TL;DR: 80% of organisations monitor hybrid communications and 77% monitor east-west traffic, yet almost 40% of that traffic still lacks enough context to be useful, according to Illumio’s 2025 Global Cloud Detection and Response Report. That makes visibility a weak control unless teams can explain why connections exist, not just that they exist; the real governance issue is context, because detection without decision quality still leaves lateral movement and alert fatigue intact.
NHIMG editorial — based on content published by Illumio: Global Cloud Detection and Response Report Q&A on the human side of cloud security gaps
By the numbers:
- almost 40% of that traffic lacks enough context to be useful.
- over 2,000 alerts a day on average.
Questions worth separating out
Q: What fails when cloud visibility has no context?
A: Without context, visibility produces telemetry but not decisions.
Q: Why do hybrid environments make lateral movement harder to detect?
A: Hybrid environments create complex east-west traffic patterns, shared services, and automation flows that can look normal even when an attacker is moving laterally.
Q: How do teams know if cloud threat detection is actually working?
A: The strongest signal is whether security teams can validate an alert with evidence captured during execution, not after the fact.
Practitioner guidance
- Define connection baselines for hybrid traffic Map expected east-west flows by application, workload, and business function so analysts can tell whether a connection is necessary or suspicious before escalation begins.
- Link telemetry to identity ownership Bind service accounts, workload identities, and automation paths to accountable owners so every internal communication has a clear business and security context.
- Use containment triggers for high-risk lateral paths Predefine which internal routes justify quarantine, segmentation, or step-up review when a deviation appears, and test those triggers regularly.
What's in the full article
Illumio's full blog covers the operational detail this post intentionally leaves for the source:
- The report’s survey framing and respondent context, useful if you need to assess how representative the findings are.
- The human-factor commentary from Illumio’s interview with Raghu Nandakumara, including how teams experience alert fatigue and response friction.
- Illustrative examples of AI-assisted prioritisation and breach containment workflows that go beyond the high-level governance view.
- The vendor’s explanation of how its security graph and one-click containment are positioned to reduce noise and speed decisions.
👉 Read Illumio’s analysis of the 2025 Global Cloud Detection and Response Report →
Cloud traffic context gaps: what IAM and SOC teams need to know?
Explore further
Visibility without interpretive context is a governance failure, not a tooling win. The report’s central lesson is that collecting hybrid traffic data is no longer the hard part. The hard part is deciding what the data means for risk, ownership, and containment. That maps directly to identity programmes, where access telemetry is only useful when it can be tied to a human, workload, or service purpose. Practitioners should treat context as a control objective, not an optional enhancement.
A question worth separating out:
Q: Who is accountable when telemetry shows suspicious internal movement?
A: Accountability should sit with the teams that own the systems, service accounts, and dependencies involved, not only with the SOC. Detection teams can surface the event, but application and platform owners must define what is normal and what should be blocked. Governance works when ownership, escalation, and containment authority are explicit before an incident occurs.
👉 Read our full editorial: Cloud detection gaps persist when visibility lacks context