TL;DR: French organisations detect lateral movement in 88% of cases, yet incidents still average 6.1 hours of downtime and nearly $193,000 in cost because teams struggle to correlate alerts across tools and environments, according to Illumio and the 2025 Global Cloud Detection and Response Report. The real gap is containment context, not detection volume.
NHIMG editorial — based on content published by Illumio: French Security Teams Detect Breaches Just Fine. So Why Are They Still Facing Downtime?
By the numbers:
- French organisations receive an average of 2,336 security alerts per day.
- 12 months., ee percent of French IT and security leaders expect their cloud security budgets to increase over the next 12 months.
Questions worth separating out
Q: What breaks when organisations can detect lateral movement but cannot correlate it quickly?
A: Detection without correlation breaks containment.
Q: Why does lateral movement create more operational damage than a simple access alert?
A: Lateral movement matters because it turns one compromised foothold into a wider trust problem.
Q: How do security teams know whether alerting is actually helping containment?
A: Alerting helps containment only if analysts can decide in minutes what the attacker can reach next.
Practitioner guidance
- Correlate identity and path data before escalation Join cloud telemetry, identity events, and network relationships so responders can see which accounts, workloads, and segments are reachable from a suspected foothold.
- Prioritise high-blast-radius identities Identify service accounts, privileged users, and cross-environment permissions that can move an incident from local compromise to broad outage.
- Reduce alert noise at the correlation layer Tune detections to suppress duplicate or low-context events that do not help with scope decisions.
What's in the full article
Illumio's full article covers the operational detail this post intentionally leaves for the source:
- A country-by-country breakdown of alert volume, false positives, and containment confidence that supports programme benchmarking.
- The full commentary on why French teams see connections but still lack actionable insight during lateral movement incidents.
- The article's explanation of how AI-driven analysis is expected to reduce alert fatigue and speed investigation across hybrid environments.
- The source's product-specific discussion of how Illumio Insights presents attacker movement and blast-radius context.
👉 Read Illumio's analysis of why French teams still struggle to contain lateral movement →
Lateral movement in France: why containment still lags detection?
Explore further
Context collapse is the real control failure behind delayed containment. French teams are not short of alerts, and they are not short of confidence. What they lack is a unified way to interpret movement across hybrid environments before the attacker’s path becomes business impact. In practice, the control gap is not detection, but the ability to turn signal into containment priority.
A question worth separating out:
Q: Who is accountable when cloud detection is strong but containment still fails?
A: Accountability sits with the programme owners who govern response context, not just detection tooling. Cloud security, SOC, IAM, and infrastructure teams all influence whether movement data can be correlated into action. Frameworks such as NIST CSF and NIST SP 800-53 expect controls that support timely response, not only event collection.
👉 Read our full editorial: French cloud teams detect lateral movement but still lose hours