TL;DR: Nearly 90% of organisations experienced a security incident involving lateral movement in the past year, according to a 2025 cloud detection and response report cited by Illumio. The article argues that internal traffic visibility, reachable ports, and shared onboarding of flow logs are the practical inputs needed to narrow blast radius and contain compromise faster.
NHIMG editorial — based on content published by Illumio: 3 Ways to Get the Most Out of Your Illumio Insights Free Trial
By the numbers:
- Nearly 90% of organizations experienced a security incident involving lateral movement in the past year.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should security teams reduce lateral movement in hybrid cloud environments?
A: They should start by identifying which systems can talk to each other, which ports are reachable, and which workloads are overexposed.
Q: Why does lateral movement remain hard to stop even when detection is in place?
A: Detection often sees the compromise after the attacker has already learned the internal topology and started using valid paths.
Q: What do security teams get wrong about network visibility and containment?
A: They sometimes treat visibility as if it were containment.
Practitioner guidance
- Inventory east-west communication paths Capture flow logs across AWS, Azure, GCP, and on-premises systems so you can identify unexpected internal paths, top talkers, and reachable services before an incident expands.
- Triage exposed ports and unnecessary reachability Prioritise workloads with listening ports or connectivity that are not required for the business function, then reduce the reachable set through segmentation or policy tightening.
- Link workload reachability to identity ownership Map each exposed service or account back to the team that owns its credentials and access lifecycle so containment decisions have a clear owner.
What's in the full article
Illumio's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step onboarding for AWS, Azure, GCP, and on-premises flow logs in the trial environment
- Role-based use of the Insights Agent for workload traffic analysis and breach containment workflows
- Examples of traffic maps, top talkers, unexpected flows, and exposure points from live trial data
- How the trial connects directly to Segmentation for quarantine actions and containment workflows
👉 Read Illumio's analysis of lateral movement visibility and containment in hybrid cloud →
Lateral movement in hybrid cloud: what IAM and security teams miss?
Explore further
Blast-radius visibility is now a governance requirement, not a nice-to-have telemetry layer. Once an attacker is inside, the question becomes how far they can move before containment takes effect. Tools that expose traffic paths and exposure points help, but the governance decision still sits with teams responsible for segmentation, workload access, and service identity. Practitioners should treat internal visibility as the input to containment policy, not the control itself.
A question worth separating out:
Q: Who should own decisions about isolating a compromised workload?
A: The owner should be the team that controls both the workload and the access path it uses, because containment depends on credentials, segmentation, and operational context. If those responsibilities are split, isolation slows down and lateral movement has more time to spread across the environment.
👉 Read our full editorial: Lateral movement visibility and containment gaps in hybrid cloud