TL;DR: UK security teams receive an average of 2,260 alerts per day, spend 15 hours a week investigating false positives, and take 13.6 hours to detect missed-alert incidents, according to Illumio’s analysis of the 2025 Global Cloud Detection and Response Report. The data shows that observability, not alert volume, is becoming the decisive control problem in cloud defence.
NHIMG editorial — based on content published by Illumio: Mind the Context Gap, Why UK Security Teams Are Struggling to Investigate What Matters
By the numbers:
- UK cybersecurity teams are receiving an average of 2,260 alerts per day, higher than the global average of 2,020.
- UK organizations report an average of 13.6 hours to detect an issue stemming from a missed alert.
Questions worth separating out
Q: How should security teams reduce false positives in cloud detection workflows?
A: They should attach identity, workload, and asset-criticality context to every alert before analysts see it.
Q: Why do east-west traffic patterns matter for lateral movement detection?
A: Because attackers often move sideways through normal-looking internal communication after initial access.
Q: What do security teams get wrong about alert enrichment?
A: They often treat enrichment as a reporting layer rather than an investigation control.
Practitioner guidance
- Map alert sources to identity and asset criticality Require every high-priority alert to carry workload identity, user identity, and business criticality before it reaches an analyst queue.
- Instrument east-west traffic for lateral movement detection Baseline normal service-to-service communication, then flag deviations in east-west traffic that indicate traversal between segments or unexpected privilege use.
- Correlate hybrid telemetry into one investigative view Merge cloud, on-prem, and identity telemetry so analysts can follow the same actor or workload across environments without switching tools.
What's in the full article
Illumio's full blog covers the operational detail this post intentionally leaves for the source:
- The report-level breakdown of UK, global, and regional alert-volume comparisons that support the context-gap argument.
- The specific respondent findings on false-positive fatigue, missed responses, and reputational impact across the UK sample.
- The practical description of how Illumio Insights correlates alerts across hybrid environments and maps blast radius.
- The article's fuller explanation of contextual observability and how it differs from basic alert enrichment.
👉 Read Illumio’s analysis of the UK cloud context gap and detection delays →
Context gap in UK cloud security: what practitioners need now?
Explore further
Context gap is becoming the defining operational failure in cloud defence. Teams do not fail because they see nothing. They fail because they cannot turn logs, alerts, and traffic into a defensible story quickly enough. That shifts the control problem from collection to interpretation, which is where many programmes are still weak. Practitioners should treat context as a security control, not just an analyst convenience.
A question worth separating out:
Q: Who should own contextual observability in a cloud security programme?
A: It should be shared across cloud security, SOC, and IAM teams because the evidence spans traffic, workload identity, and access rights. If any one team owns it alone, context becomes fragmented and response slows. Shared ownership keeps detection, investigation, and privilege decisions aligned.
👉 Read our full editorial: UK security teams are losing context faster than alerts