delays and false positives exposing a deeper observability gap.

Why it matters: For IAM and security practitioners, the lesson is that identity, asset criticality, and traffic context must be connected or cloud detection and response will continue to miss lateral movement and high-risk activity.

By the numbers:

👉 Read Illumio’s analysis of the UK cloud context gap and detection delays


Context

UK cloud security teams are not short on telemetry. They are short on context, which makes it hard to decide which alerts matter, which assets are exposed, and whether activity represents noise or a real attack path. In practice, that gap turns detection into triage by exhaustion rather than informed investigation.

The article sits at the intersection of cloud security, observability, and identity-aware investigation. The identity angle is real because context only becomes actionable when teams can connect traffic patterns to user identity, workload identity, asset criticality, and privilege, otherwise lateral movement and misuse blend into background noise.


Key questions

Q: How should security teams reduce false positives in cloud detection workflows?

A: They should attach identity, workload, and asset-criticality context to every alert before analysts see it. That lets teams distinguish routine activity from risk faster, reduces wasted investigation time, and improves escalation quality. The goal is not more alerts, but better decisions about which alerts deserve response. A contextual triage model also reduces burnout.

Q: Why do east-west traffic patterns matter for lateral movement detection?

A: Because attackers often move sideways through normal-looking internal communication after initial access. If teams only watch north-south traffic, they can miss the internal pivot that turns a limited compromise into a broader incident. East-west visibility makes suspicious traversal detectable earlier, especially in hybrid environments where service communication is dense.

Q: What do security teams get wrong about alert enrichment?

A: They often treat enrichment as a reporting layer rather than an investigation control. Adding a few more fields does not help if analysts still cannot connect the alert to identity, privilege, and environment. Real value comes from correlating signals into an operational story that supports containment decisions.

Q: Who should own contextual observability in a cloud security programme?

A: It should be shared across cloud security, SOC, and IAM teams because the evidence spans traffic, workload identity, and access rights. If any one team owns it alone, context becomes fragmented and response slows. Shared ownership keeps detection, investigation, and privilege decisions aligned.


Technical breakdown

Why alert volume becomes a context problem

High alert counts do not automatically create better detection. When telemetry arrives without asset importance, identity, environment, or behavioural context, analysts must reconstruct the story manually, which slows triage and increases false positives. That is especially damaging in hybrid environments where east-west traffic can hide lateral movement until the attacker has already moved. Contextual observability is the missing layer between raw signals and defensible action.

Practical implication: correlate alerts with identity, workload, and asset criticality before routing them to analysts.

How lateral movement hides inside east-west traffic

East-west traffic describes workload-to-workload communication inside an environment, where attackers often pivot after initial access. Because this traffic is normal, defenders need baselines, segmentation, and path analysis to distinguish legitimate service communication from an intruder moving between systems. Without that, detection tools may see the packets but miss the attack story. In Zero Trust Architecture terms, trust must be continuously re-evaluated, not inferred from network location.

Practical implication: instrument east-west paths and isolate high-value segments so suspicious movement is visible earlier.

Why hybrid observability depends on identity context

Hybrid environments break simple detection models because the same user, workload, or service can generate activity across cloud and on-prem systems. If tools cannot correlate identities, privileges, and asset roles across those environments, investigators lose the chain that explains what an alert means. For IAM teams, that means identity data is not just access control input. It is investigative evidence that determines whether a signal is benign, risky, or containment-worthy.

Practical implication: unify identity and telemetry data so investigators can trace activity across platforms.


Threat narrative

Attacker objective: The attacker aims to move laterally, remain hidden inside routine cloud traffic, and extend dwell time before containment.

  1. Entry typically begins with initial compromise that produces a valid alert but not enough surrounding context for immediate classification.
  2. Escalation occurs when the attacker uses legitimate-looking activity or east-west movement to blend into normal traffic and avoid prioritisation.
  3. Impact follows when defenders detect the event too late, allowing lateral movement, downtime, and containment cost to increase.

NHI Mgmt Group analysis

Context gap is becoming the defining operational failure in cloud defence. Teams do not fail because they see nothing. They fail because they cannot turn logs, alerts, and traffic into a defensible story quickly enough. That shifts the control problem from collection to interpretation, which is where many programmes are still weak. Practitioners should treat context as a security control, not just an analyst convenience.

Identity is the missing link in cloud observability. Alerts become actionable only when they can be tied to user identity, workload identity, privilege, and asset value. That is where IAM, PAM, and cloud security intersect: without identity context, even strong detection tools struggle to distinguish business activity from intrusion. Practitioners should make identity data part of investigation design, not an afterthought.

Contextual observability is a better concept than alert enrichment. Enrichment adds fields. Observability adds meaning by correlating source, destination, privilege, workload role, and environment into one investigative picture. That concept matters because the industry is moving toward higher-volume, faster-moving cloud environments where static triage models do not scale. Practitioners should build for decision quality, not just more data.

Zero Trust Architecture only works when the investigation layer is equally contextual. Zero Trust assumes continuous verification, but verification becomes weak if defenders cannot determine what an alert represents in time to act. That makes the context gap a governance issue, not just a tooling issue. Practitioners should align detection, identity, and containment processes so trust decisions are continuously informed.

What this signals

Context-rich detection will become a board-level expectation, not a SOC luxury. UK teams are already signalling that higher alert volume is not translating into better response, and that pattern will spread wherever hybrid estates grow faster than investigative maturity. For programmes that depend on identity and privilege data, the next step is to make context available at decision time, not after the incident has already expanded.

Identity telemetry should be treated as investigative infrastructure. When analysts can tie traffic to user identity, workload identity, and access scope, they can separate routine noise from lateral movement more reliably. That makes identity data part of the detection stack, not just the governance stack, and it will matter more as cloud and on-prem operations continue to converge.

The practical signal for security leaders is that richer tooling alone will not close the gap if alert pipelines still lack asset criticality and identity correlation. Teams should prepare for a shift toward contextual observability models that support faster containment and stronger post-incident evidence trails.


For practitioners

  • Map alert sources to identity and asset criticality Require every high-priority alert to carry workload identity, user identity, and business criticality before it reaches an analyst queue. This reduces false positives and helps investigators decide whether the signal deserves containment, escalation, or monitoring.
  • Instrument east-west traffic for lateral movement detection Baseline normal service-to-service communication, then flag deviations in east-west traffic that indicate traversal between segments or unexpected privilege use. Prioritise the segments that contain crown-jewel systems and sensitive data.
  • Correlate hybrid telemetry into one investigative view Merge cloud, on-prem, and identity telemetry so analysts can follow the same actor or workload across environments without switching tools. The goal is a single chain of evidence, not separate alerts that each look harmless in isolation.
  • Tune containment playbooks to blast-radius reduction Use blast-radius analysis to decide what to isolate first when an alert is credible. In environments with frequent false positives, this helps teams contain likely compromise without waiting for perfect certainty.

Key takeaways

  • The core problem is not too few alerts, but too little context to decide which ones matter.
  • UK respondents report 2,260 alerts per day and 13.6 hours to detect missed-alert incidents, showing how context loss slows response.
  • Teams that connect identity, workload, and traffic context will investigate faster and contain lateral movement earlier.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0DE.CM-1Continuous monitoring is central to the article's detection and context problem.
NIST Zero Trust (SP 800-207)The article's emphasis on context and hybrid visibility aligns with Zero Trust verification.
NIST SP 800-53 Rev 5SI-4System monitoring is the control family most relevant to contextual detection and response.
MITRE ATT&CKTA0008 , Lateral Movement; TA0007 , DiscoveryThe article highlights detection of lateral movement inside east-west traffic.

Correlate alerts with asset and identity context to improve monitoring outcomes.


Key terms

  • Contextual Observability: Contextual observability is the ability to understand what a signal means by linking it to identity, asset criticality, traffic patterns, and environmental data. It goes beyond collecting telemetry and focuses on giving analysts enough evidence to decide whether something is routine, suspicious, or immediately containable.
  • East-West Traffic: East-west traffic is communication that moves between internal systems, workloads, or services inside an environment. It matters because attackers often use internal paths after initial access, and those movements can look normal unless defenders baseline expected behaviour and segment high-value assets carefully.
  • Blast Radius: Blast radius is the practical extent of damage that can occur once a system, account, or workload is compromised. In cloud and identity operations, reducing blast radius means narrowing permissions, segmentation, and trust paths so one successful intrusion cannot spread widely or expose critical assets.

What's in the full article

Illumio's full blog covers the operational detail this post intentionally leaves for the source:

  • The report-level breakdown of UK, global, and regional alert-volume comparisons that support the context-gap argument.
  • The specific respondent findings on false-positive fatigue, missed responses, and reputational impact across the UK sample.
  • The practical description of how Illumio Insights correlates alerts across hybrid environments and maps blast radius.
  • The article's fuller explanation of contextual observability and how it differs from basic alert enrichment.

👉 Illumio’s full article expands on alert volumes, hybrid visibility, and contextual observability.

Deepen your knowledge

NHI Mgmt Group’s NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle fundamentals. It is designed for practitioners who need to connect identity controls to broader security operations.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org